how to do well in bug bounty programs. presentation at @nullhyd by abhijeth
DESCRIPTION
This is a presentation which talks about how to do well in bug bounty programs. The slides explain a few best practices suggested by top bug hunters around the world. For further details about the presentation/suggestions feel free to contact @abhijeth.
TRANSCRIPT
How to do well with Bug bounties?
-- ABHIJETH D
Agenda
Introduction
Finding the right target
Information gathering
Approach to discover vulnerabilities
Using various vulnerability scanners
POC writing
Few sample potential RCEs
Annnd thennnnnnn bug hunting
www.abhijeth.com www.null.co.in @abhijeth @nullhyd
Hello! Time to brag:
Security Consultant at TCS for bread and butter
Love speaking and training
Got lucky with Google, Y!, Microsoft, Twitter .. Etc
Love anime and politics !!
Trying to contribute to the security community and start-ups in Hyd.
Abhijeth Dugginapeddi
www.abhijeth.com
@abhijeth
Fb.com/abhijethd
What is a bug bounty program
YOU FIND A VULNERABILITY
DO SOME R&D
GET FREE T SHIRTS
FREE SWAG
MOST IMPORTANTLY EARN SOME BOUNTY
“HALL OF FAME”
Why do companies run such programs?
ARE THEY DUMB TO PAY HACKERS??
Free publicity
Cost efficient
Improve security
Where to get the list !!!
Let's start …!!
How do we start?? Which hall of fame do you want to get into?
Let's test google.com
The road not taken
Start with easier sites
Find sites which were not tested by many
New bug bounty program
leads to better success
Find the right domain to find a bug.
Finding sub.sub.sub.domain
It is always important to find a subdomain
They say ..!!! BBP is all about XSS
A better approach
Mixed content
Click Jacking
Logical bypass
Bruteforce
Directory Listing
Open redirects
And when they don’t “pay”, don’t invest much time!! Remember even a CJ can give you a HOF
Few Tips
Next time you get a single vuln in diff domains, make sure you submit "individual" reports.
It is always important to find the “right” domain to attack
A right sub domain can give you a HOF in less than an hour
Understand the logic before you start your magic
It is very very very important to write a neat POC.
Presentation skills do matter!!!
My Dupe Stories….!! First Magento
Then Facebook and Yahoo
Even Google
What do you realize??
Special Thanks
Harsha Vardhan Boppana
For sharing his secrets
Gineesh George
In office, fortunately the only guy who can “hack”
Lalith and Varun Kakumani
My partners :D
Thanks a lot
www.Abhijeth.com
@abhijeth
Facebook.com/abhijeth