Bug Bounty - Play For Money
•Download as PPTX, PDF•
1 like•1,894 views
This document provides an overview of bug bounty hunting. It discusses: - What bug bounty programs are and how they work - A brief history of major bug bounty programs from the 1990s to present day - Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment - Popular bug bounty platforms and programs - How to get started with the process of bug hunting - Tips for writing bug reports that document the issue and steps to reproduce it - Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept
Report
Share
Bug Bounty - Play For Money
- 1. { Bug Bounty Play for Money
- 2. #Whoami
- 3. Shubham Gupta (@hackerspider1) Just another random lazy guy interested in security Security Consultant at Pyramid Cyber Security & Forensic Bug Bounty Hunter {Just do when I need money BCA Graduate {Doesn’t Matter Penetration tester
- 4. Lucky Enough
- 7. Introduction History Why bug hunting? How to do bug hunting? Quick Tips POC Pros and Cons of bug hunting. Q&A Agenda
- 8. What is #Bug Bounty • Also calls as VRP (Vulnerability Reward Program) • Company (Security Team/Vendor) Create Program. Offer Cash , HOF , Swag. Acknowledge Your Work. • Researchers / Bug Hunter Hit Target and Get Bugs. Sometimes Duplicates , Sometime $$$ , Sometime Swag. Recheck Bug After Fix.
- 9. A Brief History of Bug Bounty Programs. - 1995 (Net Scape) - 2004 (FIREFOX) - 2005 - 2007 - 2010 - 2011 - 2012 - 2013 -2013 (Cobalt) - 2013 (Synac k)
- 10. Why bug hunting? Chances of finding bugs to put on your cv. Possibility of getting job. lots of money in very less time Cool T-shirts, Hoodies, Mugs and many more swags Recognition Connections Less security breaches Enjoyment Person will Learn to work hard because of Competition
- 11. Bug Bounty Programs And Platforms • Popular Programs - Google (Min 100$ & Max 20000$) - Yahoo (Min 50$ & Max 15000$) - Facebook Min 500$ - Want to know More Github Twitter Microsoft
- 13. Popular Platform BugCrowd Managed Security Program for Company 27125 World Wide Researcher 200+ Programs HackerOne Security Inbox for Company 133+ Public Program 6.91M Paid Synack Everyone Want To Join Cobalt
- 14. How to kickoff for hunting bugs?
- 15. How to do bug hunting? Bug hunting is all about Exploring Weaknesses and Experimentation. It requires 30% programming knowledge and 70% logical out of box thinking. Try each and every Combination to exploit bug . Dig dipper. Try more to find logical bugs it will increase your chance for higher payouts and reduce chances for Duplicates.
- 16. Quick Tips
- 17. How to Write Report? Title Issue Information Step by step instruction to reproduce the bug Impact Mitigation
- 18. POC
- 20. Video Demo
- 21. Yahoo Xss Filter Bypass
- 22. SVG XSS One of the most unique bug of 2015 and easy to find. Most of the web based projects include svg for a clear and interactive user experience. To verify this answer I created an svg file with an XSS vector below and started testing the websites that allow images .
- 24. Live Demo of SVG XSS on BugCrowd
- 25. Tapjacking Live Demo POC Video
Editor's Notes
- Before I start giving my presentation I just want to know how many of you are familiar with bug bo unty
- So ladies and gentleman I’m going to present the bug bounty play for money
- I’m lucky enough to find vuln. In google, yahoo, twitter actually there are so many company I don’t remember all of the name u can find all of them.
- Lets start with what is bug bounty? Bug bounty is also called as VRP vuln. Reward program bassically there are two section in bug bounty Company and researcher in professional we
- the page will render the content of the xml as html , so resulting on a xss vulnerability.
- 23
- UI Redressing (Tap jacking) attack may trick users into tapping a specifically crafted malicious App popup window (e.g. toast view), making it a gateway for varied threats such as framing attack. Using this technique, a malicious App could potentially trick a user into making purchases, clicking on ads, installing Apps, or even wiping all of the data from the phone.