elhacker.net Forum

General Forums => General Questions => Topic started by: Lino Romero on 6 September 2019, 06:38 am



Title: I need help with bug bounty
Posted by: Lino Romero on 6 September 2019, 06:38 am
Can someone guide me on how to get started properly in this so I can make money? I mean, can you guide me on what's most recommended to start out and make money finding my first bug? Please, I'd really appreciate it.


Title: Re: I need help with bug bounty
Posted by: kub0x on 6 September 2019, 10:47 am
Guide you in what sense? First you have to discover the bug to have something to report. Well-known companies have a bounty program; search on Google whether the company you're evaluating has one, because the vast majority of reported bugs end with a pat on the back and nothing in return.


Title: Re: I need help with bug bounty
Posted by: @XSStringManolo on 6 September 2019, 16:01 pm
Books:
- The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities.
- MySQL Cookbook: Solutions for Database Developers and Administrators.
- https://leanpub.com/ltr101-breaking-into-infosec
- Hands-On Bug Hunting for Penetration Testers.
- Security for Web Developers: Using JavaScript, HTML, and CSS.
- Hacking Workshops: Web Application Hacking, Advanced SQL Injection and Data Store Attacks.
- Web for Pentester, by Louis Nyffenegger.
- Java Platform, Security Developer's Guide.
- Cryptography and Network Security: Principles and Practices.
- Introduction to Modern Cryptography.
- Anonymity, Hacking and Cloud Computing Forensic Challenges.
- Computer Hacking, Security Testing, Penetration Testing and Basic Security.
- Google Hacking for Penetration Testers.
- Gray Hat Hacking.
- Hacking: The Art of Exploitation.
- Hacking: The Art of Exploitation, second edition.
- Mastering Kali Linux for Advanced Penetration Testing.
- Metasploit Penetration Testing Cookbook, second edition.
- The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.
- Penetration Testing: A Hands-On Introduction to Hacking.
- Bug Bounty Hunting Essentials: Quick-paced Guide to Help White-hat Hackers Get Through Bug Bounty Programs.
- The Shellcoder's Handbook, second edition.
- Wireshark Network Analysis.
- https://leanpub.com/web-hacking-101
- https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

Tools:
- http://netcat.sourceforge.net/
- https://www.wireshark.org/docs/
- https://fwhibbit.es/burp-suite-i-la-navaja-suiza-del-pentester
- https://www.metasploit.com/
- https://nmap.org/
- https://github.com/subfinder/subfinder
- http://blog.ironwasp.org/
- https://github.com/guelfoweb/knock
- https://github.com/OWASP/Amass
- https://github.com/aboul3la/Sublist3r
- https://github.com/michenriksen/aquatone
- https://github.com/techgaun/github-dorks
- https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt

Links:
- https://www.cvedetails.com
- http://elladodelmal.blogspot.com/2009/03/serialized-sql-injection-parte-i-de-vi.html
- https://www.attackflow.com/KnowledgeBase/
- https://brutelogic.com.br/
- https://github.com/s0md3v/MyPapers/blob/master/Bypassing-XSS-detection-mechanisms/README.md
- https://www.pentestpartners.com/security-blog/lan-surfing-how-to-use-javascript-to-execute-arbitrary-code-on-routers/
- https://44con.com/44con-training/code-injections-from-beginner-to-advanced-for-defenders-and-attackers/
- https://www.upguard.com/articles/top-20-owasp-vulnerabilities-and-how-to-fix-them?hs_amp=true
- http://www.elladodelmal.com/2010/02/robotstxt-sitemapxml.html
- https://portswigger.net/web-security/xxe
- https://www.netsparker.com/blog/web-security/crlf-http-header

Labs, wargames and the like:
- https://xss-game.appspot.com
- https://xss-quiz.int21h.jp/
- warzone.elhacker.net
- hackthissite

Bug hunting sites:
- https://www.bugcrowd.com/
- https://www.hackerone.com/
- https://www.zerocopter.com/
- https://www.synack.com/
- https://cobalt.io/
- https://www.yeswehack.com/
- https://www.intigriti.com/
- https://www.vulnerability-lab.com/

Looking up a site's responsible disclosure policy.

- https://bugbountyguide.com/hunters/proof-of-concepts.html


Title: Re: I need help with bug bounty
Posted by: Lino Romero on 6 September 2019, 19:29 pm
Thanks, you're an angel from God, I'm going to read all of it.


Title: Re: I need help with bug bounty
Posted by: Lino Romero on 6 September 2019, 19:31 pm
Guide you in what sense? First you have to discover the bug to have something to report. Well-known companies have a bounty program; search on Google whether the company you're evaluating has one, because the vast majority of reported bugs end with a pat on the back and nothing in return.

The companies that appear on HackerOne pay you for that.


Title: Re: I need help with bug bounty
Posted by: @XSStringManolo on 6 September 2019, 20:08 pm
The companies that appear on HackerOne pay you for that.
As of July 2018, HackerOne's network consisted of approximately 200,000 researchers, had resolved 72,000 vulnerabilities across over 1,000 customer programs, and had paid $31 million in bounties.

It depends on the bug you report. I reported several and never got anything. The ones that get paid are usually only the security ones. For example, I found a lot of bugs in games that got me onto the leaderboard, but since they didn't compromise users' security in any way...