bug bounty cash for hack

Post on 15-Jul-2015

Category: Career


TRANSCRIPT

#Remember?

# And?

One More last And

What's Common?

#BugBounty

Bug Bounty

Cash for Hack

Who Am I (#whoami)

Atul Shedage

@atul_shedage

Instructor at suruji.com

Bug Bounty Hunter (only whenever I run out of money :P)

Creator of SVWA (suruji vulnerable web application)

Laravel Developer (PHP Framework)

BSc Graduate (MSc in Progress)

Lucky Enough

And

Anddddd

Agenda

• What is BugBounty.

• History.

• Why join Bug Bounty.

• Bug Bounty Programs and Platforms.

• How to Start with Bug Bounties.

• Tools to Use.

• Reporting / Bug Submission

• My Experience with Bug Bounty.

What is #BugBounty?

• Also called VRP (Vulnerability Reward Program)

• Company (Security Team / Vendor) creates the program: offers Cash, HOF (Hall of Fame), Swag; fixes bugs; acknowledges your work.

• Researchers / Bug Hunters hit the target and find bugs. Sometimes duplicates, sometimes $$$, sometimes Swag. Recheck the bug after the fix. Write a blog post.

History

Image Credit crowdcurity.com

Why Join Bug Bounty?

• $$$$

• Swag (Tshirts + Stickers + Mugs + Company Gadgets)

• Free Service

• HOF

Bug Bounty Program and Platform

• Popular Programs

– Google (Min $100 & Max $20,000)

– Yahoo (Min $50 & Max $15,000)

– Facebook (Min $500)

– Want to know more?

• Github

• Twitter

• Etsy

Want few more?

• https://bugcrowd.com/list-of-bug-bounty-programs/

• https://hackerone.com/programs

• https://www.crowdcurity.com/programs

Popular Platform

• BugCrowd

– Managed Security Programs for companies

– 14,300 worldwide researchers

– 200+ Programs

• HackerOne

– Security Inbox for companies

– 70+ Public Programs

– $1.9M Paid

• Synack

• CrowdCurity

How to start with BugBounties

• Theory

– OWASP Top 10

– WASC 26 Classes

• Practicals

– SVWA (Suruji Vulnerable Web Application)

– OWASP Mutillidae

– DVWA

– Hack.me

• Read Blog Posts

• Follow some researchers on Twitter

http://h1.nobbd.de/

Key Points

Ninja Skills? No Way!!!!

Common Bugs

• XSS (Cross Site Scripting)

• CSRF (Cross Site Request Forgery)

• Business Logic

• Insecure Direct Object References

• ClickJacking

• Session Management and Brute Force

• 0-Day CMS Vulnerabilities

Tools to Use

• BurpSuite (http://portswigger.net/)

• Google, Bing, Yahoo (Google Dorks)

• Mozilla Addons

– Tamper Data

– HackBar

– Live HTTP Headers

– User Agent Switcher

Reporting and Bug Submission

• Make a standard format

– Vulnerability Name

– Domain

– Vulnerable Subdomain

– Infected URL

– POC (Proof Of Concept)

– Browser / Operating System

– Description

My Experience

https://hackerone.com/reports/41409

Any Questions?