The document discusses bug bounty hunting and provides suggestions for finding bugs. It introduces the author and their background in security. It encourages participants in bug bounty programs to look beyond XSS and use manual testing to find bugs like clickjacking. Resources listed include active bug bounty program lists and tools like Firefox to aid the process. The overall message is having a dream and asking questions to continue learning about security.

1. Bug Bounty
Hunter's Confession

2. About Me
Web App Guy
Google, Facebook, Twitter
Member of garage4hackers.com
HackIM CTF Team member
@amolnaik4

3. Dream
Hall of Fame

4. Inspiration

5. Plan
I know XSS
Payloads available
Target sub-domains, example codes

6. Bug

7. What was it ?
XHR call
No GET/POST payload
Victim types XSS payload
Self-XSSSelf-XSS

8. Solution
Use UI Redressing
HTML5 Drag-Drop
Thanks to @Lavakumar

9. PoC

10. What Next ?

11. Clickjacking
Source: Imperva.com

12. Why Clickjacking ?
No one found it in Bounty program
Easy to find & exploit
– Look for iFramable Pages
– And interesting Action
HTML5 Drag-Drop

13. Bugs
Remove Google Books

14. More...
Remove Google Health, Orkut

15. And More...
Facebook ClickJacking

17. CSRF
Source: @johnwilander

18. CSRF in Bounty Programs
Actions with NO CSRF Token
– Simple
Actions with CSRF Token
– Remove token
– Garbage token

20. Suggestions
Participate in Bounty program
– To learn
– To earn
– Fame
Not only XSS
Use manual testing

21. Resources
Bounty Programs
– List of active bug bounty programs:
– http://blog.bugcrowd.com/list-of-active-bug-bounty-programs/
Read the scope !!
Tools
– Firefox
– Tamper Data
– Live HTTP Headers
– And many more ...

22. And...
Have a Dream

23. Questions
AMol NAik
http://amolnaik4.blogspot.com
@amolnaik4