This document provides an introduction to bug bounty programs. It discusses what a bug bounty is, which are popular bug bounty platforms, how to choose target programs, reconnaissance methods like subdomain enumeration and content discovery, attacking single domains by analyzing requests and responses and hidden endpoints, and provides examples of the author's past bug bounty finds. The presentation ends by answering any questions about bug bounty programs.

1. Saying Hello
To Bug Bounty
Shakti Ranjan Mohanty (3ncryptsaan)

2. [~]$ whoami
 Brand Ambassador at Hackerone.
 Hackerone verified clear hacker.
 Security Researcher at Hackerone.
 Lead security Engineer at Threatsys
Technologies Pvt. Ltd.
 Hall of Fames at Microsoft, Google,
Twitter, Shopify and many more.
Shakti Ranjan Mohanty

3. 01
Introduction To Bug
Bounties
Recon Methodology
Attacking single
Domains
02
03
04
05
Case Studies of My
findings
Ask your Questions ?

4. Introduction To Bug
Bounties
01

5. Bug Bounty ??
A bug bounty is a monetary reward given to ethical hackers for successfully
discovering and reporting a vulnerability or bug to the application's developer.
What is Bug Bounty Program ?
Bug bounty programs allow independent security researchers to report bugs to an
organization and receive rewards or compensation.
Popular Platforms ?
Hackerone, Bugcrowd, Yeswehack, Intigriti, Yogosha, Synack, Immunefi etc.
Cvss, CIA?
Eligibility ?

6. How to choose a Target ?
Scope:
Generally, we have two type of scopes in Web apps ( single or main domain ,
wildscope domain)
Bounty Amount:
Bounty amount matters as all have different prospective for money. People often
wants high payout targets.
Response Time:
Slow response time will lead to frustration and laziness, as a hunter we always
want quick responses.
Platform:
We will always love a place where we can track everything about our bug report,
this is what lacks on a self hosted Bug bounty program.
Policy:
Reading out the rules by program and acknowledging what they focus on

7. Recon
02

8. Recon on wild scope target
Bruteforcing Subdomains?
For bruteforcing subdomains of the target, we can use Assetfinder, Subfinder , Amass etc.
For better result use all
subfinder -d example.com -o sub.txt
assetfinder example.com --subs-only | tee -a asset.txt
Filtering Out Unique ones
From the above , we may have got the same results on both file, To filter unique ones For better result use
all.
cat *.txt | sort -u | tee -a unique.txt
Finger printing the live domains
cat live-domain.txt | httpx --title -tech-detect -status-code --follow-redirect

9. Recon on wild scope target
Content discovery
There are lots of way to gather contents.
a- Google Dorking
inurl:
site:
intext:
index of "value"
intitle:
b- Fuzzing directory
python3 dirsearch.py -u example.com
c- Archieve pages
Waybackurls example.com

10. Attacking single
domain Target
03

11. Attacking single domain Target
• Analyzing The requests and
Response
• Observing the app more than anyone
• Analyzing the Js files for
hidden endpoints
• Trying to access premium
features for free
• xss, injections, ssrf, Access
control issues etc.

12. Case Studies of My
findings
04

13. My Findings
https://medium.com/@shakti.gtp/
an-out-of-scope-domain-leads-
to-a-critical-bug-1500-
f228d2c7db4b
Finding Two
https://medium.com/@shakti.gtp/i
f-its-a-feature-let-s-abuse-it-
for-750-19cfb9848d4b
Finding One

14. Takeaways
 Before reporting Don't think that the
bug may have been reported, there is
always a bug waiting for you.
 Report and Forget, Don't expect Too
much from that.
 Don't learn bug bounty, Learn
Cybersecurity. Bug bounty is just a
part of it.

15. Ask your Questions ?
05

16. CREDITS: This presentation template was created
by Slidesgo, including icons by Flaticon,
infographics & images by Freepik and
illustrations by Stories
THANKS!
Do you have any questions?
shakti.gtp@gmail.com
+91 7008978755
https://twitter.com/3ncryptSaan
https://www.linkedin.com/in/shakti-
ranjan-mohanty/
https://www.instagram.com/3ncrypts
aan