Bug Hunter's Methodology
28th February 09:00 AM - 6:00 PM IST
Course Abstract
Bugcrowd is happy to offer a full-day workshop for bug hunters to learn both intro and advanced topics in web bug hunting. Each BCU module will cover a vulnerability, describing its nature, how to identify it, how to exploit it, and the relevant tools associated with it, and will include labs for students to test their skills. These Bugcrowd University modules are designed to enable the crowd to spot and exploit Priority One level bugs, even in seemingly complex web applications.
    (Intro) What makes a good submission
    (Intro) Burp Suite Workshop
    (Intermediate) Asset Discovery and Recon
      IP enumeration (ASNs and Cloud)
      Brand Enumeration (Acquisitions, RevWHOIS, Reverse tracker Analysis)
      Subdomain Enumeration (Scraping and Bruteforcing)
      Effective Port Scanning
      Version based vulnerability analysis
      Directory Bruteforcing / Content Discovery best practices
      Prioritizing target testing areas by technology and features (Advanced)
    (Advanced) XML External Entity Injection
      An introduction to XXE
      XXE Identification
      XXE Tooling / payloads
        XXE Labs
    (Advanced) Authorization & Access Control Testing (MFLAC, IDOR)
      The ever-giving IDOR and MFLAC
      Examples
        Labs
    (Advanced) Server Side Request Forgery
      An introduction to SSRF
      SSRF Identification
      SSRF Tooling
        SSRF Labs
    (Advanced) Security Misconfiguration (Git, AWS, Subdomain, ++)
      Introduction to AWS S3 Permissions
        Labs
      Git pillaging
        Labs
      GitHub robbing
        Live exercise
      CI/Code repositories exploitation (no lab)
      Subdomain takeover
        Labs
Upon completion of this training, attendees will know: At the end of this course, students should have solid fundamentals in web testing for the vulnerabilities that are most likely to show up in the wild today. Not only does the course aim to arm the student with the techniques, tools, and labs, but also with a contextual and data-driven methodology on where and how to look for each vulnerability.
Attendees should bring: a laptop, Burp Suite (Pro preferred), and a VM or equivalent access to a *nix command line.
Prerequisites for attendees: General web application security testing knowledge is required. Some topics will assume familiarity with OWASP Top Ten type vulnerabilities.
These trainings are 100% FREE to all OWASP Seasides attendees, on a first-come, first-served basis only!
About the trainer: Jason Haddix is the VP of Researcher Growth at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industry's relations with researchers. Jason's interests and areas of expertise include mobile penetration testing, black box web application auditing, network/infrastructure security assessments, wireless network assessment, binary reverse engineering, and static analysis.
Registration is closed. However, all the events and workshops are on a first-come, first-served basis. Please reach the venue early to grab your spot.