An introductory presentation for testers, aimed at motivating them to try security bug bounties. It is less theoretical and focuses on practical tips. It is structured so as to present security bug hunting in a non-intimidating way (no super hacking skills necessarily needed, no certifications needed).
http://www.testalways.com/
8. • "It's hard and I never did security stuff before" (psychological)
• "I don't have the skills" (technical)
• "I don't have time, I have to do something else, I can't fit it in my schedule" (logistics)
9. • you don't have to totally hack exposing a major flaw in order to be rewarded in security bug bounties
• you don't have to know that "much" to get started in sending bug reports
• you don't need to be an expert in the field of security
10. • Try to find small vulnerabilities
• Try bug bounty programs that don't offer cash, only mentions
• Try to read blogs containing reports of already rewarded bugs
11. • A tester has the reflex of finding and sending general bug reports
• Can send a bug report "without shame", without fear of rejection
• Has a lot of skills that can be focused on security
12. Reasons:
• it is usually rewarded by every bug bounty program
• most feasible to look for (considering time spent, chances of finding and the reward value)
• for testers it should be easy, because there is not too much new technical knowledge
13. (for testers to understand)
Simply put: "Make the website pop up a window with your desired message on the vulnerable domain by inserting an input"
(but read more about it on the "internets"...)
15. (... a tester might ask)
• With an XSS you can attack other users (not the server)
• It's one of the most common attacks
16. 1) Attacker sends an email with a link to the victim
2) Victim clicks on the link
3) Attacker steals the session cookie and has access to the victim's account
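The "pop up a window with your message" test from slide 13 and the cookie-theft scenario from slide 16, as an added Python example that is not part of the presentation: a tiny page renderer with the reflected input unescaped (the bug) beside the escaped version (the fix), plus a check of the cookie attribute that blocks step 3 of the scenario. The probe string, the page functions and the cookie header are constructed for the demo.

```python
import html

# Constructed probe: a harmless marker that must never reach the page as live markup.
PROBE = '<script>alert("xss")</script>'

def render_search_vulnerable(term: str) -> str:
    """Reflects the user's search term straight into the HTML: the XSS bug of slide 13."""
    return f"<h1>Results for: {term}</h1>"

def render_search_fixed(term: str) -> str:
    """Same page with output encoding: the browser displays the text instead of running it."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"

def reflected_as_markup(page_html: str, probe: str = PROBE) -> bool:
    """True when the probe appears verbatim in the response, i.e. it would execute."""
    return probe in page_html

def session_cookie_exposed_to_js(set_cookie_header: str) -> bool:
    """Slide 16's cookie theft reads document.cookie; the HttpOnly flag denies that access."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs

if __name__ == "__main__":
    print("vulnerable page reflects probe:", reflected_as_markup(render_search_vulnerable(PROBE)))
    print("fixed page reflects probe:     ", reflected_as_markup(render_search_fixed(PROBE)))
    print("session cookie readable by JS: ", session_cookie_exposed_to_js("sid=abc123; Path=/"))
```

The same escaped rendering is what a real template engine does when auto-escaping is on; a page where the probe comes back unchanged in the proxy (Fiddler, Burp) is the report-worthy case.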
17. • error pages
• server banner pages
• clickjacking
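The three low-level findings listed above, turned into checks over one captured HTTP response, as an added Python example that is not part of the presentation. The sample status, headers and body are constructed; in practice they come from the proxy.

```python
import re

def _h(headers: dict) -> dict:
    """Header names are matched case-insensitively."""
    return {k.lower(): v for k, v in headers.items()}

def server_banner_disclosed(headers: dict) -> bool:
    """A Server or X-Powered-By value carrying a version number is a banner finding."""
    h = _h(headers)
    return any(re.search(r"\d+\.\d+", h.get(n, "")) for n in ("server", "x-powered-by"))

def clickjacking_possible(headers: dict) -> bool:
    """Framable when neither X-Frame-Options nor a CSP frame-ancestors directive restricts it."""
    h = _h(headers)
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return False
    return "frame-ancestors" not in h.get("content-security-policy", "").lower()

def verbose_error_page(status: int, body: str) -> bool:
    """An error response whose body leaks a stack trace, a server path or SQL text."""
    markers = (r"Traceback \(most recent call last\)",
               r"\bat [\w.$]+\(\w+\.java:\d+\)",
               r"[A-Za-z]:\\[\w\\]+\.\w+",
               r"/var/www/[\w/]+",
               r"SQL syntax")
    return status >= 400 and any(re.search(m, body) for m in markers)

def low_level_findings(status: int, headers: dict, body: str) -> list:
    """Returns the slide-17 findings present in one response, in a fixed order."""
    checks = (("server banner disclosure", server_banner_disclosed(headers)),
              ("clickjacking (page can be framed)", clickjacking_possible(headers)),
              ("verbose error page", verbose_error_page(status, body)))
    return [name for name, hit in checks if hit]

# Constructed sample response: a 500 page from a loosely configured server.
SAMPLE_STATUS = 500
SAMPLE_HEADERS = {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"}
SAMPLE_BODY = ('<pre>Traceback (most recent call last):\n'
               '  File "/var/www/app/views.py", line 42, in search</pre>')

if __name__ == "__main__":
    print(low_level_findings(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY))
```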
19. • paid much more
• harder to find
• requires more "out of the box" thinking
• needs a little bit of luck
• can be found as a result of one or more low-level bug findings
24. • Main tool should be your brain
• Scanners: Acunetix WVS, Burp Suite Pro, Dirbuster, SqlMap
• Visibility: Fiddler2
• Flash: HP SWFScan
• ... and Google Advanced Search
26. • it will show you types of bugs on a website that you might not be familiar with
• do a crawling of a website
• do certain activities faster than you
• occasionally find small or medium bugs that are rewardable
27. • think like a human
• find major flaws
• it will find lots of false positives (fake bugs)
• guarantee a totally safe product
28. Recommendation:
You can use the tool in the beginning, after you have identified an area. Then try manually with complex steps and deeper investigation.
29. Battlefield: bug bounty attack field
Small plan: know where you can search for bugs
30. • more chances to find bugs in newer bug bounty programs
• more chances to find bugs in newly added functionalities
• more chances to find bugs in products that are part of new acquisitions
32. • you have to be faster than the competition, especially in the beginning of a new bug bounty program
• you have to be more creative than the competition to find complex issues
33. • you can learn from what others already reported before you
• a little bit of healthy competition increases motivation
• the application will seem easier to hack after you saw someone else doing it
34. • read the requirements and see what is rewardable
• list all the rewardable domains
• list all the rewardable subdomains (see if Android or iOS platforms are rewardable etc.)
35. • read bug bounty requirements
• read about the product (on the main website for example)
• read what was rewarded (social media, blogs, news articles)
• similar domains to the known valid ones
• whois records for domains belonging to the same company
• decrypt data from the client app (Desktop, Android, iOS)
36. • DNS records lookup
• similar (consecutive) IPs to other valid subdomains
• brute force possible subdomain names ("qa.domain.com", "db.domain.com")
• Google search: "site:domain.com", "site:domain.com -site:www.domain.com"
• data analysis (image files on the main site are listed on a different, unknown subdomain)
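Hosts turned up by the methods on slides 35 and 36 are only worth testing when they fall inside the rewardable domains and subdomains listed per slide 34. This added Python example (not from the presentation) checks candidates against such a scope list; the domain names are constructed placeholders, and the wildcard convention (`*.` also covering the apex, explicit exclusions winning over wildcards) is an assumption to be replaced by each program's own rules.

```python
from urllib.parse import urlsplit

# Constructed scope: "*." means every subdomain (and the apex) is rewardable,
# a bare name only itself. Exclusions take precedence over inclusions.
IN_SCOPE = ["*.example-bounty.com", "api.example-bounty.net"]
OUT_OF_SCOPE = ["legacy.example-bounty.com"]

def hostname(target: str) -> str:
    """Accepts a URL or a bare host; strips scheme, port, path and letter case."""
    host = urlsplit(target if "//" in target else "//" + target).hostname or ""
    return host.rstrip(".").lower()

def matches(pattern: str, host: str) -> bool:
    """Label-aware match: 'evil-example-bounty.com' must NOT match '*.example-bounty.com'."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern

def in_scope(target: str) -> bool:
    """True only for hosts matched by an inclusion and by no exclusion."""
    host = hostname(target)
    if any(matches(p, host) for p in OUT_OF_SCOPE):
        return False
    return any(matches(p, host) for p in IN_SCOPE)

def triage(candidates: list) -> dict:
    """Splits a list of discovered hosts into rewardable and not-rewardable ones."""
    return {"in": [c for c in candidates if in_scope(c)],
            "out": [c for c in candidates if not in_scope(c)]}

if __name__ == "__main__":
    # Constructed candidate list, the kind of output a DNS lookup or search pass produces.
    found = ["qa.example-bounty.com", "https://DB.example-bounty.com:8443/admin",
             "legacy.example-bounty.com", "example-bounty.com.evil.test",
             "evil-example-bounty.com", "api.example-bounty.net", "www.example-bounty.net"]
    print(triage(found))
```

Naive substring checks would accept the two look-alike hosts in the list above; a report against one of those is out of scope and gets rejected.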
39. • tools (they help, but they are not the main thing)
• learning about the business logic and complex functionality helps
• similar bugs could exist in another area
• the same techniques work differently for different people
40. • hack the database by finding credentials using scanners and manually analyzing files
• hack the database credentials by decompressing a Flash file
• hack the database credentials by using an unfiltered download functionality
41. • keep an open mind (avoid "I will use only Ubuntu")
• overcome fear of succeeding (subconscious fear of winning, fear of envious reprisals at the workplace)
• see more ideas and approaches (social media)
• avoid the "expert complex" (fear of trying "stupid" stuff)
42. • social media can help you
• your personal standards go higher, so you aim higher
43. • there are not too many testers to promote it
• the current format of bug bounties is new
• it is seen as a separate domain
44. Give security bug bounties a try
And...
See if it works for you