How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth
Download as PPTX, PDF8 likes5,644 views
The document provides guidance on succeeding in bug bounty programs, including tips on target selection, information gathering, and methods to discover vulnerabilities. It emphasizes the importance of choosing the right domain and writing clear proofs of concept for submissions. The author shares personal experiences and encourages participation in the security community.
How to do well in Bug bounty programs. Presentation at @nullhyd by Abhijeth
- 1. How to do well with Bug bounties? -- ABHIJETH D
- 2. Agenda Introduction Finding the right target Information gathering Approach to discover vulnerabilities Using various vulnerability scanners POC writing Few sample potential RCEs Annnd thennnnnnn bug hunting
- 3. www.abhijeth.comwww.null.co.in@abhijeth @nullhyd Hello Time to brag: Security Consultant at TCS for bread and butter Love speaking and training Got lucky with Google, Y!, Microsoft, Twitter .. Etc Love anime and politics !! Trying to contribute to the security community and start-ups in Hyd. Abhijeth Dugginapeddi www.abhijeth.com @abhijeth Fb.com/abhijethd
- 4. What is a bug bounty program YOU FIND A VULNERABILITY DO SOME R&D GET FREE T SHIRTS FREE SWAG MOST IMPORTANTLY EARN SOME BOUNTY “HALL OF FAME”
- 5. ” “Why do companies run such programs ARE THEY DUMB TO PAY HACKERS?? Free publicity Cost efficient Improve security
- 6. Where to get the list !!!
- 7. Lets start …!! How do we start ?? Which hall of fame do you want to get into ?
- 9. The road not taken Start with easier sites Find sites which were not tested by many New bug bounty program leads to better success Find the right domain to find a bug.
- 10. Finding sub.sub.sub.domain It is always important to find a sub domain
- 11. They say ..!!! BBP is all about XSS
- 12. A better approach Mixed content Click Jacking Logical by pass Bruteforce Directory Listing Open redirects And When don’t “pay” don’t invest much time!! Remember even a CJ can give you a HOF
- 13. Few Tips Next time you get a single vuln in diff domains, make sure you submit "individual" reports. It is always important to find the “right” domain to attack A right sub domain can give you a HOF in less than an hour Understand the logic before you start your magic It is very very very important to write a neat POC. Presentation skills do matter!!!
- 14. My Dupe Stories….!! First Magento
- 15. Then Facebook and Yahoo
- 16. Even Google
- 17. What do you realize??
- 20. Special Thanks Harsha Vardhan Boppana For sharing his secrets Gineesh George In office, fortunately the only guy who can “hack” Lalith and Varun Kakumani My partners :D