Bug Bounty Village, c0c0n 2020

About Bug Bounty Village

BUG BOUNTY VILLAGE is a platform for bug bounty researchers and Infosec professionals to come and share their experiences. It's an apt place to learn, teach, and collaborate on bug bounty, report writing, and the various aspects of it. With a series of talks/training and awards, we want to bring this fun platform to everyone.

At c0c0n 2020, we would like to bring together some prominent researchers and bug bounty stakeholders to join hands and present the benefits of bug bounties.

Get ready for some awe-inspiring workshops, great talks, and boundless knowledge.

Bug Bounty from Paranoids


Abstract:

TBA

Sean Poris, Director, Product Security, Verizon Media

Sean Poris is the Director of Product Security and Assurance at Verizon Media, as part of its information security squad, The Paranoids. He also leads the bug bounty team for the number one bug bounty program on one of the top bug bounty platforms in the industry - working with a global ethical hacking community to eliminate Internet badness. Prior to working for Verizon Media, Sean was Senior Director of Software Security at The College Board, where his team equipped software development groups with the critical training, tools and processes needed to address information security holistically throughout the development lifecycle. Sean currently serves on the Board of the Northern Virginia Chapter of OWASP and was a conference co-chair for the 2019 Global OWASP AppSec DC conference.

Web Application hacking with WebZGround


Abstract:

WebZGround is a self-contained training environment: a custom VM designed to help students, bug bounty hunters, web application security enthusiasts, penetration testers and newcomers learn and practise web application security concepts on a set of vulnerable lab apps locally. It also contains the tools required for penetration testing of web applications.

Parveen Yadav, Security Researcher

Security researcher, Synack Red Team member; likes DJ parties, foodie.
Parveen Yadav is a security researcher and Synack Red Team member. He is co-founder of the OWASP Seasides conference, and has presented the Bugzee Soldering Village at DEF CON China and the Bug Bounty Village at the OWASP Seasides conference.

Narendra Kumar, Cyber Security Analyst

Web and mobile penetration tester; active member of and contributor to various security communities including null, OWASP and G4H. Presenter at OWASP MiniCon and OWASP Seasides Goa 2018, and speaker at null and OWASP chapter meetings. A happy volunteering team member of the OWASP Seasides and Nullcon security conferences.

Broken Cryptography & Account Takeover


Abstract:

Applications still use weak cryptographic generation methods, which can lead to severe risk. In application security, enumerating every possible point to find out how secrets, tokens and encryption are handled always gives an edge. Broken and weak cryptography can have a severe impact, and account takeover is one such outcome. An account takeover involves gaining persistent access to the victim's account, completely compromising confidentiality, integrity and availability (CIA). However, neither broken cryptography nor account takeover is limited to just a few attack vectors.

Harsh Bothra, Cyber Security Analyst, Detox Technologies

Harsh Bothra is currently working as a Cyber Security Analyst at Detox Technologies. Holding a bachelor's degree in Computer Science & Engineering, his major interests revolve around information technology and security. He is a part-time bug hunter on Bugcrowd (currently ranked in the top 150 researchers, and MVP for Q1 & Q2) and a Synack Red Team member. He has spoken at various security events and conferences such as Cyber June'gle by the Defcon Red Team Village & Texas Cyber, Bugcrowd LevelUp0x07, and OWASP & Defcon local chapters. Harsh has authored two books on hacking, focusing especially on beginners. One of the books authored by Harsh has previously been recommended by NITTR-Chandigarh and AICTE (Govt. of India bodies). He holds 50+ Hall of Fame entries from various companies. He loves to talk about cybersecurity and has conducted many sessions on cyber security, ethical hacking & application security. (Full bio: https://harshbothra.tech)


My top 3 findings in bug Bounty journey | Aiming for high impact issues


Abstract:

Interesting vulnerabilities: how they were found, their impact and their remediation. What is the thought process for finding such bugs? How is it different from the input validation and similar vulnerabilities reported day to day? How to plan, target and approach vulnerabilities. The difference between a pentest and a bug bounty.

Ankit Giri

Mr. Ankit Giri is a speaker, presenter and blogger. He has a diverse background in writing information blogs. Mr. Ankit is a penetration tester by profession with 5+ years of experience. He is also a part-time bug bounty hunter, featured in the Halls of Fame of multiple companies such as EFF, Sony, HTC, AT&T, etc. He loves speaking at conferences and has been featured at many, including AWS Community Day 2020, DeepSec Austria 2019 and more. Our speaker has also published an article in PenTest Magazine on IoT security and has been a featured profile at Peerlyst.

Automation in Bug Bounties to Work Smarter


Abstract:

Getting started with security research and bug bounties is greatly complemented by knowing a scripting or programming language to deal with everyday tasks, saving time and working more efficiently. Through this talk, I aim to help beginners get comfortable with one of the most praised scripting languages among security researchers, Python. With this knowledge one can get started with their own custom automation scripts and build their own arsenal, rather than relying on external toolkits and spending time getting comfortable with someone else's methodologies.

Prerak Mittal

Prerak Mittal is co-founder of the Defcon Dehradun (DCG91135) security group. His major interests revolve around IT and network security and casual coding/scripting to automate the boring stuff. He is a part-time bug bounty hunter and has spoken at numerous security events and conferences such as OWASP Seasides and local Defcon and HackTheBox meetups, and along with his Defcon Dehradun team has presented an RFID hacking village at BSides Ahmedabad.

Preparing for a Car Hacking Program or Bug Bash


Abstract:

Car hacking programs, responsible disclosures and bug bashes are hot in this era of bug bounty hunting, thanks to the initiative of car companies and hackers in the automotive industry. In this talk, we will focus on my experience of handling or being part of triaging bugs related to automotive security and car hacking, specifically on how security researchers prepare mentally and physically for a bash, or how to have a win-win situation. This talk will help aspiring car hackers, or probably car hackers I have already met, on what to focus on and expect when there is a car hacking event. What do we usually look for or expect from researchers? Yes, that hopefully will be answered. This is kind of a prequel to the speaker's talk entitled "Automotive Security Bugs".

Jay Turla

Jay Turla (@shipcod3) is a Manager, Security Operations (PH) at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework. He has presented at ROOTCON, HITCON, PEHCON, DEFCON's Packet Hacking Village, DragonCon, BSides Myanmar, Nullcon and other hacker conferences. He used to work for HP Fortify, where he performed vulnerability assessment, remediation and advanced testing. His main interest and research right now is car hacking, and he is currently one of the main organizers of the Car Hacking Village of ROOTCON / Philippines, which is recognized and supported by the Car Hacking Village community.

Automate your Recon with ReconNote


Abstract:

I will explain how to use bash to automate the recon process, from basic one-liners to gathering the major assets of the target for the attack surface. It will include enumerating subdomains, resolving live hosts, port scanning, screenshots, extracting JS files, path fuzzing and using nuclei, and then combining those one-liners into a bash script to create your fully automated web recon script. I will then introduce my "ReconNote" web framework, which I created using Node.js/Bootstrap for web application recon, and show how to use the tool to map your attack surface and gain good insights with this web recon framework.

Prasoon Gupta

Prasoon Gupta is an Application Security Engineer at Paytm and a part-time bug bounty hunter with the codename "dekster". He has worked in the application security field for 5 years and is mostly interested in web application security and in automating the recon process to map a large attack surface using bash, as well as tweaking many tasks with bash.

PANELISTS

Abhinav Mishra, Founder, ENCIPHERS

Abhinav Mishra (0ctac0der) is the founder of ENCIPHERS, an information security consulting and training company. Abhinav takes care of managing the penetration testing, training and other offensive security projects for ENCIPHERS. Before starting his journey of entrepreneurship, Abhinav used to be a part-time bug bounty hunter. He holds numerous accolades & rewards for finding security issues through responsible disclosure programs. Enciphers manages responsible disclosure programs for its clients. Hence, Abhinav will be able to share a view from both sides, i.e. bug bounty hunter as well as responsible disclosure program manager.

Bhavuk Jain, Bug Bounty Hunter

Bhavuk Jain is an independent security researcher and a full time bug bounty hunter. He has been acknowledged by dozens of companies including Apple, Facebook, Yahoo and has been to various live hacking events all around the world.

Nikhil Srivastava, Bug Bounty Hunter

Nikhil is a full-time bug bounty hunter and has been a top 5 Synack Red Team member for the past 6 years. He is also lead pentester at cobalt.io. He loves to travel and explore least visited natural spots and always keeps a "never give up" attitude in life.

Ryan Rutan, Director of Community, Synack Red Team

Ryan Rutan is currently the Director of Community for the Synack Red Team after having spent over a decade building distributed online communities for tech-savvy enterprise developers. He is a long-time developer/maker at heart and technology innovator by trade, but his passion comes from uniting people, process and technology into fully sustainable communities capable of scaling to meet any challenge, regardless of industry. In his spare time, he enjoys flexing his creativity by writing books (such as Fork This Life), hacking on custom IoT projects and furthering his cybersecurity skills by leveraging his strengths to build automation tools to streamline scanning and recon.


Hours Day 1
Fri, 18 Sep

10:00-10:45
CTF

We will be organising an interesting CTF in collaboration with Security Innovation to play and explore different challenges, learn while having fun and win some awesome prizes. All players have fun, with exciting prizes to be won! Cash prizes of Rs.10,000 for 1st place, ₹8,000 for 2nd and ₹5,000 for 3rd; swag boxes & giveaways to the top 10 participants; certificates to all participants who score.

10:45-11:00
Sean Poris

Bug Bounty from Paranoids

Sean will talk about Verizon Media's bug bounty experience.

11:00-11:30
11:30-13:00
13:00-14:00
BREAK

14:00-14:30
Parveen Yadav
Narendra Kumar

Web Application hacking with WebZGround

14:30-15:30
15:30-16:00
16:00-16:30
BREAK

16:30-17:00

Web Application hacking with WebZGround (continued)

17:00-17:30

Hours Day 2
Sat, 19 Sep

09:00-09:45
[PANEL DISCUSSION]

Bug Bounty

11:00-11:30
Harsh Bothra

Broken Cryptography & Account Takeover

11:30-11:45
11:45-12:15
Ankit Giri

My top 3 findings in bug Bounty journey | Aiming for high impact issues

12:15-12:30
12:30-13:00
Jay Turla

Preparing for a Car Hacking Program or Bug Bash

13:00-13:15
13:15-14:00
BREAK

14:00-14:30
Prerak Mittal

Automation in Bug Bounties to Work Smarter

14:30-15:00
15:00-15:30
Prasoon Gupta

Automate your Recon with ReconNote

15:30-16:00

CONFERENCE PARTNERS

PLATINUM SPONSORS

vensec
