In this blog I will try to give an introduction to Bug Bounty programs and cover some basics: what the prerequisites are and how to approach bug hunting.
Web Application Security is a vast field, and with the advent of Web 2.0 the attack surface has increased exponentially. The Internet has become wilder with the number of web applications that get hosted every day. Doing business and reaching the end user has become easier with the web application revolution.
While hosting these web applications, security is seldom given importance. Developers concentrate more on functionality, and with deadlines hanging over their heads it becomes a little difficult for them to keep security in mind. I will agree that security has now gained pace and people have become more aware, but where there is code, there is a chance of vulnerability.
Big firms have realised that it is very difficult to hunt down all the bugs before a product is released to the market. So came the concept of the Bug Bounty program.
This program was initially introduced to narrow down the number of security bugs with the help of security researchers around the world. The concept was very similar to the earlier concept of bounty hunters, who were hired by the police to catch notorious criminals. To appreciate their contribution they were paid a good amount of money, which also helped them keep going.
Over time this programme has turned into a process wherein people (security researchers, evangelists, developers) can responsibly disclose potential bugs in web applications. Here the words RESPONSIBLE DISCLOSURE have to be kept in mind. Maybe I will write some other day on what it is all about.
The people who hunt down these bugs are usually referred to as BUG HUNTERS. To reward them, companies have chosen a variety of ways, which can be anything from a monetary reward to some cool tee shirts to an entry in their HALL-OF-FAME.
This is a very good way to develop your skills in the Web Application Security domain while earning a bit as well. Though the main attraction is money, you cannot deny how cool the tee shirts and the fame that come along with it are.
Let's get down to the prerequisites which can get you going with bug hunting :)
Prerequisites
To start hunting it is very important to know the basic concepts of how a web application works. Understanding the usual architecture really helps in a real scenario.
There are various websites and materials available on the internet through which this can be done.
The Web Application Hacker's Handbook is a very good book which explains the concepts from the very basics and is a must read for everyone in the web application security domain or who wants to jump into it.
Apart from this, one should also be well acquainted with the OWASP Top 10 vulnerabilities. (You can get more details about OWASP on its website, www.owasp.org.)
TOOLS
Tools are the ammunition you will want while hunting those bugs down. You can always write scripts to do the job, but tools come in handy. Some tools which are awesome are listed below:
The very famous BURP SUITE: it is the most famous and widely used intercepting proxy, and it lets you modify requests on the fly. It is famous because of its versatility (The Web Application Hacker's Handbook uses this proxy in its research and examples).
Apart from this there are hundreds of different tools available which can be used as per the requirement or the type of vulnerability you are hunting for.
BLOGS:
Most importantly, you should sign up for some security blogs which help you understand different aspects of how to find bugs and learn. A lot of security researchers also disclose how they performed the hunt, after getting consent from the company they found the bug in, and submit complete reports which are readily available for study.
Apart from this, you should also sign up for websites that host bug bounty programmes on behalf of participating firms. This makes the bug hunter's job very easy, as they can submit reports in a common format and track the progress.
Some common websites are:
The most important part of any bug hunting program is how you report the bugs. There are different ways of submitting. An email explaining the scenario or a video will be helpful as a part of the POC.
Be polite to the person on the other side of the table. Just think about their job of handling so many issues :)
There are many criteria which actually decide the amount of bounty or reward you are entitled to. Every company has its own rules on which it decides this.
Don't get disheartened if you receive less money. Do it for the fun of it :)
Things To Remember: READ READ READ READ.
Some useful resources: