
Webinar at Fergusson College Pune about Bug Bounty in Cyber Security.

Ninad Mathpati

July 11, 2020

Transcript

  1. Bug Bounty As a Career
    “Create your own path and live it”
    Ninad Mathpati

  2. Whoami?
    ▪ Web application security engineer @Arisglobal.
    ▪ Security Researcher @Synack, @Bugcrowd.
    ▪ Hacker with an ethical bent of mind.
    ▪ Developer with skills.
    ▪ Known as Hacker2202
    ▪ Find more details about me & my work @ ninadmathpati.com

  3. Disclaimer
    ▪ Nothing presented here in today's session gives you permission to hack.
    ▪ Always hack with proper approvals.
    ▪ Use this knowledge for educational purposes only.

  4. What is this talk about?
    ▪ My journey & experience in cybersecurity.
    ▪ How can you be a successful bug hunter?
    ▪ Things needed to move forward in Bug Bounties.
    ▪ Can Bug Bounty be opted for as a career option?
    ▪ Myths about the certifications.
    ▪ Tips/Tricks.

  5. Journey & Experience in Cybersecurity.
    ▪ Hacking is in my veins; I started at an early age, nearly 10 years back from now.
    ▪ As it was my passion and I had no access to PCs and laptops, I used internet cafes to learn and try stuff.
    ▪ All these years I was passively working in this field; for the past 3 years I have thought of becoming active in this field.
    ▪ In the past 3 years I have achieved many things that I hadn't thought of too.

  6. Journey & Experience in Cybersecurity.

  7. Journey & Experience in Cybersecurity.
    ▪ The journey in this field is a bit difficult, but possible.
    ▪ Some people take up to 6 months of continuous hard work to get their 1st bounty.
    ▪ Be motivated: today might not be yours, but tomorrow will definitely be yours.
    ▪ Eat -> Sleep -> Hack -> Repeat

  8. How can you be a successful bug hunter?
    ▪ Start with the basics.
    ▪ Understand the workflow of the applications.
    ▪ For example, start with some basic development (Web/Mobile).
    ▪ Understand how the data is transferred from the browser to the servers.
    ▪ Then move forward with hacking: Application security, Network security, IoT security, etc.
    ▪ Nowadays almost every field has a bug bounty program.

  9. How can you be a successful bug hunter?
    ▪ Once you know how to build it, it will be a lot easier for you to break it.
    ▪ Learn the “Art of googling”.
    ▪ Sometimes you might lose your patience too; for example, you might work 15-18 hrs per day for 10-15 continuous days and end up not getting anything.
    ▪ Learn to use all the resources over the internet; for example, try reading blogs that might open up your mind.
    ▪ If you are okay with coding, learn to automate stuff, like automating your information gathering process or git recon process.

  10. Things needed to move forward in Bug Bounties

  11. Things needed to move forward in Bug Bounties
    “Your methodology of approaching bugs will be different from others'”
    “Thinking out of the box”

  12. Things needed to move forward in Bug Bounties
    ▪ Do follow my mind map, which is updated on a regular basis, so you can get the best resources for any vulnerability over the internet.
    ▪ Try to escalate the vulnerabilities: for example, if you found HTML injection, escalate it to an XSS attack.
    ▪ If you found a CSRF vulnerability, try to escalate it to full account takeover.
    ▪ Earlier, Bug Bounty was about any vulnerability; now it's all about its bypass.
    ▪ Automation is the key; automate as much as possible.

  13. Web App Pen-test Mindmap

  14. Can Bug Bounty be opted for as a career option?
    ▪ Bug Bounty can definitely be chosen as a career option.
    ▪ If you start bug bounty at an early age and are eager to move your career into the cybersecurity domain, you need not worry about your job.
    ▪ Cybersecurity is the only domain where, whatever the situation might be, jobs will be there.
    ▪ Try joining some private bug bounty platforms like Synack, Detectify, Cobalt (SaaS), etc.

  15. Myths about the certifications.

  16. Myths about the certifications.
    ▪ Is it necessary to do certifications to be successful in life?
    ▪ Do all the certs really have value?
    ▪ If you are eager to learn something new, give the Offensive Security certifications (OSCP, OSEE, OSWE) a try.

  17. Tips/Tricks
    ▪ Read blogs, keep yourself updated.
    ▪ Be unique and try to escalate issues instead of simply reporting them.
    ▪ Read H1 Hacktivity.
    ▪ Google, Censys, Shodan.
    ▪ Learn the ways to bypass the vulnerabilities.
    ▪ Get started with the Bugcrowd platform, as it is a more researcher-supportive platform.

  18. Q/A

  19. Thank You