Web Penetration Testing & Bug Bounty
This course introduces the learning path on web penetration testing and bug bounties. We'll look at what you can expect to get out of this course and what it will cover.
Hi, within this lecture, we're going to cover what we're going to see in this course, and you will understand how to approach this course depending on your knowledge of the cybersecurity area. And by the way, if you do not have any previous experience in cybersecurity, that is no problem at all because we're going to start from scratch, but if you know something, you may want to skip a section or two, and I'm going to explain what we're going to see. First of all, why did we do this course? Because we thought that web security, web application and website security, will be much more important in the upcoming days. Nowadays, it's already important; it's a million dollar or billion dollar industry, right? So, if you want to know about the cybersecurity side of web applications, and if you want to find the vulnerabilities and find some bugs that may lead to serious problems in that website or in that company, then you're absolutely right. For example, let me show you some article from hackerone.com. So, this is a website actually, hackerone.com, and it's a perfectly good portal for you to find some businesses that pay rewards, that pay bounties for the bugs that you find, okay? So, a lot of bad hackers, a lot of black hat hackers, actually try and find some vulnerabilities to exploit and gain some money out of those illegally. But white hat hackers, good hackers, also do that, but for a good reason, for gaining bounties. For example, in this article, we see hackers making seven figures. These hackers actually won more than one million dollars in prizes, one million in bounties, from only this hackerone.com website. And as you can see, this guy is only 19 years old; there are some senior pentesters here as well, okay? But they're all young, they're all hackers, they are all white hat hackers, and they won more than one million dollars each, okay?
And this is one of the things that you can do after just completing this course. Of course, this course will not be sufficient alone for you to win a one million dollar prize. Okay, you're going to have to improve your knowledge of cybersecurity after that, but this course will provide you a very good basis in order to achieve these results. Okay, this is why we built this course. This is why we're going to show you the application fundamentals, security fundamentals for web applications and websites generally, and you're going to build on that, and you're going to be on your way to becoming a good ethical hacker. So, if we google, if we search for hacker methodology. Okay, you don't have to do that, by the way; I'm just showing you this as an example. You will come across a diagram showing that before you gain some authorization, or before you hack into the website, you're going to have to do reconnaissance and scanning and enumeration, which is basically information gathering about the website that you're going to be searching, or you're going to be scanning, okay? And this is, of course, one of the most important steps. After you gather enough information, you will be on your way to gaining your access, escalation of privilege and stuff. And in this course, of course, we're going to cover that as well, but we're going to cover this topic at the end of this course, as a last section. So, don't be surprised; the reason why we're doing that is that if you don't know anything about web pentesting or cybersecurity at all, now you will be lost. You won't understand what to do with that information, even if you understand how to gather information, okay? So, we're going to do this last. So, it's a little bit unorthodox to do that. Generally, you start with the information gathering part in web pentesting courses. But trust me, I have tried this a lot of times. I have been teaching this subject for many years. If you learn that at the end of the course, it will be much better for you, okay?
So, we're going to start directly with searching for vulnerabilities and exploiting those vulnerabilities to gain access and to find some bugs that may actually lead to bounties. And in the course, we're going to use a lot of different platforms like Beebox, Metasploitable, Juice Shop. Maybe you have heard of them before, maybe you have worked with those before. Don't worry if you didn't work with any of those before; again, you're more than welcome to just follow along with me and do what I do to understand the vulnerabilities and how to actually find the bugs and security flaws in the website. We're going to do more than 100 examples. We're not going to neglect the theory at all, but we're going to do a lot of practice so that we will understand what we are doing. And at the end of the course, as I said before, we're going to see how to gather information, and actually at the end of the course, in the last section, we're going to see how to submit our findings, submit our report to the site that may give us some bounties as well. So, my suggestion is that you follow along with the course; don't skip any sections. If you are really certain that you know what I'm going to talk about, then of course you can just skip it. But if you're starting from scratch, just follow along with me. Now, if you're ready, let's get started.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.