WEBVTT

1
00:00:00.080 --> 00:00:03.720
<v Speaker 1>Imagine getting paid to find like the digital version of

2
00:00:03.759 --> 00:00:07.240
<v Speaker 1>an unlocked door, not to break in, but just to

3
00:00:07.519 --> 00:00:09.160
<v Speaker 1>point it out so the owner can fix it.

4
00:00:09.359 --> 00:00:12.199
<v Speaker 2>Yeah, that's pretty much the gist of ethical hacking and

5
00:00:12.199 --> 00:00:12.960
<v Speaker 2>bug bounties.

6
00:00:13.080 --> 00:00:15.480
<v Speaker 1>It's this really fascinating world where you can sharpen your

7
00:00:15.480 --> 00:00:19.359
<v Speaker 1>cybersecurity skills and, well, maybe even earn some serious rewards.

8
00:00:19.480 --> 00:00:24.160
<v Speaker 2>Absolutely, and it's a field that's constantly changing, always needing

9
00:00:24.239 --> 00:00:27.359
<v Speaker 2>sharp people to spot those weaknesses that crop up with

10
00:00:27.440 --> 00:00:29.839
<v Speaker 2>new tech. Companies see the value in it.

11
00:00:29.800 --> 00:00:33.000
<v Speaker 1>It definitely, and that's exactly what we're diving into today.

12
00:00:33.039 --> 00:00:35.640
<v Speaker 1>on the Deep Dive. We got some great source material

13
00:00:35.679 --> 00:00:39.280
<v Speaker 1>from a listener, excerpts from Bug Bounty from Scratch by

14
00:00:39.320 --> 00:00:41.520
<v Speaker 1>Francisco Javier Santiago Vasquez.

15
00:00:41.560 --> 00:00:42.759
<v Speaker 2>Oh yeah, that sounds useful.

16
00:00:42.880 --> 00:00:45.240
<v Speaker 1>It really looks like it seems perfect for anyone curious

17
00:00:45.240 --> 00:00:47.079
<v Speaker 1>about this or you know, maybe already in it but

18
00:00:47.320 --> 00:00:48.439
<v Speaker 1>wanted to sharpen their game.

19
00:00:48.640 --> 00:00:52.000
<v Speaker 2>Right, and looking at the author, Francisco Vasquez, he's got

20
00:00:52.039 --> 00:00:57.359
<v Speaker 2>real hands-on experience red teaming, pen testing across different industries.

21
00:00:57.399 --> 00:00:58.799
<v Speaker 2>That counts for a lot.

22
00:00:58.880 --> 00:01:02.119
<v Speaker 1>It does. Plus, the book's got endorsements from people like

23
00:01:02.159 --> 00:01:06.799
<v Speaker 1>Muhammad Hadji, big name in bug bounties, and doctor Shifah Cyklwala,

24
00:01:07.200 --> 00:01:10.280
<v Speaker 1>another cybersecurity leader, add some weight, doesn't it?

25
00:01:10.519 --> 00:01:12.920
<v Speaker 2>Yeah, definitely suggests it's a credible resource.

26
00:01:13.159 --> 00:01:16.959
<v Speaker 1>So our mission today is basically to pull out the

27
00:01:17.319 --> 00:01:21.000
<v Speaker 1>essential stuff about bug bounties from this book. What they are,

28
00:01:21.400 --> 00:01:24.159
<v Speaker 1>how they actually work, the kind of skills and tools

29
00:01:24.159 --> 00:01:24.840
<v Speaker 1>you need, and.

30
00:01:24.760 --> 00:01:26.799
<v Speaker 2>Some of the core techniques bug hunters use.

31
00:01:26.879 --> 00:01:29.799
<v Speaker 1>Right, exactly. Think of this as like your shortcut to

32
00:01:29.920 --> 00:01:32.760
<v Speaker 1>understanding the basics without getting totally bogged down in detail.

33
00:01:32.959 --> 00:01:35.120
<v Speaker 2>Sounds good. Let's get into it. Okay.

34
00:01:34.879 --> 00:01:37.680
<v Speaker 1>So let's kick things off. What is a bug bounty

35
00:01:37.840 --> 00:01:38.959
<v Speaker 1>in simple terms?

36
00:01:39.400 --> 00:01:43.040
<v Speaker 2>Okay. Essentially, it's when a company puts out an open invitation.

37
00:01:43.280 --> 00:01:46.439
<v Speaker 2>They're basically saying, hey, find security flaws in our systems,

38
00:01:46.480 --> 00:01:48.480
<v Speaker 2>tell us about them, responsibly.

39
00:01:48.040 --> 00:01:50.840
<v Speaker 1>Follow our rules, and we'll reward you exactly.

40
00:01:51.239 --> 00:01:54.480
<v Speaker 2>And that reward it can be cash, sometimes small, sometimes

41
00:01:54.519 --> 00:01:57.400
<v Speaker 2>pretty substantial, depending on how critical the bug is, or

42
00:01:57.799 --> 00:02:00.519
<v Speaker 2>it might be public recognition, like getting your name on a

43
00:02:00.560 --> 00:02:01.079
<v Speaker 2>hall of fame.

44
00:02:01.359 --> 00:02:05.480
<v Speaker 1>Okay, but how do these companies actually connect with the hackers,

45
00:02:05.560 --> 00:02:08.759
<v Speaker 1>the researchers looking for these bugs. It's not like the

46
00:02:08.919 --> 00:02:10.439
<v Speaker 1>they post job ads, is it? No?

47
00:02:10.520 --> 00:02:14.199
<v Speaker 2>Not usually. That's where bug bounty platforms come in. Think

48
00:02:14.199 --> 00:02:19.280
<v Speaker 2>of them as middlemen, like brokers, sort of. Platforms like

49
00:02:19.319 --> 00:02:23.000
<v Speaker 2>HackerOne, Bugcrowd, they're big ones. They connect the

50
00:02:23.039 --> 00:02:27.639
<v Speaker 2>companies running these programs with the security researchers. So researchers

51
00:02:27.680 --> 00:02:31.000
<v Speaker 2>sign up, find programs that fit their skills and get

52
00:02:31.080 --> 00:02:32.000
<v Speaker 2>hunting. Right.

53
00:02:32.039 --> 00:02:34.840
<v Speaker 1>So a company lists their program on HackerOne, for instance,

54
00:02:35.120 --> 00:02:37.319
<v Speaker 1>how does it actually work? Then? What are the steps?

55
00:02:37.400 --> 00:02:39.520
<v Speaker 2>Well, the company first sets out the rules, the terms

56
00:02:39.520 --> 00:02:43.800
<v Speaker 2>of engagement. This includes what kinds of vulnerabilities they care about,

57
00:02:43.840 --> 00:02:47.759
<v Speaker 2>which systems are in scope, that's crucial, what you're allowed

58
00:02:47.360 --> 00:02:50.280
<v Speaker 1>to test, and what you're not allowed to touch. Precisely.

59
00:02:49.919 --> 00:02:52.800
<v Speaker 2>And they'll also list the rewards for different bug severities.

60
00:02:53.280 --> 00:02:55.800
<v Speaker 2>Then the researchers get to work. If they find something

61
00:02:55.919 --> 00:02:59.080
<v Speaker 2>valid and it's within that defined scope, they write up

62
00:02:59.080 --> 00:03:03.199
<v Speaker 2>a report. Yes, submitted to the platform. The company's security

63
00:03:03.240 --> 00:03:06.439
<v Speaker 2>team reviews it. If they agree it's a real in

64
00:03:06.560 --> 00:03:09.639
<v Speaker 2>scope vulnerability, the researcher gets the reward.

65
00:03:09.879 --> 00:03:13.159
<v Speaker 1>Okay, are all these programs pretty much the same or

66
00:03:13.199 --> 00:03:14.319
<v Speaker 1>do they vary? Oh,

67
00:03:14.319 --> 00:03:17.280
<v Speaker 2>They vary quite a bit. Some are really specific, like

68
00:03:17.360 --> 00:03:19.919
<v Speaker 2>focusing only on their mobile app, maybe an Android or

69
00:03:19.919 --> 00:03:23.520
<v Speaker 2>iOS app, or just one specific API, while others are

70
00:03:23.560 --> 00:03:26.599
<v Speaker 2>broader. Exactly, some might cover a much wider range of

71
00:03:26.639 --> 00:03:29.400
<v Speaker 2>their digital assets. And then there's a difference between public

72
00:03:29.439 --> 00:03:30.520
<v Speaker 2>and private programs.

73
00:03:30.680 --> 00:03:31.800
<v Speaker 1>Ah, okay, what's that?

74
00:03:32.039 --> 00:03:36.080
<v Speaker 2>Public programs are open to basically anyone registered on the platform.

75
00:03:36.360 --> 00:03:40.159
<v Speaker 2>Private ones, though, are invitation only. Usually you get invited

76
00:03:40.199 --> 00:03:43.240
<v Speaker 2>based on your track record, your reputation on the platform.

77
00:03:42.840 --> 00:03:45.400
<v Speaker 1>So proving yourself in public programs can lead to private

78
00:03:45.120 --> 00:03:50.560
<v Speaker 2>invites? Potentially, yes. And one more type, vulnerability disclosure programs

79
00:03:50.680 --> 00:03:54.560
<v Speaker 2>or VDPs. They're similar. They want you to report vulnerabilities,

80
00:03:54.560 --> 00:03:57.759
<v Speaker 2>but they typically offer recognition, maybe some swag, but not

81
00:03:57.879 --> 00:03:59.000
<v Speaker 2>usually cash rewards.

82
00:03:59.360 --> 00:04:02.680
<v Speaker 1>Got it. So, okay, someone's listening. Maybe they have some

83
00:04:02.759 --> 00:04:06.479
<v Speaker 1>tech background and they're thinking, hmm, this sounds interesting. What

84
00:04:06.599 --> 00:04:09.439
<v Speaker 1>kind of foundational knowledge is really needed to even start

85
00:04:09.439 --> 00:04:10.120
<v Speaker 1>thinking about this?

86
00:04:10.400 --> 00:04:13.759
<v Speaker 2>Yeah, the book really stresses having a basic grasp of

87
00:04:15.080 --> 00:04:19.439
<v Speaker 2>core computer science concepts, things like networking fundamentals, how systems

88
00:04:19.480 --> 00:04:20.079
<v Speaker 2>generally work.

89
00:04:20.240 --> 00:04:22.120
<v Speaker 1>You don't need to be an expert pen tester.

90
00:04:22.000 --> 00:04:23.959
<v Speaker 2>From day one, no, not at all, but having that

91
00:04:24.040 --> 00:04:27.680
<v Speaker 2>solid base helps you understand how things are built, which

92
00:04:27.720 --> 00:04:29.680
<v Speaker 2>then helps you figure out where they might be weak.

93
00:04:29.920 --> 00:04:32.319
<v Speaker 1>You know, right, makes sense. So you've got that foundation.

94
00:04:32.480 --> 00:04:34.639
<v Speaker 1>You go onto one of these platforms and there are

95
00:04:34.639 --> 00:04:37.600
<v Speaker 1>maybe hundreds of programs. How do you even pick where

96
00:04:37.600 --> 00:04:38.040
<v Speaker 1>to start?

97
00:04:38.680 --> 00:04:42.240
<v Speaker 2>That's a really good question. It's strategic. The book suggests

98
00:04:42.360 --> 00:04:46.600
<v Speaker 2>looking at a few things. First, does the program focus

99
00:04:46.639 --> 00:04:49.000
<v Speaker 2>align with your skills? If you know web apps, well,

100
00:04:49.120 --> 00:04:49.839
<v Speaker 2>maybe start there.

101
00:04:49.959 --> 00:04:51.439
<v Speaker 1>Play to your strengths. Exactly.

102
00:04:52.000 --> 00:04:54.399
<v Speaker 2>Second, and this is super important, you have to understand

103
00:04:54.480 --> 00:04:58.720
<v Speaker 2>the program's scope, what domains, what apps are okay to test,

104
00:04:59.240 --> 00:05:01.120
<v Speaker 2>what's explicitly forbidden.

105
00:05:01.439 --> 00:05:05.439
<v Speaker 1>The book mentioned some examples, right, from HackerOne, Snapchat,

106
00:05:05.480 --> 00:05:06.000
<v Speaker 1>and Visa.

107
00:05:06.199 --> 00:05:08.800
<v Speaker 2>Yeah, those are good examples because they show the contrast.

108
00:05:09.199 --> 00:05:13.319
<v Speaker 2>Snapchat apparently gives a really detailed list of what's in scope.

109
00:05:13.439 --> 00:05:15.879
<v Speaker 2>Visa's example in the book is more about illustrating the

110
00:05:15.920 --> 00:05:18.519
<v Speaker 2>reward structure. You know, how much they might pay for

111
00:05:18.560 --> 00:05:20.160
<v Speaker 2>different types of flaws.

112
00:05:19.759 --> 00:05:23.199
<v Speaker 1>And getting that scope wrong is bad news, very bad news.

113
00:05:23.560 --> 00:05:26.800
<v Speaker 2>Testing things that are explicitly out of scope can land

114
00:05:26.839 --> 00:05:29.720
<v Speaker 2>you in serious legal trouble. It's not worth the risk.

115
00:05:29.839 --> 00:05:36.279
<v Speaker 1>Definitely not. So, scope, skills, what else? Rewards must play

116
00:05:36.319 --> 00:05:36.639
<v Speaker 1>a part?

117
00:05:36.759 --> 00:05:39.199
<v Speaker 2>Oh, for sure. I mean, learning is great, the challenge

118
00:05:39.240 --> 00:05:41.680
<v Speaker 2>is fun, but let's be honest, the potential payout is

119
00:05:41.720 --> 00:05:45.040
<v Speaker 2>a big motivator for many people. Looking at the reward

120
00:05:45.079 --> 00:05:47.439
<v Speaker 2>tiers can help you decide where to invest your time.

121
00:05:47.600 --> 00:05:50.439
<v Speaker 2>Makes sense. But beyond the practical stuff, the book really

122
00:05:50.480 --> 00:05:52.839
<v Speaker 2>hammers home the ethical side. The whole idea is think

123
00:05:52.920 --> 00:05:55.439
<v Speaker 2>like a bad guy, but don't be one. Right to

124
00:05:55.480 --> 00:05:59.680
<v Speaker 2>the rules. Absolutely, follow the program rules strictly, test ethically.

125
00:05:59.720 --> 00:06:02.240
<v Speaker 2>Don't cause disruption. That's non-negotiable.

126
00:06:02.439 --> 00:06:05.279
<v Speaker 1>Yeah, you're helping them, not hurting them. Okay. The book

127
00:06:05.279 --> 00:06:08.839
<v Speaker 1>also mentioned identifying critical systems. Why is that important for

128
00:06:08.879 --> 00:06:09.480
<v Speaker 1>a bug hunter?

129
00:06:09.879 --> 00:06:12.199
<v Speaker 2>Well, think about it. If you understand what a company

130
00:06:12.240 --> 00:06:16.800
<v Speaker 2>considers its crown jewels, maybe their main customer database, or

131
00:06:16.839 --> 00:06:20.480
<v Speaker 2>the payment system, or how users log in the really

132
00:06:20.519 --> 00:06:24.439
<v Speaker 2>sensitive stuff exactly, focusing your efforts there means finding a

133
00:06:24.560 --> 00:06:27.600
<v Speaker 2>vulnerability could have a much bigger impact, And the book

134
00:06:27.600 --> 00:06:31.560
<v Speaker 2>points out breaches in those areas cause huge reputational damage,

135
00:06:31.600 --> 00:06:34.199
<v Speaker 2>maybe lose customers, cost a lot of money.

136
00:06:34.399 --> 00:06:37.720
<v Speaker 1>So finding bugs in critical systems is generally more valuable.

137
00:06:37.439 --> 00:06:41.800
<v Speaker 2>Usually, yes, and often those findings carry higher rewards too.

138
00:06:42.000 --> 00:06:45.639
<v Speaker 1>Okay, this is great. We've covered the basics, how programs work,

139
00:06:45.759 --> 00:06:49.720
<v Speaker 1>prep, ethics. Now the really hands-on part. What tools

140
00:06:49.720 --> 00:06:52.959
<v Speaker 1>and techniques do bug hunters actually use? This is where

141
00:06:52.959 --> 00:06:54.759
<v Speaker 1>it gets exciting for someone wanting to try this.

142
00:06:55.000 --> 00:06:57.199
<v Speaker 2>Right, the practical side. The book breaks down the tools

143
00:06:57.279 --> 00:07:00.519
<v Speaker 2>quite nicely. First up, information gathering. This is key.

144
00:07:00.560 --> 00:07:01.560
<v Speaker 1>What kind of tools?

145
00:07:01.360 --> 00:07:05.759
<v Speaker 2>Tools like Sublist3r, Amass, DNSdumpster, Subfinder, Aquatone.

146
00:07:06.279 --> 00:07:09.519
<v Speaker 2>These are mainly for finding subdomains, discovering all the different

147
00:07:09.519 --> 00:07:11.759
<v Speaker 2>web addresses associated with a company.

148
00:07:11.519 --> 00:07:13.079
<v Speaker 1>Like finding hidden doors and windows.

149
00:07:13.199 --> 00:07:16.040
<v Speaker 2>Kind of, yeah. It increases the potential area you can test.

150
00:07:16.199 --> 00:07:18.920
<v Speaker 2>Then you have standard stuff like whois lookups for domain

151
00:07:18.959 --> 00:07:23.160
<v Speaker 2>ownership info and DNS tools like nslookup or

152
00:07:23.279 --> 00:07:24.040
<v Speaker 2>dig. Okay.

153
00:07:24.079 --> 00:07:28.199
<v Speaker 1>So mapping out the territory first, what about testing web applications?

154
00:07:28.199 --> 00:07:32.720
<v Speaker 2>Specifically for web stuff, Burp Suite is pretty much the standard.

155
00:07:32.839 --> 00:07:36.560
<v Speaker 2>It's mentioned repeatedly as essential. It lets you like intercept

156
00:07:36.560 --> 00:07:41.240
<v Speaker 2>web traffic, mess with it, analyze requests, automate tests. It's powerful.

157
00:07:41.319 --> 00:07:44.879
<v Speaker 2>The go-to tool for web hunters? Largely, yes. The

158
00:07:44.879 --> 00:07:48.480
<v Speaker 2>book also mentions WPScan, which is specifically for WordPress sites,

159
00:07:48.480 --> 00:07:52.199
<v Speaker 2>finding known vulnerabilities there, and dirsearch, which helps find

160
00:07:52.279 --> 00:07:54.240
<v Speaker 2>hidden folders and files on a web server.

161
00:07:54.480 --> 00:07:56.600
<v Speaker 1>What if you need to look deeper at the network

162
00:07:56.439 --> 00:07:59.160
<v Speaker 2>level? Then Nmap is your friend. Often called the king

163
00:07:59.240 --> 00:08:02.680
<v Speaker 2>of network scanning. It finds live computers, checks for open ports,

164
00:08:03.000 --> 00:08:05.560
<v Speaker 2>tries to identify what services are running on those ports,

165
00:08:05.600 --> 00:08:08.120
<v Speaker 2>even guesses the operating system sometimes.

166
00:08:07.720 --> 00:08:10.439
<v Speaker 1>So Nmap maps the network itself. And if you think

167
00:08:10.480 --> 00:08:14.399
<v Speaker 1>you found something a potential vulnerability.

168
00:08:14.000 --> 00:08:17.040
<v Speaker 2>That's where something like Exploit-DB comes in handy. It's

169
00:08:17.079 --> 00:08:21.319
<v Speaker 2>a big public database of known vulnerabilities and crucially exploit

170
00:08:21.360 --> 00:08:24.279
<v Speaker 2>code or proof of concepts showing how they can be triggered.

171
00:08:24.399 --> 00:08:27.560
<v Speaker 1>Ah, so you can see how a theoretical vulnerability actually

172
00:08:27.560 --> 00:08:29.360
<v Speaker 1>works in practice. Exactly.

173
00:08:29.920 --> 00:08:33.360
<v Speaker 2>Understanding the exploit helps you confirm and report the issue effectively.

174
00:08:33.720 --> 00:08:37.679
<v Speaker 2>The book also touches on OSINT, open source intelligence.

175
00:08:37.279 --> 00:08:39.080
<v Speaker 1>Using publicly available info.

176
00:08:39.120 --> 00:08:42.440
<v Speaker 2>Right, tools like Maltego or Shodan can help gather that,

177
00:08:42.799 --> 00:08:46.039
<v Speaker 2>and even simple things like clever Google searches, Google dorks.

178
00:08:46.480 --> 00:08:49.279
<v Speaker 2>The book gives examples like searching intitle index of

179
00:08:49.399 --> 00:08:51.159
<v Speaker 2>password.txt.

180
00:08:50.960 --> 00:08:52.679
<v Speaker 1>Wow, finding password files just

181
00:08:52.639 --> 00:08:56.559
<v Speaker 2>with Google? Sometimes. Or intext:username, intext:password.

182
00:08:56.799 --> 00:08:59.919
<v Speaker 2>It's surprising what gets left exposed sometimes due to simple mistakes.

183
00:09:00.120 --> 00:09:03.320
<v Speaker 1>That really highlights how basic errors can create openings. Okay,

184
00:09:03.320 --> 00:09:05.600
<v Speaker 1>so those are some tools. What about the actual techniques

185
00:09:05.600 --> 00:09:06.399
<v Speaker 1>for finding bugs?

186
00:09:06.679 --> 00:09:09.919
<v Speaker 2>Well, reconnaissance is the foundation, like we said, gathering info,

187
00:09:10.120 --> 00:09:14.399
<v Speaker 2>identifying services running, maybe doing initial automated scans to see

188
00:09:14.399 --> 00:09:16.000
<v Speaker 2>if any low hanging fruit pops up.

189
00:09:16.039 --> 00:09:17.720
<v Speaker 1>The lay of the land. Definitely.

190
00:09:18.159 --> 00:09:21.080
<v Speaker 2>Then the book talks about exploring human errors.

191
00:09:21.120 --> 00:09:23.440
<v Speaker 1>This can be really effective. So, like?

192
00:09:23.559 --> 00:09:27.000
<v Speaker 2>Checking the robots.txt file on a website. It

193
00:09:27.039 --> 00:09:29.919
<v Speaker 2>tells search engines what not to index, but sometimes it

194
00:09:29.960 --> 00:09:33.759
<v Speaker 2>points directly to admin pages or sensitive areas developers didn't

195
00:09:33.759 --> 00:09:34.759
<v Speaker 2>want public.

196
00:09:34.440 --> 00:09:36.559
<v Speaker 1>Huh, telling people where the hidden stuff is.

197
00:09:36.679 --> 00:09:41.000
<v Speaker 2>Ironically, yeah. Also, using the Wayback Machine, the Internet Archive,

198
00:09:41.360 --> 00:09:43.399
<v Speaker 2>you can look at old versions of websites. The book

199
00:09:43.440 --> 00:09:46.639
<v Speaker 2>mentions an example where someone found deleted resources on Packt

200
00:09:46.679 --> 00:09:50.200
<v Speaker 2>Pub's site this way. Old info might still be relevant

201
00:09:50.279 --> 00:09:51.279
<v Speaker 2>or expose something.

202
00:09:51.440 --> 00:09:54.159
<v Speaker 1>It's clever using web history for security.

203
00:09:54.320 --> 00:09:57.320
<v Speaker 2>It can be. Also, just looking for general information leaks,

204
00:09:57.320 --> 00:10:00.799
<v Speaker 2>maybe databases left open, credentials in source code comments.

205
00:10:01.039 --> 00:10:02.480
<v Speaker 1>Right. What other techniques?

206
00:10:02.639 --> 00:10:07.000
<v Speaker 2>Subdomain takeover is another interesting one. Sometimes a company stops

207
00:10:07.039 --> 00:10:10.320
<v Speaker 2>using a subdomain, but the DNS record still points to

208
00:10:10.360 --> 00:10:13.480
<v Speaker 2>a third party service if that service allows you to

209
00:10:13.480 --> 00:10:16.600
<v Speaker 2>claim unused names, you might be able to take over the

210
00:10:16.519 --> 00:10:18.440
<v Speaker 1>subdomain, and then potentially misuse it.

211
00:10:18.759 --> 00:10:22.679
<v Speaker 2>Potentially, yes, which is why it's a vulnerability. Also, checking

212
00:10:22.679 --> 00:10:27.919
<v Speaker 2>GitHub repositories is common now, looking for API keys, passwords, or

213
00:10:28.200 --> 00:10:30.879
<v Speaker 2>just badly configured code accidentally pushed

214
00:10:30.600 --> 00:10:34.600
<v Speaker 1>publicly. Developers leaving secrets in the code happens all the time.

215
00:10:34.440 --> 00:10:38.039
<v Speaker 2>I bet more often than you'd think. Local file inclusion

216
00:10:38.200 --> 00:10:42.399
<v Speaker 2>or LFI is another classic web vulnerability, basically tricking the

217
00:10:42.440 --> 00:10:46.399
<v Speaker 2>server into letting you read files it shouldn't, like configuration files.

218
00:10:46.639 --> 00:10:48.559
<v Speaker 1>It sounds like a mix of technical skill and being

219
00:10:48.600 --> 00:10:50.720
<v Speaker 1>really observant looking for those small mistakes.

220
00:10:50.879 --> 00:10:53.120
<v Speaker 2>That's a huge part of it. The book also mentions

221
00:10:53.159 --> 00:10:56.759
<v Speaker 2>things like deeper enumeration, trying to find lists of directories, files,

222
00:10:56.879 --> 00:11:00.480
<v Speaker 2>even usernames, and analyzing

223
00:11:00.080 --> 00:11:02.320
<v Speaker 1>JavaScript files. JavaScript? Why is that important?

224
00:11:02.360 --> 00:11:05.679
<v Speaker 2>Because they often get overlooked, but they can contain hints

225
00:11:05.720 --> 00:11:10.720
<v Speaker 2>about APIs, internal URLs, other interesting bits of information. Sometimes

226
00:11:10.799 --> 00:11:13.960
<v Speaker 2>the code is obfuscated, made hard to read, but tools

227
00:11:14.000 --> 00:11:16.879
<v Speaker 2>like beautifier or defogs can help decode it.

228
00:11:17.480 --> 00:11:21.080
<v Speaker 1>Ah, so hidden clues within the script itself interesting.

229
00:11:20.799 --> 00:11:25.759
<v Speaker 2>Definitely worth digging into. And finally, file upload vulnerabilities. Can

230
00:11:25.960 --> 00:11:29.519
<v Speaker 2>someone upload a malicious file, like a webshell, or maybe just

231
00:11:29.559 --> 00:11:32.240
<v Speaker 2>a huge file to crash the server? That's another area

232
00:11:32.320 --> 00:11:35.360
<v Speaker 2>to test. The book even circles back to Google dorking,

233
00:11:35.600 --> 00:11:39.279
<v Speaker 2>like finding WordPress login pages, which could then be a

234
00:11:39.320 --> 00:11:42.679
<v Speaker 2>target for trying to guess passwords like brute forcing. Exactly

235
00:11:42.759 --> 00:11:43.759
<v Speaker 2>that could be the next step.

236
00:11:43.960 --> 00:11:46.960
<v Speaker 1>Okay, wow, lots of tools, lots of techniques. So let's

237
00:11:47.000 --> 00:11:48.639
<v Speaker 1>say you use these, you follow the rules, and you

238
00:11:48.679 --> 00:11:52.240
<v Speaker 1>find something, a real vulnerability. What's next? You can't just,

239
00:11:52.320 --> 00:11:53.519
<v Speaker 1>like, post it on Twitter, right?

240
00:11:53.600 --> 00:11:57.919
<v Speaker 2>Absolutely not. Responsible disclosure is key. The book really emphasizes

241
00:11:57.960 --> 00:12:00.799
<v Speaker 2>submitting a high quality report back through the platform.

242
00:12:00.879 --> 00:12:02.759
<v Speaker 1>What makes a report high quality?

243
00:12:02.559 --> 00:12:05.960
<v Speaker 2>Clarity is crucial. You need to explain what you found,

244
00:12:06.600 --> 00:12:09.840
<v Speaker 2>why it's a security risk, the potential impact. You need

245
00:12:09.919 --> 00:12:12.639
<v Speaker 2>to provide a clear proof of concept, or

246
00:12:12.639 --> 00:12:14.600
<v Speaker 1>PoC, like step-by-step instructions.

247
00:12:14.639 --> 00:12:18.080
<v Speaker 2>Exactly, show them exactly how to reproduce the vulnerability you found,

248
00:12:18.320 --> 00:12:21.320
<v Speaker 2>and ideally maybe suggest how they could fix it.

249
00:12:21.759 --> 00:12:24.720
<v Speaker 1>And do this ethically. Right, don't grab more data than

250
00:12:24.759 --> 00:12:25.679
<v Speaker 1>you need to prove the point.

251
00:12:25.799 --> 00:12:30.320
<v Speaker 2>Absolutely, stay within the program's rules. Respect privacy, only access

252
00:12:30.320 --> 00:12:32.720
<v Speaker 2>what's necessary to demonstrate the flaw.

253
00:12:32.720 --> 00:12:35.159
<v Speaker 1>And then if all goes well, comes the reward.

254
00:12:35.240 --> 00:12:37.840
<v Speaker 2>Hopefully, yes. The rewards vary a lot, like we said,

255
00:12:37.879 --> 00:12:40.879
<v Speaker 2>depends on the company, the platform, and especially the severity

256
00:12:40.919 --> 00:12:43.919
<v Speaker 2>and impact of the bug you found. Critical flaws usually

257
00:12:43.919 --> 00:12:44.559
<v Speaker 2>pay the most.

258
00:12:44.879 --> 00:12:47.519
<v Speaker 1>It feels like this whole area must be changing constantly,

259
00:12:47.960 --> 00:12:51.480
<v Speaker 1>new bugs found, new defenses built, new attack techniques. How

260
00:12:51.559 --> 00:12:52.399
<v Speaker 1>do people keep up?

261
00:12:52.559 --> 00:12:55.639
<v Speaker 2>Yeah, continuous learning is just essential. You can't learn this

262
00:12:55.720 --> 00:12:58.120
<v Speaker 2>once and be done. The book lists a bunch of resources.

263
00:12:58.399 --> 00:13:02.559
<v Speaker 2>Like what? Well, getting security certifications can help structure your learning,

264
00:13:02.639 --> 00:13:08.399
<v Speaker 2>improve skills. Things like CEH, OSCP, GPEN, and so on are mentioned.

265
00:13:08.879 --> 00:13:12.639
<v Speaker 2>Keeping an eye on exploit databases like Exploit-DB tells you

266
00:13:12.679 --> 00:13:14.720
<v Speaker 2>about the latest discovered vulnerabilities.

267
00:13:14.879 --> 00:13:17.159
<v Speaker 1>So staying current on threats. Right.

268
00:13:17.440 --> 00:13:21.840
<v Speaker 2>And actively using the tools we talked about, experimenting. Using

269
00:13:21.879 --> 00:13:25.720
<v Speaker 2>security-focused operating systems like Kali Linux or Parrot Security

270
00:13:25.759 --> 00:13:28.080
<v Speaker 2>OS helps with that. They come pre-loaded with lots

271
00:13:28.120 --> 00:13:28.600
<v Speaker 2>of tools.

272
00:13:28.639 --> 00:13:30.279
<v Speaker 1>Hands-on practice. Definitely.

273
00:13:30.840 --> 00:13:34.200
<v Speaker 2>The book also suggests following good security blogs. Sam Curry's

274
00:13:34.200 --> 00:13:37.559
<v Speaker 2>blog gets a mention. Using online training platforms is huge too.

275
00:13:38.000 --> 00:13:41.759
<v Speaker 2>Hack The Box, TryHackMe, PortSwigger's Web Security Academy.

276
00:13:41.799 --> 00:13:45.320
<v Speaker 2>They offer challenges and labs. Learning by doing. Exactly, and

277
00:13:45.360 --> 00:13:49.240
<v Speaker 2>even YouTube channels: HackerOne TV, LiveOverflow, PortSwigger's channel.

278
00:13:49.240 --> 00:13:51.039
<v Speaker 2>They often have great practical content.

279
00:13:51.120 --> 00:13:53.240
<v Speaker 1>So it really is a commitment to ongoing learning. It's

280
00:13:53.320 --> 00:13:54.480
<v Speaker 1>not static. Not at all.

281
00:13:54.480 --> 00:13:56.159
<v Speaker 2>The landscape shifts constantly.

282
00:13:56.320 --> 00:13:58.480
<v Speaker 1>Okay, let's try and wrap this up then, Based on

283
00:13:58.519 --> 00:14:01.559
<v Speaker 1>our deep dive into Bug Bounty from Scratch, what are

284
00:14:01.600 --> 00:14:03.480
<v Speaker 1>the main takeaways for someone listening?

285
00:14:03.639 --> 00:14:06.600
<v Speaker 2>Well, I think first, bug bounties are a really dynamic

286
00:14:06.639 --> 00:14:10.960
<v Speaker 2>way to learn cybersecurity hands-on. You test real systems, sharpen

287
00:14:10.639 --> 00:14:12.600
<v Speaker 1>skills, you potentially get paid for it. Right.

288
00:14:13.240 --> 00:14:18.000
<v Speaker 2>Second, ethics are paramount. It's ethical hacking, follow the rules,

289
00:14:18.200 --> 00:14:24.600
<v Speaker 2>report responsibly. Third, preparation is key. Understand your skills, understand

290
00:14:24.600 --> 00:14:27.840
<v Speaker 2>the program scope, identify critical systems, don't just

291
00:14:27.879 --> 00:14:28.759
<v Speaker 1>jump in blindly.

292
00:14:28.879 --> 00:14:33.720
<v Speaker 2>Yeah. Fourth, you need the right tools and techniques: reconnaissance,

293
00:14:33.879 --> 00:14:37.799
<v Speaker 2>web testing, network scanning, knowing where to look for common flaws.

294
00:14:38.360 --> 00:14:42.240
<v Speaker 2>And finally, communication matters. Write clear, detailed reports.

295
00:14:42.279 --> 00:14:45.399
<v Speaker 1>It definitely sounds challenging, but also yeah, potentially very rewarding.

296
00:14:45.440 --> 00:14:47.519
<v Speaker 1>You're helping make things more secure. Exactly.

297
00:14:47.720 --> 00:14:50.759
<v Speaker 2>It's a way to contribute positively while building your own expertise.

298
00:14:51.039 --> 00:14:54.000
<v Speaker 2>Hopefully this chat gave you the listener a good overview

299
00:14:54.039 --> 00:14:56.679
<v Speaker 2>without being too overwhelming. Maybe sparks some ideas.

300
00:14:56.960 --> 00:14:59.879
<v Speaker 1>Yeah, absolutely. So if this did pique your interest, maybe

301
00:15:00.000 --> 00:15:02.159
<v Speaker 1>now's the time to explore further. Check out one of

302
00:15:02.159 --> 00:15:04.879
<v Speaker 1>those platforms, perhaps try a tool like Nmap or Burp

303
00:15:04.919 --> 00:15:07.200
<v Speaker 1>Suite on a test system, or read up on a

304
00:15:07.200 --> 00:15:08.279
<v Speaker 1>technique like LFI.

305
00:15:08.559 --> 00:15:10.679
<v Speaker 2>And maybe a final thought to leave you with. In

306
00:15:10.720 --> 00:15:14.240
<v Speaker 2>a world that's so reliant on digital systems and where

307
00:15:14.279 --> 00:15:18.440
<v Speaker 2>threats are everywhere, is this kind of ethical hacking, this

308
00:15:18.519 --> 00:15:21.360
<v Speaker 2>bug bounty approach actually becoming one of the most crucial

309
00:15:21.360 --> 00:15:23.159
<v Speaker 2>ways we defend ourselves collectively.

310
00:15:24.080 --> 00:15:26.320
<v Speaker 1>That's a really interesting question to ponder. Is it becoming

311
00:15:26.399 --> 00:15:29.240
<v Speaker 1>essential? Food for thought. Okay, thanks for joining us on

312
00:15:29.240 --> 00:15:31.120
<v Speaker 1>this deep dive. We'll catch you on the next one.
