Your SlideShare is downloading. ×
0
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Bug bounty
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Bug bounty

1,515

Published on

Vinod Tiwari

Vinod Tiwari

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,515
On Slideshare
0
From Embeds
0
Number of Embeds
4
Actions
Shares
0
Downloads
46
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Bug Bounty Pawn to Earn Vinod Tiwari @war_crack
  • 2. Agenda • • • • • • • • Introduction Why #BBPs? Who are they? Prerequisites Develop your own approach Tools Avoid Duplicates Finding new #BBPs
  • 3. Introduction • Rewards(Not always) & Credits for finding loopholes • Bugs in application, Network, product etc. • Should be Responsible disclosure
  • 4. Why #BBPs? • Saves money getting job done by worldwide researchers • Different kind of bugs which owner never had thought of • Work directly with researchers • It was all started by Netscape in 1995
  • 5. Who are they? • • • • • • Google Facebook Mozilla ATT Barracuda List at – https://bugcrowd.com/list-of-bug-bountyprograms
  • 6. Prerequisite • You should read these, – OWASP Testing Guide V3 – The Web application hacker’s handbook – RFC 2616 - HTTP /1.1 • Have hands-on with few simulators e.g. – Mutillidae – DVWA – etc.
  • 7. Approach • Develop your own • Understand the Scope • Gather Information about domain, services, CMS & structures • Understand the logic • Avoid using automated tools • Have standard template to report
  • 8. Tools Required • Proxy: Burp Suite, Fiddler etc. • Browser extensions & Add-ons (Firefox) – Live HTTP header – Firebug/ Web developer tool – ClickJacking Defense – Wapplyzer – User agent Switcher – Many more
  • 9. Common Security Flaws Vulnerabilities 9% 14% 7% Injection Session flaws XSS 12% 16% IDOR Security Misconfiguration Sensitive Data Exposure CSRF 16% 19% 7% Other
  • 10. Avoid Duplicates • Try on Sub domains • Standard templates for common bugs can save time • Try with business logic flaws – https://www.owasp.org/index.php/Testing_for_b usiness_logic_(OWASP-BL-001)
  • 11. Submission Format • • • • • • • Vulnerability Name: Description: Impact: Vulnerable Link/Product: Environment tested on: POC (Screenshots, Video): References if any
  • 12. Finding New #BBPs • Google can help • Approach them • FUD will always help
  • 13. References • http://www.slideshare.net/mehimansu/bugbounty-for-beginners?from_search=1 • http://www.slideshare.net/goldshlager19/nirgoldshlager-killing-a-bug-bounty-programtwice-hack-in-the-box-2012?from_search=9
  • 14. Questions? • Thanks!  Twitter: @war_crack email: nikivin.vinod@gmail.com

×