3. Introduction
• Rewards (not always) & credits for finding loopholes
• Bugs in applications, networks, products etc.
• Should follow responsible disclosure
4. Why #BBPs?
• Saves money by getting the job done by worldwide researchers
• Different kinds of bugs which the owner never thought of
• Work directly with researchers
• It was all started by Netscape in 1995
6. Prerequisite
• You should read these:
– OWASP Testing Guide V3
– The Web Application Hacker’s Handbook
– RFC 2616 - HTTP/1.1
• Get hands-on experience with a few simulators, e.g.
– Mutillidae
– DVWA
– etc.
7. Approach
• Develop your own
• Understand the Scope
• Gather information about the domain, services, CMS & structure
• Understand the logic
• Avoid using automated tools
• Have a standard template for reporting
8. Tools Required
• Proxy: Burp Suite, Fiddler etc.
• Browser extensions & Add-ons (Firefox)
– Live HTTP Headers
– Firebug / Web Developer toolbar
– ClickJacking Defense
– Wappalyzer
– User Agent Switcher
– Many more
10. Avoid Duplicates
• Try on Sub domains
• Standard templates for common bugs can save time
• Look for business logic flaws
– https://www.owasp.org/index.php/Testing_for_business_logic_(OWASP-BL-001)