Shubham Gupta, profile picture
Uploaded byShubham Gupta
PPTX, PDF2,014 views

Bug Bounty - Play For Money

This document provides an overview of bug bounty hunting. It discusses: - What bug bounty programs are and how they work - A brief history of major bug bounty programs from the 1990s to present day - Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment - Popular bug bounty platforms and programs - How to get started with the process of bug hunting - Tips for writing bug reports that document the issue and steps to reproduce it - Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept

Internet
Related topics:
Information Security

Embed presentation

Downloaded 86 times
{ Bug Bounty Play for Money
#Whoami
Shubham Gupta (@hackerspider1) Just another random lazy guy interested in security Security Consultant at Pyramid Cyber Security & Forensic Bug Bounty Hunter {Just do when I need money BCA Graduate {Doesn’t Matter Penetration tester
Lucky Enough
 Introduction  History  Why bug hunting?  How to do bug hunting?  Quick Tips  POC  Pros and Cons of bug hunting.  Q&A Agenda
What is #Bug Bounty • Also calls as VRP (Vulnerability Reward Program) • Company (Security Team/Vendor) Create Program. Offer Cash , HOF , Swag. Acknowledge Your Work. • Researchers / Bug Hunter Hit Target and Get Bugs. Sometimes Duplicates , Sometime $$$ , Sometime Swag. Recheck Bug After Fix.
A Brief History of Bug Bounty Programs. - 1995 (Net Scape) - 2004 (FIREFOX) - 2005 - 2007 - 2010 - 2011 - 2012 - 2013 -2013 (Cobalt) - 2013 (Synac k)
Why bug hunting?  Chances of finding bugs to put on your cv.  Possibility of getting job.  lots of money in very less time  Cool T-shirts, Hoodies, Mugs and many more swags  Recognition  Connections  Less security breaches  Enjoyment  Person will Learn to work hard because of Competition
Bug Bounty Programs And Platforms • Popular Programs - Google (Min 100$ & Max 20000$) - Yahoo (Min 50$ & Max 15000$) - Facebook Min 500$ - Want to know More  Github  Twitter  Microsoft
Want Few More? https://bugcrowd.com/list-of-bug-bounty-programs https://hackerone.com/directory https://cobalt.io/programs
Popular Platform BugCrowd Managed Security Program for Company 27125 World Wide Researcher 200+ Programs HackerOne Security Inbox for Company 133+ Public Program 6.91M Paid Synack Everyone Want To Join Cobalt
How to kickoff for hunting bugs?
How to do bug hunting?  Bug hunting is all about Exploring Weaknesses and Experimentation.  It requires 30% programming knowledge and 70% logical out of box thinking.  Try each and every Combination to exploit bug .  Dig dipper.  Try more to find logical bugs it will increase your chance for higher payouts and reduce chances for Duplicates.
Quick Tips
How to Write Report? Title Issue Information Step by step instruction to reproduce the bug Impact Mitigation
POC
Video Demo
Yahoo Xss Filter Bypass
SVG XSS  One of the most unique bug of 2015 and easy to find.  Most of the web based projects include svg for a clear and interactive user experience.  To verify this answer I created an svg file with an XSS vector below and started testing the websites that allow images .
Live Demo of SVG XSS on BugCrowd
Tapjacking Live Demo POC Video
Thanks  -My Nigga

More Related Content

PPTX
Bug bounty
byn|u - The Open Security Community
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
PPTX
Bug Bounty 101
byShahee Mirza
 
PDF
Bug bounty null_owasp_2k17
bySagar M Parmar
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PDF
Bug Bounty Secrets
byn|u - The Open Security Community
 
PDF
Api security-testing
byn|u - The Open Security Community
 
Bug bounty
byn|u - The Open Security Community
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Secure Code Review 101
byNarudom Roongsiriwong, CISSP
 
Bug Bounty 101
byShahee Mirza
 
Bug bounty null_owasp_2k17
bySagar M Parmar
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Bug Bounty Secrets
byn|u - The Open Security Community
 
Api security-testing
byn|u - The Open Security Community
 

What's hot

PDF
Introduction to Web Application Penetration Testing
byNetsparker
 
PPTX
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
byAdam Nurudini
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Introduction to path traversal attack
byPrashant Hegde
 
PPTX
Brute force attack
byjoycruiser
 
PDF
Bug Bounty - Hackers Job
byArbin Godar
 
PPTX
Introduction to penetration testing
byNezar Alazzabi
 
PPT
Penetration Testing Basics
byRick Wanner
 
PPTX
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PDF
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Introduction to Cybersecurity
byKrutarth Vasavada
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPTX
security misconfigurations
byMegha Sahu
 
PDF
Simplified Security Code Review Process
bySherif Koussa
 
PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 
Introduction to Web Application Penetration Testing
byNetsparker
 
Unrestricted file upload CWE-434 - Adam Nurudini (ISACA)
byAdam Nurudini
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Introduction to path traversal attack
byPrashant Hegde
 
Brute force attack
byjoycruiser
 
Bug Bounty - Hackers Job
byArbin Godar
 
Introduction to penetration testing
byNezar Alazzabi
 
Penetration Testing Basics
byRick Wanner
 
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
Waf bypassing Techniques
byAvinash Thapa
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
OWASP Top 10 2021 What's New
byMichael Furman
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
byAbhinav Mishra
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Introduction to Cybersecurity
byKrutarth Vasavada
 
Web application security & Testing
byDeepu S Nath
 
security misconfigurations
byMegha Sahu
 
Simplified Security Code Review Process
bySherif Koussa
 
Cybersecurity Attack Vectors: How to Protect Your Organization
byTriCorps Technologies
 

Similar to Bug Bounty - Play For Money

PPTX
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
PPTX
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
PPTX
Crypto Night at CSUS - Bug Bounties
byBehrouz Sadeghipour
 
PDF
Yet another talk on bug bounty
byvinoth kumar
 
PDF
Fun & profit with bug bounties
byn|u - The Open Security Community
 
PPTX
Getting_Started_with_Bug_Bounty program.
byglcrushgaming
 
PDF
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
PPTX
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
PPTX
Bug bounty
byRamin Farajpour Cami
 
PDF
Hunting bugs - C0r0n4con
byAnchises Moraes
 
PDF
Bug Bounty Career.pdf
byVishal318796
 
PPTX
Bug bounties - cén scéal?
byCiaran McNally
 
PPTX
Bug bounty cash for hack
byAtul Shedage
 
PPTX
Bug Bounty
byHariprasad KA
 
PPTX
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bybugcrowd
 
PDF
Owasp LA
byleifdreizler
 
PDF
Bug Bounty Blueprint : A Beginner's Guide
byVarun Mithran
 
PDF
BugBounty Tips.pdf
byKhaledMohamed767546
 
PPTX
Bug bounty hunting
byredteamacademypromo
 
PPTX
LKNOG3 - Bug Bounty
byLKNOG
 
Web Application Security And Getting Into Bug Bounties
bykunwaratul hax0r
 
Basics of getting Into Bug Bounty Hunting
byMuhammad Khizer Javed
 
Crypto Night at CSUS - Bug Bounties
byBehrouz Sadeghipour
 
Yet another talk on bug bounty
byvinoth kumar
 
Fun & profit with bug bounties
byn|u - The Open Security Community
 
Getting_Started_with_Bug_Bounty program.
byglcrushgaming
 
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and A...
byMazin Ahmed
 
Bug Bounty #Defconlucknow2016
byShubham Gupta
 
Bug bounty
byRamin Farajpour Cami
 
Hunting bugs - C0r0n4con
byAnchises Moraes
 
Bug Bounty Career.pdf
byVishal318796
 
Bug bounties - cén scéal?
byCiaran McNally
 
Bug bounty cash for hack
byAtul Shedage
 
Bug Bounty
byHariprasad KA
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
bybugcrowd
 
Owasp LA
byleifdreizler
 
Bug Bounty Blueprint : A Beginner's Guide
byVarun Mithran
 
BugBounty Tips.pdf
byKhaledMohamed767546
 
Bug bounty hunting
byredteamacademypromo
 
LKNOG3 - Bug Bounty
byLKNOG
 

Recently uploaded

PDF
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
PPTX
TOPFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.ppX
bycontactvidyawan
 
PDF
Darknet Master Tor and Deep Web Secrets (Procolo Scotto).pdf
bykuldeepbauddh1
 
PDF
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
PDF
Trusted Phone Tracker App (2026)_ How to Choose a Legit, Secure, Consent-Base...
bySophia Clark
 
PDF
Openclaw Corporate Infrastructure at Risk.pdf
byGaneshShri2
 
PPTX
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 
AI Girlfriend Platforms Compared 2026 AI Angels Janitor AI Character AI Candy AI
byAi Angels
 
TOPFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.ppX
bycontactvidyawan
 
Darknet Master Tor and Deep Web Secrets (Procolo Scotto).pdf
bykuldeepbauddh1
 
Think before you Click (Ligap Project) - SI Ebhonu at FGGC.pdf
bySylvester Ebhonu
 
Trusted Phone Tracker App (2026)_ How to Choose a Legit, Secure, Consent-Base...
bySophia Clark
 
Openclaw Corporate Infrastructure at Risk.pdf
byGaneshShri2
 
Mind Sound Resonance Technique (MSRT) Teacher Training Course.pptx
byKaruna Yoga Vidya Peetham
 

Bug Bounty - Play For Money

  • 1.
  • 2.
  • 3.
    Shubham Gupta (@hackerspider1) Justanother random lazy guy interested in security Security Consultant at Pyramid Cyber Security & Forensic Bug Bounty Hunter {Just do when I need money BCA Graduate {Doesn’t Matter Penetration tester
  • 4.
  • 7.
     Introduction  History Why bug hunting?  How to do bug hunting?  Quick Tips  POC  Pros and Cons of bug hunting.  Q&A Agenda
  • 8.
    What is #BugBounty • Also calls as VRP (Vulnerability Reward Program) • Company (Security Team/Vendor) Create Program. Offer Cash , HOF , Swag. Acknowledge Your Work. • Researchers / Bug Hunter Hit Target and Get Bugs. Sometimes Duplicates , Sometime $$$ , Sometime Swag. Recheck Bug After Fix.
  • 9.
    A Brief Historyof Bug Bounty Programs. - 1995 (Net Scape) - 2004 (FIREFOX) - 2005 - 2007 - 2010 - 2011 - 2012 - 2013 -2013 (Cobalt) - 2013 (Synac k)
  • 10.
    Why bug hunting? Chances of finding bugs to put on your cv.  Possibility of getting job.  lots of money in very less time  Cool T-shirts, Hoodies, Mugs and many more swags  Recognition  Connections  Less security breaches  Enjoyment  Person will Learn to work hard because of Competition
  • 11.
    Bug Bounty ProgramsAnd Platforms • Popular Programs - Google (Min 100$ & Max 20000$) - Yahoo (Min 50$ & Max 15000$) - Facebook Min 500$ - Want to know More  Github  Twitter  Microsoft
  • 12.
  • 13.
    Popular Platform BugCrowd Managed SecurityProgram for Company 27125 World Wide Researcher 200+ Programs HackerOne Security Inbox for Company 133+ Public Program 6.91M Paid Synack Everyone Want To Join Cobalt
  • 14.
    How to kickofffor hunting bugs?
  • 15.
    How to dobug hunting?  Bug hunting is all about Exploring Weaknesses and Experimentation.  It requires 30% programming knowledge and 70% logical out of box thinking.  Try each and every Combination to exploit bug .  Dig dipper.  Try more to find logical bugs it will increase your chance for higher payouts and reduce chances for Duplicates.
  • 16.
  • 17.
    How to WriteReport? Title Issue Information Step by step instruction to reproduce the bug Impact Mitigation
  • 18.
  • 20.
  • 21.
  • 22.
    SVG XSS  Oneof the most unique bug of 2015 and easy to find.  Most of the web based projects include svg for a clear and interactive user experience.  To verify this answer I created an svg file with an XSS vector below and started testing the websites that allow images .
  • 24.
    Live Demo ofSVG XSS on BugCrowd
  • 25.
  • 27.

Editor's Notes

  • #2 Before I start giving my presentation I just want to know how many of you are familiar with bug bo unty
  • #3 So ladies and gentleman I’m going to present the bug bounty play for money
  • #5 I’m lucky enough to find vuln. In google, yahoo, twitter actually there are so many company I don’t remember all of the name u can find all of them.
  • #9 Lets start with what is bug bounty? Bug bounty is also called as VRP vuln. Reward program bassically there are two section in bug bounty Company and researcher in professional we
  • #23 the page will render the content of the xml as html , so resulting on a xss vulnerability.
  • #24 23
  • #26 UI Redressing (Tap jacking) attack may trick users into tapping a specifically crafted malicious App popup window (e.g. toast view), making it a gateway for varied threats such as framing attack. Using this technique, a malicious App could potentially trick a user into making purchases, clicking on ads, installing Apps, or even wiping all of the data from the phone.