In this episode, we’re diving straight into one of the most overlooked, and most powerful, vulnerability classes in bug bounty: IDORs and broken access controls.
No definitions, no theory, just the real mindset, the logic, and the techniques that turn a simple “403 Forbidden” into full access.
💡 Support AmrSec on Patreon:
https://patreon.com/AmrSec
🔥 Join Our Community:
Discord:
https://discord.gg/nxHKyJTy3h
📑 Resources
Video Article:
https://amrelsagaei.com/how-i-found-idors-that-shouldnt-exist
YWH:
https://yeswehack.com/
YWH DoJo:
https://dojo-yeswehack.com/
⭐ Become a Channel Member:
https://www.youtube.com/@AmrSecOfficial/join
🟠 Get 20% off Caido Premium with code "AMRSEC20" (yearly plan only)
⚠️ Disclaimer
This channel is for educational purposes only. The goal is to teach cybersecurity, ethical hacking, and red team/blue team skills through real tools, techniques, and experience. Always hack ethically. 🔐
⏱️ Timestamps
00:00 — Introduction
00:44 — Quick Note
01:17 — IDOR Reality
01:49 — How to Think (Mindset Shift)
02:30 — Techniques Overview
05:18 — Trailing Slash / Path Normalization
06:08 — Double-Slash / Obfuscated Path
06:50 — Version Downgrade
07:36 — Subpath / Endpoint Variant
09:01 — Query Param vs Path
11:07 — Type Confusion — String vs Integer
11:58 — Leading Zeros / Hex / Alternate Formats
12:26 — NULL / Termination / Control-Char Encoding
13:17 — Header / Proxy-Based Bypass
14:13 — Unicode / Encoded-Space Tricks
17:08 — Quick Recap
17:49 — Conclusion
Follow AmrSec
LinkedIn:
https://www.linkedin.com/in/amrelsagaei
Twitter/X:
https://twitter.com/amrelsagaei
Instagram:
https://instagram.com/amrelsagaei
#AmrSec #BugBounty #IDOR #WebSecurity #CyberSecurity #YesWeHack