https://www.hackerone.com/resources/i/1464962-2022-attack-resistance-report/0?ungated=

Attended the NUS Bug Bounty pre-event training workshop. Some interesting points:

• Consider the perspective of the organisation hosting the bug bounty program when looking for vulnerabilities, e.g. typically no social engineering to avoid spam to employees
• Bug bounty reporting details: (1) Vulnerability + Conditions + Impact, (2) Proof-of-concept, (3) CVSS.

Signed up for the NUS Bug Bounty program, which has a workshop for some basic training. Figured might be good to force myself to gradually pick up skills again.

• Burp Suite Community Edition
  • YesWeBurp Burp Suite Extension: For listing current YesWeHack programs
  • Hackvertor: For entity parsing
• GoBuster: For web probing, gobuster
• SqlMap: For SQL probing (git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev, requires Python)
• Interactsh: For out-of-band vulnerable server interactions, interactsh-client
• Surge: Native web app publishing on Surge.sh (requires Node.js, npm install --global surge)
• Hashcat: For breaking password hashes (requires 7zip for unpacking, sudo apt install 7zip; 7zz x hashcat-6.2.6.7z)