Bug Bounty Village (BBV)

hands-on

BUG BOUNTY Village is a platform for bug bounty researchers and Infosec professionals to come and share their experiences. It’s an apt place to learn bug bounty, report writing, teach and learn from others. With a series of talks/trainings and awards, we want to bring this fun platform to everyone.

Bug Bounty village includes two things :

The first one is “Unique Bug of the Year award / Best Bounty Hunter of the Year”. It aims to motivate and encourage researchers to write good and effective vulnerability reports. More interestingly if your vulnerability/ bug finding report gets duplicate ,do not worry, be happy, as we will also consider the duplicate reports in the submission. We understand how much time and effort a researcher/bug bounty hunter puts into finding a bug/vulnerability.

The second is “Talks and Workshops”. It aims at sharing knowledge with the bug bounty hunters and security community people who are already in Infosec field/ getting-started/ want to start a career in information security domain.

Speaker Name Talk Title Short Description Register link
Dhamotharan Decoding Multiple Vulnerabilities on Pulse Secure VPN? Pre-authentication arbitrary file read vulnerability (CVE-2019-11510) that revealed sensitive information like VPN client credentials, private SSH keys, and session cookies. They showed how this information was used to compromise a client session and gain access to a VPN network, then demonstrated additional post-authentication exploits that resulted in complete takeover of the VPN server. In order to exploit the issue, an attacker can send a malicious HTTP request containing directory traversal sequences along with a crafted Uniform Resource Identifier (URI) and access any file on the device. Register
Nimisha Dugalya Exploiting Server-Side Applications The workshop is hands-on white-box testing of a php-based application. Most of the server-side web applications are made up of Php, this workshop will introduce the attendees to some common vulnerabilities in php applications. This session will be a ctf based session where the related challenges will be hosted and the participants who are well ahead of the basic topics can solve them while others catch up. Topics that will be covered in this session are - common php coding mistakes, code reviewing for loopholes, server-side request forgery, deserialization vulnerability. After the session participants will have a clear understanding of how to analyze a web application for php bugs. Register
Shikhar Joshi Kubernetes - Overview and Exploitation What to expect in the session: Overview of Docker (demo): - Creating a docker image user dockerfile - Uploading the docker image to docker hub - Creating a container from the image - Getting a shell within the container - Linux namespace Overview of kubernetes architecture (theory/demo if time persists) - API Server - etcd - Controller - Scheduler - Kubelet - Nodes Creation of kubernetes resources (demo) - pods - namespaces - replication controllers/sets - services - roles Exploiting kubernetes cluster (demo) - Understanding authentication and authorisation in kubernetes cluster - Understanding kubernetes secrets - Exploiting the cluster via misconfigured RBAC - Exploiting the cluster via exposed resources. Register

JOIN