This is a presentation about how to do well in bug bounty programs. The slides explain a few best practices suggested by top bug hunters around the world.
For further details about the presentation/suggestions feel free to contact @abhijeth.
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
Bug Bounty Hunting for Companies & Researchers: Bounty Hunting in Sudan and Abroad - Mazin Ahmed
http://blog.mazinahmed.net/2016/10/bug-bounty-hunting-swiss-cyber-storm.html
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 - Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj... - Frans Rosén
Regardless of how sophisticated your framework is, or how many layers of firewalls and mitigation techniques are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exists everywhere: from WordPress with username enumeration issues, to Twitter, where remote attackers could delete credit cards for the ad service, to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
This was part of a 3-hour talk for students at a local college. Introduction to post exploitation with PowerShell Empire. Feel free to use and learn from.
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver - EC-Council
CLOUD PROXY TECHNOLOGY [THE CHANGING LANDSCAPE OF THE NETWORK PROXY]
This class will cover the distinctions between traditional proxy technology and the emergence in recent years of cloud proxy and why it matters to organizations today. We will review real use cases and their corresponding screen shots to provide a stimulating session.
Our Website Hacked Trend Report provides insights on the top open-source CMS security, out-of-date software, and specific malware families we see on hacked websites in the Sucuri environment.
We’ve built this analysis from prior reports to identify the latest tactics, techniques, and procedures (TTPs) detected by our Remediation Group. A total of 18,302 infected websites and 4,426,795 cleaned files were analyzed in our recent publication.
Tony will discuss high-level findings on a range of topics, including:
- Affected open-source CMS applications
- Outdated CMS and blacklist analysis
- Malware families and their effects
Webinar: CWAF for Mid Market/Enterprise Organizations - Sucuri
In today's complex security landscape, web applications pose a significant risk to Mid-Market and Enterprise organizations.
The question is, how can an organization secure their web properties without sacrificing performance? The answer may be a Cloud-based Web Application Firewall.
This webinar will introduce the concept of the CWAF, and the benefits of web application security in the cloud.
Samples of topics covered include:
- What is a cloud-based web application firewall
- The benefits of using a CWAF
- How to improve security and performance
- How to implement a CWAF in complex web environments
This live Q&A-based webinar is designed for development managers, large websites with unique and complex infrastructure/server environments, and anyone who is concerned about securing their web applications.
Insights provided in the webinar will help you operate more secure networks, infrastructure, and web applications.
You can see the video recording of this webinar at the end of the slides.
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
The recent trend of using Attack and Defense Together.
Due to the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope to benefit those on the Attack side (red team), Defensive (blue team) and mixing the two.
How To Spot a Wolf in Sheep's Clothing (a.k.a. Account Takeover) - Nick Malcolm
Almost two thirds of confirmed breaches involve using weak or stolen passwords - it’s not a new threat, but it works. By the end of this talk you will understand the Account Takeover threat, and walk away with some techniques & tools for detection and response within your own web applications.
Jason Yee - Chaos! - Codemotion Rome 2019 - Codemotion
As applications become more distributed and complex, so do our failure modes. In this presentation, I’ll share why you shouldn’t just embrace failure, but why you should induce it to intentionally cause and learn from failure. Together with the audience, I'll run a Chaos experiment to show how they can start their own Chaos engineering and make their systems more resilient.
What is bug bounty
How to start with bug bounty
My career as a bug bounty hunter
Advantages of participating in bug bounty programs
Advantages of conducting a bug bounty program
Disappointments in bug bounty
Popular bug bounty platforms
Tips and resources
Identity in the Future of Embeddables & Wearables - Jonathan LeBlanc
The audio recording of this talk is available at https://archive.org/details/identity_wearables_embeddables
Ways of identifying a person to the technology around them are shifting from antiquated external body definitions to internal body functions. In this session, we'll explore how the technology behind this embeddable and wearable movement works, exploring vein recognition biometrics, heartbeat identification, and going into embeddable body modifications as sources of identification.
How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth
1. How to do well with Bug bounties?
-- ABHIJETH D
2. Agenda
Introduction
Finding the right target
Information gathering
Approach to discover vulnerabilities
Using various vulnerability scanners
POC writing
Few sample potential RCEs
Annnd thennnnnnn bug hunting
3. www.abhijeth.com www.null.co.in @abhijeth @nullhyd
Hello
Time to brag:
Security Consultant at TCS for bread and butter
Love speaking and training
Got lucky with Google, Y!, Microsoft, Twitter, etc.
Love anime and politics !!
Trying to contribute to the security community and start-ups in Hyd.
Abhijeth Dugginapeddi
www.abhijeth.com
@abhijeth
Fb.com/abhijethd
4. What is a bug bounty program
YOU FIND A VULNERABILITY
DO SOME R&D
GET FREE T SHIRTS
FREE SWAG
MOST IMPORTANTLY EARN SOME BOUNTY
“HALL OF FAME”
5. Why do companies run such programs
ARE THEY DUMB TO PAY HACKERS??
Free publicity
Cost efficient
Improve security
9. The road not taken
Start with easier sites
Find sites which were not tested by many
New bug bounty program leads to better success
Find the right domain to find a bug.
12. A better approach
Mixed content
Click Jacking
Logical by pass
Bruteforce
Directory Listing
Open redirects
And when they don’t “pay”, don’t invest much time!! Remember, even a CJ (click jacking) can give you a HOF (Hall of Fame)
13. Few Tips
Next time you get a single vuln in different domains, make sure you submit "individual" reports.
It is always important to find the “right” domain to attack
A right sub domain can give you a HOF in less than an hour
Understand the logic before you start your magic
It is very very very important to write a neat POC.
Presentation skills do matter!!!
20. Special Thanks
Harsha Vardhan Boppana: For sharing his secrets
Gineesh George: In office, fortunately the only guy who can “hack”
Lalith and Varun Kakumani: My partners :D