| Date | Day | Time | Duration |
| 9 May | Monday | 0900-17:00 CEST/GMT+2 | 8 Hours |
| 10 May | Tuesday | 0900-17:00 CEST/GMT+2 | 8 Hours |
Bug bounty programs are put in place so that the security community can help vendors discover application security flaws that are difficult to discover and exploit. The scope of such programs includes security bugs for web apps, mobile apps, APIs, and more. Large IT companies, such as Google, Facebook, Twitter, and PayPal, have participated in such programs.
“Bug Bounties and Responsible Disclosure” is inspired from case studies found in various bug bounty programs, drawing on recent real-life examples of web and mobile app attacks. The experiences of different researchers yield ideas for pen testers and developers about unconventional attack techniques and mindsets. Each section of the course is influenced by bug bounty stories that are examined through the following structure:
Day 1: Authentication Bypass, Logic, and Blind SQLi Attacks
Day 1 begins by introducing you to setting up a bug bounty program in an organization, and how to get started and manage the process. Understanding an app’s functionality can open attack ideas and facilitate catching tricky app security bugs.
You will learn and practice mapping the app logic and features into HTTP requests of real-life apps. You will learn different techniques inspired from real-life case studies in order to perform authentication bypass and account takeover. You will discover and exploit real-life bugs manually in an authentication bypass exercise. We’ll inspect source code to understand the root cause of the bug, and all exercises will be performed on real-life apps using a trial license for Burp Suite. You’ll be hunting security bugs like professionals. Tricky logic bugs are some of the hardest to discover and catch in complex apps. You will learn different tricks to conduct logic and authorization bypass attacks while walking through real-life cases in bug bounty programs.
An authorization bypass lab will enable you to practice catching tricky logic bugs. Finally, you will learn about various methods to perform SQL injection attacks in different contexts inspired by real-life bug bounty case studies.
Exercises
Students will perform labs on real-world applications using professional tools to practice hunting genuine security bugs. We will then examine web application defenses and extra code review exercises to close the loop on the attacks covered. Finally, we’ll look at reporting and responsible disclosure, ensuring delivery of quality app security bug reports with proper description, evidence, and recommendations.
Topics
Day 2: SSRF, Client-Side and Mobile API Attacks
Day 2 continues covering various attack techniques for different security bugs such as Open Redirect, Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). The attack techniques covered will draw on real-life bug bounty stories that give different attack ideas for discovery, filter bypass, and exploitation.
You will learn attack techniques on modern apps that are rich with client-side code and API calls. You will also learn how to chain different bugs to cause a greater security impact. The day is filled with exercises that will walk you through real-life apps. During the exercises, you’ll learn how to discover the bug manually, how to inspect the root cause of the bug from the source code, and how to fix the bug. Finally, you will learn how to deliver quality app security bug reports with proper descriptions and evidence.
Exercises
Topics
Day 1 begins by introducing you to setting up a bug bounty program in an organization, and how to get started and manage the process. Understanding an app’s functionality can open attack ideas and facilitate catching tricky app security bugs. You will learn and practice mapping the app logic and features into HTTP requests of real-life apps. You will learn different techniques inspired from real-life case studies in order to perform authentication bypass and account takeover. You will discover and exploit real-life bugs manually in an authentication bypass exercise. We’ll inspect source code to understand the root cause of the bug, and all exercises will be performed on real-life apps using a trial license for Burp Suite. You’ll be hunting security bugs like professionals. Tricky logic bugs are some of the hardest to discover and catch in complex apps. You will learn different tricks to conduct logic and authorization bypass attacks while walking through real-life cases in bug bounty programs. An authorization bypass lab will enable you to practice catching tricky logic bugs. Finally, you will learn about various methods to perform SQL injection attacks in different contexts inspired by real-life bug bounty case studies. Exercises • Exercise 1.1: App Mapping • Exercise 1.2: Authentication Bypass • Exercise 1.3: Authorization Bypass • Exercise 1.4: SQL injection • Exercise 1.5: Boolean-Based SQL Injection Topics • Bug hunting challenges - Preparationforbughunting o Reconnaissanceandtools • App mapping and analysis - Identifying app components - Translating business into HTTP requests o Tracingthedataflow • Authentication and session analysis - Parameter manipulation and account takeover - Improper reset password implementation - Multi-factor authentication bypass - Improper validation on session variables - Real-life case studies - Authentication and session defenses • Authorization and business rules - Logic attacks and authorization bypass - Parameter manipulation and IDOR - Bypassing client-side authorization controls - Second order authorization bypass - Business rules bypass and lack of integrity checks o Improper synchronisation between modules - Real-life case studies - Logic attacks defenses • SQL injection - Blind SQL injection context - Boolean-based SQL injection - Time-based SQL injection - Real-life case studies - SQL injection defenses
Day 2 continues covering various attack techniques for different security bugs such as Open Redirect, Server-Side Request Forgery (SSRF), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). The attack techniques covered will draw on real-life bug bounty stories that give different attack ideas for discovery, filter bypass, and exploitation. You will learn attack techniques on modern apps that are rich with client-side code and API calls. You will also learn how to chain different bugs to cause a greater security impact. The day is filled with exercises that will walk you through real-life apps. During the exercises, you’ll learn how to discover the bug manually, how to inspect the root cause of the bug from the source code, and how to fix the bug. Finally, you will learn how to deliver quality app security bug reports with proper descriptions and evidence. Exercises • Exercise 2.1: CSRF • Exercise 2.2: Discovering stored XSS • Exercise 2.3: XSS bypassing filters • Exercise 2.4: API attacks • Exercise 2.5: Chaining logic attacks Topics • Open redirect and server-side request forgery (SSRF) - Stealing OAuth access tokens using open redirect - SSRF and stealing metadata API key in cloud environments - Blind SSRF and mapping internal infrastructure - Chaining open redirect and SSRF attacks - Real-life case studies • Cross-site request forgery (CSRF) - Account takeover using CSRF - Anti-CSRF token implementation - Bypassing CSRF defenses - Real-life case studies • Cross-site scripting (XSS) - Tracing the data flow and analyzing the context - Filter detection and WAF bypass - Discovering blind XSS - Improper input validation and output encoding - Real-life case studies • Client-side code and APIs - Mapping APIs attack surface - APIs authentication bypass - Mobile APIs authorization bypass - Improper OAuth implementation - XSS and insecure client-side code escaping - Real-life case studies - APIs defenses • Chaining attacks - Enumeration and logic attacks - Self-XSS and logic attacks - Escalating LFI to RCE - Command injection and CSRF - Real-life case studies • Reporting the findings • Managing a bug bounty program
Hassan began his career as a programmer developing enterprise software systems, during which he developed his passion for Information Security. He received his Master’s degree in Computer Science from the American University in Cairo with a thesis in the field of Secure Software Engineering. During this time he also published the research paper, Capturing Security Requirements for Software Systems.
Hassan went on to lead an application security team, performing security assessments and penetration tests for security critical applications. He has since become a security consultant and active security researcher in bug bounty programs. He was acknowledged and rewarded by severalvendors including Google, Apple, Facebook, Twitter, PayPal, eBay, AT&T, Yahoo, Oracle, GiftCards, Etsy, Groupon, Cisco Meraki and Olark.
In 2012, Hassan began teaching for SANS Institute. Hassan teaches SEC542: Web App Penetration Testing and Ethical Hacking and SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques.
What students say about this training:
“From my perspective this covered the full workflow of bug hunting. Impressive that you were able to fit it all in 2-days. This covered content relevant for bug hunters, threat hunters and developers alike. I think this course was also beneficial for any security org looking to establish internal or external bug hunting programs.”
“The content is very relevant. Much more than any other bug bounty type course I’ve taken. I love that every lesson/example are real world scenarios for us to look for. Too many courses show a couple command lines and say, “So that’s how it works.” Not good enough. This course was great.”
“I find the course valuable as I get to gain more insight into the area of bug bounties in the modern days and how could a bug bounties hunter do the preparation and also how to approach the web application to identify those bugs, especially business logic bugs. I enjoyed the case studies very much!”
“I really enjoyed the course for Hassan’s delivery method (stories tied to attacks to illustrate them in practical terms) and the labs. I’ve recently started participating in the bug bounty world, and this really helped push me in the right direction for how to approach testing. The labs having the purposeful “missteps” is also useful. I appreciate seeing what DOESN’T work and pivoting to what does!”
” This course has content that is friendly to people familiar with security concepts, but still enough new information for folks who haven’t been active in the bug finding business. It’s a good mix of reviewing basics without spending too much time, while giving time with practical tool sets and real world problems.”
“I would recommend this course as the bug bounties stories are interesting and relate well to the course content. One might be able to pick up some new knowledges and ideas on common application attacks.”
