Bug hunting for education, fun and profit 11-12-2018

  1. BUG HUNTING FOR EDUCATION, FUN AND PROFIT
  2. INTRO
     • Phillip Wylie, CISSP, OSCP, GWAPT
     • Pentester @ U.S. Bank
     • Adjunct instructor of ethical hacking @ Richland College
     • Bugcrowd ambassador
     • Pwn School founder
  3. WHAT ARE BUG BOUNTIES?
     • Crowdsourced pentests/security assessments
     • Mostly web applications, but also network, devices, automobiles
     • Bug bounty programs can be managed by the company utilizing the bug hunters, or by a bug bounty program management company like Bugcrowd
  4. BUG HUNTING BENEFITS
  5. EARNING POTENTIAL (totally ballpark estimates, not official data)
     • 10-20 hours a week: $20k-$90k
     • 20+ hours a week: $100k-$500k
  6. KNOW YOUR SKILLSET
  7. WEB APP PENTESTING METHODOLOGIES
  8. CORE TOOL: AN INTERCEPTION PROXY
  9. DIVERGING PATHS FOR TESTING
  10. RECON (METHODOLOGY AND OSS TOOLS)
  11. MAPPING AN APPLICATION, KEYS FOR SUCCESS
     • Discern what the valuable data is for the end user
     • Register multiple accounts
     • Register multiple roles
     • Exercise forms
     • Change account data
     • Upload files
     • Bookmark non-standard return content types
     • Profile OSS (open source software) components
     • Try default creds
     • Profile dynamic inputs
  12. EDUCATIONAL RESOURCES
  13. EDUCATIONAL RESOURCES
     • bugcrowd.com/university/
     • samurai-wtf.org
  14. Q&A
  15. PWN SCHOOL LAB DEMO