Throughout the year, Bugcrowd hosts free conferences for hackers as part of our LevelUp series. These conferences are hosted online, broadcast via YouTube.
Below are the past LevelUp talks about Web Hacking:
Bug Hunting Methodology v3 (great for beginners!):
Esoteric sub-domain enumeration techniques - Bharath, from Bugcrowd’s LevelUp 2017
How does unicode affect our security? - Christopher Bleckmann-Dreher, LevelUp 2017
Finding Hidden Gems in Old Bug Bounty Programs - Yappare, Bugcrowd’s LevelUp 2017
There is something I don’t quite get about web hacking after having viewed the “Bug Hunting Methodology” videos.
You are supposed to start with loads of discovery.
However, wouldn’t most of the scanning for the discovery violate most programs rules against “automated scans”, DOS or downgraded service?
I mean all.txt has like 40k entries, If I try and run that to find directories, wouldn’t that be against the programs rules??
DOS means actually Dos-ing the website using zombies services. Directory brute force did not consider as Dos if you dont use high threads (on some programs) and if program specifically told about directory brute forcing out of scope then dont try to attempt it.