An introductory presentation for testers with the scope of motivating to try security bug bounties. It is less theoretical and focuses on practical tips. It is intended to be structured in a way that presents security bug hunting in a non-intimidating way (no super hacking skills needed necessarily, no certifications needed) http://www.testalways.com/

1. Testers, get into
security bug bounties!
by Eusebiu Blindu
CzechTest 2013

2. I am a tester, not a security expert

6. http://www.utest.com/

7. • potential cash
• some reputation
• experience
• skill improvement

8. • "It's hard and I never did security
stuff before" (psychological)
• "I don't have the skills" (technical)
• "I don't have time, I have to do
something else, I can't fit it in my
schedule" (logistics)

9. • you don't have to totally hack exposing
a major flaw in order to be rewarded in
security bug bounties
• you don't have to know that "much" to
get started in sending bug reports
• you don't need to be an expert in the
field of security

10. • Try to find small vulnerabilities
• Try bug bounty programs that don't
offer cash, only mentions
• Try to read blog containing reports of
already rewarded bugs

11. • A tester has the reflex of finding and
sending general bug reports
• Can send "without shame" a bug
report without fear of rejection
• Has a lot of skills that can be focused
on security

12. Reasons:
• it is usually rewarded by every bug
bounty program
• most feasible to look for ( considering
time spent, chances of finding and the
reward value)
• for testers should be easy, because
there is not too much new techical
knowledge

13. (for testers to understand)
Simply put: "Make the website popup a
window with your desired message on
the vulnerable domain by inserting an
input"
(but read more about it on the "internets"...)

15. (... a tester might ask)
• With an XSS you can attack other
users (not the server)
• It's one of the most common attacks

16. 1) Attacker sends email with a link to
victim
2) Victim clicks on the link
3) Attacker steals session cookie and has
access to victim's account

17. • error pages
• server banner pages
• clickjacking

19. • payed much more
• harder to find
• requires more "out of the box" thinking
• need little bit of luck
• can be find as a result of one or more
low level bug findings

23. • https://www.site_to_be_tested.com/
• https://www.site_to_be_tested.com/
download?filename=D://www_conten
t/reports/12_01_2010.csv

24. • Main tool should be your brain
• Scanners: Acunetix WVS, Burp Suite
Pro, Dirbuster, SqlMap
• Visibility : Fiddler2
• Flash: HP SWFScan
• -... and Google Advanced Search

26. • it will show you types of bugs on a
website that you might not be familiar
with
• do a crawling of a website
• do certain activities faster than you
• find occasionally small or medium bugs
that are rewardable

27. • think like a human
• find major flaws
• it will find lots of false positives (fake
bugs)
• guarantee a totally safe product

28. Recommandation:
You can use the tool in the beginning,
after you identified an area. Then go
try manually with complex steps and
deeper investigation.

29. Battlefield Bug bounty
attack field
Small Plan
Know where you can
search for bugs

30. • more chances to find bugs in newer
bug bounty programs
• more chances to find bugs in newly
added functionalities
• more chances to find bugs in products
that are part of new acquisitions

32. • you have to be faster especially in the
beginning of a new bug bounty
program than the competition
• you have to be more creative than the
competition to find complex issues

33. • you can learn from what others already
reported before you
• Little bit of healthy competition
increases motivation
• the application will seem easier to hack
after you saw someone else doing it

34. • read the requirements and see what is
rewardable
• list all the rewardable domains
• list all the rewardable subdomains
(see if Android or iOS platforms are
rewardable etc)

35. • read bug bounty requirements
• read about the product (on main
website for example)
• read what was rewarded (social
media, blogs, news articles)
• similar domains with the known valid
ones
• whois records for domains belonging
to the same company
• decrypt data from client app
(Desktop,Android,iOS)

36. • DNS records lookup
• similar IPs (consecutive) as other valid
subdomains
• brute force for possible subdomain
name
"qa.domain.com,db.domain.com"
• Google search: "site:domain.com",
"site:domain.com -
site:www.domain.com"
• data analysed (image files on main
site are listed on a different unknown
subdomain)

37. Just send something!

39. • tools (helps, but it's not the main
thing)
• learning about the business logic and
complex functionality helps
• similar bugs in another area could exist
• the same techniques work differently
for different people

40. • hack the database by finding
credentials using scanners and
manually analyzing files
• hack the database credentials by
decompressing a flash file
• hack the database credentials by using
an unfiltered download functionality

41. • keep an open mind (Avoid "I will use
only Ubuntu")
• overcome fear of succeeding
(subconscious fear of winning, fear or
envious reprisals at workplace)
• see more ideas and approaches (social
media)
• avoid "expert complex" (fear of trying
"stupid" stuff)

42. • social media can help you
• your personal standards go higher so
you aim for higher

43. • there are not too many testers to
promote it
• the current format of bug bounties is
new
• seen a as a separate domain

44. Give a try to security bug bounties
And..
See if it works for you

45. Thanks!
Eusebiu Blindu
http://www.testalways.com
eusebiu.blindu@testalways.com
@testalways