What is bug bounty?
In this current world of emerging technology, we are heading towards web 3.0. which is just a small step for more enhanced web applications. But in between this reform, the main and most important task for an organization is how they tackle the hackers which intentionally attack the organization to gain unauthorized access to the web application [1-4].
so, to prevent these types of situations. organizations host events in which they invite and give a platform to the security researchers or web pentester who are more often called bug bounty hunters. These professionals fully packed with weapons in their hacking machine now attack the targeted website to find a bug or a loophole that can affect the web application’s security. if they are successful to accomplish this task, they will be paid a handsome amount for this achievement
What is the need of bug bounty programs?
In today’s world every tech giant including Google, Facebook and Microsoft has faced massive data breaches. affecting millions of industries around the world. according to the latest studies around 70 to 75% of websites on the internet are at risk
From where can I start my bug bounty carrier?
The Learning path for bug bounty Is not so easy and not even so hard. A normal computer science enthusiast can enter this field without any hesitation. There are not so many prerequisites, but it will be good if you give a read to the ‘web application hackers handbook’ by Dafydd Stuttard. And Marcus Pinto, and you should have also basic knowledge of the following topics.
- Computer networking
- How the internet works
- Some application protocols
And after you have cleared your fundamentals, you can practice some of the mentioned web attacks to sharpen your skills.
Top 5 web attacks [5-13].
- SQL injection (SQLi): – This web security vulnerability allows the hacker to manipulate the SQL queries which an application makes with its database. And it facilities the hacker to retrieve the data which normally can’t be viewed by the attacker. In many situations, an attacker can modify this data or can delete the data causing an irreversible change to the application’s content.
- CROSS-SITE SCRIPTING(XSS): -this vulnerability arises when untrusted data or Malicious Script is included on the web page. And when this malicious code runs in the victim’s browser, the attacker can fully comprise their interaction with the application this type of problem occurs due to improper validation or sanitization of the user input in the web page.
- OS command Injection: – This attack is also known as shell injection. As the name suggests this vulnerability allows the attacker to execute operating system commands on the server which is running the website.
- Distributed Denial of Service (DDoS): – In this attack the attacker bombards the sever with so many HTTP/HTTPS requests that it paralyzes the sever and prevents a normal user to use the service [5-10].
- Broken Access control: -Poorly designed access control system can led attackers to exploit the flaws such as access to others accounts, modifying other user’s data ,change access rights ,etc.
- Gupta, S., et al. (2017). Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: present and future challenges. International Journal of Cloud Applications and Computing (IJCAC), 7(3), 1-43.
- Gupta, S., et al. (2015, May). PHP-sensor: a prototype method to discover workflow violation and XSS vulnerabilities in PHP web applications. In Proceedings of the 12th ACM International Conference on Computing Frontiers (pp. 1-8).
- Gupta, B. B., & Chaudhary, P. (2020). Cross-site scripting attacks: Classification, attack, and countermeasures. CRC Press.
- Zargar, S. T., Joshi, J., & Tipper, D. (2013). A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE communications surveys & tutorials, 15(4), 2046-2069.
- Yan, Q., et al. (2015). Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges. IEEE communications surveys & tutorials, 18(1), 602-622.
- Tripathi, S., et al. (2013). Hadoop based defense solution to handle distributed denial of service (ddos) attacks. Journal of Information Security. Vol. 4 No. 3 (2013) , Article ID: 34629 , 15 pages DOI:10.4236/jis.2013.43018.
- De Donno, M., Dragoni, N., Giaretta, A., & Spognardi, A. (2017, September). Analysis of DDoS-capable IoT malwares. In 2017 Federated Conference on Computer Science and Information Systems (FedCSIS) (pp. 807-816). IEEE.
- Adat, V., et al. (2018, January). Economic incentive based solution against distributed denial of service attacks for IoT customers. In 2018 IEEE international conference on consumer electronics (ICCE) (pp. 1-5). IEEE.
- Jia, Y., Zhong, F., Alrawais, A., Gong, B., & Cheng, X. (2020). Flowguard: An intelligent edge defense mechanism against IoT DDoS attacks. IEEE Internet of Things Journal, 7(10), 9552-9562.
- Alieyan, K., Almomani, A., Anbar, et. al. (2021). DNS rule-based schema to botnet detection. Enterprise Information Systems, 15(4), 545-564.
- Hoque, N., Bhattacharyya, D. K., & Kalita, J. K. (2015). Botnet in DDoS attacks: trends and challenges. IEEE Communications Surveys & Tutorials, 17(4), 2242-2270.
- Cvitić, I., et al. (2021). Boosting-based DDoS Detection in Internet of Things Systems. IEEE Internet of Things Journal.
- Computer Security
- XSS Research Directions
- XSS Prevention Measures
- Network Coding: A Multi-Faceted Enabler for Next-Generation Wireless Networks!