Whoami? ▪ Web application security engineer @Arisglobal. ▪ Security Researcher @Synack, @Bugcrowd. ▪ Hacker with an ethical bent of mind. ▪ Developer with skills. ▪ Known as Hacker2202 ▪ Find more details about me & my work @ ninadmathpati.com
Disclaimer ▪ Nothing presented here in today's session gives you permission to hack. ▪ Always hack with proper approvals. ▪ Use this knowledge for educational purposes only.
What is this talk about? ▪ My journey & experience in cybersecurity. ▪ How can you be a successful bug hunter? ▪ Things needed to move forward in bug bounties. ▪ Can bug bounty be taken up as a career option? ▪ Myths about certifications. ▪ Tips/Tricks
Journey & Experience in Cybersecurity. ▪ Hacking is in my veins; I started at an early age, close to 10 years back from now. ▪ As it was my passion and I had no access to PCs and laptops, I used internet cafes to learn and try stuff. ▪ All these years I was passively working in this field; for the past 3 years I have thought of becoming active in it. ▪ In the past 3 years I have achieved many things that I hadn't even thought of.
Journey & Experience in Cybersecurity. ▪ The journey in this field is a bit difficult but possible. ▪ Some people take up to 6 months of continuous hard work to get their first bounty. ▪ Be motivated: today might not be yours, but tomorrow will definitely be yours. ▪ Eat -> Sleep -> Hack -> Repeat
How can you be a successful bug hunter? ▪ Start with the basics. ▪ Understand the workflow of the applications. ▪ For example, start with some basic development (Web/Mobile). ▪ Understand how data is transferred from the browser to the servers. ▪ Then move forward with hacking: application security, network security, IoT security, etc. ▪ Nowadays there is a bug bounty program in almost every field.
How can you be a successful bug hunter? ▪ Once you know how to build something, it becomes a lot easier for you to break it. ▪ Learn the "Art of googling". ▪ Sometimes you might lose your patience too: you might work 15-18 hrs per day for 10-15 days continuously and end up not getting anything. ▪ Learn to use all the resources on the internet; for example, try reading blogs that might open up your mind. ▪ If you are okay with coding, learn to automate stuff, like your information gathering process or git recon process.
Things needed to move forward in Bug Bounties ▪ Do follow my mind map, which is updated on a regular basis, so you get the best resources available on the internet for any vulnerability. ▪ Try to escalate the vulnerabilities; for example, if you find HTML injection, escalate it to an XSS attack. ▪ If you find a CSRF vulnerability, try to escalate it to full account takeover. ▪ Earlier bug bounty was about finding any vulnerability; now it's all about bypasses. ▪ Automation is the key: automate as much as possible.
Can bug bounty be taken up as a career option? ▪ Bug bounty can definitely be chosen as a career option. ▪ If you start bug bounty at an early age and are eager to move your career into the cybersecurity domain, you need not worry about your job. ▪ Cybersecurity is the one domain where, whatever the situation might be, jobs will be there. ▪ Try joining some private bug bounty platforms like Synack, Detectify, Cobalt (SaaS), etc.
Myths about certifications. ▪ Is it necessary to do certifications to be successful in life? ▪ Do all the certs really add value? ▪ If you are eager to learn something new, give the Offensive Security certifications (OSCP, OSEE, OSWE) a try.
Tips/Tricks ▪ Read blogs; keep yourself updated. ▪ Be unique and try to escalate issues instead of simply reporting them. ▪ Read H1 Hacktivity. ▪ Google, Censys, Shodan. ▪ Learn the ways to bypass the fixes for vulnerabilities. ▪ Get started with the Bugcrowd platform, as it is a more researcher-supportive platform.