WHO I AM ?
Indian
Bugcrowd Top 100
Bug bounty hunter & trainer
Slide 3
Slide 3 text
-Understanding codes and repo
-Checking view and laziness
-Date , Person, Authentication
-Luck
Your target & mind workflow
Slide 4
Slide 4 text
"site.com" password
"site.com" key=
"site.com" access token
"site.com" secret key
"site.com" st no
"site.com" uri=
--branch=
--username=
-Dmaven.javadoc.skip=
0GITHUB_TOKEN=
--username=
FIREBASE_KEY=
ENV_KEY=
END_USER_USERNAME=
END_USER_Password=
On point !!!
Basic Dorks
Slide 5
Slide 5 text
Wait !!! Need to verify it ?
-What to check ?
-Keys, Password, Data etc ?
-Who posted data
-Guy from org
-Interns & Dev
-Not every key is issue
-Use curl for keys, Search API docs
-Password ! Access it bro...
Slide 6
Slide 6 text
Example <3
Slide 7
Slide 7 text
GOOGLE
Search on google for main org
repo of github
"ea" github
High chance
to get valid in
main
Slide 8
Slide 8 text
Happy ?? Wait wait wait !!
-Got information ,Reported
-Happy xD, Don't post tips instantly
-You may disclose bug
-People are here to ask
-You cant ignore
-Verify, Craft report, Send them, Wait
for patch
Slide 9
Slide 9 text
-Remote access
-Employee information
-DB access
-No data related to customer
-Intranet access
-Default URL of projects
Need of program ?
Slide 10
Slide 10 text
Bounty Rules
-Don't expect anything
If you did it in passion,
you'll get dollars
-Constant Recon impotant
-Recon guy's are hero
Slide 11
Slide 11 text
VERIFY DATA
Some data are intended, No bug here
REPORTED > INVALID
Don't get angry, You may lose good bonds with program
YES THEY DO ACCEPT THIRD PARTY
Your crafting and exploits are gold. Make it high as you can
BE HUMBLE WITH PROGRAM
Money going no where. Don't message constant to team
Final tips
Slide 12
Slide 12 text
Tools ???
-Gitrob
-GitHound
-Your mind
Note: I don't use tools, My all git recon is manual