The document discusses bug bounty hunting. It introduces Shubham Gupta and Yash Pandya who are security consultants and top bug hunters. It outlines the agenda which includes an introduction to bug bounty programs, reasons for bug hunting, how to find bugs, quick tips, proofs of concept, pros and cons, and a Q&A. It provides a brief history of bug bounty programs and notes that now anyone can participate from home. It discusses types of bugs and tools used for hunting. Quick tips include using Google dorks, testing for information disclosure vulnerabilities, and completing challenges to improve skills. Examples are provided of unique bugs found like SVG XSS and an IDOR issue found in Google.

1. Bug Bounty
Shubham Gupta & Yash Pandya

2. About Us

3. Shubham Gupta
Just another random guy interested in security
Web Application Hacker
Security Consultant at Pyramid Cyber Security & Forensic
I’ve been got acknowledgement by more than 100
companies like as Google, Microsoft, Twitter, Yahoo, Adobe.
Among top 100 bug hunter in Hackerone.
Penetration tester

4. Yash Pandya
 23 yr old Electronics and communication engineer from
Gujarat .
 i have experience in R&D on Embedded systems ,
networking, image processing, Robotics ,RTOS and Web
application security.
 Working as a Senior Security tester at IGATE GLOBAL
Solutions.
 I’ve been got acknowledgement by more than 100
companies like as Google, Microsoft, Yahoo, Apple, AT&T.
 My primary goal is to give contribution towards open source
technologies and make cyber space more secure and safer.

5. Agenda
Introduction
Why bug hunting?
How to do bug hunting?
Quick Tips
POC
Pros and Cons of bug hunting.
Q&A

6. INTRODUCTION

7. A Brief History of Bug Bounty Programs.
- 1995 (Net Scape) - 2004 (FIREFOX)
- 2005 - 2007
- 2010
- 2011
- 2012 - 2013
-2013
(Cobalt)
- 2013
(Synack
)

8.  Now even a College dropout or even school boy can do that seating at
home so BIG THANKS TO BUGBOUNTY PROGRAMME!!! :D
 In 2015 few researchers set a great example for community by earning
5,00,000$/year without doing any job.
 BYE BYE !!!!
 2015 was really challenging year for BUGBOUNTY Hunters.
Because “><img src=x onerror=prompt(1)> was not gonna work :P .

9.  In 2015 bug hunters Proved that
 Bug hunters going to do anything to earn more money in 2015 because of that they
started thinking out of the box scenarios.
 Some of the creative and impressive bugs reported in 2015 are as below:
I. Svg File upload xss.
II. CSV Injections
III. EL Injections.
IV. Sub domain takeover
V. Same Origin bypass

10. Bug bounty hunters dream hall of fame companies

11. Why to invest time in hunting bugs
rather then development?

12. Why bug hunting?
 Chances of finding bugs to put on your cv.
 Possibility of getting job.
 lots of money in very less time
 Cool T-shirts, Hoodies, Mugs and many
more swags
 Recognition
 Connections
 Less security breaches
 Enjoyment
 Person will Learn to work hard
because of Competition

13. Types of bugs.
 Web Vulnerabilities.
 Software Products Vulnerabilities
 Browser Vulnerabilities
 Network Vulnerabilities
 Mobile app Vulnerabilities.
 Hardware Vulnerabilities.

14. How to kickoff for hunting bugs?

15. How to do bug hunting?
 Bug hunting is all about Exploring Weaknesses and
Experimentation.
 It requires 30% programming knowledge and 70% logical out of
box thinking.
 Try each and every Combination to exploit bug .
 Dig dipper.
 Try more to find logical bugs it will increase your chance for higher
payouts and reduce chances for Duplicates.

16.  OWASP Testing Guide / Web Application Hackers
handbook.
 Public reports and papers from .
https://packetstormsecurity.com/
http://h1.nobbd.de/
https://www.facebook.com/notes/phwd/facebook-bug-
bounties/707217202701640
Tools
 Burp/ZAP/Fiddeler.
 Ironowasp.
 Appwatch
 Appie

17. QUICK TIPS

18. Quick Tips
 Don’t use scanner.
 Use Google Dorks.
I. EX: inurl: src|path|link|url
II. filetype:asp|aspx|jsp|jspa|php
 Make your own.
 Create Google alerts for recent changes in Bug bounty programmes or
for any other security related blogs.

19.  Look out for information disclosure which are quick to find:
I. https://www.site.com/.htaccess if you are lucky then you will get
access of .htaccess. Now go and report this bug and earn some $$ .
II. Go to https://www.site.com/server-status
III. GO to https://www.site.com/.svn/entries
.
 Try for Directory traversal using python script and using it try to find RCE .
 IDOR by changing id parameters in request .
 Unauthorized access of Data. Ex: Try to access pics or conversations or files which
is deleted using api.

20.  Try to Complete CTF, online hacking Challenges.
 Attend Webinars, Security Conferences.
 Make Good relations with other security researchers and try to learn
something from them.
 Try to report Exploitable bugs .Don’t waste your and other’s time by
reporting Non-Exploitable issues.
 Try to test each platform IOS, ANDROID, SOFTWARE , Web
Applications.
 Read as much as you can.

21. POC

22. Svg XSS
 One of the most unique bug of 2015 and easy to find.
 Most of the web based projects include svg for a clear and interactive user
experience.

23.  To verify this answer I created an svg file with an XSS vector below and started
testing the websites that allow images .

25. Most
of the
site is
vulner
able
for svg
xss.

26. I was like

27. 5 IDOR in GOOGLE’S
ACQUISITION
Title: IDOR : DELTE any user's Pagerduty services from stack driver.
URL: https://app.stackdriver.com/settings/notifications/pagerduty/
Steps to reproduce:
1. go to https://app.stackdriver.com/settings/notifications/pagerduty/
2. Add service
3. click on delete service
4. capture the request using burp suite
5. From Captured request change notification_method_id=any value
6. Remove x-CsrfToken value from request.
7. submit the request
you can successfully delete pagerduty service of any user.

28. Request:
GET /api/settings/policies-by-notification-
method?notification_method_id=821&amp;notification_method_type=pagerduty
HTTP/1.1Host: app.stackdriver.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101
Firefox/38.0Accept: application/json, text/plain, */*Accept-Language: en-
US,en;q=0.5Accept-Encoding: gzip, deflate
X-CSRFToken: sNLQRp560GcTsDf228EWmzhoAfRt3XMg
Referer: https://app.stackdriver.com/settings/notifications/pagerduty/
Cookie: __utma=25593471.1715845722.1411286450.1444643859.1445864251.5;
csrftoken=sNLQRp560GcTsDf228EWmzhoAfRt3XMg;

29. Some time you can be lucky

30. Subdomain Takeover in Avant
Parth thanks for writing that code 

32. Insecure Internal Storage

33. DO’S AND DON’TS

34. Do’s and Don’ts
 When don’t “pay” don’t invest much time.
 Don’t be a script kiddie always dig dipper.
 Play by your own rules
 Learn about the most common eligible vulnerabilities, how to find
them, and how to increase your chances of receiving rewards.
 Become an effective hunter and start reporting bugs for cash in no
time.

35. Thanks 

36. What to do with bug bounties?