Practical Bug Bounty — TCM Academy | Module 1

4 months ago

Mohammad Awab Hassan Nizami

1- Importance of Web Application Security

Web applications need to be secured for a variety of reasons. When you use Facebook or Amazon you are using a web application, and there is always a security aspect to it. We keep hearing about data breaches; the goal of web application security is to prevent them, keep our data protected, and keep our customers' trust.

- Protecting users' data.
- Maintaining customers' trust; otherwise they will move to alternatives.
- Legal and regulatory compliance.
- Protecting the business from going under.
- Protecting the brand's reputation; rebuilding trust takes a lot of time.
- If any of these fail, the result is financial loss.
- With your data, attackers can steal your identity.

2- Web Application Security Best Practices

- Regularly patching vulnerabilities and installing updates.
- Giving users least privilege: no unnecessary access.
- Secure coding, including input validation and sanitization. Developers often skip this, but it is crucial.
- Implementing 2FA. Attackers then have to bypass it (for example through social engineering), and since attackers are mostly looking for easy wins, removing the easy win matters.
- Logging and monitoring, so you know what is going on.
- Training users. Attackers can now write convincing phishing emails with AI tools like ChatGPT and can even clone your voice.
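An added example (not from the course or the original post) of the "input validation and sanitization" point: a Python user lookup against a constructed in-memory SQLite table, first with the user-supplied value pasted straight into the query text, then with an allowlist check plus a parameterized query. The table contents, the function names and the payload are all constructed for this illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite users table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


# Allowlist for what a username may look like (assumed policy for the example).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is interpolated into the SQL text.

    An attacker can close the quote and append their own SQL, so the
    payload  ' OR '1'='1  turns a single-user lookup into a full table dump.
    """
    query = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then bind the value as a parameter.

    1. The allowlist rejects anything that is not a plausible username.
    2. The parameterized query hands the value to the driver separately from
       the SQL text, so it is never parsed as SQL even if validation were
       loosened later.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, normal input :", find_user_vulnerable(conn, "alice"))
    print("vulnerable, payload      :", find_user_vulnerable(conn, payload))
    try:
        find_user_safe(conn, payload)
    except ValueError as err:
        print("safe, payload            : rejected ->", err)
    print("safe, normal input       :", find_user_safe(conn, "alice"))
```

The two defences are deliberately layered: validation limits the attack surface early, while parameterization is the control that actually prevents injection, so keep the parameterized form even for inputs you believe are already validated.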

3- Web Application Security Standards

- OWASP Top 10: the most critical web application risk categories. It is revised periodically (every few years rather than every year).
- Common Weakness Enumeration (CWE): a catalog of software weakness types, each with an ID, that you can look up to understand a class of error.
- SANS Top 25 (CWE/SANS Top 25): the most dangerous software weaknesses, each mapped to its CWE entry, so you can learn what the vulnerabilities are and how they relate.

4- Bug Bounty Hunting vs Penetration Testing

- In bug bounty, impact is everything.
- In bug hunting you may be looking for a specific bug; in a pentest the whole application is in scope.
- Pentests are often driven by compliance requirements.

A- Non Impact Findings

- Allowing passwords shorter than 8 characters.
- Unlimited login attempts (no rate limiting or lockout).
- Username enumeration: we guess a username and password, and the application tells us the password is wrong, which confirms that the username was right.
- Outdated software versions.
- Cookie issues (missing flags, long expiration).
- Weak ciphers and certificate issues.

In general: bug hunting is impact, impact, impact; pentesting looks at everything, every vulnerability no matter how small.
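An added example (not from the course or the original post) that puts three of these low-impact findings side by side in one small Python login service: a password-length rule, error messages that leak whether a username exists, and an attempt limit. The user store, the PBKDF2 hashing, the 12-character minimum and the lockout thresholds are assumptions chosen for the illustration, not the course's recommendations.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example.
MIN_PASSWORD_LEN = 12
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 (a dedicated library such as argon2 or bcrypt
    is the better production choice; PBKDF2 is used here to stay stdlib-only)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# A throwaway credential hashed at startup so that unknown usernames still cost
# one hash computation and do not answer faster than known ones.
DUMMY_SALT, DUMMY_DIGEST = hash_password(secrets.token_hex(16))


@dataclass
class User:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self):
        self.users = {}  # constructed in-memory store, not a real user database

    def register(self, username: str, password: str) -> None:
        # Finding 1: a minimum length is enforced at registration.
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        salt, digest = hash_password(password)
        self.users[username] = User(salt, digest)

    def login_vulnerable(self, username: str, password: str) -> str:
        """Shows findings 2 and 3: distinct messages and no attempt limit."""
        user = self.users.get(username)
        if user is None:
            return "unknown username"   # tells the attacker the account does not exist
        _, digest = hash_password(password, user.salt)
        if not hmac.compare_digest(digest, user.digest):
            return "wrong password"     # tells the attacker the account does exist
        return "ok"                     # and nothing ever slows down guessing

    def login_hardened(self, username: str, password: str, now: float = None) -> str:
        """One generic message, constant work per attempt, and a lockout."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Hash against a dummy credential when the user is unknown, so the
        # response time does not reveal which usernames exist.
        salt = user.salt if user else DUMMY_SALT
        expected = user.digest if user else DUMMY_DIGEST
        _, digest = hash_password(password, salt)
        ok = (
            user is not None
            and hmac.compare_digest(digest, expected)
            and now >= user.locked_until
        )
        if not ok:
            if user is not None:
                user.failures += 1
                if user.failures >= MAX_FAILURES:
                    user.locked_until = now + LOCKOUT_SECONDS
            return "invalid credentials"
        user.failures = 0
        return "ok"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery")
    print(svc.login_vulnerable("mallory", "x"))   # unknown username
    print(svc.login_vulnerable("alice", "x"))     # wrong password
    print(svc.login_hardened("mallory", "x"))     # invalid credentials
    print(svc.login_hardened("alice", "x"))       # invalid credentials
```

Note the trade-off in the hardened version: per-account lockout stops online guessing, but it also lets anyone who knows a username lock that user out, so real deployments usually pair it with per-IP throttling and a CAPTCHA step rather than relying on lockout alone.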

5- Phases of a Web Application Penetration Test
