Aye matey! Bring home the bounty. Don’t just find bugs -- find an SSRF.

Presented at CactusCon 12 (2024), Feb. 16, 2024, 10:30 a.m. (60 minutes).

Looking to boost your income without quitting your day job? Forget the usual "Top 10 Side Jobs" list! Want to know what's rewarding and can fetch you a solid payout? Bug bounties. On average, bug bounty hunters make just under $3,000 per submission—pretty sweet, right? But what type of findings see these larger payouts? I've seen rewards above that average for solo Server-Side Request Forgery (SSRF) findings, and that's the kind of finding I want to give you the tools to replicate. Ready to dive into the hunt for SSRF vulnerabilities? This talk is your launching pad. In this session, you'll learn the core concepts behind SSRF, learn to identify this class of vulnerability, and learn how to tap into an array of free online resources to guide your exploration. Together, we’ll develop a process for writing up an SSRF finding and walk through the step-by-step execution of one of these techniques. Gain insights into fundamental penetration testing methodologies tailor-made for SSRF and walk away armed with essential remediation tools. With this newfound knowledge, you can replicate your own findings on approved targets in Bug Bounty and Responsible Disclosure programs, opening doors to substantial rewards and reputation. Amidst the vast realm of web app vulnerabilities, uncovering an SSRF isn't just a discovery—it's a voyage into the heart of hidden networks and larger bounties. It's the secret passage that separates the audacious from the ordinary, making you not just a bug hunter but a true navigator of the digital seas.

Presenters:

  • Yelena Williams - A red teamer specializing in web apps
    Yelena Williams is a cyber security researcher for a large financial institution and is committed to empowering newcomers to grow within the field. She does this by helping them navigate complex topics while offering a relatable perspective rooted in her own experiences with “starting over.” In the middle of her 15-year career in tech, Yelena attended her first DEFCON event and fell in love with cyber security. Being in the US Army at the time, she switched to Cyber Warfare the very next year. While in Cyber Warfare, Yelena received extensive training in multiple disciplines in a way that she would describe as "an inch deep and a mile wide in white-hat hacking." Post-military, Yelena has taken her unique experience and continued to apply that knowledge in new and exciting ways. Recently, she has shifted her focus to specialize in web applications. Ultimately though, her mission is to empower others with accessible knowledge while fostering a community of learners and risk-takers.
