Web Application Security & Getting Into Bug Bounties
Kunwar Atul (kunwaratulhax0r)
root@whoami
• Kunwar Atul
• Yet another Appsec and DevSecOps Guy
• Break – Fix – Repeat
• Part time Bug Hunter
• Synack Red Team Member
• OWASP MASVS Hindi Contributor (Ongoing Project)
• DevSecOps University Contributor
• I Love Knowing What’s Going On (emerging vulns, tools, PoC), CTFs, Offensive Security Work, Cricket, and no compromise with food and coffee.
• Meme Lover
• Social media- kunwaratulhax0r
Agenda
• What Are Bug Bounty Programs?
• Bug Bounty Programs History
• Where Is India in Bug Bounty
• Why Bug Bounty Programs?
• Popular Bug Bounty Programs
• Types of Bug Bounty Programs
• Basic Technical Things to Get Started
• Choosing Your Initial Path
• Resources to Learn
• Sample Report Format
• Vulnerabilities Priorities
• Don’t Forget to Read Terms
• Practice
• References
• Q/A
• Thanks
What are Bug Bounty Programs
• A bug bounty program, also called a vulnerability rewards program (VRP), is a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs.
Bug Bounty Program History
Source: https://blog.cobalt.io/the-history-of-bug-bounty-programs-50def4dcaab3
Where is India in Bug Bounty
• “As long as there are software vulnerabilities, there will be millionaire hackers!” - Mårten Mickos (CEO, HackerOne)
• No one will be able to tell you everything about this field. It’s a long path, but you have to travel it alone with help from others. (Sudhanshu Rajbhar)
• If you think you will become successful overnight, or over a week, or over a month, this is not a field you should join. Doing bug bounties is very competitive; it might take a year at least to do well in bug bounty. You have to continue your learning, sharing, and more and more practice. You must have curiosity to learn about new things and explore the field on your own. There is a huge amount of education content out there for free. (Sudhanshu Rajbhar)
Why Bug Bounty Programs (Company Wise)
1. More eyes than you could ever pay. When you open it to the crowd, you get a lot more people looking over your system than you could ever hire. And you only pay the ones who find problems.
2. Building it right the first time is a myth. The best developers in the world still leave unexpected vulnerabilities open. You can dream of bulletproof code, or you can be prepared in case your dreams don't come true.
3. It can save you money. Breaches are expensive to recover from. Way more expensive than a few thousand dollars for a bounty. Plus some bugs involve eliminating pricing problems or unearned discounts.
4. It's not a crazy new thing. Little companies like Google, Facebook, Microsoft, Mozilla and PayPal all have bug bounties, so you won't have to do a ton of explaining to bug hunters. They know the drill.
5. You don't have to do it all yourself. HackerOne provides a hosted bug bounty platform where you can define parameters, eligibility and rewards. Similar services are also available from Cobalt and Bugcrowd.
Source: https://www.techrepublic.com/article/top-5-reasons-you-need-a-bug-bounty-program/
Why Bug Bounty Programs (Researcher Wise)
• Every time it will be a new learning.
• New Challenges
• New Technology
• And of course $$$$$$
Popular Bug Bounty Programs
• Bugcrowd
• HackerOne
• Synack (requires written exams, practical exams and background checks)
• Cobalt
• Zerocopter (invite-based)
• Intigriti
• YesWeHack
Types of Bug Bounty Programs
• Only Hall of Fame
• Hall of Fame With Certificate of Appreciation
• Hall of Fame with Swag / only Swag
• Hall of Fame with Bounty
• Only Bounty
Basic Technical Things to Get Started
• Web & Network Basics
• Linux Commands
• Web App Technologies
• Learn Basics of HTML, Java, PHP, Python, JavaScript
• OWASP Top 10
Choosing Your Initial Path
• Web Application Pentesting
• Mobile Application Pentesting (Android/iOS)
Resources to Learn
• Web Basics Resources
• https://www.tutorialspoint.com/web_developers_guide/web_basic_concepts.htm
• https://developers.google.com/web/fundamentals/security/
• http://www.alphadevx.com/a/7-The-Basics-of-Web-Technologies
• http://www.cs.kent.edu/~svirdi/Ebook/wdp/ch01.pdf
• HTTP Resources
• https://www.w3.org/Protocols/
• https://www.w3schools.com/whatis/whatis_http.asp
• https://www.tutorialspoint.com/http/http_status_codes.htm
• https://www.tutorialspoint.com/http/http_url_encoding.htm
• https://www.tutorialspoint.com/http/http_requests.htm
• https://www.tutorialspoint.com/http/http_responses.htm
• https://www.hacker101.com/sessions/web_in_depth
Resources to Learn
• Networking Resources
• https://commotionwireless.net/docs/cck/networking/learn-networking-basics/
• https://www.slideshare.net/variwalia/basic-to-advanced-networking-tutorials
• https://www.cisco.com/c/en/us/solutions/small-business/resource-center/networking/networking-basics.html
• http://www.penguintutor.com/linux/basic-network-reference
• https://www.utilizewindows.com/list-of-common-network-port-numbers/
• https://code.tutsplus.com/tutorials/an-introduction-to-learning-and-using-dns-records–cms-24704
• https://www.digitalocean.com/community/tutorials/an-introduction-to-networking-terminology-interfaces-and-protocols
• Linux Commands:
• http://linuxcommand.org/
• HTML
• https://www.w3schools.com/html/
• https://www.codecademy.com/learn/learn-html
• https://learn.shayhowe.com/advanced-html-css/
• https://htmldog.com/guides/html/advanced/
• PHP
• https://www.w3schools.com/php/
• https://stackify.com/learn-php-tutorials/
• https://www.codecademy.com/learn/learn-php
• https://www.guru99.com/php-tutorials.html
• https://www.codecademy.com/learn/paths/web-development
Resources to Learn
• C/C++
• https://www.youtube.com/watch?v=vLnPwxZdW4Y
• https://www.learncpp.com/
• https://www.codecademy.com/learn/learn-c-plus-plus
• https://www.sololearn.com/Course/CPlusPlus/
• JavaScript
• https://www.youtube.com/watch?v=PkZNo7MFNFg
• https://www.codecademy.com/learn/introduction-to-javascript
• https://learnjavascript.today/
• https://www.thebalancecareers.com/learn-javascript-online-2071405
• SQL
• https://www.youtube.com/watch?v=HXV3zeQKqGY
• https://www.w3schools.com/sql/
• https://www.codecademy.com/learn/learn-sql
Resources to Learn
• Bash
• https://www.tutorialspoint.com/unix/shell_scripting.htm
• https://www.learnshell.org/
• https://medium.com/quick-code/top-tutorials-to-learn-shell-scripting-on-linux-platform-c250f375e0e5
• Python
• https://realpython.com/
• https://comparite.ch/python-courses
• https://docs.python.org/3/tutorial/
• https://drive.google.com/drive/u/0/folders/0ByWO0aO1eI_MT1E1NW91VlJ2TVk?fbclid=IwAR35WNZwBQudINaZ10I5ZA2YDQdtNXSEwRyEiLEK91_csJ7ekN1ut7AQNeQ
• Ruby
• https://www.learnrubyonline.org/
• https://www.codecademy.com/learn/learn-ruby
• Golang
• https://tour.golang.org/welcome/1
• https://www.udemy.com/learn-go-the-complete-bootcamp-course-golang/
Resources to Learn
• Web Pentesting
• OWASP Testing Guide
• OWASP Top 10 2013
• OWASP Top 10 2017
• The Web Application Hacker’s Handbook
• Web Hacking 101
• Mastering Modern Web Penetration Testing
• Breaking Into Information Security
• Mobile Pentesting
• The Mobile Application Hacker’s Handbook
• Manifest Security by Aditya Agarwal
• Application Security Wiki by Aditya Agarwal
• The Mobile Application Security Guide
• OWASP Mobile Application Security Verification Standard (MASVS)
Resources to Learn
• YouTube Videos
• HOW TO GET STARTED IN BUG BOUNTY (9x PRO TIPS)
• Bug Bounty Hunting - Tools I Use
• LevelUp 0x02 - Bug Bounty Hunter Methodology v3
• Bug Bounty 101 - How To Become A Bug Hunter - Bug Bounty Talks
• The Truth About Recon (Bug Bounty Tips)
• BUGBOUNTY PRO TIPS FOR BEGINNERS: With Nahamsec
Sample Report Format
• Vulnerability Name
• Vulnerability Severity and CVSS Score
• Vulnerability Description
• Vulnerable URL
• Impact
• Payload
• Steps to Reproduce
• Mitigation
Vulnerabilities Priorities (Bugcrowd Vulnerability Rating Taxonomy priority levels)
• P1 - Critical: Vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, etc.
• P2 - High: Vulnerabilities that affect the security of the software and impact the processes it supports.
• P3 - Medium: Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
• P4 - Low: Vulnerabilities that affect singular users and require interaction or significant prerequisites (e.g. MitM) to trigger.
• P5 - Informational: Non-exploitable vulnerabilities in functionality. Vulnerabilities that are by design or are deemed an acceptable business risk to the customer.
Don’t Forget to Read Terms
• Before you start testing, read the disclosure policy and terms, and stay within scope. I often see newbies go out of scope; you don't want to start any drama or headaches, so be responsible for yourself and the actions you take. Give companies adequate time to act on any bugs that need fixing, and do not post a vulnerability publicly until it is fixed.
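“Stay within scope” is easiest to get wrong after subdomain enumeration, when a recon tool hands you hundreds of hosts and some of them belong to an excluded part of the program. The following is an added example, not from the deck or its author, of filtering recon output against a program's scope before any request is sent. It assumes the entry conventions most platforms print (exact hostnames, `*.domain` wildcards, CIDR ranges) and that an out-of-scope entry always overrides an in-scope one. The program scope, exclusions and recon list are constructed from reserved `example.com` and documentation IP space.

```python
"""Added example (not from the deck): keep recon output inside a program's
scope before anything is tested. Scope entries follow common platform
conventions: exact hostnames, '*.domain' wildcards and CIDR ranges. An
exclusion always beats an inclusion. All hosts and ranges are constructed."""
import ipaddress


def _host_matches(host, pattern):
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        # '*.example.com' covers subdomains at any depth but not the apex;
        # a program that wants the apex in scope lists it separately.
        return host.endswith(pattern[1:])
    return host == pattern


def _ip_matches(target, pattern):
    try:
        return ipaddress.ip_address(target) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # not an IP or not a CIDR: leave it to hostname matching
        return False


def in_scope(target, scope, out_of_scope):
    """True only when target matches an in-scope entry and no out-of-scope entry."""
    def hit(patterns):
        return any(_host_matches(target, p) or _ip_matches(target, p) for p in patterns)
    return not hit(out_of_scope) and hit(scope)


def filter_targets(targets, scope, out_of_scope):
    """Split recon output into (allowed, rejected); only 'allowed' goes to tooling."""
    allowed = [t for t in targets if in_scope(t, scope, out_of_scope)]
    rejected = [t for t in targets if t not in allowed]
    return allowed, rejected


# Constructed scope for a hypothetical program.
PROGRAM_SCOPE = ["*.example.com", "example.com", "203.0.113.0/24"]
PROGRAM_OUT_OF_SCOPE = ["corp.example.com", "*.corp.example.com", "203.0.113.200"]
# Constructed subdomain-enumeration output, including the usual traps.
RECON_OUTPUT = [
    "api.example.com", "dev.api.example.com", "example.com",
    "vpn.corp.example.com", "corp.example.com",   # excluded by the program
    "examplecdn.com",                             # looks related, not in scope
    "203.0.113.7", "203.0.113.200", "198.51.100.4",
]

if __name__ == "__main__":
    allowed, rejected = filter_targets(RECON_OUTPUT, PROGRAM_SCOPE, PROGRAM_OUT_OF_SCOPE)
    print("test these:", allowed)
    print("do NOT touch:", rejected)
```

Two details matter in practice: a `*.example.com` wildcard does not cover `example.com` itself unless the program lists the apex, and `examplecdn.com`-style lookalikes that appear in certificate transparency or DNS data are not in scope just because they share a name. Run this (or something like it) on every recon list before pointing a scanner at it.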
Practice! Practice! and Practice
1. Hacker101
2. Web Security Academy by PortSwigger
3. Bug Bounty Notes
4. PentesterLab
5. Hack The Box
6. Damn Vulnerable Web Application (DVWA)
7. XSS Game by Google
8. VulnHub
9. Hack.me
10. And many more
References
1. https://medium.com/inbughunters/getting-started-in-bug-bounty-7052da28445a
2. https://medium.com/@impratikdabhi/how-to-get-started-into-bug-bounty-1be52b3064e0
3. https://whoami.securitybreached.org/2019/06/03/guide-getting-started-in-bug-bounty-hunting/
4. https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102
Q/A
Thank You Everyone
