After presenting this topic at NULL Bangalore Jan
Meet, I got loads of appreciation from various peopl,
and one such appreciation I got was from my friend
marge sketell. And that’s why I decided to write an
article about the presentation I gave.
This article gives you an insight with hunting bugs,
and hopefully it becomes a kick-starter guide for the
beginners who want to start off with bug bounty.
Well, today hunting bugs in the wild has become a
new trend. Coz almost every company has started a
responsible disclosure page and hence allows
hackers like us to make some name, fame and
money…:P I too was fascinated to start off with bug
bounty when I saw my friends around me getting those flashy Facebook Bug Bounty Whitehat Card or
when they got a new payment for finding a bug or
when they got a new T-Shirt from a company.
Before knowing about BUG BOUNTY, let’s see the
types in which the Vulnerability Disclosure is done.
We generally have two ways of disclosing
vulnerabilities:
- Full Disclosure
- Responsible Disclosure
Full Disclosure is when a person goes onto his blog or any other form of public media and writes about
the vulnerability that he discovered in the wild most
of the times without informing the company where
he found the vulnerability. This would allow various
other hackers around the world to exploit this
vulnerability. This would sometimes lead to problems because the company where you found the bug has got every right to take legal actions against you for letting out the information.
Responsible Disclosure Responsible Disclosure is where the person who finds
a vulnerability in a website directly tells it to the
authorities of that website, so that they can rectify
the issue as early as possible. And most of the
companies reward them in return for reporting the
vulnerability.
And this is what is BUG BOUNTY. Well, bug bounty is indeed really a nice way to earn money. But more than money when your name comes up in their HALL OF FAME or the company’s RESPONSIBLE DISCLOSURE page, then that’s priceless. Coz that is what gives your resume some extra weightage and makes you stand out when compared to your peers.
Books to read before Hunting Bugs:
Well, these are the book I generally recommend
anyone who wants to start off with web application
pen-testing or particularly BUG BOUNTY.
- Web Application Hackers Handbook ,
Second Edition(Considered to be the Bible
of Web Application Pen-testers) - Hacking- The Art Of Exploitation
- OWASP Testing Guide v3.0
BUG Hunter’s TOOLKIT: These are the basic tools that most of the bug hunters
generally use and suggest.
Proxy:
- Burp Suite
- Web Scarab
- Fiddler
- Paros Proxy
Mozilla Firefox is the best browser if you want to hunt
bugs. And it is the best one coz of its awesome
addons that ease our job.
Mozilla Firefox ADDONS
- Tamper Data
- web Developer Extensions
- Live HTTP Headers
- Firebug
- XSS Me Sidebar
- Hackbar
- And many more...
Other Useful Tools:
- IRONWASP
- XENOTIX
Optional Tools:
Camtasia Sreen Recorder and Snipping Tools (Useful
for creating Proof Of Concepts).
List Of BUG BOUNTY Programs:
Well here is the link that provides you a BIG list of Bug Bounty Programs and Responsible Disclosure Pages. http://www.ehackingnews.com/2012/12/list-of-bug-bounty-program-for.html
Other ways to earn BOUNTY:
Recently I came across this new startup called
BugCrowd that manage organized Bug Bounty for
various companies. Just register yourself to start off with hunting bugs and earn money. http://bugcrowd.com/?kid=NG66
It’s a nice initiative indeed where in it’s a win-win situation for everyone. The company gets its site tested from best of the best hackers across the globe and indeed the hackers get paid for finding bugs and reporting it to them. Anyways, I hope the above article gives enough info
to start off with Bug Hunting.
Anyways I wish ALL THE BEST to all the beginners who want to start off with Bug Hunting.
Always Remember: “If you’re good at Something, then never do it for FREE…!!!”
Happy Hunting…;-D
Happy Hunting…;-D
wow....this is great for newbie hackers, thanks for your help
ReplyDelete