Bugcrowd Blog

Bugcrowd announces LevelUp virtual hacking conference

Posted by Sam Houston on May 11, 2017 2:32:50 PM
Bugcrowd is putting on a conference for bug bounty hunters, but over the internet! On July 15th 2017, we will host an all-day conference with presentations from bug bounty hunters & penetration testers sharing their best practices, strategies, and research to help level-up their fellow bug hunters.

Our goal for this conference is to create opportunities for researchers to learn and level-up their skills. We're also working on ways that we can help researchers network and meet one another during the conference.

Read More
Bugcrowd News, Bug Hunter Tips and Tricks

XSS Polyglots - The Context Contest

Posted by Shpend Kurtishaj on Nov 25, 2016 10:25:00 AM

That title is in fact a tongue twister, but it helps to describe this post, which will take a look at XSS polyglot payloads. For the newcomers: dafuq is a polyglot? Now since you’re done with reading the first paragraph of that article, let's dive into XSS vectors with the motto "One payload to rule them all."

Read More
Bug Hunter Tips and Tricks

Tips from Top Hackers - Bug Hunting methodology and the importance of writing quality submissions

Posted by Sam Houston on Oct 18, 2016 1:25:05 PM

Yesterday we shared how some of Bugcrowd’s top-ranked bug hunters fit bounties into their schedule and maximize payouts, and today we’re going to dive a bit deeper with one of those researchers. In today's post, Brett Buerhaus, ranked 16 on Bugcrowd and experienced security researcher, shares his method for approaching new bug bounties and writing bug submissions.

Read More
Bug Hunter Tips and Tricks, Researcher Resources

[Guide] Getting Started with OWASP's Bug Bounties

Posted by Payton O'Neal on Sep 20, 2016 1:22:11 PM

"Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software." In keeping with their mission statementOWASP has adopted the bug bounty model, tapping into the broader community of global security researchers to secure their defender libraries and open source projects. Since June of this year, they have launched bug bounty programs for four OWASP open source projects:

Read More
Bug Hunter Tips and Tricks

Mobile Testing: Setting Up Your Android Device Pt. 1

Posted by Paul Ivanivsky on Aug 25, 2016 1:33:58 PM

In this post, I will provide a brief overview of the anatomy of a mobile penetration test, and cover the first step in getting started with mobile testing on an Android device. My goal is to help folks that are new to mobile testing break the barrier of getting started, and debunk the assumption that mobile application testing is too difficult.  

Read More
Bug Hunter Tips and Tricks

Big Bugs Podcast Episode 4: Fun and Hacking with Pokemon Go!

Posted by Jason Haddix on Jul 29, 2016 2:30:11 PM

This week's Big Bugs podcast is near and dear to my heart, combining three of my favorite things: mobile hacking, gaming, and security in general. In this episode, I'll start by giving a brief history of Niantic and Pokemon Go and review some of the few technical issues that the game has experienced. The bulk of this podcast will be focused on how the hacking scene found ways to reverse engineer the game, and of course some tips and tricks so you can catch 'em all.

It's a bit longer than the usual Big Bugs podcast, but I feel like it's well worth it, as the Pokemon Go phenomenon has been amazing to experience and be part of. Below the recording, I've included some notes to accompany this episode, and resources referenced as well.

Subscribe to our Bugcrowd Podcast RSS feed here: 

Read More
Interesting, Bug Hunter Tips and Tricks

Discovering Subdomains

Posted by Shpend Kurtishaj on May 26, 2016 1:31:14 PM

When coming across a *.target.com scope, it’s always a good idea to seek the road less travelled. Exotic and forgotten applications running on strangely named subdomains will quickly lead to uncovering critical vulnerabilities and often high payouts. Discovering such subdomains is a critical skill for today's bug hunter and choosing the right techniques and tools is paramount.

Read More
Bug Hunter Tips and Tricks

[Guest Blog] Using a Braun Shaver to Bypass XSS Audit and WAF by Frans Rosen, Detectify

Posted by Sam Houston on Apr 19, 2016 1:12:14 PM

This post was contributed by Frans Rosen, Bug Bounty Hunter and Knowledge Advisor at Detectify

TLDR: Sometimes you just need to spend a couple of months to exploit a XSS with a hygiene product.

For a couple of months this specific bug was on my "check later" list. I later reported it to the company running a private bug bounty. I had been messing with it back and forth and was never been able to do something that actually made sense – and as soon as I had some progress – a new obstacle came crashing in my face. After a few months returning to the same endpoint, I was finally able to create a PoC to show that a security issue was present.

It's a freaking XSS, but hey, the story is what counts, right..? :)

Read More
Guest Blog, Bug Hunter Tips and Tricks

"Writing Vulnerability Reports that Maximize Your Bounty Payouts" + My Trip to Nullcon

Posted by Kymberlee Price on Apr 1, 2016 1:14:37 PM

This March I had the opportunity to travel to India and speak at the Nullcon security conference as part of the first Bounty Craft Track - 1.5 days devoted entirely to the art of bug bounty hunting with researchers and members of the security teams from Bugcrowd, Microsoft, Google, Facebook, and Mozilla.  This was a great opportunity for vendors and researchers to engage in interactive conversations, and to share techniques and war stories. And it was awesome to meet dozens of our Crowd members in person, including two of our 2016 Buggy Award winners, Harie_cool and Vishnu_Vardhan_Reddy!  

 

Read More
Conferences, Bug Hunter Tips and Tricks

The Benefits of Public Disclosure

Posted by Kymberlee Price on Mar 9, 2016 4:09:46 PM

As we discussed in the first blog post of this series, Bugcrowd believes that public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process, and encourages organizations and researchers to work together to share information in a coordinated and mutually agreed upon manner. But why? To quote Bruce Schneier,

"Secrecy prevents people from accurately assessing their own risk. Secrecy precludes public debate about security, and inhibits security education that leads to improvements. Secrecy doesn't improve security; it stifles it."

Read More
Interesting, Bug Hunter Tips and Tricks