Fun & profit with bug bounties

null Dharamshala Chapter - July 2014 Meet

Published in: Education
Transcript

  • 1. Fun & Profit with Bug Bounties - Madhu Akula, Null - Dharamshala
  • 2. About Me! root@localhost:~# whoami Madhu Akula, Information Security Enthusiast madhu.akula@hotmail.com www.madhuakula.com in.linkedin.com/in/madhuakula fb.com/madhu.akula twitter.com/madhuakula
  • 3. Agenda: What bug bounties are and how to start, and my experience with bug bounties...
  • 4. What is a bug bounty?
    Vendor:
    ● Create a program
    ● Offer HOF (or) Swag (or) Reward (or) Duplicate
    ● Get all the vulnerabilities and fix them ASAP!
    ● Make products and applications secure
    Researcher:
    ● Find the vulnerabilities in the target
    ● Get mostly duplicates :P
    ● Otherwise HOF, Swag (or) Reward!
    ● Share on social networks
  • 5. History... https://blog.crowdcurity.com/the-history-of-bug-bounty-programs/
  • 6. Who is eligible? ● Are you able to p0p up
  • 7. Where to find the list? ● Here you go...
  • 8. How to start???
    ● Learn how things work
    ● OWASP is our home to learn web application security
    ● Do your homework with Broken Web Apps
    ● Then apply what you learn! Keep sending your requests until you get the response :)
  • 9. How to start???
    ● Your main resource for bug bounties is gathering Proofs of Concept (PoC)!
    ● Check blogs for write-ups
    ● Add bug hunters to your friends list to get PoCs as well as new programs :p
    ● Check for new vulnerabilities: site:hackerone.com/reports/
  • 10. How to start???
    ● Take one site from the list of sites
    ● Check your luck with new sites
    ● Then map the target's attack surface
    ● Check for OWASP vulnerabilities as first priority
    ● Check for other types of vulnerabilities too
    ● Then get HOF, swag and $$$$
  • 11. Common checks!
    ● Cross Site Scripting
    ● Cross Site Request Forgery
    ● Injections
    ● Authentication and Session Mechanism
    ● Remote Code Execution
    ● Other...
  • 12. Resources
    Mozilla and add-ons:
    ● Live HTTP Headers
    ● Tamper Data
    ● Wappalyzer
    ● FoxyProxy
    ● Firebug
    ● HackBar
    ● User Switcher
    ● Others...
    Proxies:
    ● Burp
    ● OWASP ZAP
    ● Any other
    Search Engine Discovery: Google, Shodan, Bing, others
    Open Source:
    ● IronWASP
    ● Xenotix
    ● Many more...
    Writing custom scripts gives you better and quicker results. searchdns.netcraft.com and www.wolframalpha.com for finding subdomains! Keep ready-made report templates so that you are the first person to report! Finally, use https://pentest-tools.com. Bye bye to scanners!
  • 13. My Experience with Bug Bounties! Started with duplicates... Didn't know what bug hunting was (n00b)
  • 14. Digging in deep!
    ● Pick only one target and find bugs until you are the first person to find one!
    ● Once you are the first, if there is a reward, keep trying until you are listed among the top members...
  • 15. After... Many More...
  • 16. After... Many More...
  • 17. After... Many More...
  • 18. The End!
    ● It's enough
    ● Realised that I was spending 2 hours every day
    ● Luck is the best kick for duplicates
    ● Started as a noob and got some experience with app security
    ● Good friends on social networks
    ● Then started contributing to open source and got some CVEs: CVE-2014-4329, CVE-2014-4722, CVE-2014-4853
  • 19. Conclusion: Bug bounties are not only for rewards (or) fame. You will learn about new attacks and exploitation techniques by playing with other applications.
  • 20. Demos & PoCs
  • 21. Walk Through!
  • 22. Special Thanks! http://null.co.in fb.com/null0x00 twitter.com/null0x00
