Bug bounty Hunting Workshop
Philippe Delteil


Abstract

Bug bounty hunting is (probably) the most hype topic in the hacking subworld, some people read amazing stories of how a 18 years old won 1 million dollars only doing legal hacking. Many hit a wall when they realize that after two months they only won points, thanks or cheap swag. Where's the money?, they ask. What should I learn and how? How many books should I read? How many minutes of Youtube tutorials? What if I lose some weight? [always recommended] How can I be the next bug bounty millionare?

In this workshop I will show you a path to be a bug bounty hunter, from my experience starting by chance and from scratch. I will teach you how to use the tools I use everyday to find bugs, but most importantly how to see bug bounty hunting as a complex business process .

What to know before
  • Basic idea of bugs (and bounty hunting)
  • Basic Linux commands (sed, awk, grep)
  • Shell scripting basics
  • Have some practice doing recon

What you will learn
  • How bug bounty programs/platforms work
  • What tools hunters use and how do they work
  • How to hunt for bugs (hopefully for profit)
  • Automatization of your hunting process
How technical is the class
  • 30% theory and concepts
  • 70% Installing, configuring and using tools to find bugs. Send some reports if we are lucky.
  • What tools are we going to use
  • Scanners/automated tools: nuclei, axiom, bbrf, dalfox, Burp.
Recon tools: (subfinder, amass, assetfinder, waybackurls, httpx and more)

What to read/watch in advance
Books
  • The Web Application Hacker's Handbook, 2nd Edition
  • Hands-On Bug Hunting for Penetration Testers (Joseph E. Marshall)
  • Web Hacking 101 (Peter Yaworski)
VideosTrainer Bio(s):
Philippe Delteil is Computer Science Engineer from the University of Chile, he gave his first talk at Defcon 26 Skytalks, called "Macabre stories of a hacker in the public health sector", his country's government sent 3 officials to record the talk, they did. He's been reporting bugs for a year. He's an annoying github issue opener of some opensource tools like axiom, nuclei, dalfox and bbrf; also makes small contributions to 'Can I take Over XYZ?'

Rene Silva is an electrical engineer and part-time bug bounty hunter. He’s been a hacker for 2 years and bug hunter for only a year. He likes CTFs, web hacking and reverse engineering.