The document provides an overview of the game of bug bounty hunting, including a brief history of bug bounty programs, the present state of platforms like HackerOne and BugCrowd, tips for getting started, techniques for finding different types of vulnerabilities, examples of famous bounty submissions, and potential drama one may face. It also includes suggestions for resources, tools, blogs, and people to follow to continue learning and developing skills in bug bounty hunting.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 (Frans Rosén)
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu... (HackerOne)
Hackerone Chief Bounty Officer, Adam Bacchus, a fire breathing, mohawk wearing stud presented his "Bug Bounty Reports - How Do They Work?" at Nullcon 2017 in Goa, India for the Bounty Craft tracks. In this presentation you will learn:
- How to know and research your audience
- What are the atomic materials of a good bug report?
- Good, Bad, and Ugly examples of bug reports (taxi driver anyone?)
- What are some helpful resources
- And more!!
All these juicy details will help you level-up your reporting game and get you MORE bounties, invitation to BETTER programs, and INSANE exposure and love from fellow hackers.
IDA Vulnerabilities and Bug Bounty by Masaaki Chida (CODE BLUE)
IDA Pro is an advanced disassembler and is often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail; if there is a vulnerability in it and the user is attacked, the impact is not only social but can also affect legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging those vulnerabilities, Hex-Rays's remediation process and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
Presented at OWASP AppSecUSA 2011
It's all about scale; how can an organization possibly keep up with a growing number of web applications, features, and supported capabilities with a limited security team? One option that has provided successful results for several companies is a bug bounty program. These programs successfully engage the world community and bring many eyes towards the common good.
This talk will discuss the benefits and risks of a bounty program for web applications. What types of organizations consider starting a bounty? How would an organization start such a program and what should they expect? Is the return worth the effort? How does such a program compete with the black market?
In addition to these topics, we will also discuss the progress, metrics and lessons learned from the Mozilla web application bounty that was launched in December 2010.
Meet the hackers powering the world's best bug bounty programs (HackerOne)
Not even the strongest or most skilled organizations have the headcount and capacity to avert system vulnerabilities on their own.
There is strength in numbers.
Hackers are that army - and at HackerOne, there's 80,000+ white hat hackers who want to make your software more secure.
Hackers ARE: Problem-solvers, Curious, Technically skilled, Diverse in background and education
Hackers are NOT: Criminals. Using their skills for a malicious purpose
This presentation dives into who these hackers are and what motivates them. We look at some successful hacker profiles and see what separates the best from the rest.
Recon and Bug Bounties - What a great love story! (Abhijeth D)
In this talk, the speaker will demonstrate a few effective techniques with which researchers/pen testers can do better information gathering. The speaker will also share many stories of how these recon techniques allowed him to earn some bounties. These techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation, which are often missed during normal penetration testing. These might not be “best practices” but are definitely “good practices” and “nice to know” things while doing penetration testing.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built, and more complex payloads to evade filters and WAFs. In these slides, techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
Hi Everyone,
This presentation is on logical attacks. It can be helpful in bug bounties while doing bug hunting and vulnerability research in web applications, mobile apps (Android, iOS, Windows), web services, APIs etc., and for making a career in the information security domain.
It's not an introduction to Web Application Security.
A talk about some new ideas and cool/obscure things in Web Application Security.
More like “Unusual Bugs”
General WAF detection and bypass techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
Just as the title says, we go over the humble origins, touch on the notable variants of yesteryear, the big hitters of today, and discuss the future of ransomware. It's no longer just for windows anymore. Linux, Mac and Mobile platforms are all ripe for extortion.
This humorous and entertaining talk teaches everyone, from Mom and Pops to large enterprise organizations what's really happening and how to protect themselves.
Vulnerabilities in modern web applications (Niyas Nazar)
Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
This presentation covers cross-site scripting attacks and defences in web applications. The talk was delivered as part of an OWASP Hyderabad Chapter meet. Comments and suggestions are welcome.
This talk is about how I got 50 CVEs in a week. I used to play bug bounties and other security penetration testing challenges. After that realization I started contributing to the Open Source Community, found several critical bugs and got proper satisfaction for the work. Then I met like-minded people and started bug hunting with Code Vigilant (http://codevigilant.com), a project for securing open source software.
This is the slide deck I gave when presenting at FSU's AITP Meeting. The goal was to give a high level description of what Pen Testing/Red Teaming is and what the job entails.
TSC Summit #4 - How to get browser persistence and remote execution (JS) (Mikal Villa)
A simple PoC showing how insecure random HTTP proxies are, and how easily people can be tricked into traps.
Disclaimer: No data collected under the PoC was saved after the presentation, and everything was removed from the user browsers without any harm or stealing of information or any criminal activity at all.
ExpoQA 2018 - Why software security has gotten worse? And what can we do abou... (Santhosh Tuppad)
As technology evolved, software security faced huge challenges and as the years passed, the world has seen drastic changes far too quickly. And along with these advancements, even black-hat hackers or malicious hackers have evolved also very well. Today, the internet is the place for everyone where hackers dwell almost all the time. Every day new applications are released to the web and users start using them and even get addicted to them due to outstanding UX. But, wait! Did someone think about the "security" layer of these applications? Well, we often don’t and most of the applications today suffer from "beggarly / bad security".
In this talk, Santhosh Tuppad will focus on the pitfalls of bad security and why software security has failed in a pretty way. He will also shed light on how your users may be facing bigger problems than you can imagine due to bad software that lacks security testing. He will also demonstrate some of the lethal problems that exist in the industry and will talk about technical impact, business impacts like reputation damage, revenue loss and a lot more.
Not only that, Santhosh won’t end his talk without some hacking demonstrations that will for sure wow you. Finally, he will tell you how you can start security testing from day 1 and start contributing in terms of building secure software.
From this talk, you will gain an understanding of the problems that a lack of security testing presents and find out about tool-assisted security testing: performing security tests through questioning. After the talk, you will be able to start identifying risks and reporting common vulnerabilities, giving you a feeling of “I can do this”.
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team (OWASP Delhi)
This slide is all about Google bug hunting.
How you should report the bug?
What things you should consider while reporting?
Life cycle of your Vulnerability report submission
Hit by a Cyberattack: lessons learned. When you get hacked, how did it happen and what do you do? Rough side notes of a presentation for IFE, 8 December 2015.
I am often asked how to contribute to Open Source. We all use it, benefit from it and we the value added, and at some point we start to feel bad about being just consumers. "Maybe I should help out? What if I fixed these 2 bugs I hit every day?", some of us think. In this talk I'm going to talk about what I learned about the dynamics of open source projects and how you can make contributing back to them your daily habit. Open source often has a high quality bar and some of us are hesitant to publicly make mistakes during the learning curve, but I found that it's the best way to learn as an engineer. After this talk I hope you'll see how leaving your mark in your favorite tools can be useful and fulfilling.
In today's charged atmosphere, activists (and anyone who is politically active) are targeted for surveillance, hacking, and even threats to their safety from police, the government, hackers, even white supremacists.
This introductory class explains the basics of computer security and offers tips on protecting your privacy online. We talked about using encryption to communicate with your friends and comrades, how to select passwords and use a password manager, the basics of Virtual Private Networks, and other introductory topics.
This is the slides of the online talk given at @NullBhopal. This introduces people to Open Source INTelligence and their uses in daily life and pentesting.
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
1. The Game of Bug Bounty
Hunting
Money, Drama, Action and Fame
By,
Abhinav Mishra | 0ctac0der
2. Let’s get a bit friendly first
Me?
Abhinav Mishra | @0ctac0der | Bug Bounty Hunter | Freelancer. Have questions?
And you?
Name? | What are you? | Security Exp? | Bug Hunter?
In the meantime, copy the content to your laptops. Install VirtualBox and copy the Kali ISO. Run Kali Linux as a virtual machine. Help your neighbors (yes, this applies even if he is a guy)
3. What’s on the plate?
● All you need to know about bug bounty and platforms
○ History & present | Who can do it? What are the skills needed? Where to start from?
○ About Hackerone. | About BugCrowd.
○ Penetration Testing and Bug Bounties
● Need Some Motivation?
○ How much money are we talking about? MONEY
○ Where do you stand? Where do I stand?
● Bug Hunter’s Avenue
○ How do I do it? Building your approach?
○ Choose your Goose (to get golden eggs) and Let’s do it …. ACTION
○ Resources and Tools I use (suggest), Blogs and People to follow
● Best submissions on H1 (those I love) - FAME
● Dark Side: Mishaps, Blunders and some (ugly) famous reports :) - DRAMA
4. Bug Bounties
What is it? Hack → Report → Get Paid
History of Bug Bounties:
Read more & Image credit : https://cobalt.io/blog/the-history-of-bug-bounty-programs/
5. Present Status of Bug Bounty Programs
● Most Famous Platforms:
○ HackerOne - Founded in 2012
○ BugCrowd - Founded in 2012
● Worldwide 488+ Public Programs (as per BugCrowd List)
● What you get? Cash | Bitcoins | Swag | Hall Of Fame
● Who can participate?
○ Technically? Anyone.
● What are the skills required?
○ Web/Mobile/Infra hacking skills, reporting skills, sharp mind, out of the “room” thinking (because the box is too small)
● Where to start?
○ Process is very simple. Register to BB platforms → Choose program → Hack → Report
7. About HackerOne, BugCrowd & Public programs
● Two most popular Bug Bounty Platforms.
● Provide a great platform for white hats to sharpen the skills and earn cash.
● Public and Private programs to participate.
● Individual bug bounty platforms: Facebook, Google, Microsoft.
● List of all bug bounty programs:
○ BugCrowd Maintained List
○ FireBounty List
● Openbugbounty : Link
8. Bug Bounty Motivation #1 (Money)
Let’s have a tea break… 10 min.
If we started at right time, it should be 11.45 AM now.
9. Approach
What To Do
● The earlier, the better
● Be the user first
● Understand the logic, to break it
● Have custom methods, payloads
● Not just XSS, CSRF, IDOR, SQLi…
● Reporting is the money multiplier
● Be professional
What Not To Do
● XSS : ctrl c → ctrl v everywhere
● Low fruits are never the best
● The easy way is not the right way
● Half filled submissions
● Only OWASP Top 10?
● Irresponsible in responsible disclosures.
● Don’t do #Beg-Bounty
10. Enough. So what next?
Next 1 Hour:
● Exploring the scope of a program. Building the approach.
● Lookout for low hanging fruits.
● Some cool tricks to speed up the hunting
● Tools and scripts which might help
● Reporting .. how to do this?
● Attack scenario and Exploit
After that (for 0.5 Hours):
● Choose your target
● Hunt for bugs, let’s see who is going to buy us a drink.
11. Action Begins Here...
● Exploring the scope
○ Read the “Rules of Engagement” and “Program Description”
○ Subdomain enumeration: knockpy mydomain.com, or Recon-ng (Link)
○ If the scope is “*.mydomain.com”, search Google with “inurl:mydomain.com -www”
○ Mobile apps? Reverse engineer them to find URLs.
○ Mobile websites… https://m.mydomain.com
● Port scan, service detection & low hanging fruits
○ Do not miss the server
■ Port scanning: nmap is your buddy. nmap -sS -A -Pn -p- mydomain.com (the original slide's “-p” had no port list; “-p-” scans all ports)
○ Publicly accessible Grails console; fuzz for hidden files or insecure URLs.
■ Wfuzz, google
12. Low hanging fruits….
Remember, everyone is looking for them, but only one wins.
● Finding XSS
○ Inject to find XSS: Link
○ Unicode transformation issues, by @tbmnull: PDF here
● CSRF: (Ref: https://whitton.io/)
13. Low hanging fruits…. Chase #2
● SSL issues (SSLscan),
● Wordpress bugs (WPScan)
○ wpscan --url "https://www.mydomain.com/blog"
● Fuzzing (Wfuzz)
○ wfuzz -c -z file,<SecLists wordlist> --hc 404 https://www.mydomain.com/admin/FUZZ
● Session related vulnerabilities
○ Fixation, Reuse, Expiration
○ Insecure cookies, no account lockouts
○ Password reset bugs: token reuse, token generation etc.
○ Auto session logout on all devices? And mobile app?
○ Account enumeration, Clickjacking, Info disclosures
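Several of the session items above (insecure cookies, clickjacking, transport protection) can be checked from a single response before any manual testing. The script below is an added example, not code from the original slides: it parses a raw HTTP response, audits every Set-Cookie header for Secure/HttpOnly/SameSite, and checks for X-Frame-Options (or a CSP frame-ancestors directive) and HSTS. Both responses are constructed samples and the helper names are hypothetical.

```python
# Added example (not from the slides): a response-header audit for the
# session-related low-hanging fruit listed above. Helper names are
# hypothetical and both HTTP responses are constructed samples, not captures.

# Constructed: a response with the usual omissions.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/\r\n"
    "Set-Cookie: remember=1; Path=/; Secure\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Constructed: the same response with the attributes and headers added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: remember=1; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP response.
    Set-Cookie may repeat, so a list is used rather than a dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> list[str]:
    """Flag a Set-Cookie value lacking Secure, HttpOnly or SameSite=Lax/Strict."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable from script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict (CSRF surface)")
    return findings


def audit_response(raw: str) -> list[str]:
    """Cookie audit plus clickjacking and HSTS checks; [] means clean."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []
    for n, v in headers:
        if n == "set-cookie":
            findings.extend(audit_cookie(v))
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    if "x-frame-options" not in names and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security (HSTS) header")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["clean"])
```

On the constructed weak response this reports seven findings; on the hardened one, none. Each finding maps to one line of a report, with the response header as evidence, which is the kind of half-filled submission the approach slide warns against if you leave the evidence out.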
14. Bug Bounty Motivation #2
Let’s have a tea break… 10 min.
If we started at right time, it should be 1.30 PM now.
15. Slightly higher
● SQLi | Sample report: Link
● Insecure direct object reference (Game of “Eena Meena Deeka“) | Sample report: Link
● XXE vulnerabilities | Sample report: Link (My personal fav)
● Remote code execution | Sample report: Link
● Priv Esc or Authorization bypass | Sample report: HackerOne Link
● Server Side request forgery (SSRF) | Sample report: HackerOne Link
● HTTP response splitting | Sample report: HackerOne Link
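The IDOR and authorization-bypass entries above come down to one missing check: the handler looks an object up by a client-supplied id but never asks whether the caller may see it. The following is an added example, not code from the original slides or any of the linked reports: a vulnerable lookup beside the fixed one, which checks ownership (or an explicit role) and returns the same error for “missing” and “not yours” so the endpoint cannot be used to enumerate ids. Names are hypothetical and the invoice records are constructed.

```python
# Added example (not from the slides): the object-level authorization check
# whose absence is an IDOR / authorization bypass ("Eena Meena Deeka" over
# sequential ids). Names are hypothetical; the invoice records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed data store: two customers, sequential invoice ids.
INVOICES = {
    1001: Invoice(id=1001, owner_id=1, amount=250),
    1002: Invoice(id=1002, owner_id=2, amount=999),
}


class NotFound(Exception):
    """Raised for a missing invoice and for one the caller may not see."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Authenticated, but never asks whether the invoice belongs to the caller,
    so any logged-in user can walk 1001, 1002, ... and read everyone's data."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_fixed(current_user_id: int, invoice_id: int,
                      roles: tuple[str, ...] = ()) -> Invoice:
    """Look the object up, then check ownership (or an explicit support role)
    before returning it. 'Missing' and 'not yours' raise the same error so
    the endpoint cannot be used to enumerate which ids exist."""
    invoice = INVOICES.get(invoice_id)
    authorized = invoice is not None and (
        invoice.owner_id == current_user_id or "support" in roles
    )
    if not authorized:
        raise NotFound(invoice_id)
    return invoice


def can_read(current_user_id: int, invoice_id: int, roles=()) -> bool:
    """Boolean wrapper around the fixed lookup, handy for tests and demos."""
    try:
        get_invoice_fixed(current_user_id, invoice_id, roles)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print("user 1 reads 1002 (vulnerable):", get_invoice_vulnerable(1, 1002))
    print("user 1 reads 1002 (fixed):", can_read(1, 1002))
    print("support reads 1002 (fixed):", can_read(3, 1002, roles=("support",)))
```

Switching to random or opaque ids makes guessing harder but is not the fix; the ownership check in `get_invoice_fixed` is, and it is what a good report should ask the program to add.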
16. Out of the “room” findings (Fame)
Refer these incredible findings:
● Uber Bug Bounty: Turning Self-XSS into Good-XSS : Link
● How I hacked Hotmail : Link
● Command injection which got me "6000$" from #Google : Link
● Content Types and XSS: Facebook Studio : Link
17. Time is the “BOSS”
Any specific vulnerability that you want to know how to hunt?
18. Bug Bounty Motivation #3
Let’s have a tea break… 10 min.
If we started at right time, it should be 2.45 PM now.
19. Choose your Goose (for golden eggs)
What now? (30 Min)
● Register on any platform (BugCrowd or HackerOne), or choose a public program if you want.
● Hunt for bugs.
● Ask questions. Push yourself to go beyond just salary :)
At the same time:
● Follow the bounty rules.
● Follow responsible disclosure. Do not make the bug public (if you get lucky).
● Reporting is the hidden secret.
20. Bug Bounty Motivation #4
Let’s have a tea break… 10 min.
If we started at right time, it should be 3.30 PM now.
21. The Dark side (Drama)
Case 1. The unexpected “Facebook” and an over-curious hacker.
The story from Wes’s point of view: Link
22. The Dark side Part 2
Case 2. A desperate, unprofessional, greedy, abusive report deserves this.
23. Where to go next?
Resources:
● How to become a Bug Bounty Hunter (BugCrowd)
● Researcher Resources - Tutorials (BugCrowd)
● The Bug Hunters Methodology (Jason Haddix)
Public Bug Reports:
● Bug Bounty POC. All Bug Bounty POC write ups by Security Researchers. Link
● The unofficial HackerOne disclosure timeline (HackerOne Reports): Link
● Public Pentest reports : Link
24. Where to go next?
Blogs to Follow:
● BugCrowd Blog
● HackerOne Blog
● Jack Whitton’s Blog
● Hack 2 Learn. Master the art of Cross Site Scripting. Brute Logic’s Blog
● Bug Bounty Findings by Meals. Meal’s Blog
Remember, all the resources, tools, blogs and examples shown by me in this session are just a few of the hundreds (if not thousands) that are out there on the internet. The best way to find them: do not remain AFK.
25. "Computers are useless. They can only give you answers."
- Pablo Picasso
If we started at the right time, it should be 4 PM now.