The Bug Hunters Methodology Live - DEF CON Edition
Jason Haddix (@jhaddix)
Workshop | Village Classroom
Abstract:
The Bug Hunter's Methodology (TBHM) is a series of talks done by Jason exposing new advents in tools, tactics, and procedures used in web pentesting, bug bounty, and red teaming. In this talk, Jason will explore the mindset of approaching a hardened web target and how he breaks up finding vulnerabilities across its' stack. Many talks can teach you how to exploit a certain vulnerability, less can teach you how to find out where they are in complex pieces of software. TBHM also covers Jason's personal tips/tricks in the areas of automation, content discovery, javascript analysis, spidering, parameter analysis, functionality ""heatmapping"", and more. The DEF CON edition will not be recorded and will release some free cutting edge content usually only available in Jasons live courses!
A Zero to Hero Crash Course to Server-Side Request Forgery (SSRF)
Ben Sadeghipour (@nahamsec)
Workshop | Village Classroom
Abstract:
Server-Side Request Forgery is now one of the most widely recognized and significant vulnerabilities that bug hunters should have in their arsenal. This interactive workshop covers basic exploitation of SSRF, as well as tackling more intricate vulnerabilities that involve chaining multiple exploits, a thorough comprehension of the target's infrastructure, and other advanced techniques.
​
Pre-Prerequisites
-
Basic understanding of web application hacking
-
Knowledge of Web Proxies
-
Working laptop
-
Working WiFi (Will not be doable without access to a working WiFi)
-
Caido (BurpSuite or similar works too!)
Top War Stories from a TryHard Bug Bounty Hunter
Justin Gardner (@Rhynorater)
Talk | Creator Stage
Abstract:
Ask any top bug bounty hunter: the best part of a live hacking event is the Show & Tell; the time when the veil is lifted and we collectively revel in the ingenuity of the best finds from the competition. The goal of this talk is to give you that same experience. I will speak to you as the competent hackers that you are, not withholding the nitty-gritty technical details and the Ls along the way. Together, we’ll journey through the highs and the lows of my hunts, both solo and in a Live Hacking Event context. You’ll see everything from RCE to SQL injection, mass PII leakage to spying on people’s homes and workplaces. You’ll find some bugs mind-numbingly simple, and some bugs mind-bogglingly complex. Each bug in this talk was assigned the highest severity possible, and awarded somewhere between $10k-$60k in bounties.
Practical Exploitation of DoS in Bug Bounty
Roni Carta (@0xlupin)
Talk | Creator Stage
Abstract:
The talk "Practical Exploitation of DoS in Bug Bounty" explains methods for identifying and exploiting Denial of Service (DoS) vulnerabilities in bug bounty programs. Starting with an overview of DoS attacks and their impact, we will highlight how these attacks disrupt services by overwhelming resources or exploiting flaws. The talk covers various DoS attack types, including N+1 errors, in-depth GraphQL crashing, and Cache Poisoning, with real-world examples demonstrating their effects. We will then detail practical techniques for discovering DoS vulnerabilities. This includes automated scanning tools, manual testing methods, and understanding the target system's architecture. N+1 errors occur when an application makes redundant database queries, significantly impacting performance. Attackers can exploit this by triggering numerous unnecessary queries, causing severe slowdowns or crashes. GraphQL, a query language for APIs, can be vulnerable to complex queries that consume excessive resources, leading to server crashes. We will show how to craft such queries and the resulting impact. Cache Poisoning involves manipulating cached data to serve malicious or incorrect content, which can disrupt services or degrade performance. We will explore techniques to poison caches and demonstrate the potential consequences. Additionally, the talk emphasizes the importance of responsibly reporting discovered vulnerabilities to bug bounty programs. Best practices are shared for effectively communicating findings and ensuring timely mitigation. Of course, there are some fails during this path, and those are going to be covered too. The session wraps up by stressing the need for continuous learning and staying updated on the latest trends in DoS attack vectors and mitigation strategies
From Easy Wins to Epic Challenges: Bounty Hunter Edition
Daniel Le Gall (@Blaklis_)
Talk | Creator Stage
Abstract:
Step into the mind of a bug bounty hunter as I take you on a journey through my own adventures in vulnerability hunting. In this presentation, I’ll share some of the most intriguing bugs I've discovered, from the shockingly/stupidly simple to the mind-bendingly complex. We'll start with the surprising simplicity of some bugs, but as the hunt isn’t always so simple, I’ll also reveal some complex bug chains that required advanced knowledge, lot of work and probably some hacker's intuition to know it was worth pushing further. If you want to know how a coffee break gave me the opportunity to get infinite money, or how a vulnerable CAPTCHA helped me to break the encryption of a sensitive application - you're in the right place!
Efficient Bug Bounty Automation Techniques
Gunnar Andrews (@G0LDEN_infosec)
Talk | Creator Stage
Abstract:
If you're a bug bounty hunter, time can literally mean money. For this reason, automation can be a vital part of how you hunt. But automation has limits. Whether this is hardware limits, target rate limits, WAFs & bot detection, and the list goes on. Successful automation techniques should EFFICIENTLY enhance your hunting. Whether it is being first to a fresh target, or finding targets other hunters haven't. We will go over some techniques and tools to get ahead of the pack, without wasting all your time and money.
Leveraging AI for Smarter Bug Bounties
Joel Alexis Noguera (@niemand_sec)
Diego Jurado Pallarés (@djurado9)
Talk | Creator Stage
Abstract:
As security researchers, we constantly attempt to stay ahead of the curve, seeking innovative solutions to enhance our offensive security strategies. In recent years, the advent of artificial intelligence (AI) has introduced a new dimension to our efforts, particularly in the realm of bug bounties and pentesting. While significant attention has been given to understanding and mitigating attacks against AI systems, the potential of AI to assist in the offensive security field remains largely unclear. This talk pretends to dig into the research and development process undertaken to create an AI agent designed to augment the bug bounty and pentesting workflow. Our AI agent is not merely a theoretical concept but a practical tool aimed at enhancing the efficiency and effectiveness of security researchers. We have conducted extensive research to understand how AI can mimic and enhance human intuition and creativity in identifying vulnerabilities. While this may sound trivial, there is little evidence of this being tested before on generative AI agents. Our work breaks new ground by pushing the boundaries of what AI can achieve in offensive security. Will AI become an indispensable tool in our arsenal, capable of autonomously identifying and exploiting vulnerabilities? Join us as we explore the possibilities and implications of AI as an offensive assistant in this new era of offensive security.
Reflections on a Decade in Bug Bounties: Experiences and Major Takeaways
Nikhil Shrivastava (@niksthehacker)
Charlie Waterhouse
Talk | Creator Stage
Abstract:
In this talk, I will share my journey from a novice to a seasoned hunter. I will explore how I used to report low-impact, informative bugs when I first started, and how I progressively improved by learning from the community, embracing failures/duplicates, and incorporating feedback from triage teams and clients. This journey of continuous learning and adaptation led me from reporting low vulnerabilities to effectively chaining and converting them into critical impacts. This session is designed for both aspiring and experienced bug bounty hunters. By reflecting on a decade of lessons learned, I will aim to provide valuable takeaways that can help others navigate their own paths in bug bounty hunting and enhance their skills. Additionally, one Synack triage team member will join me on this talk to help differentiate triage thinking from bug bounty hunters' thinking, providing valuable insights into the collaborative process of vulnerability reporting to acceptance.
I've got 99 problems but a prompt injection ain't pineapple
Chloé Messdaghi (@ChloeMessdaghi)
Kasimir Schulz (@abraxus7331)
Talk | Creator Stage
Abstract:
The ethical and secure disclosure of vulnerabilities in AI has emerged as a pivotal challenge, compounded by the need to address biases and misinformation that often cloud the true nature of these vulnerabilities. This talk delves into the intricate dynamics of vulnerability disclosure within AI, balancing transparency with security. We'll dissect the unique challenges AI presents, such as data bias exploitation and model manipulation, which can amplify the impact of vulnerabilities. Through a lens of real-world examples and recent disclosures, we'll navigate the complexities of responsible vulnerability management in AI. Our discussion will not only aim to shed light on these critical issues but also inspire a unified approach to refining disclosure processes. This concerted effort is vital for enhancing the integrity of AI systems and bolstering public trust in their use.
Hunters and Gatherers: The Realities of Bug Bounty Life
Logan MacLaren (@maclarel_)
Jeffrey Guerra (@s2jeff_gh)
Johnathan Kuskos
Katie Noble
Sam Erb (erbbysam)
Panel Discussion | Creator Stage
Abstract:
Join us for an insightful panel discussion where we bring together seasoned Bug Bounty Program Managers and adept bug bounty hunters. This panel aims to address pressing questions and share diverse perspectives on the evolving landscape of bug bounties. We will dive into the challenges faced by both hunters and managers, discuss strategies to enhance the impact of submissions, and explore the future of bug bounties in the face of emerging technologies, evolving trends, and threats. We will also highlight the importance of bug bounties in the current cybersecurity landscape and share the top elements that contribute to a successful bug bounty program. Lastly, we will provide recommendations for organizations looking to mature their bug bounty programs but are hesitant about expanding. This panel promises to be a valuable opportunity for learning, sharing, and networking for anyone involved or interested in the world of bug bounties.
​
Meet the PortSwigger Research Team
James Kettle (@albinowax)
Gareth Heyes (@garethheyes)
Martin Doyhenard (@tincho_508)
Q/A | Village Classroom
Abstract:
Meet the minds behind a decade of acclaimed web security research. Whether you'd like to query our thoughts on technical matters or career decisions, share something cool you've found, flood us with Burp Suite feature requests, or simply say hi, this is your chance! We're also giving three presentations at DEF CON so if you'd like to treat this as an extended Q&A for those, that's cool too. Please note this session may be chaotic.​
A Bug Hunter's Guide to Account Takeover
Ben Sadeghipour (@nahamsec)
Workshop | Village Classroom
Abstract:
This is a hands-on workshop with a lab that will help students and attendees learn some of the common and interesting ways to takeover accounts or escalate access while looking for vulnerabilities in a web app. These labs are all based on valid and have been awarded bounties by multiple large organizations such as Amazon, Zoom, PayPal, Yahoo, and more!
​
Pre-Prerequisites
-
Basic understanding of web application hacking
-
Knowledge of Web Proxies
-
Working laptop
-
Working WiFi (Will not be doable without access to a working WiFi)
-
Caido (BurpSuite or similar works too!)
Panel of Bug Bounty Community Leaders
Roni Carta (lupin) - Moderator
Jessica Sexton - Senior Director of Community at HackerOne
Ryan Rutan (r00br1q) - Senior Director of Community at SynAck
Lucas (BitK) - YesWeHack Tech Ambassador
Inti De Ceukelaire - Chief Hacker Officer at Intigriti
Michael Skelton (codingo) - VP of Operations at Bugcrowd
Panel Discussion | Village Classroom
Abstract:
Join us for an engaging and insightful panel discussion at the Bug Bounty Village, where community leaders from four of the world's leading bug bounty platforms—HackerOne, Synack, YesWeHack, and Intigriti—come together to share their expertise and vision for the future of bug bounty programs. This panel, moderated by a prominent hacker from the community, will explore the latest trends, challenges, and innovations in the bug bounty space.
​
Attendees will gain valuable insights into how these platforms are evolving to meet the growing demands of cybersecurity, the strategies they employ to attract and retain top talent, and their perspectives on the impact of bug bounty programs on the broader security landscape. Through a crowdsourced Q&A session, community-driven questions will take center stage, allowing participants to delve into topics that matter most to them.
​
Whether you are a seasoned bug bounty hunter, a security professional, or someone new to the field, this panel offers a unique opportunity to learn from the leaders shaping the future of vulnerability disclosure and rewarding ethical hacking. Don't miss this chance to connect with industry pioneers and contribute to the dialogue that drives innovation and collaboration in cybersecurity.
​
Leveraging Internal Systems for Enhanced Bug Bounty Success
Rotem Bar (@rotembar)
Workshop | Village Classroom
Abstract:
Every bug hunter knows the initial steps: reconnaissance, fuzzing, and asset enumeration, But what if I told you there's a way to get everything you need internally and have it handed to you on a silver platter? Join me as I share my journey as part of different security teams across my career. I'll reveal the methods and tricks I've developed to utilize internal systems to retrieve crucial data, significantly boosting productivity in finding and exploiting flaws in our code. I'll present success stories and real-life examples where researchers uncovered critical vulnerabilities with internal assistance. Additionally, I'll delve into the tactics and techniques I employ to obtain this valuable data, providing program owners with insights to elevate their game—if they dare to expose this information.
Unveiling Vulnerabilities: A Comprehensive Guide to Bug Bounty Recon
Prince Chaddha (@princechaddha), Tarun Koyalwar (@KoyalwarTarun), Dhiyaneshwaran Balasubramaniam (@DhiyaneshDK)
Workshop | Village Classroom
Abstract:
In the rapidly evolving landscape of cybersecurity, effective reconnaissance is the cornerstone of successful bug bounty hunting. This presentation will guide you through identifying, enriching, and prioritizing targets before any scanning occurs, emphasizing the importance of uncovering "unknown unknowns." We will cover the use of tools like subfinder and amass for asset discovery, followed by httpx for extracting relevant data such as titles and ports. Prioritization will be discussed to focus efforts on high-potential targets, including those requiring sign-in. Once prioritized, we'll move to scanning, employing advanced techniques to uncover hidden files and functionalities, targeting both known vulnerabilities and the elusive "unknown unknowns." Finally, we'll focus on exploiting discovered functionalities, equipping you with the skills to uncover and exploit weaknesses. Join us to enhance your bug bounty hunting capabilities with a methodical approach to reconnaissance and exploitation, ensuring no stone is left unturned in your quest for vulnerabilities.
High ROI Manual Bug Hunting Techniques
Justin Gardner (@Rhynorater)
Workshop | Bug Bounty Village Classroom
Abstract:
Who isn’t busy nowadays? When you sit down to hack, you want to find a bug, or at least know you’re on the right track to find one. Over the past 5 years of full-time bug bounty, I’ve identified a couple of techniques that will get you some quick wins on most applications. I’ll show you how to apply these techniques, and then, building upon them, direct your longer-term testing to keep finding bugs and getting the best ROI for your time hunting. This workshop is oriented toward equipping you to make the most money with the least time investment. These are not the most technical bugs. These are the bugs that pay the bills and keep you well-fed, dopamine'ed up, and pushing deeper into these apps. In this workshop, we'll target REAL bug bounty targets, and apply the very techniques I've used in the past to find bugs on these targets. We'll cover mega-efficient testing techniques for various types of client-side access controls and IDORs. We'll cover polyglot usage for generic injection testing. We'll cover attack vector ideation, friction minimization, gadget hunting, organization. And much, much more. All of these things will keep you motivated, on track, and efficient as you push through the slog of HTTP requests between you and your next pay day. Leggo.
​
What skill level is your presentation aimed at?
All skill levels, but attendees should have a basic understanding of web architecture and web vulnerabilities such as XSS, CSRF, IDOR, and Broken Access Controls.
​
Pre-Requisites:
Bring your laptop. Please come with Caido installed (or Burp, if you must) and a general understanding of HTTP requests and web testing.
Why you should be hunting on Web3 Bug Bounties
Gonçalo Magalhães (@realgmhacker)
Workshop | Village Classroom
Abstract:
The presentation will feature a brief introduction to Web3 and Web3 bug bounties, notoriously some of the differences that the typical blockchain transparency brings in comparison to web2. Then we will explain what’s at stake in Web3. In traditional bug bounties, what's most often at stake is PII data, as well as critical infrastructure. In the blockchain world, money is at malicious actors' finger tips - extremely large sums of money. We will go over some of the most notorious hacks that happened in Web3, and we will look at real blockchain data:
-
The technical details of the exploit
-
The money flows
-
The out of this world messages sent in the negotiation process between the hackers and the hacked protocol. Yes, often this negotiation actually happens through transparent blockchain transactions.
Finally, we will recreate some of the most iconic +$1M bounties and their proof of concepts. At least one will be on smart contracts, one will be on the blockchain stack and one on will be in novelty zero knowledge circuit technology.
LFG! Forming a Bug Bounty Hunting Party
Harrison Richardson (@rs0n_live)
Workshop | Village Classroom
Abstract:
James "Jimmy" Donaldson, better known by his online handle Mr. Beast, is the most successful YouTuber of all time. The digital superstar has often spoken about how learning to make digital content with a group was the reason he was able to grow so quickly. By collaborating with a small cohort of people who shared his passion, each individual was able to not only learn from one another's unique skills, but most importantly, they learned from each other's failures and made corrections to avoid those pitfalls themselves. This workshop is designed to help you learn to apply this same principle to Bug Bounty Hunting and grow exponentially faster than you can on your own.
After sharing some success stories from his own journey, Harrison Richardson (rs0n) will lead the audience in forming small bug bounty hunting groups optimized for success. Attendees will be grouped based on their technical skills, bug bounty experience, and work experience to build an effective cohort. Next, rs0n will guide each group in selecting a public Bug Bounty Program based on their combined skills and will coach the groups individually on working together to find and report bugs. Special emphasis will be placed on learning to take essential notes and build a custom hunting methodology that works for you and your team. Finally, rs0n will host a live Q&A session to answer any "burning" questions the participants have about bug bounty hunting and/or transitioning to a career of Application Security.
There have been massive strides made in the bug bounty industry over the past few years, but one problem continues to persist. Researchers at all levels view other bug bounty hunters as competition who will steal their techniques. The goal of this workshop is not only to teach the skills needed to effectively collaborate on bug bounty programs, but also to demonstrate the immense value of collaboration when learning offensive security.
Lost in Translation - WAF Bypasses By Abusing Data Manipulation Processes
Ryan Barnett (@ryancbarnett)
Isabella Barnett (@4ng3lhacker)
Workshop | Village Classroom
Abstract:
In today's dynamic web application ecosystem, there exists numerous data manipulation processes to sanitize, translate and manipulate data for use by applications, for storage in back-end systems or sent to clients in web browsers. These same processes, however, can also be leveraged by bug hunters to obfuscate attack payloads from intermediary security systems such as web application firewalls (WAFs). In this workshop we will discuss several abuse scenarios including Edge-Side Includes (ESI), XSS Sanitizers and Unicode Normalizations.
Pre-Requisites:
Hands-on labs will be hosted on YesWeHack’s free DOJO platform (https://dojo-yeswehack.com/). Participants are encouraged to sign up for an account in advance and will use their own laptops for labs.
Caido Internals Deep-Dive
Emile Fugulin (@TheSytten)
Workshop | Village Classroom
Abstract:
Get a deep-dive into the more complex and powerful parts of Caido by its creators. We will cover various topics ranging from:
-
Using HttpQL at its full potential
-
Creating complex workflows and leveraging them in your day-to-day
-
Using the Caido GraphQL API to extend the tool
-
Building frontend plugins
-
And more!
​
We will also be there to answer all your complex technical questions.
Pre-Requisites:
Install Caido if you want to follow along.
Prototype Pollution in Depth, From Beginner to 0-day Hunter.
Lucas Philippe (@BitK_)
Workshop | Village Classroom
Abstract:
Prototype pollution is a vulnerability in JavaScript applications that can have varying impacts depending on the complexity and nature of the affected app. By manipulating an object's prototype chain, an attacker can introduce malicious properties, leading to unexpected behavior and potentially allowing the attacker to execute arbitrary code.
In this workshop, we will first try to understand the subtleties of the Javascript prototype chain. Then, we will explore different techniques for black box detection. Finally, we will use pp-finder to find new RCE gadgets in popular libraries.
Pre-Requisites:
Attendees are expect to have basic Javascript knowledge and have a computer with docker ready