Finding Your First Bug: Getting Started on a Target (Part 1)
Рет қаралды 38,105
Күн бұрынHi everyone, welcome to this video in the "Finding Your First Bug" in this series I'm going to go over some good first bugs: explain what they are, how to find them, show some examples of real bugs in the wild that paid out and finally do a practical example with Burp on a real target.
In this video, we follow up from: "Choosing Your Target" and go in-depth on what to do next. This is all about creating your own bug bounty methodology and figuring out how to approach the target. We cover choosing an asset, recon, poking the application, note-taking and when to give up.
Resources I mention in the Video:
- FuzzDB Discovery github.com/fuzzdb-project/fuz...
- Payload All The Things methodology + recon github.com/swisskyrepo/Payloa...
- FuzzDB API fuzzing github.com/fuzzdb-project/fuz...
Further Watching:
- STÖK Bug Bounty Methodology with Jason Haddix • HOW TO APPROACH A NEW ...
- Nahamsec It’s the little things BSides Portland (Recon talk) • Ben Sadeghipour - It’s...
- Bug Bounty Hunter Methodology Bug Crowd Level Up • LevelUp 0x02 - Bug Bou...
@selimeneskaraduman6935 4 жыл бұрын
"You can go back when you become more experienced" this advice great same thing happened to me last week :) thank you
@timo5473 4 жыл бұрын
I love it how you combine an academic approach with well designed slides and case studies on the one hand and practical advices on the other hand. Your tutorials are more helpful than any book, or any other tutorial I have watched about these topic. Thank you so much!
@InsiderPhD 4 жыл бұрын
You're very welcome! I'm glad you enjoy the semi-lecture style approach!
@DelowarHossain 4 жыл бұрын
Better than any other methodology out there, for a beginner. It's good to know people do hack, without using tons of recon tools. RESPECT
@johndecosta8266 4 жыл бұрын
Thank you for taking the time to break down and explain the steps to bug bounty hunting for the beginner. Great job. Please, without burning yourself out, keep creating this amazing content.
@danielhemmati 4 жыл бұрын
I love it when you said it is okay to give up, and that's true. thanks
@newlife5775 3 жыл бұрын
Enjoyed it thoroughly. Thanks for your work.
@actual_0xatul 4 жыл бұрын
Came for some recon, stayed for the accent!!
@InsiderPhD 4 жыл бұрын
Lmao, thank you
@babaloveyou11 4 жыл бұрын
InsiderPhD can you share this powerpoint file?my English is not good.
@danielmcpherson9062 3 жыл бұрын
@@babaloveyou11 From a native English speaker, what you just put there was perfect English!
@tyresewhyte9364 Жыл бұрын
Omg thank you so much for dropping this video ik it’s been two years ago but thank I been struggling to figure out what to do and you just made my Journey a little better thank you so much 😊
@2424aditya 4 жыл бұрын
Thanks A Lot...I Have Been In A Search Of This Kind Of Video..This Helped A Lot..
@PTD2023 4 жыл бұрын
Excellent videos -looking forward to more content
@AnjilNiraula 4 жыл бұрын
You're awesome. Thanks for these series of video
@openentmizantropia4922 4 жыл бұрын
Thank you very much for share your knowledge❤️
@ImranKhan-tc8jz 3 жыл бұрын
THANK YOU SO MUCH FOR MAKING THIS. THERE IS NO OTHER VIDEO SERIES OR EVEN A SINGLE VIDEO LIKE YOURS ON THE KZbin. I AM JUST GETTING STARTED AND HAVE LEARNED ALOT.
@InsiderPhD 3 жыл бұрын
THANK YOU FOR ENJOYING MY CONTENT I'M GLAD YOU'RE FINDING IT USEFUL FEEL FREE TO ASK ME ANY QUESTIONS YOU HAVE
@ImranKhan-tc8jz 3 жыл бұрын
@@InsiderPhD Yes I'll surely ask. Thankyou.
@zevenbite4553 3 жыл бұрын
I really appreciate what you do, I love you.
@derelictmanchester8745 4 жыл бұрын
Excellent course...very concise...thank you**
@fakermankumar1327 3 жыл бұрын
you just cleared so much of doubts and insecurities thanks
@omprakash-uu2ly 4 жыл бұрын
thanks or another great vedio // always waiting for your upload
@shubham_srt 4 жыл бұрын
love your videos!! keep uploading good stuff
@0x1h0b 4 жыл бұрын
after watching this i believe this video was just made for me.... trust me i have solved many labs but still get confused when approaching a target.... Thank you very much @InsiderPhD
@oxovi 4 жыл бұрын
Thank u so much Awesome talk ❤
@evasmith9149 3 жыл бұрын
Thanks it is very useful 😊
@firstname8325 4 жыл бұрын
Wow!! These series are exactly the ones I've been wanting to look for a quite some time. How com youtube didn't recommend me this? I searched a lot of videos about recon (some of them are very good, like from NahamSec, JHadix), and i think this video is awesome too. Thanks for making these kind of videos. Can i request smthing? Other than recon/ finding my own methodology to approach targets, I've been struggling on the logic of finding vuln, i don't know what to look for (sinxe there are so many vulns to get startes with), and I don't know the logic between advanced things like filters, etc. THANKS SO MUCH
@InsiderPhD 4 жыл бұрын
Yes! For sure I will have a few more videos with technical content coming in January, focusing on the technical side, especially on how to approach things like APIs or chaining vulnerabilities together. I think both sides are really important though, choosing a target that works for you is a game changer when finding bugs
@Death_User666 9 ай бұрын
YOU ARE A LEGEND
@fabiosanchez9595 4 жыл бұрын
Thanks for the video, I have experience as a developer and I would like to try. Your video gave me a clearer idea of how to start.
@InsiderPhD 4 жыл бұрын
Definitely have a go, being a developer gives you a huge advantage! Especially when it comes to bugs like IDORs/business logic. It’s a rush like no other!
@ark3r745 4 жыл бұрын
Thanks alot !
@PedroPerez-ii4dx 3 жыл бұрын
This is one of the most usefull videos about bughunting recon. I always get stucked after/while doing recon, because I dont know what to do with all the data. I guess I've found a lot of answers on this video. All the hackers have diferents points of view, but I think all agree on the "intuituion" , which i think is quite of hard of understand/develop.
@InsiderPhD 3 жыл бұрын
Intuition is for sure the most difficult bug bounty skill to learn, it just takes time though, eventually you'll be a pro. At the start it can help to look for things that are out of place, eg 1 PUT req when the others are POST/GET or subdomain with an older looking website, or an API than returns back a ton of info...
@medicineman7894 9 ай бұрын
You are a legend
@khageshsharma1014 2 жыл бұрын
This is an awesome video. I learnt a lot. Thank you very much! One small complaint that I have is voice in your videos is bit low.
@maven6093 3 жыл бұрын
She described my background immaculately at 3:00
@revwrapz8279 2 жыл бұрын
Awesome videos thank you, not sure how much of this is still relevant now but crashed coursed myself into, burp, zap,nmap,linux, cmdprompt, python and good knows what else.......now on try hack me and hack the box heading into bug bounty hunting, no idea what im doing atm just know how to use a ton of stuff, but these videos have really given me some amazing food for thought, thank you so much how you put these across is perfect :) :) :) but it is all still massivly over whelming....all of it hahaha
@kiragranwyl4194 3 жыл бұрын
Hi there, newb here first time hunting and only knew idor, i would like to ask. do i have to find this kind of bug on multiple programs or should i focus on just one.
@Dhruv-te6dy 4 жыл бұрын
Hay Dear Thanks for upload this , Please create a video about RCE (Basic TO Advanced ) with live demo , if possible for you once again Thank you .
@mamadikaba1307 4 жыл бұрын
thks for your hard work to help newies to get in BB.. when will the part2 be release.?
@InsiderPhD 4 жыл бұрын
Next week :)
@televizyoncum6108 4 жыл бұрын
Thank you very much❤️Greetings from Turkey❤️
@InsiderPhD 4 жыл бұрын
Televizyoncum you’re very welcome! Greetings from a very grey, cold England 🥶👋👋
@terminator_363 3 жыл бұрын
Please reply! I know about each and every bug and read 2-3 books. I haven’t solved labs. I want to start my journey with real world bug hunting. Will be able to find bugs?🥺
@theedmbrewery6234 4 жыл бұрын
You are awesome my friend. I am trying to be something useful myself, but seems like an entire class of vulnerabilities have gone obsolete. Many programs do not pay for low impact or information bugs. Also the big guys sweep away the big ones really quick. How do you stay inspired?
@InsiderPhD 4 жыл бұрын
Well, don't assume that they have, even really good hackers miss things. During the last live hacking event where you have big name hackers like DISTURBANCE, I was still able to find bugs that weren't dupes! The best hackers often can't see the forest through the trees, they're looking for the RCEs, the bug chains, the SQL injection points. When bugs like IDORs + Business Logic aren't as high impact and can be time-consuming to look for. When it comes to impact focus on bugs that are legitimate security concerns, they will pay out :).
@secdive5123 3 жыл бұрын
@@InsiderPhD Thats a dope-ass piece of advice. Love it.
@nilanjenator 3 жыл бұрын
What is the HackerOne GraphQL reference?
@StefanRows 4 жыл бұрын
Hey Katie :) Got a good resource that covers exploiting XSS? Never actually tried that. Thanks for the great vid! Ceo.
@InsiderPhD 4 жыл бұрын
I’ve made a few videos on XSS I recommend those of course but PortSwigger has a fantastic XSS guide portswigger.net/web-security/cross-site-scripting
@yogteacherdilipmotkar8801 4 жыл бұрын
Plz can u suggest any tool for endpoints of api
@InsiderPhD 4 жыл бұрын
The best tool imo is Burp intruder with some good lists for API endpoints I recommend FuzzDB discovery lists and PayloadAllTheThings GraphQL
@weniweedeewiki.6237 Жыл бұрын
I have said it before and i wil say it again your kung fu is dope............🕺
@goooooo9197 4 жыл бұрын
Plz do one video on api and endpoints
@InsiderPhD 4 жыл бұрын
Already planned will come out in January!
@goooooo9197 4 жыл бұрын
@@InsiderPhD ok but plz upload at least 2 video a week it is a request
@InsiderPhD 4 жыл бұрын
Sorry I have a full time job which limits my time and I don’t make any money off of these videos which limits my resources. I can only do a few videos when my time and resources allow :)
@faique2995 3 жыл бұрын
what if I find a bug in out of scope
@InsiderPhD 3 жыл бұрын
Try not to go out of scope, but you can report it, likely you won't get a bounty unless you can pivot to an inscope domain!
@weniweedeewiki.6237 Жыл бұрын
After 4 hours of sleep I am back again........
@ArunKumar-sg6jf 3 жыл бұрын
learning basic programming knowledge is enough or not for bug hunter
@InsiderPhD 3 жыл бұрын
You don't need to be a programmer to be successful with bug bounties, but I do think it's kinda like a cheat code. If you know how applications are built you can understand how they break. On the other hand coming in without any programming knowledge can also mean you think outside of the box. STÖK is an amazing hacker, and he has no prior knowledge for example!
@shubhamtripathi9902 2 жыл бұрын
Make a live video from getting domain from hackerone to recon and enumerate finally submitting with reports. Once you upload please let me know while I will be in touch with your channel.
@prob_here 4 жыл бұрын
canwe get your social profile like twitter or linkedin to follow
@InsiderPhD 4 жыл бұрын
Social Media links :) Twitter twitter.com/insiderphd/ HackerOne hackerone.com/insiderphd I don’t use any other social media
@v3n0mh4ckng9 4 жыл бұрын
British accent is so sexy :p
@hermajaystey Жыл бұрын
You’re the only person I can fully understand! 🫶🏻 thank you! You make me want to start searching for bugs today. But I’m not ready 🤣
thehackerish
Рет қаралды 22 М.
InsiderPhD
Рет қаралды 19 М.