This course covers some additional resources that you can use to improve your web penetration testing skills, and how you can make money from them through legitimate means.
Hi, congratulations on making it to the end of this course. I hope you enjoyed it, and now we're going to discuss some alternative ways for you to master your web pentesting and bug bounty skills, and some legal ways for you to make money out of those skills so that you can start pentesting. So, if you have completed this course, we have tried to cover most of the OWASP Top 10 and most of the popular things that you can come across during real web pentesting and real bug bounty hunting sessions, okay? But of course you need to make a little bit more effort to understand these vulnerabilities in a better way, and you need to do much more practice before you become ready, right? Of course, you can go directly into web pentesting, but these kinds of CTFs and practice exercises will make you much better. So, what I'm talking about is VulnHub, for example. This works as a CTF website, a vulnerable machine website: you can find a lot of vulnerable machines on this website, download them for free and try to sharpen your skills. So, vulnhub.com is free, and there are a couple of other options like tryhackme.com, which is not free, and hackthebox.eu, which is not free either. So, you pay some price over here, like 10 bucks a month, okay? And they give you some vulnerable machines; you try to hack them, gather points and climb the charts. So, it's a very good scenario for you to learn much more about web pentesting, but they are not necessarily focusing on web pentesting, by the way; you can see all other types of ethical hacking as well, like pentesting for Windows, pentesting for Linux and pentesting for web. So, you have to cherry-pick sometimes in order to understand web pentesting in more depth, but it's worth a shot to come over here and look at VulnHub, TryHackMe and Hack The Box.
And after you do all of those things, or if you feel ready right away, you can come over here to hackerone.com and sign up to do real, legal web pentesting, or to Bugcrowd or Intigriti. So, these are websites for bug bounty hunters, okay? As you can see, Intigriti focuses on European companies, and Bugcrowd and hackerone.com are more like global websites; hackerone is the biggest one, okay? So, I'm going to walk through hackerone.com, but they all work in the same way, so you can understand it in a better way. If you come over here, you can search for the hackers and see the general information about hackerone.com. As you can see, it's a collection of videos and resources, so it actually includes training as well, like instructors and stuff. But they also have a business side over here. So, if you come over here to the leaderboard or the program directory, for example, you can see the enrolled companies and organizations, and you can start web pentesting against them. I'm going to show you the list, by the way, don't worry. As you can see, you can see the benefit. So, this is how it works: a hacker searches for vulnerabilities and submits them to hackerone.com, and the organization finds you and gives you a reward if you're the first one to report it and if you actually follow their instructions. So, I'm going to talk about what kind of instructions they have. You have to stay on the legal side, and the legal scope will be given to you by hackerone, Intigriti or any other website that you're trying this on. So, if you come over here to FOR HACKERS, if you come over here to start hacking, you can log in, but I want to show you the program directory, because that's where you will find the enrolled companies. As you can see, this is the directory, and there are tons of companies over here that you can focus on.
For example, IBM, Ford, Uber, Twitter, Sony, Slack, Starbucks, Zomato, Vimeo, GitHub, HackerOne itself: you can actually find anything that you want over here, like any globally known website, because they're not taking risks. They're giving bounties to white hat hackers, ethical hackers, so that they can actually close down the security risks, find the bugs and vulnerabilities in their websites and get rid of them. So, as you can see, they're giving some generous bounties over here, starting from maybe $100 up to many thousands of dollars; you can get a reward of maybe 50 bucks, but sometimes $15,000, depending on the bug that you have found and the severity of that bug. So, as you can see, even the US Department of Defense is here. You can find one of the websites over there and click on it to see the details about the program, because they're not saying that you can attack them in any way you want. For example, doing a DDoS attack against them is most of the time forbidden, because it doesn't make sense, right? So, let me come over here to AT&T, for example, just to see the rewards, and as you can see, for critical findings AT&T gives $2,000, for high $750, for medium $300 and for low $50. They come back to you in six hours, which is very good, and let's see the guidelines. So, if you come over here, you have to read this policy before you go and do pentesting, because they will restrict you in some way. And as you can see, they paid $1 million; the AT&T company alone paid $1 million in total to find their bugs and make them right. So, if you come over here, you're going to see the program exclusions, which are very important. As you can see, they say that DDoS is forbidden and social engineering is forbidden, okay? Physical attacks are obviously forbidden. So, even if you hack in using a social engineering technique, it won't make sense, okay?
So, we didn't even cover social engineering in this course, because it's out of scope 99% of the time. So, as you can see, we have the scopes. These are all out of scope, so you cannot attack these websites. Even if you attack them, it would be illegal, and even if you find a bug, you won't get a reward out of it, okay? So, make sure you check this; make sure you check the in-scope and out-of-scope things, the policies and the program exclusions over here before you start a web pentesting or bug bounty session. So again, for example, over here it says that CSRF is out of scope; I don't know why they do that. CSRF is included in the scopes of many other companies over here, okay? But they don't want it, so even if you find a CSRF issue in AT&T, you won't get any money out of it. So, as you can see, even the DoD is here, and you can see the guidelines of the DoD: you shouldn't compromise the privacy or safety of any DoD personnel, which is very understandable, and you can see the legal scopes and the illegal scopes. You have to respect those scopes and that policy; otherwise it wouldn't be legal, otherwise you wouldn't get a reward out of it, and it would be a waste of your time, okay? So, after you find anything, you can just come here to submit a report, and it will be logged into the system so they can't say that you didn't submit it. You will see a timeline over here showing when you submitted it, when you got a response back and when you got rewarded, something like that. So, it's a very good system. Now it's all up to you; I suggest you sharpen your skills, come back to hackerone.com or any other bug bounty website, and start earning money by submitting these bugs. So, I hope you enjoyed the course; see you in another one.
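The scope check described above, as an added example that is not part of the course: a small Python scope checker that takes a program's in-scope and out-of-scope host patterns plus its excluded vulnerability classes and techniques, and tells you whether a target host and a finding fall within policy before you test or submit. The policy entries (host names, categories, techniques) are constructed placeholders, not the rules of AT&T, the DoD or any real program; out-of-scope rules are given precedence over in-scope ones, which is the conservative reading of a policy page.

```python
"""Bug bounty scope checker (added example; not from the course or any platform).

The policy below is a constructed, hypothetical program: host patterns,
excluded categories and excluded techniques are placeholders, not any real
program's rules. Out-of-scope entries always win over in-scope entries.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class ProgramPolicy:
    in_scope: list                                   # host patterns, '*' is a wildcard
    out_of_scope: list                               # host patterns, take precedence
    excluded_categories: set = field(default_factory=set)  # vuln classes not rewarded
    excluded_techniques: set = field(default_factory=set)  # methods the program forbids


# Constructed sample policy for a hypothetical program.
SAMPLE_POLICY = ProgramPolicy(
    in_scope=["*.example-program.test", "api.example-program.test"],
    out_of_scope=["legacy.example-program.test", "*.corp.example-program.test"],
    excluded_categories={"csrf", "clickjacking"},
    excluded_techniques={"ddos", "social_engineering", "physical"},
)


def _normalize_host(target: str) -> str:
    """Reduce a URL or host:port string to a bare lower-case host name."""
    host = target.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]     # drop any path
    host = host.split(":", 1)[0]     # drop any port
    return host


def _matches(host: str, pattern: str) -> bool:
    """Case-insensitive wildcard match; '*.a.test' does not cover the bare 'a.test'."""
    return fnmatchcase(host, pattern.lower())


def check_target(target: str, policy: ProgramPolicy):
    """Return (allowed, reason) for a host. Out-of-scope rules are checked first."""
    host = _normalize_host(target)
    for pat in policy.out_of_scope:
        if _matches(host, pat):
            return False, f"{host} is explicitly out of scope ({pat})"
    for pat in policy.in_scope:
        if _matches(host, pat):
            return True, f"{host} is in scope ({pat})"
    # Anything not listed is treated as out of scope, never as fair game.
    return False, f"{host} is not listed in scope; do not test it"


def check_finding(category: str, technique: str, policy: ProgramPolicy):
    """Return (rewardable, reason) for a finding's class and the method used to find it."""
    if technique.lower() in policy.excluded_techniques:
        return False, f"technique '{technique}' is a program exclusion"
    if category.lower() in policy.excluded_categories:
        return False, f"'{category}' findings are not rewarded by this program"
    return True, "finding class and technique are within policy"


if __name__ == "__main__":
    for t in ["https://www.example-program.test:8443/login",
              "legacy.example-program.test",
              "dev.corp.example-program.test",
              "other.test"]:
        print(t, "->", check_target(t, SAMPLE_POLICY))
    print(check_finding("csrf", "manual", SAMPLE_POLICY))
    print(check_finding("xss", "manual", SAMPLE_POLICY))
```

Run it before a session with the program's real scope page copied into a `ProgramPolicy`; the unlisted-host branch is deliberately a refusal, because a host that is neither listed in scope nor listed out of scope is not authorized, and the technique check is there because a valid bug found through an excluded method (social engineering, DDoS) is, as the lecture says, still not rewarded.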
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.