Bug Bounty Hunting Workshop
Philippe Delteil
Abstract
Bug bounty hunting is (probably) the most hyped topic in the hacking subworld: some people read amazing stories of how an 18-year-old won 1 million dollars doing only legal hacking. Many hit a wall when they realize that after two months they have only won points, thanks or cheap swag. "Where's the money?", they ask. What should I learn, and how? How many books should I read? How many minutes of YouTube tutorials? What if I lose some weight? [always recommended] How can I be the next bug bounty millionaire?
In this workshop I will show you a path to becoming a bug bounty hunter, based on my experience starting by chance and from scratch. I will teach you how to use the tools I use every day to find bugs, but most importantly how to see bug bounty hunting as a complex business process.
What to know before
- Basic idea of bugs (and bounty hunting)
- Basic Linux commands (sed, awk, grep)
- Shell scripting basics
- Have some practice doing recon
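The kind of sed/awk/grep glue script the prerequisites above refer to, as an added example that is not part of the workshop material: it takes raw, mixed recon output (URLs, hosts with ports, wildcard entries, trailing dots, tool comments) and turns it into a clean, deduplicated, in-scope host list of the sort you would feed to a scanner. The sample input and the scope domain example.com are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the workshop): normalise raw recon output into a
# clean host list with grep/sed/awk/sort. All input below is constructed.

SAMPLE_RECON='https://API.Example.com/v1/users
http://shop.example.com:8080/cart
*.dev.example.com
api.example.com
mail.example.com.
# comment line emitted by a tool
STAGING.example.com
https://cdn.other-domain.net/assets
'

# normalize_hosts SCOPE: read recon lines on stdin and print unique, lowercase
# hostnames that are SCOPE itself or a subdomain of it, one per line, sorted.
normalize_hosts() {
    scope="$1"
    grep -v '^[[:space:]]*#' \
    | grep -v '^[[:space:]]*$' \
    | sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s#:[0-9]+$##; s#^\*\.##; s#\.$##' \
    | tr 'A-Z' 'a-z' \
    | awk -v scope="$scope" \
        '$0 == scope || substr($0, length($0) - length(scope)) == "." scope' \
    | sort -u
}

# Usage: pipe any recon output in and pass the root domain you are in scope for.
printf '%s' "$SAMPLE_RECON" | normalize_hosts example.com
```

The sed chain strips the scheme, then the path, then the port, then a leading wildcard and a trailing dot, in that order, so each step sees the shape the previous one left behind; the awk filter drops anything that is not under the scope domain, which is the check that keeps out-of-scope hosts from ever reaching a scanner.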
What you will learn
- How bug bounty programs/platforms work
- What tools hunters use and how they work
- How to hunt for bugs (hopefully for profit)
- Automation of your hunting process
Format
- 30% theory and concepts
- 70% installing, configuring and using tools to find bugs. We will send some reports if we are lucky.
Tools we are going to use
- Scanners/automated tools: nuclei, axiom, bbrf, dalfox, Burp.
What to read/watch in advance
Books
- The Web Application Hacker's Handbook, 2nd Edition
- Hands-On Bug Hunting for Penetration Testers (Joseph E. Marshall)
- Web Hacking 101 (Peter Yaworski)
Videos
- Live Recon and Distributed Recon Automation Using Axiom with @pry0cc (https://www.youtube.com/watch?v=tWml8Dy5RyM)
- The Bug Hunter's Methodology Full 2-hour Training by Jason Haddix (https://www.youtube.com/watch?v=uKWu6yhnhbQ)
- Finding Your First Bug: Choosing Your Target by InsiderPhD (https://www.youtube.com/watch?v=A0LTyH4tOmQ)
- HOW TO GET STARTED IN BUG BOUNTY (9x PRO TIPS) by STÖK (https://www.youtube.com/watch?v=CU9Iafc-Igs)
Philippe Delteil is a Computer Science Engineer from the University of Chile. He gave his first talk at Defcon 26 Skytalks, called "Macabre stories of a hacker in the public health sector"; his country's government sent three officials to record the talk, and they did. He has been reporting bugs for a year. He is an annoying GitHub issue opener for some open-source tools such as axiom, nuclei, dalfox and bbrf, and also makes small contributions to 'Can I take Over XYZ?'.
Rene Silva is an electrical engineer and part-time bug bounty hunter. He has been a hacker for 2 years and a bug hunter for only a year. He likes CTFs, web hacking and reverse engineering.
