Crypto Night at CSUS - Bug Bounties


Transcript of Crypto Night at CSUS - Bug Bounties

Page 1: Crypto Night at CSUS - Bug Bounties

By Ben Sadeghipour

Twitter.com/NahamSec

[email protected]

http://nahamsec.com

WHEN I GROW UP I WANT TO BE A (BUG) BOUNTY HUNTER

Page 2: Crypto Night at CSUS - Bug Bounties

WHO AM I

• STUDENT AT CSUS.

• SECURITY ANALYST AT BUGCROWD .

• FREELANCER AND INDEPENDENT RESEARCHER SINCE 2014.

Page 3: Crypto Night at CSUS - Bug Bounties

WHY BUG BOUNTIES?

• As a student:

• Gives you a chance to work with great, successful companies as well as new ones.

• You can put your work on your resume.

• Job offer(s).

• Make money on your own schedule.

• As a company:

• Fewer security breaches (hopefully).

• More researchers from across the world.

• More experience.

• Unique bugs.

Page 4: Crypto Night at CSUS - Bug Bounties

WHERE CAN I START?

• Books:

• The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws Paperback – September 27, 2011 ($35)

• The Mobile Application Hacker's Handbook Paperback – February 24, 2015 ($54)

• Android Hacker's Handbook ($30)

• iOS Hacker's Handbook ($30)

• Twitter – Great communication tool between researchers.

• Online bug bounty communities:

• Bugcrowd

• HackerOne

• CrowdCurity

• Synack

Page 5: Crypto Night at CSUS - Bug Bounties

TOOLS

• Firefox extensions:

• Tamper Data is a Firefox extension which gives you the power to view, record and even modify outgoing HTTP requests.

• Live HTTP Headers

• User Agent Switcher - to test mobile versions of sites.

• Hackbar: helps with SQL and XSS testing; it also encodes and decodes strings and does ASCII conversion.

• Burp Suite

• WHAT DOESN’T IT DO?

• Conferences – great networking tool:

• DefCon ~$150 (VEGAS)

• BlackHat (VEGAS)

• APPSEC (Varies)

Page 6: Crypto Night at CSUS - Bug Bounties

BUGCROWD

• Managed or unmanaged programs.

• 16,000+ researchers from all over the world.

• ~160 bounties.

• 40,000+ submissions.

• Max single payout: $13,000.

• Bugcrowd Forum

• Lots of private programs (!)

Page 7: Crypto Night at CSUS - Bug Bounties

HACKERONE

• "Security Inbox".

• 1,374 hackers thanked.

• 84 public programs.

• $2.78M bounties paid.

• ~9,000 bugs fixed.

• Internet bug bounty:

• PHP

• Ruby

• Apache.

• Etc.

• Private programs (!)

Page 8: Crypto Night at CSUS - Bug Bounties

SYNACK

• Who knows?

• Ex-NSA

• Everything is unknown

• Don’t like to share

Page 9: Crypto Night at CSUS - Bug Bounties

CROWDCURITY

• CrowdCurity

• Web application security

• Main focus on Bitcoin.

• ~1,700 researchers.

• No public data.

Page 10: Crypto Night at CSUS - Bug Bounties

WHO HAS A BUG BOUNTY? WHO DOESN'T (obviously Sony!)

• https://bugcrowd.com/list-of-bug-bounty-programs

Page 11: Crypto Night at CSUS - Bug Bounties

POPULAR YOU SAY?

• Why?

• Yahoo pays a minimum of $50 and up to $15,000.

• Google pays a minimum of $100 and up to $20,000.

• Facebook pays a minimum of $500 with no maximum payout.

• GitHub pays a minimum of $500.

Page 12: Crypto Night at CSUS - Bug Bounties

QUANTITY VS QUALITY?

• Most programs have an accurate reputation system:

• Google.

• Yahoo.

• Bugcrowd (accuracy).

• HackerOne (reputation).

• Better reputation = more opportunities:

• Private events.

• Private Programs.

Page 13: Crypto Night at CSUS - Bug Bounties

MAXIMIZING YOUR PAYOUT

• Don't doubt yourself.

• You may still be the first to find it.

• Check everything!

• Every parameter.

• Every POST request.

• User input validation.

• Forms

• Profile pages.

• Filters (can you bypass them?).

• Don't go for the low-hanging fruit:

• Higher payout for critical vulnerabilities.

• You may find some low-severity bugs while looking for more critical ones.

• Lower chance of duplicates.

Page 14: Crypto Night at CSUS - Bug Bounties

METHODOLOGY

• Pick a target.

• Pick an application.

• Pick a vulnerability type.

• Google:

• site:tw.*.yahoo.com -news -sports -knowledge -house -travel -money -fashion -dictionary -charity -autos -emarketing -maps -serviceplus -screen -tech -mail -talk -bid -uwant -stock -mall -buy -myblog -movies -games -safely -bigdeals -finance -info -mobile -help

Page 15: Crypto Night at CSUS - Bug Bounties

PICK UP A PATTERN

• Look for the same parameter, functionality, file type or file name in the same or other subdomains of the website.

• 3 SQL injections on Yahoo found by using Google:

• Site:hk.*.yahoo.com + inurl:”id” + filetype:html

• Try the same vulnerability with other programs.

• Profit!

Page 16: Crypto Night at CSUS - Bug Bounties

PICKING UP A PATTERN?

(Not my sponsors. Just vulnerable to the same bug)

Page 17: Crypto Night at CSUS - Bug Bounties

MAKING A REPORT

• Be very specific.

• Provide step-by-step instructions.

• Include all the details needed in order to reproduce the issue.

• Provide an attack scenario.

• Why is it a big deal?

• Can you access major private data?

• Are you targeting a single user?

• Provide screenshots if needed.

• If you create a video, make it accurate, quick, and professional.

• Ask for permission before you decide to publish your findings.

Page 18: Crypto Night at CSUS - Bug Bounties

ACHIEVEMENTS FROM BUG BOUNTIES

• Connections.

• Free services from different companies.

• Job offer(s).

• Some cash.

• Lots of experience.

Page 19: Crypto Night at CSUS - Bug Bounties

LEARN FROM YOUR PEERS!

• Read about how others are approaching different vulnerabilities:

• @NahamSec (http://nahamsec.com)

• @Securatary (http://uzbey.com/bbp-funding)

• @FransRosen (http://detectify.com)

• @BitQuark (http://bitquark.co.uk)

• @Fin1te (http://fin1te.net)

• More awesome researchers:

• http://bugcrowd.com/leaderboard

• https://www.crowdcurity.com/hall-of-fame

• http://hackerone.com/thanks

Page 20: Crypto Night at CSUS - Bug Bounties

QUESTIONS?

• Ben Sadeghipour (@NahamSec)

• http://nahamsec.com