fun & profit with bug bounties

Download Fun & profit with bug bounties

Post on 17-Aug-2014




0 download

Embed Size (px)


null Dharmashal Chapter - July 2014 Meet


  • Fun & Profit with Bug Bounties - Madhu Akula Null - DharamshalaNull - Dharamshala
  • About Me ! root@localhost :~# whoami Madhu Akula Information Security Enthusiastic
  • Agenda What and how to start Bug Bounties & My experience with bug bounties...
  • What is bug bounty ? Vendor : Create a program Offer HOF (or) Swag (or) Reward (or) Duplicate Get the all vulnerabilities and Fix asap ! Make products and applications secure Researcher : Find the vulnerabilities in target Get mostly duplicates :P Other wise Hof, Swag (or) Reward ! Share in Social Network
  • History...
  • Who are eligible ? Are you able to p0p up
  • Where to find the list? Here you go...
  • How to start ??? Learn how things will work Owasp is our home to learn Web Application Security Do home work with Broken Web Apps Then apply what you learn ! Start with your requests untill you will get the response :)
  • How to start ??? Your main resource for bug bounties is gathering Proof Of Concepts (POC) ! Checking blogs for write up Adding bug hunters into your friends list to get PoC's as well as new programs :p Checking for new vulnerabilities
  • How to start ??? Take one site from the list of sites Check your luck with new sites Then try to map the target with attack surface Check for OWASP Vulnerabilities as first priority Check other type of vulnerabilities also Then get hof, swags and $$$$
  • Common checks ! Cross Site Scripting Cross Site Request Forgery Injections Authentication and Session Mechanism Remote Code Execution Other...
  • Resources Mozilla and addon's Live HTTP Headers Tamper Data Wappalyzer Foxyproxy Firebug Hack bar User switcher Others... writing custom scripts will give you more good and quick results, - For subdomains finding ! Keep ready made report templates to become you are the first person to find ! Finally use Proxies Burp Owasp ZAP Any other Search Engine Discovery Google, Shodan, Bing, other Open Source Ironwasp Xenotix Many more... Bye bye to Scanners !
  • My Experiance with Bug Bounties ! Started with Duplicates... Don't know what is bug hunting (n00b)
  • Digging into deep ! only one target, find bugs untill you will be the first person to find ! Once you are the first person if is there any reward try more untill you will be listed in Top members...
  • After... Many More...Many More...
  • After... Many More...Many More...
  • After... Many More...Many More...
  • The End ! It's enough Realised that I'm wasting everyday 2hrs Luck is the best kick for duplicates Started as noob and got some expriance with app security Good friends in Social Networks Then started contributing to Open Source and got some CVE-2014-4329, CVE-2014-4722, CVE-2014-4853
  • Conclusion Bug bounties are not only for rewards (or) fame. You will learn about new attacks and exploitation techniques by playing with other applications.
  • Demo's & POC's
  • Walk Through !
  • Special Thanks !