Fun & Profit with Bug Bounties - Tips for Getting Started
- Madhu Akula
Null - Dharamshala
About Me!
root@localhost:~# whoami
Madhu Akula
Information Security Enthusiast
madhu.akula@hotmail.com
www.madhuakula.com
in.linkedin.com/in/madhuakula | fb.com/madhu.akula | twitter.com/madhuakula
Agenda
What bug bounties are and how to start
&
My experience with bug bounties...
What is a bug bounty?
Vendor:
● Create a program
● Offer HOF (Hall of Fame), swag, a reward, or a "duplicate"
● Get all the vulnerabilities and fix them ASAP!
● Make products and applications secure
Researcher:
● Find the vulnerabilities in the target
● Get mostly duplicates :P
● Otherwise HOF, swag, or a reward!
● Share on social networks
History...
https://blog.crowdcurity.com/the-history-of-bug-bounty-programs/
Who is eligible?
● Are you able to p0p up
Where to find the list?
● Here you go...
How to start?
● Learn how things work
● OWASP is our home for learning web application security
● Do your homework with Broken Web Apps
● Then apply what you learn!
Start with your requests until you get the response :)
How to start?
● Your main resource for bug bounties is gathering Proofs of Concept (PoC)!
● Check blogs for write-ups
● Add bug hunters to your friends list to get PoCs as well as new programs :p
● Check for new vulnerabilities:
site:hackerone.com/reports/
How to start?
● Take one site from the list of sites
● Try your luck with new sites
● Then map the target's attack surface
● Check for OWASP vulnerabilities as first priority
● Check for other types of vulnerabilities too
● Then get HOF, swag and $$$$
Common checks!
● Cross Site Scripting
● Cross Site Request Forgery
● Injections
● Authentication and Session Mechanism
● Remote Code Execution
● Other...
Resources
Mozilla Firefox add-ons
● Live HTTP Headers
● Tamper Data
● Wappalyzer
● FoxyProxy
● Firebug
● HackBar
● User switcher
● Others...
Writing custom scripts will give you better and quicker results.
searchdns.netcraft.com, www.wolframalpha.com - for finding subdomains!
Keep ready-made report templates so that you are the first person to report a find!
Finally, use https://pentest-tools.com
Proxies
● Burp
● OWASP ZAP
● Any other
Search Engine Discovery
Google, Shodan, Bing, others
Open Source
● IronWASP
● Xenotix
● Many more...
Bye bye to scanners!
My Experience with Bug Bounties!
Started with duplicates...
Didn't know what bug hunting was (n00b)
Digging in deep!
● Only one target; find bugs until you are the first person to find one!
● Once you are the first person, if there is any reward, try more until you are listed in the top members...
After...
Many More...
The End!
● It's enough
● Realised that I was wasting 2 hours every day
● Luck is the best kick for duplicates
● Started as a noob and got some experience with app security
● Good friends on social networks
● Then started contributing to open source and got some CVEs:
CVE-2014-4329, CVE-2014-4722, CVE-2014-4853
Conclusion
Bug bounties are not only for rewards or fame. You will learn about new attacks and exploitation techniques by playing with other applications.
Demos & PoCs
Walkthrough!
Special Thanks!
http://null.co.in | fb.com/null0x00 | twitter.com/null0x00
