A bug hunter’s guide to bounty universe
Transcript of A bug hunter’s guide to bounty universe
Tips, tricks and things you should know
A BUGHUNTER’S GUIDE TO BOUNTY UNIVERSE
WHOAMI
$ id -un
Faraz Khan
$ groups farazkhan
Bugcrowd Application.Security.Engineer Hacker _Bountyhunter Penetration.tester
$ lastcomm farazkhan [Activity logs]
Bugcrowd Tech-OPS team member
Bounty Hunting
Writing Articles at SecurityIdiots.com
Working as a penetration tester
AGENDA
– How we handle Generic Scenarios
– How and when to escalate
– Things we consider when Inviting researchers for Privates
– Understanding the Program briefs
– Vulnerabilities Taxonomy Standards
SYSTEMIC BUGS
– How we handle such situations
– Vulnerabilities that may fall under these criteria
  • CSRF
  • Missing Authentication/Authorization
  • SQLi
  • XSS
  • File Upload
– Why/how Systemic bugs may cause
DUPLICATES BUT DIFFERENT PRIORITY/IMPACT
– Finding out the difference
– Minor Impact submission after higher risk
– Higher Impact submission after lower risk
– Prioritize as per the extra Impact found
SAME BUG IN A URL BUT DIFFERENT PARAMETER
– Reflected XSS
– Stored XSS
– SQLi
– Missing Auth
– Open Redirect
SUBMISSION WAS ONLY REPRODUCIBLE WHEN REPORTED
– Proof of concept
– Applicability of the vulnerability existence
– Current behavior of the application
SCOPE CONTAINS MULTIPLE DOMAINS, BUT ONLY THEIR LANGUAGE VARIES
– Why would they insert such domains?
– Same bugs on different domains: will they be considered as one?
WHY XSS PRIORITIES MAY VARY
– Self Reflected/Stored XSS
– Authenticated XSS
– Unauthenticated XSS
– Higher level User to Lower level
– Lower level User to Higher level
SUBMISSION CLOSED EVEN AFTER GETTING TRIAGED
– Closed as N/A
– Closed as P5/Won’t fix
– Closed as duplicate
DIFFERENT URLS BUT STILL CLOSED AS DUPLICATE
– RESTful URL
– Universally Vulnerable Parameter
– Systemic Bugs
XSS - INSERTION POINT VS EXECUTION POINT
– Insertion Point
– Execution Point
– Different ways to patch
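The insertion point/execution point distinction on this slide is easiest to see in code. The following is an added example, not material from the slides or code from Bugcrowd: a self-contained Python simulation in which one insertion point (a comment form) feeds three execution points (HTML element content, an HTML attribute, and a JSON API), and the patch is applied where the value is executed, using the encoding that each context requires. The sample comment, the in-memory store and all function names are constructed for illustration.

```python
import html
import json
from html.parser import HTMLParser

# Constructed sample comment for the demonstration (not a value from the slides).
SAMPLE_COMMENT = 'Nice write-up <b>really</b> "quoted" & done'


def insert_comment(store, user, text):
    """Insertion point: the comment form. The value is stored exactly as received."""
    store.append({"user": user, "text": text})


def render_html_body_unpatched(text):
    """Execution point A before the fix: raw concatenation into element content."""
    return '<p class="comment">' + text + '</p>'


def render_html_body(text):
    """Execution point A, patched: entity-encode for HTML element content."""
    return '<p class="comment">' + html.escape(text, quote=False) + '</p>'


def render_html_attribute(text):
    """Execution point B, patched: quotes must also be encoded inside an attribute."""
    return '<input name="text" value="' + html.escape(text, quote=True) + '">'


def render_json_api(text):
    """Execution point C: the same stored value served to an API client as JSON."""
    return json.dumps({"text": text})


def api_roundtrip(text):
    """What the API client actually sees after decoding the JSON body."""
    return json.loads(render_json_api(text))["text"]


def render_everywhere(store):
    """Encode at each execution point, in the encoding that context requires."""
    latest = store[-1]["text"]
    return {
        "body": render_html_body(latest),
        "attribute": render_html_attribute(latest),
        "api": render_json_api(latest),
    }


def insert_comment_escaped(store, user, text):
    """The other patch location the slide lists: escape at the insertion point.
    The HTML sinks are covered, but the API now returns mangled text, and any
    HTML sink that also encodes on output double-encodes it ("&amp;lt;b&amp;gt;")."""
    store.append({"user": user, "text": html.escape(text, quote=True)})


class _TagCollector(HTMLParser):
    """Collects start tags so a rendered fragment can be checked for injected markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Return the start tags an HTML parser sees in a rendered fragment.
    A correct render yields only the template's own tag; injected markup
    shows up as extra tags."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    comments = []
    insert_comment(comments, "alice", SAMPLE_COMMENT)
    for sink, rendered in render_everywhere(comments).items():
        print(sink, "->", rendered)
    print("unpatched body tags:", tags_in(render_html_body_unpatched(SAMPLE_COMMENT)))
    print("patched body tags:  ", tags_in(render_html_body(SAMPLE_COMMENT)))
```

The `tags_in` check is the kind of verification a triager can apply when a submission is marked fixed: render the stored value at every execution point it reaches and confirm the parser sees only the template's own tags. `insert_comment_escaped` shows why a patch at the insertion point is weaker: the JSON consumer receives `&lt;b&gt;` instead of the original text, and output-encoding sinks double-encode it, so the same stored value can still be reported against another execution point later.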
HOW AND WHEN TO ESCALATE
– Standard response time
– Unclear closure of submission
– Lesser Priority
– Lower Reward
THINGS WE CONSIDER WHEN INVITING RESEARCHERS FOR PRIVATES
– Under 250 rank
– Verified researcher
– Higher impact vulnerabilities finder
– Activity logs
– Trusted Researchers
– Researcher’s behavior
https://blog.bugcrowd.com/a-look-at-private-bounty-program-invitations/
https://blog.bugcrowd.com/become-part-of-the-id-verified-crowd
UNDERSTANDING THE PROGRAM BRIEFS
– Scope
– Out of Scope
– Exclusion list
– Other Exceptions
VULNERABILITIES TAXONOMY STANDARDS
– Vulnerability standards and priority taxonomy
– Bug variants
– Standard Taxonomies vs Program briefs
Questions?
Learn more and get in touch:
BUGCROWD.COM
Code:
Bountycraft code for attending this talk: tuner lure diopside