
Getting Started in Bug Bounty

JR0ch17
November 04, 2020


Transcript

  1. GET /whoami HTTP/1.1
     Jasmin Landry (JR0ch17)
     Part time bug bounty hunter (I focus on web applications)
     Currently ranked 50th All-Time on Bugcrowd (over 100k registered users)
  2. GET /agenda HTTP/1.1
     • What is bug bounty?
       • BBP vs VDP
       • Public vs Private
       • Scope
       • Policy
       • Earning Points on Bugcrowd
     • How do I get started?
       • Prerequisites
       • Resources
     • How do I become successful?
       • Background on my journey
       • Work Hard
       • My Methodology
     • Evolution
       • Bug bounty vs Pentesting
       • Live Hacking Events
     • Questions?
  3. GET /what_is_bug_bounty HTTP/1.1
     Bug bounty is a way for organizations to reward security researchers for finding vulnerabilities on their assets.
     • Rewards can be bounties, swag (t-shirts, stickers, etc.), Hall of Fame, points
     • Bug Bounty Program (BBP) vs Vulnerability Disclosure Program (VDP)
       • BBP offers monetary (bounty) rewards
       • VDP doesn't offer monetary rewards
     • Company can run their own BBP (independent)
     • Company can use a 3rd-party company such as Bugcrowd
     • A BBP can be public (open to all) or private (invitation only)
  4. GET /what_is_bug_bounty?page=2 HTTP/1.1
     • Public BBP
       • Mature companies; have a S-SDLC in place
       • Typically rewards larger bounties (10-15k for critical bugs)
       • More competition since it's open to the world
       • More challenging
     • Private BBP
       • A lot of the time these are companies that are just starting to do bug bounty
       • Typically rewards smaller bounties (1.5-5k for critical bugs)
       • Less competition since only a select few have been invited
       • Usually less challenging
  5. GET /what_is_bug_bounty?page=3 HTTP/1.1
     What kind of bugs can we report? Depends on the scope!
     • Web
     • API
     • Mobile (iOS & Android)
     • IoT
     • Cars
     • Browsers
     • Code Review
     • Others
  6. GET /what_is_bug_bounty?page=5 HTTP/1.1
     There are rules to follow!!!
     • Carefully read the program's policy
     • You may be unauthorized to do certain stuff
     • There is stuff you need to do
     • Can get you in trouble
  7. GET /what_is_bug_bounty?page=6 HTTP/1.1
     How to get invited to private programs?
     • Submit valid bugs on public programs to get points (and bounties)
     • Consider starting with VDPs
       • Less competition
       • Good for practice and to get started (I started with VDPs)
       • More chances of finding high-impact bugs (P1-P2)
  8. GET /what_is_bug_bounty?page=7 HTTP/1.1
     How does the point system work? Based on the VRT: https://bugcrowd.com/vulnerability-rating-taxonomy
     • Critical (P1): 40 Points (Duplicate: 10 Points)
     • High (P2): 20 Points (Duplicate: 5 Points)
     • Medium (P3): 10 Points (Duplicate: 0 Points*)
     • Low (P4): 5 Points (Duplicate: 0 Points)
     • Informational (P5): 0 Points
     The hacker that reports the bug first gets all of the points and the bounty. Every other report for the same bug gets duplicate points without any bounty.
  9. GET /how_to_get_started HTTP/1.1
     • Prerequisites: None
     • Anybody can register an account and start hacking
     • Books: Web Application Hacker's Handbook, Real World Bug Hunting
     • People to follow: STÖK, Codingo, Hakluke, Farah Hawa, Insiderphd, Nahamsec, Jhaddix, The Cyber Mentor
  10. GET /how_to_get_started?page=2 HTTP/1.1
      • Practice
        • Web Security Academy
        • Pentesterlab
        • Hack The Box
        • TryHackMe
        • CTFs
      • Online Resources
        • Bugcrowd University
        • Hacker101
  11. GET /how_to_get_started?page=3 HTTP/1.1
      • Suggestions
        • Know how to code
        • Stay up to date with current security news and trends
        • Follow people who post interesting write ups, tips, etc.
        • Automate as much as you can
        • Be unique, don't do exactly what others do, else you'll get duplicates
        • Take your time, there's no rush, there will always be bugs
        • Learn as much as you can – don't do it for the money when starting out
        • Have fun!
  12. GET /how_to_become_successful HTTP/1.1
      • Background on my journey to bug hunting
        1) Worked as a Systems Administrator for 5 years - Specialized in networking (Cisco) and virtualization (VMware)
        2) Started to get bored
        3) Curious of the infosec industry
        4) Did a few security related certifications (Security+, CCNA: Security, CEH, SSCP, OSCP)
        5) Got my first job in security as a Jr. Security Analyst in February 2017
        6) Started doing some bug bounty – Got my first bounty in February 2017 ...
  13. GET /how_to_become_successful?page=3 HTTP/1.1
      What did I do during those 6 months?
      • Read as many write ups as I could
      • Read the books (twice) mentioned earlier
      • Practiced in CTFs
      • Spent a lot of time on reading #bugbountytips
      • I WORKED HARD AND LEARNED AS MUCH AS I COULD
  14. GET /how_to_become_successful?page=4 HTTP/1.1
      • What do you need to be successful?
        1. Fast (Automation)
        2. Unique (think out of the box)
        3. Experience
        4. Luck
      • Automate as much as you can
        • Look for low-hanging fruit
        • Be proactive, find bugs while you eat and sleep like todayisnew
  15. GET /how_to_become_successful?page=5 HTTP/1.1
      • Think outside of the box
        • What did the other hackers not think of?
        • What possible mistake did the developer make?
        • What is the intended functionality? How can I make it do other stuff instead?
      • Experience
        • It simply comes with time and practice
        • You'll start noticing certain patterns that lead to bugs
        • You'll learn frameworks and their common vulnerabilities
      • Luck
        • Sometimes, you just need to be lucky
  16. GET /how_to_become_successful?page=6 HTTP/1.1
      Bug bounty is not for everyone
      • Required qualities/characteristics
        • Perseverant
        • Curious
        • Able to manage stress
        • Confident
      • Watch out!
        • Burn out
        • Depression
  17. GET /methodology HTTP/1.1
      What do I look for in a program?
      • I don't necessarily like wide scopes like *.domain.com
      • I prefer smaller scopes (i.e. 5 web apps and an API)
      • I like web apps with a lot of features and RBAC
      • A program that pays well and triages and resolves fast
  18. GET /methodology?page=2 HTTP/1.1
      1. What's the app's business purpose?
      2. Focus areas & bonuses
      3. CTF mindset
         1. Create your own flag
         2. Do what it takes to find it
      4. Other hackers have looked at this app
         1. What did they miss?
         2. What did they not think of and didn't try?
      5. Recon
  19. GET /methodology?page=2 HTTP/1.1
      Recon
      1. Identify what technologies are being used
         • Look at headers
         • Use tools like Wappalyzer/BuiltWith
         • Look at job postings
         • Look at developers on LinkedIn -> GitHub
      2. Identify as many endpoints as possible
         • GitHub
         • Google Dork
         • WayBackMachine
      3. Take note of anything potentially useful
         • User roles
         • 3rd party integrations
      • Goal of the recon is to maximize the attack surface
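The "look at headers" step of the recon slide, as an added example that is not from the talk: a small Python fingerprinter that reads a raw HTTP response and reports which technologies its headers and session-cookie names reveal, plus any header that discloses a version string. The signature lists and the sample response are constructed for illustration; run against your own app's responses, the same routine shows what it gives away.

```python
import re
# Constructed sample response (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: laravel_session=xyz; Path=/; HttpOnly\r\n"
    "\r\n<html></html>"
)

# (header name, regex on its value, technology) -- a small, assumed signature set
HEADER_SIGNATURES = [
    ("server", r"apache", "Apache httpd"),
    ("server", r"nginx", "nginx"),
    ("x-powered-by", r"php", "PHP"),
]
# (regex on cookie name, technology): session cookie names are a classic tell
COOKIE_SIGNATURES = [
    (r"^PHPSESSID$", "PHP"),
    (r"^JSESSIONID$", "Java servlet container"),
    (r"^laravel_session$", "Laravel"),
]
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw response; repeats are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def fingerprint(raw):
    """Technologies inferred from headers, plus headers that leak a version string."""
    techs, leaks = set(), []
    for name, value in parse_headers(raw):
        for hdr, pattern, label in HEADER_SIGNATURES:
            if name == hdr and re.search(pattern, value, re.I):
                techs.add(label)
        if name in VERSION_HEADERS and re.search(r"\d", value):
            leaks.append(f"{name}: {value}")  # a version number is being disclosed
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            for pattern, label in COOKIE_SIGNATURES:
                if re.search(pattern, cookie, re.I):
                    techs.add(label)
    return {"technologies": sorted(techs), "version_leaks": leaks}
```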
  20. GET /methodology?page=3 HTTP/1.1
      2. Learn how to use the application
         • Use the application like a regular user would
         • Identify intended behavior
         • See how certain functionality interacts with each other
         • Identify functionality only available to certain users
         • Identify potential attack plans and scenarios
      3. Start Hacking!!!
  21. GET /methodology?page=4 HTTP/1.1
      • Create your own methodology
      • Do what works best for you
      • Do what you like doing
  22. GET /evolution HTTP/1.1
      Bug bounty is evolving very quickly
      • More and more companies are starting a bug bounty program
      • Average bounty is constantly increasing
      • Number of hackers is constantly increasing
      • Starting to become a competition with pentesting
  23. GET /evolution?page=2 HTTP/1.1
      Bug Bounty vs Pentesting

                    Qualified Hackers   Continuous testing   Cost
      Pentest       Yes *               No                   **
      Bug Bounty    Yes & No            Yes                  ***

      * Limited by the company's pentesters' skills
      ** In a pentest, you pay for the time spent, even if the report is empty
      *** In bug bounty, you pay for results
  24. GET /evolution?page=3 HTTP/1.1
      Bug Bash
      • Bugcrowd invites some of their top hackers to participate in a private event
      • Las Vegas, San Francisco, Miami, Vancouver, Buenos Aires, San Luis Obispo, Australia, etc.
      • Scope is normally new
      • Bonuses and prizes
      • Collaboration with other hackers
      Bug bashes are starting to become hackers' goal!