A look inside the “So you wanna bughunt?” event

Sean (zseano)
Aug 2 · 5 min read

I’ve secured a venue, i’ve created the content and now i’m waiting to bring hackers together for the first ever “So you wanna bughunt” training event hosted by me, zseano, located in Cambridge (United Kingdom). I started mentoring via YouTube only a few months ago but i’ve been training people on a 1 to 1 basis for years, just as a friend, not an official ‘teacher’. Now I want to take my mentoring to the next level and bring hackers together in the same room, as you would like a live hacking event, except instead of earning we’re learning.

If you have had the privilege of attending a live event then you will know the atmosphere and vibe is out of this world. So many hacker thoughts flowing at once, it really is amazing to see. And so the birth of my training course meet live event idea was born, So you wanna bughunt?

(Snacks and drinks will be provided throughout the day and a lunch is provided from 12:30–13:30)

The “ZSEANO” Methodology

The day begins with me talking about my methodology when hunting on bugbounty programs, dubbed “the zseano methodology”. This will include literally everything I do, my entire thought pattern, and how you can replicate it and start your own journey in the world of bugbounties. I will tell you how I managed to go from no bugs on Bugcrowd all the way to #2 overall behind the legendary mongo in just 9months and how I then apply this same methodology on new programs.

Throughout this talk I will tell you all the tips & tricks i’ve learnt along the way to save you time and spend more time hands on hacking. Get an insight into what researchers have automated and what you should aim to automate.

I will end this talk by going through some interesting bugs & bypasses i’ve found in my years of bughunting and how I went about finding these, and how the same stuff I was doing years ago, still works today. (companies redacted)

Time to get your hack on

Laptops at the ready, burp (or a proxy tool of your choice) open, let’s hack!

So you’ve heard my methodology and how I hack, so now let’s apply this. For the next section of the session you will be hunting yourself on a range of custom-made websites containing vulnerabilities i’ve personally found in bugbounty programs, recreated for you to discover and get that same euphoric feeling. For this section I will be on hand to provide mentoring & help should you become stuck and we also have special guest hackers @nijagaw and @bitquark along side you providing their hacker thoughts and assistance. You will learn about XSS, CSRF, SSRF, account takeover methods, filter bypassing and more whilst also learning the methodology to finding these bugs. Get an insight into the common mistakes developers are making and learn how to discover vulnerable areas quickly.

Now it’s your turn, shades on, hacker mode engaged.

You’ve learnt my methodology, you’ve replicated a variety of bugs i’ve found, now it’s your turn! A complete blackbox approach, you will be given a policy & scope and it’s your chance to show the world the hacker inside you. Report issues like you would with a bugbounty program and I will be live triaging the issues as they come in. We have the following prizes available: (Of course our special guest hackers won’t be eligible for these :P)

  • Best proof of concept/written report
    This award will be for the user who creates the best proof of concept and writes the most detailed report. An example of could be weaponizing an XSS bug for account takeover rather than just alert(0)
  • Most bugs found
    Simple, this one’s for the user who finds the most bugs!
  • First Bug
    No dupes for you! A unique award for the first valid & accepted bug.

Show & Tell

Similar to other live events after we’ve done hacking (there is a break in between don’t worry!) I will be going through all the bugs you should of found. If anyone is feeling brave then this is their opportunity to come up and walk through their findings with everyone, of course this is optional and will be decided on the day.

Swag & Takeaways

It won’t just be a wrath of new knowledge you leave with. We have a very special goodie bag for you including some exclusive BugBountyNotes & HackenProof swag. Not only that but you get a copy of “the zseano methodology” to keep and always refer to. As well as all of that you also get all challenge material used throughout which includes notes from me on how the developer got it wrong. (Blackbox testing website is not included)

When & Where?

This event is hosted on 13th September 2019 at Homerton Conference Centre, located in Cambridge United Kingdom. We have 21 spaces available for this course and you can find ALL required information about attending here: https://www.bugbountynotes.com/mentoring/events

This event is kindly sponsored by HackenProof, a bugbounty platform connecting companies with hackers. Jane, the managing lead at HackenProof will be in attendance and will be bringing swag with her :)

-zseano

Sean (zseano)

Written by

UK WebApp Security Researcher. Creator of https://www.bugbountynotes.com/ — designed to help people learn and get involved with hacking.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade