
Bug hunting for education, fun and profit 11-12-2018


  1. BUG HUNTING FOR EDUCATION, FUN AND PROFIT
  2. INTRO: PHILLIP WYLIE, CISSP, OSCP, GWAPT
     • PENTESTER @ U.S. BANK
     • ADJUNCT INSTRUCTOR OF ETHICAL HACKING @ RICHLAND COLLEGE
     • BUGCROWD AMBASSADOR
     • PWN SCHOOL FOUNDER
  3. WHAT ARE BUG BOUNTIES?
     • CROWDSOURCED PENTESTS/SECURITY ASSESSMENTS
     • MOSTLY WEB APPLICATION, BUT ALSO NETWORK, DEVICES, AUTOMOBILE
     • BUG BOUNTY PROGRAMS CAN BE MANAGED BY THE COMPANY UTILIZING BUG HUNTERS, OR MANAGED BY A BUG BOUNTY PROGRAM MANAGEMENT COMPANY LIKE BUGCROWD
  4. BUG HUNTING BENEFITS
  5. EARNING POTENTIAL (totally ballpark estimates, not official data)
     • 10-20 hours a week: $20k-$90k
     • 20+ hours a week: $100k-$500k
  6. KNOW YOUR SKILLSET
  7. WEB APP PENTESTING METHODOLOGIES
  8. CORE TOOL: AN INTERCEPTION PROXY
  9. DIVERGING PATHS FOR TESTING
  10. RECON (METHODOLOGY AND OSS TOOLS)
  11. MAPPING AN APPLICATION, KEYS FOR SUCCESS
     • Discern what valuable data is for the end user
     • Register multiple accounts
     • Register multiple roles
     • Exercise forms
     • Change account data
     • Upload files
     • Bookmark non-standard return content types
     • Profile OSS (Open Source Software) components
     • Try default creds
     • Profile dynamic inputs
  12. EDUCATIONAL RESOURCES
  13. EDUCATIONAL RESOURCES
     • BUGCROWD.COM/UNIVERSITY/
     • SAMURAI-WTF.ORG
  14. Q&A
  15. PWN SCHOOL LAB DEMO
