Bug bounty
  • 1,208 views

Vinod Tiwari

Vinod Tiwari

Statistics

Views

Total Views
1,208
Views on SlideShare
1,204
Embed Views
4

Actions

Likes
0
Downloads
22
Comments
0

2 Embeds 4

http://www.slideee.com 3
http://webcache.googleusercontent.com 1

Accessibility

Categories

Upload Details

Uploaded as Microsoft PowerPoint

Usage Rights: CC Attribution-NonCommercial License
    Presentation Transcript

    • Bug Bounty: Pawn to Earn
      Vinod Tiwari, @war_crack
    • Agenda
      – Introduction
      – Why #BBPs?
      – Who are they?
      – Prerequisites
      – Develop your own approach
      – Tools
      – Avoid duplicates
      – Finding new #BBPs
    • Introduction
      – Rewards (not always) and credits for finding loopholes
      – Bugs in applications, networks, products etc.
      – Disclosure should be responsible
    • Why #BBPs?
      – Saves money: the job is done by researchers worldwide
      – Surfaces kinds of bugs the owner never thought of
      – Owners work directly with researchers
      – It all started with Netscape in 1995
    • Who are they?
      – Google
      – Facebook
      – Mozilla
      – AT&T
      – Barracuda
      – Full list at https://bugcrowd.com/list-of-bug-bounty-programs
    • Prerequisites
      – You should read these:
        – OWASP Testing Guide v3
        – The Web Application Hacker's Handbook
        – RFC 2616 - HTTP/1.1
      – Get hands-on with a few deliberately vulnerable simulators, e.g.:
        – Mutillidae
        – DVWA
        – etc.
    • Approach
      – Develop your own
      – Understand the scope
      – Gather information about the domain, services, CMS and structure
      – Understand the application logic
      – Avoid relying on automated tools
      – Have a standard template for reporting
    • Tools Required
      – Proxy: Burp Suite, Fiddler etc.
      – Browser extensions and add-ons (Firefox):
        – Live HTTP Headers
        – Firebug / Web Developer Toolbar
        – ClickJacking Defense
        – Wappalyzer
        – User Agent Switcher
        – Many more
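The "ClickJacking Defense" add-on in the tools list works by reading a response's framing headers. As an added example (not from the slides), here is that check written out over constructed HTTP responses, applying the precedence browsers use: an enforcing CSP `frame-ancestors` directive overrides `X-Frame-Options`, a report-only CSP header enforces nothing, and the obsolete `ALLOW-FROM` value gives no protection in current browsers.

```python
from typing import Dict, Tuple


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response (constructed input) into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated header names are joined with commas, as HTTP allows.
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers


def framing_verdict(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for clickjacking, using browser precedence.

    Only the enforcing Content-Security-Policy header counts: a
    Content-Security-Policy-Report-Only header never blocks framing.
    """
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        # frame-ancestors overrides X-Frame-Options when both are present.
        if any(s == "*" or s.endswith(":") for s in sources):
            return False, "CSP frame-ancestors allows any origin (wildcard or bare scheme)"
        if not sources or sources == ["'none'"]:
            return True, "CSP frame-ancestors matches no ancestor"
        return True, f"CSP frame-ancestors restricted to {' '.join(sources)}"
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options or frame-ancestors"
    value = xfo.strip().upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {value}"
    # ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection.
    return False, f"unrecognised X-Frame-Options value {value!r}"


if __name__ == "__main__":
    # Constructed sample: DENY is present but an enforcing CSP opens framing to everyone.
    sample = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
              "Content-Security-Policy: default-src 'self'; frame-ancestors *\r\n\r\n<html>")
    print(framing_verdict(parse_headers(sample)))
```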
    • Common Security Flaws
      – [Pie chart of vulnerability categories found in bug bounty programs: Injection, Session flaws, XSS, IDOR, Security Misconfiguration, Sensitive Data Exposure, CSRF, Other; individual shares ranged from 7% to 19%, but the transcript does not preserve which percentage belongs to which category]
    • Avoid Duplicates
      – Try subdomains
      – Standard templates for common bugs save time
      – Look for business logic flaws: https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)
    • Submission Format
      – Vulnerability Name:
      – Description:
      – Impact:
      – Vulnerable Link/Product:
      – Environment tested on:
      – POC (screenshots, video):
      – References, if any:
    • Finding New #BBPs
      – Google can help
      – Approach them
      – FUD will always help
    • References
      – http://www.slideshare.net/mehimansu/bugbounty-for-beginners?from_search=1
      – http://www.slideshare.net/goldshlager19/nirgoldshlager-killing-a-bug-bounty-programtwice-hack-in-the-box-2012?from_search=9
    • Questions?
      – Thanks! Twitter: @war_crack, email: nikivin.vinod@gmail.com