Introduction to Bug Bounties How to find bugs hands-on How to use popular bug bounty programs Case evaluation: Facebook page takeover bug Conclusions and surprises

1. SQUASHING
BUGS
Introduction to Bug Bounties

2. SESSION OUTLINE
 Introduction to Bug Bounties 2:05-2:15
 How to find bugs hands-on 2:15-2:35
 How to use popular bug bounty programs 2:35-2.45
 Case evaluation: Facebook page takeover bug 2:45-2:255
 Conclusions and surprises 2:55 onwards

3. INTRODUCTION

4. BUG BOUNTY
 A bug bounty program is a deal offered by many websites and software
developers by which individuals can receive recognition and compensation
for reporting bugs, especially those pertaining to exploits and
vulnerabilities.
 These programs allow the developers to discover and resolve bugs before
the general public is aware of them, preventing incidents of widespread
abuse.
 Bug bounty programs have been implemented by Facebook,Yahoo!,
Google, Reddit, Square and Microsoft.

5. REWARDS
 Hall of fame(s)
 $$$
 Study grants and scholarships for research
 Recognition

6. FAQS &
MISCONCEPTIONS I do not have any of those fancy security research tools
 I do not have excellent coding knowledge
 How do I begin and where do I begin?

7. WHAT YOU NEED
 Be able to read and understand code
 Keep an open eye for different attack possibilities
 Keep updated with the latest attacks and see their POCs (Proof of Concept)
 Differentiate between bugs and false positives
(https://www.facebook.com/notes/facebook-bug-bounty/commonly-
submitted-false-positives/744066222274273 )
 Don’t give up!

8. FLOW
 Know about bugs! Refer OWASPTop 10
 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 Use a testing guide!
 OWASPTesting Project (https://www.owasp.org/images/1/19/OTGv4.pdf )
 Follow researchers and their updates!

9. FAMOUS
RESEARCHERS http://www.breaksec.com/?page_id=6002
 http://homakov.blogspot.in/
 https://bitquark.co.uk/blog/
 https://nealpoole.com/blog/
 http://nahamsec.com/
 http://stephensclafani.com/
 http://insertco.in/articles
 arunsureshkumar.me

10. PRACTICE AT
 http://www.dvwa.co.uk/
 https://www.vulnhub.com/
 https://github.com/WebGoat/WebGoat

11. HANDS ON
Search “Google dorks” to find vulnerable websites. Sample strings:
Inurl:admin_login.php site:.pk
SQL Injection string to be entered in username and password fields: ' or 1=1--

12. BURP SUITE
 Burp Suite: Burp Suite is an integrated platform for performing security testing of
applications. Its various tools work seamlessly together to support the entire
testing process, from initial mapping and analysis of an application's attack
surface, through to finding and exploiting security vulnerabilities. Burp gives you
full control, letting you combine advanced manual techniques with state-of-the-
art automation, to make your work faster, more effective, and more fun.
 (It is one of the most awesome tools i have ever come across. there are a lot of
features you can use, just make sure you understand each and every function from
burp suite). I’m sure you know all the functionality will make your task way easier
if it is related to security. But be sure to manually validate your findings as it does
report false positives.
Download: http://portswigger.net/burp/download.html

13. USING BUG BOUNTY
PLATFORMS

14. FACEBOOK WHITEHAThttps://www.facebook.com/whitehat

15. HACKERONEhttps://hackerone.com/internet-bug-bounty

16. GITHUB SECURITYhttps://bounty.github.com/

17. INTERNET BUG
BOUNTYhttps://internetbugbounty.org/

18. PAYTMhttps://paytm.com/offer/bug-bounty/

19. OLAhttps://www.olacabs.com/whitehat

20. MOBIKWIKhttps://www.mobikwik.com/bug-bounty

21. OTHERS
 http://bugsheet.com/directory
 https://www.mozilla.org/en-US/security/bug-bounty/
 https://bugcrowd.com/

22. SOME TERMS USED IN
CLASS
 IDOR: Insecure Direct Object Reference
https://www.owasp.org/index.php/Top_10_2013-A4-
Insecure_Direct_Object_References
 Rate Limiting:
http://www.websecresearch.com/2014/05/a-way-to-bypass-rate-limiting.html

23. RESOURCES TO SCAN WEBSITES
 https://hackertarget.com/joomla-security-scan/
 https://hackertarget.com/wordpress-security-scan/
 https://hackertarget.com/drupal-security-scan/
 https://pentest-tools.com/website-vulnerability-scanning/discover-hidden-directories-and-files
 https://www.magereport.com/
 https://pentest-tools.com/information-gathering/find-subdomains-of-domain
 http://savanttools.com/test-frame
 https://bugcrowd.com/resources
 https://www.ssllabs.com/ssltest/
 http://www.kitterman.com/spf/validate.html
 https://forum.bugcrowd.com/t/researcher-resources-tools/167
 https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102

24. RESOURCES
 Tamper Data:Tamper Data is a Firefox Extension which gives you the power to view, record and
even modify outgoing HTTP requests. If you are not familiar with then just take a look at it once, It is
very helpful in identifying the CSRF issues as well as Finding IDOR.
Download: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
 Live http Headers:To be very frank I rarely use this extension, as it has exactly the same function as
in tamper data the only difference is that, you can capture and reply within the same session.
Download: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
 Default user agent switcher: It gives your ability to change your user agent. Basically i use it to find
mobile version of any site.And you may utilize it whenever you want to see the mobile version of
any website. mostly developers host mobile version on m.xyzdomain.com, but sometimes website
load mobile version after detecting the user agent.With this extension you can change user agent as
mobile and view mobile version of the sites.
Download: https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
 Hackbar: It helps us In SQL as well as XSS, also it encode & decode the string,ASCII conversion.This
extension will help you in exploiting sql injections, XSS holes. If you know what you’re doing, this
extension will help you do it faster. If you want to learn SQL exploitation, you can also use this
extension, but you will probably also need a book, a lot of Google and a brain :)
Download: https://addons.mozilla.org/en-US/firefox/addon/hackbar/

25. FREEBIES
 http://www.autodesk.com/education/free-software/all
 https://aws.amazon.com/grants/
 https://education.github.com/pack

26. LINKS TO CASE
STUDIES Facebook PageTakeover Bug:
http://arunsureshkumar.me/index.php/2016/09/16/facebook-page-takeover-zero-
day-vulnerability/
 Ola Free Rides Bug:
https://blog.appknox.com/major-bug-in-ola-app-can-make-you-either-rich-or-
poor/

27. CONTACT
Avi Sharma – 7830993535 – sharma.avi14@stu.upes.ac.in

28. THANK YOU