How to do well in bug bounty programs. Presentation at @nullhyd by Abhijeth

Post on 06-May-2015

Category:

Technology

DESCRIPTION

This is a presentation which talks about how to do well in bug bounty programs. The slides explain a few best practices suggested by top bug hunters around the world. For further details about the presentation/suggestions, feel free to contact @abhijeth.

TRANSCRIPT

How to do well with Bug bounties?

-- ABHIJETH D

Agenda

Introduction

Finding the right target

Information gathering

Approach to discover vulnerabilities

Using various vulnerability scanners

POC writing

Few sample potential RCEs

Annnd thennnnnnn bug hunting

www.abhijeth.com www.null.co.in @abhijeth @nullhyd

Hello

Time to brag:

Security Consultant at TCS for bread and butter

Love speaking and training

Got lucky with Google, Y!, Microsoft, Twitter, etc.

Love anime and politics !!

Trying to contribute to the security community and start-ups in Hyd.

Abhijeth Dugginapeddi

www.abhijeth.com

@abhijeth

Fb.com/abhijethd

What is a bug bounty program

YOU FIND A VULNERABILITY

DO SOME R&D

GET FREE T SHIRTS

FREE SWAG

MOST IMPORTANTLY EARN SOME BOUNTY

“HALL OF FAME”

Why do companies run such programs?

ARE THEY DUMB TO PAY HACKERS??

Free publicity

Cost efficient

Improve security

Where to get the list !!!

Let's start …!!

How do we start ?? Which hall of fame do you want to get into ?

Let's test google.com

The road not taken

Start with easier sites

Find sites which were not tested by many

New bug bounty program leads to better success

Find the right domain to find a bug.

Finding sub.sub.sub.domain

It is always important to find a sub domain

They say ..!!! BBP is all about XSS

A better approach

Mixed content

Clickjacking

Logical bypass

Brute force

Directory Listing

Open redirects

And when they don't "pay", don't invest much time!! Remember, even a CJ (clickjacking) can give you a HOF (hall of fame).

Few Tips

Next time you get a single vuln in different domains, make sure you submit "individual" reports.

It is always important to find the “right” domain to attack

A right sub domain can give you a HOF in less than an hour

Understand the logic before you start your magic

It is very very very important to write a neat POC.

Presentation skills do matter!!!

My Dupe Stories….!!

First Magento

Then Facebook and Yahoo

Even Google

What do you realize??

Special Thanks

Harsha Vardhan Boppana

For sharing his secrets

Gineesh George

In office, fortunately the only guy who can “hack”

Lalith and Varun Kakumani

My partners :D

Thanks a lot

dabhijeth@yahoo.co.in

www.Abhijeth.com

@abhijeth

Facebook.com/abhijeth