The Bug Hunter's Methodology Live Course June 2024
TBHM Live - Course Info
I am thrilled to introduce you to The Bug Hunter's Methodology LIVE, my masterclass designed for aspiring and seasoned offensive security professionals, including web application security testers, red teamers, and bug bounty hunters.
The Bug Hunter's Methodology (TBHM) is a two-day, paid, virtual training that aims to equip you with the latest tools, techniques, and strategies, plus provide a data-driven methodology on how and where to search for vulnerabilities that are currently common in the wild.
Unlike other courses, TBHM Live is not an A-Z or beginner-oriented course. True to the spirit of my public TBHM talks, my emphasis is on expert tips, time-saving tricks, practical Q&As, automation strategies, vetted resources, and engagement via the dedicated community on Discord.
Here are the details for the upcoming masterclasses:
- Class 1 for US Timezone: June 26-27, 10am-6pm MST
- Class 2 for EU Timezone: June 28-29, 5am-1pm MST
Each module will be driven live, using real-time targets where possible. You'll have access to all source material to refer back to after the training. Plus, a video recording of the class will be available for all participants shortly after the course concludes.
TBHM Live is also much more than just a course. I am dedicated to fostering a vibrant and supportive community for our learners. In keeping with this commitment, I will maintain a Discord channel for ongoing support, including resume guidance and job placement assistance.
Join us for TBHM Live and get ready to supercharge your skills, refine your strategies, and join an active community of like-minded professionals.
I look forward to seeing you in the class!
Full syllabus:
Day 1 - Recon
Recon Part 1: Recon Concepts
- Introduction to Recon
Recon Part 2: Acquisitions and Domains
- Scope
- Shodan
- ASN Analysis
- Crunchbase ++
- SSL Recon
- ReconGTP
- Reverse WHOIS
- Reverse DNS
- Reverse IP
- DMARC Analysis
- Add and Analytics Relationships
- Supply chain investigation and SaaS
- Google-fu (trademark & Priv Pol)
- TLDs Scanning
- 0365 Enumeration for Apex Domains
Recon Part 3: Subdomain Enumeration
- Subdomain Scraping (all the best sources and why to use them)
- Security Trails + Netlas
- Brute force
- Wildcards
- Permutation Scanning
- Linked Discovery
- Wordlists
- Advantageous Subs (WAF bypass - Origins)
- Favicon analysis
- Sub sub domains
- Esoteric techniques
Recon Part 4: VPS
- Providers
- Blocking
Recon Part 5: Server & App Level Analysis
- Port Scanning
- Service Bruteforce
- Tech Stack
- Screenshotting
- WAF Bypass
Recon Part 6: Profiling People for Social Engineering
- Linkedin (people, tech)
- Hunter.io
- Hiring Sites
Recon Part 7: Recon Adjacent Vulnerability Analysis
- CVE scanners vs Dynamic Analysis
- Subtakover
- S3 buckets
- Quick Hits (swagger, .git, configs, panel analysis)
Recon Part 8: Recon Frameworks and Helpers
- Frameworks
- Understanding your framework
- Tips for success (keys)
- Distribution and Stealth
Day 2 - Application Analysis
Application Analysis Part 1: Analysis Concepts
- Indented usage (not holistic, contextual)
- Analysis Layers
- Application Layers as related to success.
- Tech profiling
- The Big Questions
- Change monitoring
Application Analysis Part 2: Vulnerability Automation
- More on CVE and Dynamic Scanners
- Dependencies
- Early running so you can focus on manual.
- Secrets of automation kings
Application Analysis Part 3: Content Discovery
- Intro to CD (walking, brute/fuzz, historical, JS, spider, mobile, params)
- Importance of walking the app
- Bruteforce Tooling
- Bruteforce Tooling Lists: based on tech
- Bruteforce Tooling Lists: make your own (from-install, dockerhub, trials, from word analysis)
- Bruteforce Tooling Lists: generic/big
- Bruteforce Tooling Lists: quick configs
- Bruteforce Tooling Lists: API
- Bruteforce Tooling Tips: Recursion
- Bruteforce Tooling Tips: sub as path
- Bruteforce Tooling Tips: 403 bypass
- Historical Content Discovery
- Newschool JavaScript Analysis
- Spidering
- Mobile Content Discovery
- Parameter Content Discovery
Application Analysis Part 4: JavaScript
- Raw Analysis
- Inline JS
- Obfuscated JS
- Lazy Loaded JS
- Minified JS
- Mobile JS Analysis
Application Analysis Part 5: The Big Questions
- How does the app pass data?
- How/where does the app talk about users?
- Does the site have multi-tenancy or user levels?
- Does the site have a unique threat model?
- Has there been past security research & vulns?
- How does the app handle common vuln classes?
- Where does the app store data?
Application Analysis Part 6: Application Heat Mapping
- Common Issue Place: Upload functions
- Common Issue Place: Content type multipart-form
- Common Issue Place: Content type XML / JSON
- Common Issue Place: Account section and integrations
- Common Issue Place: Errors
- Common Issue Place: Paths/URLs passed in parameters
- Common Issues Place: chatbots
Application Analysis Part 7: Web Fuzzing & Analyzing Fuzzing Results
- Parameters and Paths (generic fuzzing)
- Reducing Similar URLs
- Dynamic only fuzzing
- Fuzzing resources SSWLR - "Sensitive Secrets Were Leaked Recently”
- Backslash powered Scanner
Application Analysis Part 8: Introduction to Vulnerability Types
- Indented usage (not holistic. Tips and Contextual)
- Covered vulns and why
Application Analysis Part 9: XSS Tips and Tricks
- Stored and Reflected
- Polyglots
- Blind
- DOM
- Common Parameters
- Automation and Tools
Application Analysis Part 10: IDOR Tips and Tricks
- IDOR, Access, Authorization, MLAC, Direct browsing Business logic, parameter manipulation
- Numeric IDOR
- Identifying user tokens GUID IDOR
- Common Parameters
Application Analysis Part 11: SSRF Tips and Tricks
- SSRF intro
- schemas
- Alternate IP encoding
- Common Parameters
Application Analysis Part 12: XXE
- Common areas of exploitation
- Payloads
- Common Parameters
Application Analysis Part 13: File Upload Vulnerabilities Tips and Tricks
- Common bypasses
- Common Parameters
Application Analysis Part 14: SQL Injection Tips and Tricks
- SQLmap tamper
- ghauri
- Common Parameters
Application Analysis Part 15: Command Injection Tips and Tricks
- Common Parameters
Application Analysis Part 16: COTS and Framework Scanning
- Default Creds
- CMS's WordPress + Adobe Experience Manager
- Others
Application Analysis Part 17: Bypass of security controls
- Subdomains where controls are not applied
- Origins
- TLDs (.jp, .uk, .xx)
Attendees should have:
Burp Suite (PRO preferably), VM or equivalent access to *nix command line.
Pre-requisites for attendees: General Web application and network security testing knowledge required. Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities and previous experience.
A full list of tools needed will be posted in the class discord before class.
**Students who have previously taken the course**
Having had the privilege to lead the course numerous times now, it becomes evident that each session cultivates unique queries, responses, and input from students. This diversity presents a wonderful opportunity for thought-provoking discussions on various tools, techniques, and invaluable teachings. Every time the class is conducted, there's a fresh lesson to be learned. For former participants who have previously purchased this course, I extend an invitation to join any future sessions at a cost of $100 USD. Please feel free to reach out to me on the class discord channel to further discuss this opportunity.