SlideShare a Scribd company logo

Fun & Profit with Bug Bounties - Tips for Getting Started

n|u - The Open Security Community
n|u - The Open Security Community

null Dharmashal Chapter - July 2014 Meet

Education
1 of 22
Download to read offline
Fun & Profit with Bug Bounties - Madhu Akula Null - DharamshalaNull - Dharamshala
About Me ! root@localhost :~# whoami Madhu Akula Information Security Enthusiastic madhu.akula@hotmail.com www.madhuakula.com in.linkedin.com/in/madhuakula fb.com/madhu.akula twitter.com/madhuakula
Agenda What and how to start Bug Bounties & My experience with bug bounties...
What is bug bounty ? Vendor : ● Create a program ● Offer HOF (or) Swag (or) Reward (or) Duplicate ● Get the all vulnerabilities and Fix asap ! ● Make products and applications secure Researcher : ● Find the vulnerabilities in target ● Get mostly duplicates :P ● Other wise Hof, Swag (or) Reward ! ● Share in Social Network
History... https://blog.crowdcurity.com/the-history-of-bug-bounty-programs/
Who are eligible ? ● Are you able to p0p up
Where to find the list? ● Here you go...
How to start ??? ● Learn how things will work ● Owasp is our home to learn Web Application Security ● Do home work with Broken Web Apps ● Then apply what you learn ! Start with your requests untill you will get the response :)
How to start ??? ● Your main resource for bug bounties is gathering Proof Of Concepts (POC) ! ● Checking blogs for write up ● Adding bug hunters into your friends list to get PoC's as well as new programs :p ● Checking for new vulnerabilities site:hackerone.com/reports/
How to start ??? ● Take one site from the list of sites ● Check your luck with new sites ● Then try to map the target with attack surface ● Check for OWASP Vulnerabilities as first priority ● Check other type of vulnerabilities also ● Then get hof, swags and $$$$
Common checks ! ● Cross Site Scripting ● Cross Site Request Forgery ● Injections ● Authentication and Session Mechanism ● Remote Code Execution ● Other...
Resources Mozilla and addon's ● Live HTTP Headers ● Tamper Data ● Wappalyzer ● Foxyproxy ● Firebug ● Hack bar ● User switcher ● Others... writing custom scripts will give you more good and quick results searchdns.netcraft.com, www.wolframalpha.com - For subdomains finding ! Keep ready made report templates to become you are the first person to find ! Finally use https://pentest-tools.com Proxies ● Burp ● Owasp ZAP ● Any other Search Engine Discovery Google, Shodan, Bing, other Open Source ● Ironwasp ● Xenotix ● Many more... Bye bye to Scanners !
My Experiance with Bug Bounties ! Started with Duplicates... Don't know what is bug hunting (n00b)
Digging into deep ! ● only one target, find bugs untill you will be the first person to find ! ● Once you are the first person if is there any reward try more untill you will be listed in Top members...
After... Many More...Many More...
After... Many More...Many More...
After... Many More...Many More...
The End ! ● It's enough ● Realised that I'm wasting everyday 2hrs ● Luck is the best kick for duplicates ● Started as noob and got some expriance with app security ● Good friends in Social Networks ● Then started contributing to Open Source and got some CVE-2014-4329, CVE-2014-4722, CVE-2014-4853
Conclusion Bug bounties are not only for rewards (or) fame. You will learn about new attacks and exploitation techniques by playing with other applications.
Demo's & POC's
Walk Through !
Special Thanks ! http://null.co.infb.com/null0x00 twitter.com/null0x00

Recommended

My Bug Hunting With Open Source
My Bug Hunting With Open SourceMy Bug Hunting With Open Source
My Bug Hunting With Open SourceMadhu Akula
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra
 
How you can become a hacker with no security experience
How you can become a hacker with no security experienceHow you can become a hacker with no security experience
How you can become a hacker with no security experienceAvădănei Andrei
 
DEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansDEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansFelipe Prado
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray
 
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Sigma Software
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMEjeffmcjunkin
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Mazin Ahmed
 

Recommended

My Bug Hunting With Open Source
My Bug Hunting With Open SourceMy Bug Hunting With Open Source
My Bug Hunting With Open SourceMadhu Akula
 
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAndroid "Fight Club" : In pursuit of APPiness -- null Humla Delhi Chapter
Android "Fight Club" : In pursuit of APPiness -- null Humla Delhi ChapterAbhinav Mishra
 
How you can become a hacker with no security experience
How you can become a hacker with no security experienceHow you can become a hacker with no security experience
How you can become a hacker with no security experienceAvădănei Andrei
 
DEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansDEF CON 23 - Ryan Mitchell - separating bots from humans
DEF CON 23 - Ryan Mitchell - separating bots from humansFelipe Prado
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray
 
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,
Байки із пожежного депо або як працює Big Data в Sigma Software, Денис Пишьєв,Sigma Software
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMEjeffmcjunkin
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...Mazin Ahmed
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
Osint ashish mistry
Osint ashish mistryOsint ashish mistry
Osint ashish mistryn|u - The Open Security Community
 
How to ship web software like pirates!
How to ship web software like pirates!How to ship web software like pirates!
How to ship web software like pirates!Sylvain Carle
 
Intro to Hackathons 101
Intro to Hackathons 101Intro to Hackathons 101
Intro to Hackathons 101Anna Goncharova
 
Learn to Code and Have Fun Doing It!
Learn to Code and Have Fun Doing It! Learn to Code and Have Fun Doing It!
Learn to Code and Have Fun Doing It! St. Petersburg College
 
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reBSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reChandra Pratap
 
Notice Me, Senpai! Get Discovered with Creative Technical Content
Notice Me, Senpai! Get Discovered with Creative Technical ContentNotice Me, Senpai! Get Discovered with Creative Technical Content
Notice Me, Senpai! Get Discovered with Creative Technical ContentTomomi Imura
 
Lvl.up
Lvl.upLvl.up
Lvl.upswee meng ng
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)Mikal Villa
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialSecurity BSides London
 
Introduction To ICT Security Audit OWASP Day Malaysia 2011
Introduction To ICT Security Audit OWASP Day Malaysia 2011Introduction To ICT Security Audit OWASP Day Malaysia 2011
Introduction To ICT Security Audit OWASP Day Malaysia 2011Linuxmalaysia Malaysia
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
Bug bounty cash for hack
Bug bounty cash for hackBug bounty cash for hack
Bug bounty cash for hackAtul Shedage
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Alan Richardson
 
<?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! <?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! Sean Prunka
 
Open ID and Django
Open ID and DjangoOpen ID and Django
Open ID and Djangonathanflorea
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
gettingintothetechfieldwhatnext-210526205624.pdf
gettingintothetechfieldwhatnext-210526205624.pdfgettingintothetechfieldwhatnext-210526205624.pdf
gettingintothetechfieldwhatnext-210526205624.pdfroystoncdsouza7
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Osint primer
Osint primerOsint primer
Osint primern|u - The Open Security Community
 

More Related Content

Similar to Fun & Profit with Bug Bounties - Tips for Getting Started

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamMohammed Adam
 
How to ship web software like pirates!
How to ship web software like pirates!How to ship web software like pirates!
How to ship web software like pirates!Sylvain Carle
 
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reBSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reChandra Pratap
 
Notice Me, Senpai! Get Discovered with Creative Technical Content
Notice Me, Senpai! Get Discovered with Creative Technical ContentNotice Me, Senpai! Get Discovered with Creative Technical Content
Notice Me, Senpai! Get Discovered with Creative Technical ContentTomomi Imura
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)Mikal Villa
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialSecurity BSides London
 
Introduction To ICT Security Audit OWASP Day Malaysia 2011
Introduction To ICT Security Audit OWASP Day Malaysia 2011Introduction To ICT Security Audit OWASP Day Malaysia 2011
Introduction To ICT Security Audit OWASP Day Malaysia 2011Linuxmalaysia Malaysia
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XMichele Orru
 
Bug bounty cash for hack
Bug bounty cash for hackBug bounty cash for hack
Bug bounty cash for hackAtul Shedage
 
Pentester++
Pentester++Pentester++
Pentester++CTruncer
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Alan Richardson
 
<?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! <?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! Sean Prunka
 
Open ID and Django
Open ID and DjangoOpen ID and Django
Open ID and Djangonathanflorea
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
gettingintothetechfieldwhatnext-210526205624.pdf
gettingintothetechfieldwhatnext-210526205624.pdfgettingintothetechfieldwhatnext-210526205624.pdf
gettingintothetechfieldwhatnext-210526205624.pdfroystoncdsouza7
 

Similar to Fun & Profit with Bug Bounties - Tips for Getting Started (20)

The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Osint ashish mistry
Osint ashish mistryOsint ashish mistry
Osint ashish mistry
 
How to ship web software like pirates!
How to ship web software like pirates!How to ship web software like pirates!
How to ship web software like pirates!
 
Intro to Hackathons 101
Intro to Hackathons 101Intro to Hackathons 101
Intro to Hackathons 101
 
Learn to Code and Have Fun Doing It!
Learn to Code and Have Fun Doing It! Learn to Code and Have Fun Doing It!
Learn to Code and Have Fun Doing It!
 
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|reBSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
BSidesLondon | Your Money, Your Media - A DRMtastic Android (reverse|re
 
Notice Me, Senpai! Get Discovered with Creative Technical Content
Notice Me, Senpai! Get Discovered with Creative Technical ContentNotice Me, Senpai! Get Discovered with Creative Technical Content
Notice Me, Senpai! Get Discovered with Creative Technical Content
 
Lvl.up
Lvl.upLvl.up
Lvl.up
 
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)TSC Summit #4 - Howto get browser persitence and remote execution (JS)
TSC Summit #4 - Howto get browser persitence and remote execution (JS)
 
Your money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorialYour money, your media a DRMtastic (reverse|re) eng. tutorial
Your money, your media a DRMtastic (reverse|re) eng. tutorial
 
Introduction To ICT Security Audit OWASP Day Malaysia 2011
Introduction To ICT Security Audit OWASP Day Malaysia 2011Introduction To ICT Security Audit OWASP Day Malaysia 2011
Introduction To ICT Security Audit OWASP Day Malaysia 2011
 
Practical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon XPractical Phishing Automation with PhishLulz - KiwiCon X
Practical Phishing Automation with PhishLulz - KiwiCon X
 
Bug bounty cash for hack
Bug bounty cash for hackBug bounty cash for hack
Bug bounty cash for hack
 
Pentester++
Pentester++Pentester++
Pentester++
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014
 
<?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny! <?php>Hello Worl...Ooo Shiny!
<?php>Hello Worl...Ooo Shiny!
 
Open ID and Django
Open ID and DjangoOpen ID and Django
Open ID and Django
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
gettingintothetechfieldwhatnext-210526205624.pdf
gettingintothetechfieldwhatnext-210526205624.pdfgettingintothetechfieldwhatnext-210526205624.pdf
gettingintothetechfieldwhatnext-210526205624.pdf
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 

Recently uploaded (20)

Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 

Fun & Profit with Bug Bounties - Tips for Getting Started

  • 1. Fun & Profit with Bug Bounties - Madhu Akula Null - DharamshalaNull - Dharamshala
  • 2. About Me ! root@localhost :~# whoami Madhu Akula Information Security Enthusiastic madhu.akula@hotmail.com www.madhuakula.com in.linkedin.com/in/madhuakula fb.com/madhu.akula twitter.com/madhuakula
  • 3. Agenda What and how to start Bug Bounties & My experience with bug bounties...
  • 4. What is bug bounty ? Vendor : ● Create a program ● Offer HOF (or) Swag (or) Reward (or) Duplicate ● Get the all vulnerabilities and Fix asap ! ● Make products and applications secure Researcher : ● Find the vulnerabilities in target ● Get mostly duplicates :P ● Other wise Hof, Swag (or) Reward ! ● Share in Social Network
  • 6. Who are eligible ? ● Are you able to p0p up
  • 7. Where to find the list? ● Here you go...
  • 8. How to start ??? ● Learn how things will work ● Owasp is our home to learn Web Application Security ● Do home work with Broken Web Apps ● Then apply what you learn ! Start with your requests untill you will get the response :)
  • 9. How to start ??? ● Your main resource for bug bounties is gathering Proof Of Concepts (POC) ! ● Checking blogs for write up ● Adding bug hunters into your friends list to get PoC's as well as new programs :p ● Checking for new vulnerabilities site:hackerone.com/reports/
  • 10. How to start ??? ● Take one site from the list of sites ● Check your luck with new sites ● Then try to map the target with attack surface ● Check for OWASP Vulnerabilities as first priority ● Check other type of vulnerabilities also ● Then get hof, swags and $$$$
  • 11. Common checks ! ● Cross Site Scripting ● Cross Site Request Forgery ● Injections ● Authentication and Session Mechanism ● Remote Code Execution ● Other...
  • 12. Resources Mozilla and addon's ● Live HTTP Headers ● Tamper Data ● Wappalyzer ● Foxyproxy ● Firebug ● Hack bar ● User switcher ● Others... writing custom scripts will give you more good and quick results searchdns.netcraft.com, www.wolframalpha.com - For subdomains finding ! Keep ready made report templates to become you are the first person to find ! Finally use https://pentest-tools.com Proxies ● Burp ● Owasp ZAP ● Any other Search Engine Discovery Google, Shodan, Bing, other Open Source ● Ironwasp ● Xenotix ● Many more... Bye bye to Scanners !
  • 13. My Experiance with Bug Bounties ! Started with Duplicates... Don't know what is bug hunting (n00b)
  • 14. Digging into deep ! ● only one target, find bugs untill you will be the first person to find ! ● Once you are the first person if is there any reward try more untill you will be listed in Top members...
  • 18. The End ! ● It's enough ● Realised that I'm wasting everyday 2hrs ● Luck is the best kick for duplicates ● Started as noob and got some expriance with app security ● Good friends in Social Networks ● Then started contributing to Open Source and got some CVE-2014-4329, CVE-2014-4722, CVE-2014-4853
  • 19. Conclusion Bug bounties are not only for rewards (or) fame. You will learn about new attacks and exploitation techniques by playing with other applications.