Webinar at Fergusson College Pune about Bug Bounty in Cyber Security.

Transcript

1. Bug Bounty As a Career
   “Create you own path and live it”
   Ninad Mathpati
   

   View Slide

2. Whoami?
   ▪ Web application security engineer @Arisglobal.
   ▪ Security Researcher @Synack, @Bugcrowd.
   ▪ Hacker with an ethical bent of mind.
   ▪ Developer with skills.
   ▪ Known as Hacker2202
   ▪ Find more details about me & my work @
   ninadmathpati.com
   

   View Slide

3. Disclaimer
   ▪ Nothing presented here in todays session gives you
   permission to hack.
   ▪ Always hack with proper approvals.
   ▪ Use this knowledge for educational purpose only.
   

   View Slide

4. What is this talk about?
   ▪ My Journey & Experience in Cybersecurity.
   ▪ How can you be a successful bug hunter?
   ▪ Things needed to move forward in Bug Bounties
   ▪ Can Bug Bounty be opted as a career option.
   ▪ Myths about the certifications.
   ▪ Tips/Tricks
   

   View Slide

5. Journey & Experience in Cybersecurity.
   ▪ Hacking is in my veins, started at early age near to 10 years back
   form now.
   ▪ As it was my passion due to no access to PCs and Laptops, used
   internet cafes to learn and try stuff.
   ▪ All these years I was passively working in this field, from past 3
   years I though of becoming active in this field.
   ▪ In past 3 years I have achieved many things that I haven’t
   though of too.
   

   View Slide

6. Journey & Experience in Cybersecurity.
   

   View Slide

7. Journey & Experience in Cybersecurity.
   ▪ Journey in this field is a bit difficult but possible.
   ▪ Some people take up to 6 months of continuous hard to get
   1st bounty.
   ▪ Be motivated, today might not be yours but tomorrow will be
   definitely yours.
   ▪Eat -> Sleep -> Hack -> Repeat
   

   View Slide

8. How can you be a successful bug hunter?
   ▪ Start with basics.
   ▪ Understand the workflow of the applications.
   ▪ Like for example start with some basic development
   (Web/Mobile)
   ▪ Understand how the data is transferred for browser to
   servers.
   ▪ Then move forward with hacking, Application security,
   Network security, IOT security…etc.
   ▪ Nowadays almost in every field there is a bug bounty
   program.
   

   View Slide

9. How can you be a successful bug hunter?
   ▪ Once you know how to built, then it would be a lot easier for
   you to break it.
   ▪ Learn the “Art of googling”
   ▪ Something you might lose up you patience too like, you might
   work for 15-18hrs per day for continuous 10-15 days, and
   end up not getting anything.
   ▪ Learn to use all the resources over the internet like, try
   read blog that might open up your mind.
   ▪ If you are okay with coding learn to automate stuff. Like
   automating your information gathering process or git recon
   process.
   

   View Slide

10. Things needed to move forward in Bug
    Bounties
    

    View Slide

11. Things needed to move forward in Bug
    Bounties
    “As your methodology of approaching bugs will be different than
    others”
    “Thinking out of the box”
    

    View Slide

12. Things needed to move forward in Bug
    Bounties
    ▪ Do follow my mind map that is update on regular bases, so you might
    gets best of best resources to any vulnerabilities over the internet.
    ▪ Try to escalate the vulnerabilities like if you found HTML injection
    escalate it to XSS attack.
    ▪ If you found CSRF vulnerability try to escalate it to Full account
    takeover.
    ▪ Earlier Bug Bounty was about any vulnerabilities now its all about it’s
    bypass.
    ▪ Automation is the key, Automate as much as possible.
    

    View Slide

13. Web App Pen-test Mindmap
    

    View Slide

14. Can Bug Bounty be opted as a career option.
    ▪ Bug Bounty can definitely chosen as a career option.
    ▪ If you start bug bounty at early age and are eager to
    move your career in cybersecurity domain, you need
    not worry about your job.
    ▪ As cybersecurity is the only domain, whatever might
    be the situation jobs will be there.
    ▪ Try joining some Private bug bounty platforms like
    Synack, Detectify, cobalt (SAAS)...etc
    

    View Slide

15. Myths about the certifications.
    

    View Slide

16. Myths about the certifications.
    ▪ Is it necessary to do certifications to be successful in life?
    ▪ Does all the certs really value?
    ▪ If you are eager to learn something new, Give a try for Offensive-
    Security certifications like (OSCP,OSEE,OSWE)
    

    View Slide

17. Tips/Tricks
    ▪ Read blogs, keep yourself updated
    ▪ Be unique and try to escalate issues instead of simply reporting it.
    ▪ Read H1 Hacktivity.
    ▪ Google, Censys, Shodan.
    ▪ Learn the ways to bypass the vulnerabilities.
    ▪ Get started with bugcrowd platform as its more researcher
    supportive platform.
    

    View Slide

18. Q/A
    

    View Slide

19. Thank You
    

    View Slide