How What and Why of Bug Bounty (FQA Bug bounty)

A quick video by Kashif Iqbal covering some key questions about bug bounty. In this video we talk about the how, what, and why of bug bounty: what a bug bounty program is and why you should start one. This video is for everyone who wants to start a career in bug bounty.
Free technology lectures in Urdu and Hindi. We start from scratch, so don't worry, but once you start watching, please don't leave in between, or you will miss everything. So LET'S GET STARTED.


TABLE OF CONTENTS:
00:00:06 Bug Bounty
00:01:54 Why Bug Bounty
00:04:13 Why You Should Not Start
00:05:08 How To Start
00:07:17 What Not to Do
00:07:56 What Platforms

ABOUT US:
Urdu IT Academy is a free online training platform that provides free training in technology. It’s time for students to take command of their learning without using a classroom. The Internet is a source that is convenient and easy to access. UITA gives an incredible opportunity to students who want to polish their skills in Technology. At UITA, we help people from all over the world, enabling them to learn and earn a living from what they love.

Transcript
00:00 (Scribbling)
00:04 (Bell)
00:05 Bismillah-ur-Rahman-ur-Rahim, Assalam-o-Alaikum, I am very excited to record a lecture today.
00:09 I am coming back after a long time.
00:11 So, the topic I have picked today is to talk about Bug Bounty.
00:17 Because for the last two years, I was very, very heavily involved in Bug Bounty program.
00:22 And recently, I have been sitting on the advisory board of a Bug Bounty platform.
00:28 So, I have learnt a lot, I have dealt with it a lot.
00:32 So, I thought why don't we start it.
00:34 And for the last one and a half years, I have helped out 3-4 students in the Bug Bounty world.
00:42 It's not like they are making millions, but they have started their journey.
00:46 And they are very early on in the stage of Bug Bounty.
00:49 But they are doing their part-time work.
00:52 To start with, today we will talk about how, what and why you should start Bug Bounty.
00:59 I am not begging you to start Bug Bounty.
01:02 But what are the capabilities you should possess to take part in this Bug Bounty program.
01:08 So, those who don't know what Bug Bounty is,
01:11 Bug Bounty is a program that allows security researchers or hackers in the airports
01:20 to find a problem or vulnerabilities within your environment.
01:24 And then they report you.
01:26 And when they report you, you pay them in return.
01:29 There is a slight variation in this, which we call VDP.
01:33 Vulnerability Disclosure Program or Bug Bounty Program.
01:36 Now, many branches have started forming in it.
01:39 So, I am recording this only for you guys who know about Bug Bounty.
01:44 And they were thinking whether to do it or not.
01:46 If they do it, then how to do it and all that.
01:48 And what are the capabilities I should have.
01:50 Where should I start from?
01:52 So, without further ado, let's start.
01:56 You feel passionate about it.
01:58 Like, you like exploration work.
02:01 You need to look into the system.
02:02 You can explore them.
02:04 And you, not only passionate, you feel hungry about it.
02:07 That's a very, very fundamental thing.
02:09 If you don't feel hungry, then there is no point.
02:13 I won't tell you to go and get a 4-year degree and then you can start Bug Bounty.
02:16 You need to be passionate, rather hungry about it.
02:19 To be into that field.
02:21 Otherwise, you would not be able to make the cut.
02:23 I would be very honest, don't waste your time.
02:25 You need money.
02:27 Obviously, everybody needs money.
02:29 You can do it part-time.
02:30 You can start part-time and when you feel comfortable, you can do it full-time.
02:34 Many people have primary jobs.
02:36 Along with primary jobs, they also do part-time jobs.
02:38 So, the boys who are around 4 years old, within my circle,
02:43 they are doing part-time jobs.
02:46 One of them is planning to move full-time.
02:49 He started during COVID and he is working remotely.
02:52 And I can make him money.
02:54 If I have done a $1000 Bug Bounty,
02:57 within a month, that's enough for me.
02:59 Or $2000 Bug Bounty.
03:01 Again, it depends.
03:03 And you have a capability of thinking outside the box.
03:06 Always think outside the box.
03:08 I always use that analogy.
03:10 If there is a kid or a person who wants to study pen testing or Bug Bounty,
03:16 I tell him, "Jones, what will you do if I give you something?"
03:20 There is a person who needs a proper, manual approach.
03:24 A detailed approach.
03:25 There is a person who starts opening the package and tries to break it.
03:28 These are different mindsets.
03:30 It's not something that you can build by yourself.
03:33 It's how you are wired sometimes.
03:35 But again, if you keep the growth mindset in mind, you can do this.
03:38 And it's continuous learning.
03:40 It's not something that you learn everything beforehand and start Bug Bounty.
03:45 First, I will become a pen tester and then I will come back.
03:47 It's not a solution like this.
03:48 You need to start it and you need to continually learn it and evolve into it.
03:53 It's not something that you can learn overnight.
03:56 Or you can learn a course from Urdu IT.
03:58 There is a basic course on ethical hacking on Urdu IT.
04:01 That would cover a lot of things.
04:02 You should have basic knowledge of JavaScript.
04:04 You should have basic knowledge of PHP.
04:06 I think you should have enough knowledge to start with.
04:09 But I would cover a couple of other points that you can do.
04:11 That would be an added bonus.
04:13 Why you should not start?
04:17 Obviously, you know that you don't feel passionate about it.
04:20 Again, this is the hungriness point.
04:21 I am repeating this again and again.
04:23 If you are not passionate,
04:24 If you can't consistently give 1 hour, 30 minutes or 5 hours on a daily basis.
04:30 It shouldn't be that you give 5 hours one day and you are gone for the next 15 days.
04:34 After 15 days, you don't remember what you have to do.
04:39 Consistency is the key here.
04:41 Not keen to learn new things.
04:44 You don't have out of box thinking.
04:45 You are in a stage of life where you don't want to learn anything.
04:50 It's a lie that everyone is continuously learning and you are continuously changing.
04:55 But there is a dynamic change.
04:57 Threat vectors are changing.
04:58 Different types of attacks are introduced.
05:01 You need to keep up to date on it.
05:03 If you are working for 1 hour, you are catching up for 1 hour.
05:06 I will tell you what to catch up.
05:08 How to start?
05:10 Understand the basics.
05:12 Have a website.
05:13 Create your own website.
05:15 I would not have been here if I hadn't created my own website and it hadn't been hacked.
05:19 Thanks to all the hackers that did it for me.
05:21 Understand the basics.
05:23 What are the security basics?
05:25 What are the fundamentals?
05:26 Where to start?
05:27 Do an ethical hacking course from Urdu IT.
05:30 PortSwigger Labs, their Burp Suite is a really good tool.
05:35 It has trainings and a platform.
05:38 There are so many videos on YouTube.
05:41 And a very important thing for you is to read disclosure reports.
05:46 When hackers or security researchers hack a platform, they publish a report about it.
05:54 And they put a lot of details in the report about how I hacked it.
06:00 There is a Twitter handle, @pentesterland.
06:04 That's a very helpful Twitter handle.
06:07 There is a lot of information coming in here.
06:08 Like about IDOR, it is being discussed very commonly these days.
06:11 OWASP Top 10.
06:13 You should know what the OWASP Top 10 is.
06:15 SQL injection.
06:16 You will not get SQL injection for everything.
06:18 Maybe CSRF.
06:19 But one thing that is very common is IDOR.
06:21 Insecure Direct Object Reference.
06:23 Very easy.
06:25 I am not going to tell you what IDOR is.
06:27 I would ask you to go and explore it.
06:29 This is your growth mindset.
06:31 This is your hungriness.
06:33 That's where you need to be passionate about.
06:35 CSRF.
06:37 And you should know what is business logic.
06:40 Business logic is that a person has given an email address.
06:42 And we will not create an account without verification on the email address.
06:45 But what if they have put some parameter in the URL which is sort of IDOR.
06:51 You don't know what IDOR is.
06:53 That's why you might be struggling here.
06:55 But anyway, when you read IDOR, you will understand.
06:58 I am not teaching IDOR.
06:59 You have to Google it.
07:00 There is a very nice article written on the website of PortSwigger Labs.
07:05 That's why I strongly suggest you if you have done a course on ethical hacking,
07:09 go work in PortSwigger Labs.
07:11 There are labs on it and in great detail.
07:14 There are very good quality labs.
07:16 What not to do?
07:18 Don't burn out yourself.
07:20 My recommendation is that if you don't get anything in the first 60 minutes,
07:27 move on to the next target.
07:29 Is it clear?
07:31 And the second thing is that a slow and steady approach is important for you.
07:35 It shouldn't be that you have spent 5 hours a day and 1 hour a day.
07:42 Maybe you will be like, I will read different reports for the whole week.
07:48 And then I will take 2 shifts for 2 hours on weekends.
07:51 That's absolutely fine.
07:53 But don't disconnect yourself.
07:55 Now the question is about the platform.
07:57 I am a little biased about the platform.
07:59 Because I am on the advisory board of HackerOne.
08:02 But BugCrowd is also a very good platform.
08:05 There are two types of offerings in BugBounty.
08:11 One is called VDP, Vulnerability Disclosure Program.
08:14 If you find out any vulnerability, we will give you a kudos point.
08:18 Which will be on your badge.
08:20 You will get more positive feedback.
08:24 Unfortunately, you are not getting money in it.
08:26 You are getting it in BugBounty.
08:27 So the new companies that start, they go with the VDP.
08:30 Because it is cheaper, easier and you get lower hanging fruits.
08:33 And BugBounty is when your security researcher starts to look at you in detail.
08:42 So start with VDP.
08:44 You get a lot of things in it.
08:46 Like you will get an open S3 bucket.
08:49 Which is a nightmare for everyone.
08:51 Or if someone has done S3 bucket, it will be in the domain takeover category.
08:56 That can happen.
08:57 There are a lot of things, a lot of categories.
08:59 After that, if a company has programmed and you have reported 5 VDPs.
09:05 The way that company will open BugBounty program, it will invite you privately.
09:09 So the kudos points that you are getting, they always have a value around it.
09:14 So there is BugCrowd and HackerOne.
09:17 After that, what platform?
09:21 I have taken a screenshot of an account on HackerOne.
09:25 I am talking about HackerOne.
09:27 So it will ask you if you are a novice, a starter, an advanced expert or a legend.
09:31 And after that, they give a little training.
09:33 They don't give a lot of depth training but they give a little training.
09:35 So if you stay connected with these two platforms, I think you would cover pretty much everything.
09:39 And in this, if you want to do CTF, VDP, BugBounty program,
09:43 If you want to do a pen test, code review, you cannot do a code review.
09:46 Until and unless you are a professional.
09:48 Reconnaissance, we are talking about threat landscape mapping.
09:53 If a company has 15 servers, web servers,
09:55 Someone has done 16 servers but the security team doesn't know.
09:58 So they are looking for a way to find out the hackers community or security researcher community and tell you.
10:05 And then you would go back and talk to the web developer who has made it live.
10:10 I call it Shadow IT.
10:12 So you go and have a serious talk with him.
10:15 Okay?
10:16 After that, it asks you if you want to do part-time or full-time.
10:20 But as today's things are not live, there is no detail.
10:25 When you make an account on HackerOne, it starts showing you the details in the activity.
10:31 I was talking about the write-ups.
10:33 Now, one of my favorite ideas was
10:53 This on Reddit.
10:55 It has told in detail that
10:57 And then it has made this information public.
11:02 It is already fixed. You cannot hack it.
11:04 It was there that you can put your public link on someone's account.
11:09 When you read this write-up, you will understand.
11:12 If you don't understand this, then it is a separate issue for us.
11:15 Okay?
11:16 So coming back on to the slide.
11:19 So that is what is very important for you.
11:22 And for me, one important thing that I tell everyone.
11:27 If you are not looking, you will not find it.
11:29 If you are sitting at home and say, "I want to do this training, I want to do this training,
11:32 I want to find bug bounty," this will not happen.
11:34 Okay?
11:35 You will have to find it yourself.
11:36 Okay?
11:37 So, thank you again for listening.
11:39 Let's go and find the bugs.
11:41 Stay happy.
11:42 Remember in your prayers.
11:43 See you again.
11:44 Allah Hafiz.
