BUG BOUNTY
Work Smarter, Not Harder
CTJB 2019 @vavkamil
WHOAMI?
Kamil Vavra - Ethical hacker, penetration tester, bug bounty hunter
Contact me:
@vavkamil
twitter.com/vavkamil
vavkamil.cz
reddit.com/u/_vavkamil_
[email protected]
github.com/vavkamil
WHOAMI?
https://vavkamil.cz/whoami/bug-bounty
AGENDA: WTF is this talk about?!
01 What is bug bounty & main platforms - Quick recap for beginners
02 Knowledge sharing & free resources - How to gain skill and learn faster
03 Useful open-source tools & scripts - What is everybody using for automation
04 Methodology, know-how, tips & tricks - How to catch 'em all
What is bug bounty & main platforms
Quick recap for beginners
3-STEP BUG BOUNTY MODEL
How does a bug bounty program work?
1. Find a Bug: Learn to hack, hack to learn
2. Report a Bug: Don't underestimate the quality of the report
3. Get a Bounty: Be kind and respect the amount
MAIN PLATFORMS
Crowdsourced security & vulnerability disclosure platforms

                          Bugcrowd Inc.       HackerOne, Inc.
Website                   www.bugcrowd.com    www.hackerone.com
Founded                   2012                2012
Funding raised            $51.7M              $74M
Estimated Employees       111                 366
Estimated Annual Revenue  $3.8M               $4.9M
Twitter                   @Bugcrowd           @Hacker0x01
Should I start?
Is it worth it?
...it is worth a try!
A major chunk of the hacker's mindset consists of wanting to learn more.
While bug bounty hunting, you will learn a lot; you will practice on real world targets, build your reputation and get paid for it ...

Pros
You will learn a lot: Knowledge never ends, sharing is caring, and the bug bounty community is awesome.
You will earn $$: Money shouldn't be the main reason, but it feels nice to be rewarded and recognized.

Cons
It takes a lot of time: If you get lucky, you can score your first bounty quite fast. But as with every hobby, it takes time to master.
There is a lot of competition: You can expect skilled rivals, duplicate reports, boring targets, delayed triaging and payouts.
HOW TO BECOME A HACKER
Learn to make it; then break it!
Read blogs, articles, books; lots of content!
Join the community; ask questions!
Participate in open-source projects; learn to code!
Smile when you get feedback; don't be a jerk!
Learn to approach targets; reconnaissance is a must!
Knowledge sharing & free resources
How to gain skill and learn faster
WHAT TO READ?
Web Hacking 101
Peter Yaworski
Using publicly disclosed vulnerabilities, Web Hacking 101 explains common web vulnerabilities and will show you how to start finding vulnerabilities and collecting bounties.
After reading this book, your eyes will be opened to the wide array of vulnerabilities that exist and you'll likely never look at a website or API the same way.
https://leanpub.com/web-hacking-101
https://www.hackerone.com/blog/Hack-Learn-Earn-with-a-Free-E-Book
REDDIT
/r/bugbounty
3k+ subscribers
Moderator; sharing interesting bug bounty
write-ups almost every day
WHO TO FOLLOW ON TWITTER
@Bugcrowd https://twitter.com/bugcrowd
@PentesterLand https://twitter.com/pentesterland
/lists/security-researchers
@intigriti https://twitter.com/intigriti
@Hacker0x01 https://twitter.com/Hacker0x01
@BugBountyHQ https://twitter.com/bugbountyhq
@disclosedh1 https://twitter.com/disclosedh1
GitHub
List of bug bounty write-ups
awesome-bug-bounty
https://github.com/djadmin/awesome-bug-bounty
bug-bounty-reference
https://github.com/ngalongc/bug-bounty-reference
Pentester Land
https://pentester.land/
List of bug bounty writeups
https://pentester.land/list-of-bug-bounty-writeups.html
The 5 Hacking NewsLetter
https://pentester.land/newsletter
The Bug Hunter Podcast
https://pentester.land/podcast
6,000+ HackerOne Disclosed Reports
http://sec.eddyproject.com/6000-hackerone-disclosed-reports/
Useful open-source tools & scripts
What is everybody using for automation
OWASP JUICE SHOP
OWASP Juice Shop is probably the most modern and sophisticated insecure web application! Written in Node.js, Express and Angular.
https://github.com/bkimminich/juice-shop
https://www.owasp.org/index.php/OWASP_Juice_Shop_Project
XSS IS EVERYWHERE
XSS Polyglot
An XSS payload which runs in multiple contexts. Useful in testing XSS because it minimizes manual effort and increases the success rate of blind XSS.
https://polyglot.innerht.ml
XSStrike
Cross Site Scripting detection suite equipped with four hand-written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
https://github.com/s0md3v/XSStrike
KNOXSS
KNOXSS is an online XSS tool with demonstration of vulnerability (PoC - Proof of Concept).
https://knoxss.me/
LinkFinder
Python script written to discover endpoints and their parameters in JavaScript files.
https://github.com/GerbenJavado/LinkFinder
RECOMMENDED TOOLS
Open-source tools for target/scope recon & enumeration
https://blog.appsecco.com/a-penetration-testers-guide-to-sub-domain-enumeration-7d842d5570f6
Amass
Obtains subdomains by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS.
https://github.com/caffix/amass
Sublist3r
Python tool that enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask, plus VirusTotal.
https://github.com/aboul3la/Sublist3r
DNSdumpster
FREE domain research tool that can discover hosts related to a domain.
https://dnsdumpster.com/
Masscan
Internet-scale port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second, from a single machine.
https://github.com/robertdavidgraham/masscan
RECOMMENDED TOOLS
Open-source tools for subdomain take-overs
https://www.hackerone.com/blog/Guide-Subdomain-Takeovers
https://github.com/EdOverflow/can-i-take-over-xyz
https://0xpatrik.com/
subjack
Tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
https://github.com/haccer/subjack
aquatone
Tool for visual inspection of websites across a large number of hosts; convenient for quickly gaining an overview of the HTTP-based attack surface.
https://github.com/michenriksen/aquatone
SubOver
Tool originally written in Python but rewritten from scratch in Golang. Since its redesign, it has been built with speed and efficiency in mind.
https://github.com/Ice3man543/SubOver
Subdomain takeover detection with AQUATONE
A new addition to the AQUATONE toolset is aquatone-takeover, which can detect potential subdomain takeover issues across a bunch of popular external services.
https://michenriksen.com/blog/subdomain-takeover-detection-with-aquatone/
RECOMMENDED TOOLS
Open-source tools for AWS bucket take-overs
https://github.com/toniblyx/my-arsenal-of-aws-security-tools
S3Scanner
Tool to find open S3 buckets and dump their contents.
https://github.com/sa7mon/S3Scanner
cloudfrunt
Tool for identifying misconfigured CloudFront domains. CloudFront is a Content Delivery Network (CDN) provided by Amazon Web Services (AWS).
https://github.com/MindPointGroup/cloudfrunt
CloudScraper
Tool to enumerate targets in search of cloud resources: S3 Buckets, Azure Blobs, Digital Ocean Storage Spaces.
https://github.com/jordanpotti/CloudScraper
pacu
AWS exploitation framework, designed for offensive security testing against cloud environments.
https://github.com/RhinoSecurityLabs/pacu
dkimsc4n
Asynchronous wordlist based DKIM scanner
Useful during bug bounty hunting or red teaming to find
insufficient DKIM records with RSA 512-bit keys
CWE-326: Inadequate Encryption Strength
Insufficient DKIM record with RSA 512-bit key used
https://github.com/vavkamil/dkimsc4n
https://asciinema.org/a/243588
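A self-check for the weakness dkimsc4n looks for, written here as an added example (not the tool's own code): it parses a DKIM TXT record, decodes the SubjectPublicKeyInfo carried in p=, and reports the RSA modulus size so a domain owner can spot 512-bit selectors before someone else does. The DER key is constructed from a dummy modulus for illustration and is not a real RSA key.

```python
"""Check a DKIM TXT record for weak RSA keys (CWE-326), e.g. 512-bit moduli."""
import base64
import re

MIN_RSA_BITS = 1024  # RFC 8301: verifiers must reject RSA keys shorter than 1024 bits

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value: int) -> bytes:
    # one extra byte when the top bit is set keeps the INTEGER positive
    return _der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def make_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Build a DKIM TXT record from a constructed modulus (sample input, not a real key)."""
    rsa_pub = _der_tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der_tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    spki = _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

def _der_read(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7f) bytes hold the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dkim_rsa_bits(record: str) -> int:
    """Return the RSA modulus size (bits) of the key in a DKIM TXT record."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("k", "rsa") != "rsa" or not tags.get("p"):
        raise ValueError("not an RSA DKIM key, or key revoked (empty p=)")
    spki = base64.b64decode(re.sub(r"\s+", "", tags["p"]))  # p= may be split across TXT strings
    _, spki_body, _ = _der_read(spki, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_read(spki_body, 0)            # skip AlgorithmIdentifier
    _, bit_string, _ = _der_read(spki_body, pos)   # BIT STRING; first byte = unused bits
    _, rsa_body, _ = _der_read(bit_string[1:], 0)  # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_read(rsa_body, 0)         # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def is_weak_dkim_key(record: str) -> bool:
    """True when the selector's RSA key is below MIN_RSA_BITS (the dkimsc4n finding)."""
    return dkim_rsa_bits(record) < MIN_RSA_BITS
```

Feed it the TXT record of your own selector (e.g. `dig +short TXT selector._domainkey.example.com`) to confirm the key length before an external scanner reports it.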
Methodology, know-how, tips & tricks
How to catch 'em all
YOUTUBE
Bug Bounty Hunter
Methodology v3
Jason Haddix (Bugcrowd)
https://www.youtube.com/watch?v=Qw1nNPiH_Go
KNOW-HOW, TIPS & TRICKS
bounty-targets-data
This repo contains data dumps of Hackerone and Bugcrowd scopes (i.e. the domains that are eligible for bug bounty reports).
https://github.com/arkadiyt/bounty-targets-data
SecLists
Collection of lists including usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
https://github.com/danielmiessler/SecLists
bugbounty-cheatsheet
A list of interesting payloads, tips and tricks for bug bounty hunters.
https://github.com/EdOverflow/bugbounty-cheatsheet
PayloadsAllTheThings
A list of useful payloads and bypasses for Web Application Security and Pentest/CTF.
https://github.com/swisskyrepo/PayloadsAllTheThings
EyeWitness
Designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
https://github.com/FortyNorthSecurity/EyeWitness
gobuster
Directory/file & DNS busting tool written in Go.
https://github.com/OJ/gobuster
YOUTUBE
Bug Bounty Hunting on Steroids
DEF CON 26 RECON VILLAGE
- Anshuman Bhartiya, Glenn Grant
https://www.youtube.com/watch?v=7WYjSDZxFYc&index=21&list=PL9fPq3eQfaaCkilMUOZD4Tnvr8T9bFgjH
DON'T BE EVIL
Google Hacking Database
https://www.exploit-db.com/google-hacking-database
Open Bug Bounty Community
https://www.openbugbounty.org/
YOUTUBE
Offensive JavaScript Techniques for Red Teamers
BSidesSF 2019
(Dylan Ayrey • Christian Frichot)
https://www.youtube.com/watch?v=HfpnloZM61I
#bugbountytip
https://twitter.com/search?q=%23bugbountytip
#bugbountytip
Sharing is caring, follow the tips on Twitter
https://bugbountytip.com
https://github.com/vavkamil/bugbountytip.com
THANK YOU! DO YOU HAVE ANY BITCOINS?
1Hx7eLzzUyAqM6k8d8AVffCVYeFv7b2sw7
https://vavkamil.cz/whoami/public-talks
https://vavkamil.cz/wp-content/uploads/2019/05/ctjb_2019_bugbounty.pdf