Presentation slides used for my workshop on Bug Bounty hunting, in Null/OWASP Delhi.

1. The Game of Bug Bounty
Hunting
Money, Drama, Action and Fame
By,
Abhinav Mishra | 0ctac0der

2. Let’s get a bit friendly first
Me?
Abhinav Mishra | @0ctac0der | Bug Bounty Hunter | Freelancer . Have Quest?
And you?
Name? | What are you? | Security Exp? | Bug Hunter?
In the meantime, copy the content to your laptops. Install VirtualBox and copy the Kali ISO. Run Kali
Linux as a virtual machine. Help your neighbors (yes, this applies even if he is a guy)

3. What’s on the plate?
● All you need to know about bug bounty and platforms
○ History & present | Who can do it? What are the skill needed? Where to start from?
○ About Hackerone. | About BugCrowd.
○ Penetration Testing and Bug Bounties
● Need Some Motivation?
○ How much money are we talking about? MONEY
○ Where do you stand? Where do I stand?
● Bug Hunter’s Avenue
○ How do I do it? Building your approach?
○ Choose your Goose (to get golden eggs) and Let’s do it …. ACTION
○ Resources and Tools I use (suggest), Blogs and People to follow
● Best submissions H1 (those I love ) Fame
● Dark Side: Mishaps, Blunders and some (ugly) famous reports :) - DRAMA

4. Bug Bounties
What is it? Hack → Report → Get Paid
History of Bug Bounties:
Read more & Image credit : https://cobalt.io/blog/the-history-of-bug-bounty-programs/

5. Present Status of Bug Bounty Programs
● Most Famous Platforms:
○ HackerOne - Founded in 2012
○ BugCrowd - Founded in 2012
● Worldwide 488+ Public Programs (as per BugCrowd List)
● What you get? Cash | Bitcoins | Swag | Hall Of Fame
● Who can participate?
○ Technically? Anyone.
● What are the skills required?
○ Web/Mobile/Infra hacking skills, reporting skills, sharp mind, out of the “room” thinking (because
the box is too small)
● Where to start?
○ Process is very simple. Register to BB platforms → Choose program → Hack → Report

6. Lifecycle of Bug Bounty Submission

7. About HackerOne, BugCrowd & Public programs
● Two most popular Bug Bounty Platforms.
● Provide a great platform for white hats to sharpen the skills and earn cash.
● Public and Private programs to participate.
● Individual bug bounty platforms: Facebook, Google, Microsoft.
● List of all bug bounty programs:
○ BugCrowd Maintained List
○ FireBounty List
● Openbugbounty : Link

8. Bug Bounty Motivation #1 (Money)
Let’s have a tea break… 10 min.
If we started at right time, it should be 11.45 AM now.

9. Approach
What To Do
● The earlier, the better
● Be the user first
● Understand the logic, to break it
● Have custom methods, payloads
● Not just XSS, CSRF, IDOR, SQLi…
● Reporting is the money multiplier
● Be professional
What Not To Do
● XSS : ctrl c → ctrl v everywhere
● Low fruits are never the best
● The easy way is not the right way
● Half filled submissions
● Only OWASP Top 10?
● Irresponsible in responsible
disclosures.
● Don’t do #Beg-Bounty

10. Enough. So what next?
Next 1 Hour:
● Exploring the scope of a program. Building the approach.
● Lookout for low hanging fruits.
● Some cool tricks to speed up the hunting
● Tools and scripts which might help
● Reporting .. how to do this?
● Attack scenario and Exploit
After that (for 0.5 Hours):
● Choose your target
● Hunt for bugs, let’s see who is going to buy us a drink.

11. Action Begins Here...
● Exploring the scope
○ Read the “Rules of Engagement” and “Program Description”
○ Knockpy www.mydomain.com or Recon-ng Link
○ If scope is “*.mydomain.com” then do “Inurl:mydomain.com -www”
○ Mobile apps? Reverse engg to find URLs.
○ Mobile websites… https://m.mydomain.com
● Port scan, service detection & low hanging fruits
○ Do not miss the server
■ Port scanning: nmap is your buddy nmap -sS -A -PN -p mydomain.com
○ Publicly accessible grails console, fuzz for hidden files or insecure urls.
■ Wfuzz, google

12. Low hanging fruits….
Remember everyone is looking for it, but the only the one wins.
● Finding XSS
○ - Inject to find XSS Link
○ - Unicode transformation issues- By @tbmnull - PDF here
● CSRF: (Ref: https://whitton.io/)

13. Low hanging fruits…. Chase #2
● SSL issues (SSLscan),
● Wordpress bugs (WPScan)
○ Wpscan --url “www.mydomain.com/blog”
● Fuzzing (Wfuzz)
○ Wfuzz -c -z file,”SecList” --hc 404 https://www.mydomain.com/admin/FUZZ
● Session related vulnerabilities
○ Fixation, Reuse, Expiration
○ Insecure cookies, no account lockouts
○ Password reset bugs: token reuse, token generation etc.
○ Auto session logout on all devices? And mobile app?
○ Account enumeration, Clickjacking, Info disclosures

14. Bug Bounty Motivation #2
Let’s have a tea break… 10 min.
If we started at right time, it should be 1.30 PM now.

15. Slightly higher
● SQLi | Sample report: Link
● Insecure direct object reference (Game of “Eena Meena Deeka“) | Sample
report: Link
● XXE vulnerabilities | Sample report: Link (My personal fav)
● Remote code execution | Sample report: Link
● Priv Esc or Authorization bypass | Sample report: HackerOne Link
● Server Side request forgery (SSRF) | Sample report: HackerOne Link
● HTTP response splitting | Sample report: HackerOne Link

16. Out of the “room” findings (Fame)
Refer these incredible findings:
● Uber Bug Bounty: Turning Self-XSS into Good-XSS : Link
● How I hacked Hotmail : Link
● Command injection which got me "6000$" from #Google : Link
● Content Types and XSS: Facebook Studio : Link

17. Time is the “BOSS”
Any specific vulnerability that you want to know how to hunt?

18. Bug Bounty Motivation #3
Let’s have a tea break… 10 min.
If we started at right time, it should be 2.45 PM now.

19. Choose your Goose (for golden eggs)
What now? (30 Min)
● Register on any platform (BugCrowd or HackerOne) or Choose a public
program if you want.
● Hunt for bugs.
● Ask questions. Push yourself to go beyond just salary :)
At the same time:
● Follow the bounty rules.
● Follow the responsible disclosures. Do not public the bug (if you get lucky).
● Reporting is the hidden secret.

20. Bug Bounty Motivation #4
Let’s have a tea break… 10 min.
If we started at right time, it should be 3.30 PM now.

21. The Dark side (Drama)
Case 1. The unexpected “Facebook” and an over-curious hacker.
The story from Wes’s point of view: Link

22. The Dark side Part 2
Case 2. A desperate, unprofessional, greedy, abusive report, deserve this.

23. Where to go next?
Resources:
● How to become a Bug Bounty Hunter (BugCrowd)
● Researcher Resources - Tutorials (BugCrowd)
● The Bug Hunters Methodology (Jason Haddix)
● Researcher Resources - Tutorials (BugCrowd)
Public Bug Reports:
● Bug Bounty POC. All Bug Bounty POC write ups by Security Researchers. Link
● the unofficial HackerOne disclosure timeline. (HackerOne Reports) Link
● Public Pentest reports : Link

24. Where to go next?
Blogs to Follow:
● BugCrowd Blog
● HackerOne Blog
● Jack Whitton’s Blog
● Hack 2 Learn. Master the art of Cross Site Scripting. Brute Logic’s Blog
● Bug Bounty Findings by Meals. Meal’s Blog
Remember, all the resources, tools, blogs, examples shown by me in this session are one of those
hundreds (if not thousand) which are there on internet. The best way to find is, do not remain AFK

25. "Computers are useless. They can only give you answers."
- Pablo Picasso
If we started at right
time, it should be 4 PM
now.