Page 38 - Hands-On Bug Hunting for Penetration Testers

Choosing Your Hunting Ground (Chapter 2)

Their blog is a good source for more general infosec analysis. In one series, they provide an in-depth analysis, including source code examples, of the Windows exploits used by the Shadow Brokers, the infamous hacking syndicate known to have leaked NSA hacking tools in the summer of 2016.


Finding Other Programs


Many companies have bug bounty programs. If there's a particular site or app you're interested in testing, finding out whether it's covered by a bug bounty is as easy as a couple of searches. Queries that take advantage of Google's expressive search syntax, such as inurl:security, intext:bug bounty, and intext:reward, are all great building blocks you can use to discover new programs. You can even combine them to drill down into bounty programs that are specific to a certain application: a query such as intext:"Bug Bounty" AND intext:"vulnerability" AND intext:"reward" AND inurl:"/wp-content/" can be used to return program pages for WordPress sites (credit to Sachin Wagh (@tiger_tigerboy) for the dorks).
You can even set up a Google Alert using these search terms and others, to give you a simple, automated way of discovering new programs to participate in.

For something a little less ad hoc: in addition to the great teaching resources it provides, Bugcrowd curates a member-populated list of available bug bounty programs, noting whether each pays financial compensation or company swag, how old it is, and whether it features a "Hall of Fame" for successful researchers. You can find the table at https://www.bugcrowd.com/bug-bounty-list/.

Firebounty, mentioned earlier as a product of YesWeHack, is a hybrid that lists bounty programs from other platforms as well as its own unique offerings. As a product of the French security scene, it has an interesting mix of both transatlantic and European websites, mobile apps, and APIs.



Money Versus Swag Rewards

Many of the programs you'll find won't provide a cash payout, but instead offer company swag (shirts, water bottles, and so on). Don't skip over these programs. Besides being less trafficked, which ups your chances of finding a bug, and giving you great practice at finding vulnerabilities on a live production site, many swag programs hosted on third-party marketplaces also count toward your profile's chances of being invited to a private program, on platforms that support them.


