Low Competition Bug Hunting (What to Learn) - ft.
Рет қаралды 19,646
Күн бұрынA lot of people have anxiety that every bug has already been found. So they should learn something really new or obscure, even if it’s completely above their skill level. Here’s some advice if this is specifically giving you anxiety. TL;DR: Private programs, mobile apps, and IDORs can be great locations for lower competition, but still beginner-friendly, bugs. This is my quick answer to "What should I learn first to find a bug quickly?" and "What should I learn so I avoid dupes?"
'Katie Explains' videos are going to be shorter videos about smaller topics that don't need more in-depth explanations, which are news/updates or that update or give extra info to an existing video. I would usually just reply to these or tweet or something but I decided to make a video so more people will see the info!
- Also as a bonus, HackerOne are currently running #AndroidHackingMonth you can check out some awesome Android tips on twitter: search?q=%23andro...
- And check out this beginners guide from HackerOne www.hackerone.com/blog/androi...
Further Reading
- Setting up Burp on Android: blog.ropnop.com/configuring-b...
- Setting up Burp + Frida on iOS: spaceraccoon.dev/from-checkra...
- Introduction to Frida by Dawn Isabel: • LevelUp 0x04 - Fun wit...
@astrix8812 4 жыл бұрын
This video is filled with awesomeness! Thank you very much
@akshanshshriwatri8060 4 жыл бұрын
Damn! You've got a solution to every problem. So simple yet so effective. Thanks for this Katie!😊
@elliotalderson9774 4 жыл бұрын
This was great, thank you! I stopped hunting after just a month or so because I was highly discouraged. Now I have multiple avenues to try out. It was inspiring to hear about your experiences going up against pros and finding things they did not. So glad I found you from the 5 Hacking Newsletter :-)
@InsiderPhD 4 жыл бұрын
Aww thank you, I know it can really feel like everything has already been found but honestly there are definitely options, the h1 report showed that 71% of hackers prefer to hack web, so even just thinking about mobile or APIs (or code or physical devices) I think there are definitely some good bugs in that 29%
@ggmaxx66 3 жыл бұрын
a very motivational clip, thank you!
@Loveless9619 4 жыл бұрын
I was very skeptical before I started watching your videos and now after 3 videos I have become a huge fan of yours, I love your sincerity and openness to Sec's topic! Thank you so much, if it wasn't for you I wouldn't have found that bounty yesterday (business logic - payment bypass)! Everything you say is true, each of us has a different mentality and this leads us to find different bugs! Honestly I prefer you to all the others Sec's youtubers. Thank you so much.
@InsiderPhD 4 жыл бұрын
Omg! Congrats on finding a business logic error! They are some of my favourite bugs! Thank you for your kind comments it really brightens my day to read them, thank you for taking the time to not just watch my videos but also to write a comment! I hope my future videos will keep you coming back
@sohammogarekar4295 4 жыл бұрын
Awesome video considering realistic scenario ! Great 🤟
@InsiderPhD 4 жыл бұрын
Thank you! 👍
@raymatp1 4 жыл бұрын
Wow. Thanks for this video. Im one of those people who thinks all the bugs are gone because most of my submissions are duplicates. After listening to you, i was inspired to do bug hunting again. Hope i can find my 1st valid submission.
@InsiderPhD 4 жыл бұрын
I hope you can find something but don't be too disappointed if you find dupes, dupes are still valid bugs! It sucks that you don't get paid but as a beginner finding a dupe is an achievement! You found something!!! Just keep on doing what you do :)
@shrirangkahale 4 жыл бұрын
One Word for this video "GREAT"
@noobhunter2986 4 жыл бұрын
Good stuff
@testerstatus2355 4 жыл бұрын
The way you select the program, I do the same too. It is great some teaching my mindset and help everyone. Beginners like me keep on asking me this question. Hope, they will get some nice idea after watching this. Great Work @insiderPhD
@InsiderPhD 4 жыл бұрын
Thank you, I think this is a start but I'm sure as you work on your own methodology you will pick out stuff you like to hack on!
@ramkumar-lc1st 3 жыл бұрын
hey thanks for the video, subscribed..pls do more thanks Katie...
@jasonmikinskiwallet4308 4 жыл бұрын
This video was 15 minutes but I was like. Damn it's already over I didn't feel time past by.
@ahmedelgaidi 4 жыл бұрын
How are you, do you think studying from sans will be helpful for me(still beginner) Great video as usual!
@johnphiri9418 4 жыл бұрын
" All the bugs are all gone...no they are not"....nice dating advice :) love this thanks
@InsiderPhD 4 жыл бұрын
Plenty of fis- I mean bugs in the ocean of lazy developers
@KtosZPlanetyZiemia 4 жыл бұрын
@@InsiderPhD of wut ? :D o7
@renslakens4759 4 жыл бұрын
Great video! Motivated to pick this up again and start hunting. Which iOS hackers on KZbin do you recommend?
@InsiderPhD 4 жыл бұрын
So not on KZbin but I highly recommend Dawn Isabel (her talk is the one I recommend), Spaceraccon has some EXCELLENT newbie resources, and Teknogeek is the king of mobile. I recommend learning how to use Frida because once you learn that you are honestly right at the top of iOS bounty hunters
@selimeneskaraduman6935 4 жыл бұрын
Can u make a video for source code bug bounty I cant find resource for beginner on source code analys I love reading codes and I wanna do this on bug bounty programs but there is no resource about source code bug bounty as much as web/mobile. This would be so good
@gustavodutra1082 4 жыл бұрын
About the pyramid of hunters' niche, you've mentioned web and mobile. Do you think that source code review and binary exploitation is also a niche with less competition? I know that there is different skills you need, but that could be easier for example if someone is new to bug bounty and is a C/C++ developer. Awesome video btw, you're doing an awesome work!! Thank you"
@InsiderPhD 4 жыл бұрын
Definitely! I mention mobile because it's easiest for beginners to learn but with the right experience code review+binary is definitely worth learning. I met someone at a recent h1 live event who had earned his place at the event, but had never ever used burp before, the guy was a pro at code review and a bloody genius. In fact one of the challenges involved an extra bounty if you also submitted a fix, he was able to find bugs in other hackers fixes. Honestly incredible.
@KtosZPlanetyZiemia 4 жыл бұрын
@@InsiderPhD great stuff, could you tell credits about him? Twitter or sth?
@InsiderPhD 4 жыл бұрын
Wojciech Błaszczuk twitter.com/not_aardvark I highly recommend this article on this crazy complex vulnerability blog.teddykatz.com/2019/11/23/json-padding-oracles.html
@ca7986 4 жыл бұрын
♥️
@joelcantu5357 4 жыл бұрын
Hi katie, If the endpoint do works with the cookie by changing the cookie of UserB, (this cookie has lots of variables but just chaning PHPSESSIONID of UserB works) is it consider a IDOR? I mean i haven't decipher the PHPSSESIONID but just changing it to a valid one will make the action as correct. Should I report it? is is a low finding???
@InsiderPhD 4 жыл бұрын
If you have an endpoint which does something for User A, like change their email, and you replace the cookies with User B's and it still affects User A's account that's definitely a bug!
@joelcantu5357 4 жыл бұрын
@@InsiderPhD thanks a lot!!!
@jacobpetrov4041 4 жыл бұрын
Are there other sites like bug crowd or hacker one just for mobile bounties? I know both bugcrowd and h1 have mobile bounties but, a source for just mobile would be a huge time saver.
@InsiderPhD 4 жыл бұрын
No, but a ton of h1 programs have mobile apps in scope! there are so many options for mobile apps atm.
@bunhthachau3587 4 жыл бұрын
Hello
@Edysamaha 4 жыл бұрын
Oh my god your voice is really shocking how old are you😂
@InsiderPhD 4 жыл бұрын
Mid 20s! But I'm guessing you thought I was a young man/teenager I'm actually a woman!