Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/bugcrowd/bugcrowd_university

Open source education content for the researcher community
https://github.com/bugcrowd/bugcrowd_university

Last synced: 20 days ago
JSON representation

Open source education content for the researcher community

Awesome Lists containing this project

README 

        
# Bugcrowd University








## Created by

[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix)

[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swagnetow)



## Contributors

[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/chloemessdaghi)

[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jeffboothby)

[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/samhouston)

[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/danaepp)



## What is Bugcrowd University?

Bugcrowd University is a free and open source project to help level-up our security researchers. It includes content modules to help our researchers find the most critical and prevalent bugs that impact our customers. Each module will have slide content, videos, and labs for researchers to master the art of bug hunting. As time goes on we hope the community will help us curate BCU and create a new standard for security testing training!



# Modules



|Module|Slides|Video|Lab Guide|Authors|

|------|--------|-----------|---------|---------|

|An Introduction to BCU|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/Introduction/BCU%20Introduction.pdf)|[Video](https://bugcrowd.com/resource/introduction-to-bugcrowd-university/)|N/A|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swagnetow)||

|How to Make a Good Submission|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/How_to_make_a_good_submission/Bugcrowd%20University%20-%20How%20to%20Make%20a%20Good%20Submission.pdf)|[Video](https://bugcrowd.com/resource/how-to-make-a-good-bug-submission/)|N/A|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swagnetow)||

|An Introduction to Burp Suite|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/An_introduction_to_Burp_Suite/Bugcrowd%20University%20-%20Burp%20Suite%20Introduction.pdf)|[Video](https://www.bugcrowd.com/resource/introduction-to-burp-suite/)|N/A|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swagnetow)||

|Broken Access Control Testing|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/Access_control_testing/Bugcrowd%20University%20-%20Broken%20Access%20Control%20Testing.pdf)|[Video](https://www.bugcrowd.com/resource/broken-access-control-testing/)|[Labs](https://github.com/bugcrowd/bugcrowd_university/blob/master/Access_control_testing/BOSS%20Lab%20Guide%20-%20Broken%20Access%20Control%20Testing.pdf)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix)||

|Cross Site Scripting|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/Cross_site_scripting/Bugcrowd%20University%20-%20Cross%20Site%20Scripting.pdf)|[Video](https://www.bugcrowd.com/resource/cross-site-scripting-xss/)|[Labs](https://github.com/bugcrowd/bugcrowd_university/blob/master/Cross_site_scripting/BOSS%20Lab%20Guide%20-%20Cross%20Site%20Scripting.pdf)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swagnetow)||

|Recon and Discovery|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/Recon%20and%20Discovery/Bugcrowd%20University%20-%20Recon%20%26%20Discovery.pdf)|[Video](https://www.bugcrowd.com/resources/webinars/recon-discovery)|N/A|[![Twitter](https://img.shields.io/badge/Twitter-@sml555_-blue.svg)](https://twitter.com/sml555_)||

|Server Side Request Forgery|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/Server%20Side%20Request%20Forgery/Bugcrowd%20University%20-%20Server%20Side%20Request%20Forgery.pdf)|[Video](https://www.bugcrowd.com/resources/webinars/server-side-forgery-request)|N/A|[![Twitter](https://img.shields.io/badge/Twitter-@alyssa%5Fherrera_-blue.svg)](https://twitter.com/Alyssa_Herrera_), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/shipcod3)||

|GitHub Recon and Sensitive Data Exposure|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/GitHub%20Recon/Bugcrowd%20University%20-%20GitHub%20Recon%20and%20Sensitive%20Data%20Exposure.pdf)|[Video](https://www.bugcrowd.com/resources/webinars/github-recon-and-sensitive-data-exposure)|N/A|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/th3g3nt3lman)||

|XML External Entity Injection|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/XML%20External%20Entity%20Injection/Bugcrowd%20University%20-%20XML%20External%20Entity%20Injection.pdf)|[Video](https://www.bugcrowd.com/resources/webinars/xml-external-entity-injection)|N/A|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/fyoorer)||

|Burp Suite Advanced|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/Burp%20Suite%20Advanced/Bugcrowd%20University%20-%20Burp%20Suite%20Advanced.pdf)|[Video](https://www.bugcrowd.com/resources/webinars/advanced-burp-suite)|N/A|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/JR0ch17)||



## Planned Modules



|Module|Slides|Video|Lab Guide|Authors|

|------|--------|-----------|---------|---------|

|To Be Determined|Slides|Video|N/A|N/A||



### Previous Work



Bugcrowd believes in empowering its crowd through education. Some portions of Bugcrowd University were inspired by the DEF CON 23 talk, *How to Shot Web*, as well as several iterations of *The Bug Hunter\'s Methodology* talks. Because these talks outgrew the standard conference slot, each topic is represented in Bugcrowd University here as an entire module. **Below are those past talks archived for your viewing should you want to add them to your education.** We have also added several other useful talks and presentations by Bugcrowd staff that we think highlights great learning opportunities for our researchers: 



|Topic|Slides|Video|Authors|

|------|--------|-----------|---------|

|How to Shot Web (DEF CON 23) / The Bug Hunter's Methodology 1.0|[Slides](https://docs.google.com/presentation/d/1FiquBESCWAVmIuc769IfIrTtKYgipUuEBt_5gtl5A58/edit#slide=id.p)|[Video](https://www.youtube.com/watch?v=-FAjxUOKbdI)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix)||

|The Bug Hunter's Methodology 2.1 (Nullcon)|[Slides](https://drive.google.com/open?id=1VpRT8dFyTaFpQa9jhehtmGaC7TqQniMSYbUdlHN6VrY)|[Video for 2.0](https://www.youtube.com/watch?v=C4ZHAdI8o1w)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix)||

|The Bug Hunter's Methodology 3(ish) (Bugcrowd LevelUp 0x02)|[Slides](https://drive.google.com/open?id=1R-3eqlt31sL7_rj2f1_vGEqqb7hcx4vxX_L7E23lJVo)|[Video](https://www.youtube.com/watch?v=Qw1nNPiH_Go)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix)||

|Practical Tips For Running A Successful Bug Bounty Program (AppSecUSA 2016 & AppSecEU 2016)|[Slides](https://github.com/bugcrowd/bugcrowd_university/blob/master/assets/If_You_Cant_Beat_Em_Join_Em_Grant_McCracken_Daniel_Trauner_v6.pdf)|[Video 1](https://www.youtube.com/watch?v=ZkvR0rai4Vo) [Video 2](https://www.youtube.com/watch?v=uN-R8txJ2q0)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/grantmcmusic), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/shpendk), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/dantrauner)||

|HUNT: Data Driven Web Hacking & Manual Testing (DEF CON 25 & AppSecUSA 2017)|[Slides](https://docs.google.com/presentation/d/1qfc3fPgVs8DPcWRYz13kCZ5awUCitWaw5Qn-ZgTW_Sk/edit#slide=id.p)|[Video 1](https://www.youtube.com/watch?v=0CU75vPfIS4) [Video 2](https://www.youtube.com/watch?v=IEak_-SG8xM)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhaddix), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swagnetow)|



### Bugcrowd's LevelUp 0x03



|Topic|Video|Authors|

|------|-----------|---------|

|LevelUp 0x03 - Why humans suck at calculating risk and how it affects security|[Video](https://youtu.be/RBoI0sSBeDo)|[![Twitter](https://img.shields.io/badge/twitter-modMasha-blue.svg)](https://twitter.com/modmasha)|

|LevelUp 0x03 - Serverless Top 10 Vulnerabilities|[Video](https://youtu.be/C61PJKumlcQ)|[![Twitter](https://img.shields.io/badge/twitter-4ppsec-blue.svg)](https://twitter.com/4ppsec)|

|LevelUp 0x03 - Profiling the Attacker - Using Offender Profiling In SOC Environments|[Video](https://youtu.be/SQM6c6wlwL4)|[![Twitter](https://img.shields.io/badge/twitter-_JamesStevenson-blue.svg)](https://twitter.com/_JamesStevenson)|

|LevelUp 0x03 - AEM hacker - approaching Adobe Experience Manager webapps|[Video](https://youtu.be/EQNBQCQMouk)|[![Twitter](https://img.shields.io/badge/twitter-0ang3el-blue.svg)](https://twitter.com/0ang3el)|

|LevelUp 0x03 - Social Engineering 101|[Video](https://youtu.be/NpMmd6ODkfc)|[![Twitter](https://img.shields.io/badge/twitter-pizzahax-blue.svg)](https://twitter.com/pizzahax)|

|LevelUp 0x03 - Finding Bugs with Binary Ninja|[Video](https://youtu.be/55gClG-sjWc)|[![Twitter](https://img.shields.io/badge/twitter-psifertex-blue.svg)](https://twitter.com/psifertex)|

|LevelUp 0x03 - API Security 101|[Video](https://youtu.be/ijalD2NkRFg)|[![Twitter](https://img.shields.io/badge/twitter-bugcrowd-blue.svg)](https://twitter.com/bugcrowd)|

|LevelUp 0x03 - Bad API, hAPI Hackers!|[Video](https://youtu.be/UT7-ZVawdzA)|[![Twitter](https://img.shields.io/badge/twitter-jr0ch17-blue.svg)](https://twitter.com/jr0ch17)|

|LevelUp 0x03 - What's in my hacking tool box?|[Video](https://youtu.be/P1LV2yYuijw)|[![Twitter](https://img.shields.io/badge/twitter-secrich-blue.svg)](https://twitter.com/secrich)|

|LevelUp 0x03 - From CTF to CVE|[Video](https://youtu.be/1N2Y4c1JqAc)|[![Twitter](https://img.shields.io/badge/twitter-C_3PJoe-blue.svg)](https://twitter.com/C_3PJoe)|

|LevelUp 0x03 - Behind the Curtain: Safe Harbor and Department of Defense|[Video](https://youtu.be/-hgGyL58wZc)|[![Twitter](https://img.shields.io/badge/twitter-AmitElazari-blue.svg)](https://twitter.com/AmitElazari),[![Twitter](https://img.shields.io/badge/twitter-DC3VDP-blue.svg)](https://twitter.com/DC3VDP),[![Twitter](https://img.shields.io/badge/twitter-ChloeMessdaghi-blue.svg)](https://twitter.com/ChloeMessdaghi)|

|LevelUp 0x03 - What you reap, is what you sow|[Video](https://youtu.be/hPSkbHjMzsI)|[![Twitter](https://img.shields.io/badge/twitter-Sidragon1-blue.svg)](https://twitter.com/Sidragon1)|

|LevelUp 0x03 - From an IVI in a box to a CAR in a box|[Video](https://youtu.be/qO795qZO87w)|[![Twitter](https://img.shields.io/badge/twitter-mintynet-blue.svg)](https://twitter.com/mintynet)|

|LevelUp 0x03 - IoT - Attacker Point of View|[Video](https://youtu.be/xK7uSdlxgf4)|[![Twitter](https://img.shields.io/badge/twitter-vulcainreo-blue.svg)](https://twitter.com/vulcainreo)|

|LevelUp 0x03 - Turbo Intruder: Abusing HTTP Misfeatures to Accelerate Attacks|[Video](https://youtu.be/vCpIAsxESFY)|[![Twitter](https://img.shields.io/badge/twitter-albinowax-blue.svg)](https://twitter.com/albinowax)|

|LevelUp 0x03 - iPhone Baseband Research + Reversing|[Video](https://youtu.be/Mwh1PsfEerw)|[![Twitter](https://img.shields.io/badge/twitter-userlandkernel-blue.svg)](https://twitter.com/userlandkernel)|

|LevelUp 0x03 - The Law and You: Reducing the Cost of Free Speech|[Video](https://youtu.be/Qx_xPDfWbUg)|[![Twitter](https://img.shields.io/badge/twitter-bugcrowd-blue.svg)](https://twitter.com/bugcrowd)|

|LevelUp 0x03 - Mach0 and the App Store|[Video](https://youtu.be/-nPXpfiqmiw)|[![Twitter](https://img.shields.io/badge/twitter-manizzler-blue.svg)](https://twitter.com/manizzler)|



### Bugcrowd's LevelUp and LevelUp 0x02



Bugcrowd also has run several community-driven and researcher testing based conferences. These presentations are full of great educational content for a bug hunter. These are highly recommended supplemental materials:



|Topic|Video|Authors|

|------|-----------|---------|

|LevelUp 0x02 - Intro & Bugcrowd Ambassador Program announcement|[Video](https://www.youtube.com/watch?v=oKQYd2Pxn2Y)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/samhouston)||

|LevelUp 0x02 - Small Files And Big Bounties, Exploiting Sensitive Files|[Video](https://www.youtube.com/watch?v=pzH-gytUWWI)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/internetwache), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/gehaxelt), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/TimPhSchaefers)||

|LevelUp 0x02 - Trickle Down PwnOnomics|[Video](https://www.youtube.com/watch?v=Vp03EtR5-TY)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/hateshaped)||

|LevelUp 0x02 - Meet a Bugcrowd Program Admin, Twitch|[Video](https://www.youtube.com/watch?v=_xYyonJbpbY)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/jhebertocx)||

|LevelUp 0x02 - Practical recon techniques for bug hunters & pen testers|[Video](https://www.youtube.com/watch?v=McLdm4c1oLs)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/appsecco)||

|LevelUp 0x02 - Back to Basics: Application Security Practices in Smart Contract Auditing|[Video](https://www.youtube.com/watch?v=7V9EEGNMicI)|[![Twitter](https://img.shields.io/badge/twitter-@Jon_A_Hass-blue.svg)](https://twitter.com/Jon_A_Hass)||

|LevelUp 0x02 - Hardware Hacking 101|[Video](https://www.youtube.com/watch?v=KJHM0gUoCAg)|[![Twitter](https://img.shields.io/badge/twitter-@Ben_RA-blue.svg)](https://twitter.com/Ben_RA)||

|LevelUp 0x02 - Hacking OAuth 2.0 For Fun And Profit|[Video](https://www.youtube.com/watch?v=X0mV9HXbKHY)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/PeritusInfosec)||

|LevelUp 0x01 - Welcome to LevelUp 2017! Intro from Sam Houston|[Video](https://www.youtube.com/watch?v=BR6QgzudquE)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/samhouston)|

|LevelUp 0x01 - Casey Ellis on the State of Bug Bounties & Ask Me Anything |[Video](https://www.youtube.com/watch?v=sOSoG3ysbH8)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/caseyjohnellis)|

|LevelUp 0x01 - Targeting for Bug Bounty Research|[Video](https://www.youtube.com/watch?v=hYJ7ipSOplw)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/mattreduce)|

|LevelUp 0x01 - Giving Back to the Bug Bounty Community|[Video](https://www.youtube.com/watch?v=BEaMhs9LmoY)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/ZSeano)|

|LevelUp 0x01 - Finding Hidden Gems in Old Bug Bounty Programs|[Video](https://www.youtube.com/watch?v=-FLzKJ3IAAQ)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/Yappare)|

|LevelUp 0x01 - How to Fail at Bug Bounty Hunting|[Video](https://www.youtube.com/watch?v=XAjpilWbSSQ)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/aphire)|

|LevelUp 0x01 - Esoteric sub-domain enumeration techniques|[Video](https://www.youtube.com/watch?v=e_Gq99CKAys)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/appsecco)|

|LevelUp 0x01 - MarkDoom: How I Hacked Every Major IDE in 2 Weeks|[Video](https://www.youtube.com/watch?v=nnEnwJbiO-A)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/mattaustin)|

|LevelUp 0x01 - How does unicode affect our security?|[Video](https://www.youtube.com/watch?v=VtbVkG3_NsE)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/schniggie)|

|LevelUp 0x01 - Browser Exploitation for Fun and Profit |[Video](https://www.youtube.com/watch?v=j3SbkXxdvnE)|[![Twitter](https://img.shields.io/badge/twitter-@mishradhiraj_-blue.svg)](https://twitter.com/mishradhiraj_)|

|LevelUp 0x01 - Hidden in Plain Site: Disclosing Information via Your APIs|[Video](https://www.youtube.com/watch?v=jBi3a-dXsM8)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/yaworsk)|

|LevelUp 0x01 - Doing recon like a boss|[Video](https://www.youtube.com/watch?v=1Kg0_53ZEq8)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/nahamsec)|

|LevelUp 0x01 - Identifying & Avoiding Android app Protections|[Video](https://www.youtube.com/watch?v=MH1gQLDxx2w)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/timstrazz)|

|LevelUp 0x01 - Hacking Internet of Things for Bug Bounties|[Video](https://www.youtube.com/watch?v=AKoyZLibIeo)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/adi1391)|

|LevelUp 0x01 - Advanced Android Bug Bounty skills|[Video](https://www.youtube.com/watch?v=OLgmPxTHLuY)|[![Twitter](https://img.shields.io/badge/twitter-@Ben_RA-blue.svg)](https://twitter.com/Ben_RA)|

|LevelUp 0x01 - Car Hacking 101|[Video](https://www.youtube.com/watch?v=P-mzo2X47sg)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/mondalan)|

|LevelUp 0x01 - OWASP iGoat - Learning iOS App Penetration Testing & Defense|[Video](https://www.youtube.com/watch?v=VeW_G4xoh5Q)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/swaroopsy)|

|LevelUp 0x01 - Do you like fuzzing?|[Video](https://www.youtube.com/watch?v=uOfXud0iVf8)|[![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/abhijeth), [![Twitter](https://img.shields.io/badge/[email protected])](https://twitter.com/lalithr95)|

|LevelUp 0x01 - Reverse Engineering iOS Mobile Apps|[Video](https://www.youtube.com/watch?v=ONTvixnUVPw)|Emily Walls|

|LevelUp 0x01 - Breaking Mobile App Protection Mechanisms|[Video](https://www.youtube.com/watch?v=jFBFh9QfmjM)|[![Twitter](https://img.shields.io/badge/twitter-@Ben_RA-blue.svg)](https://twitter.com/Ben_RA)|



## License



CC-BY-4.0 - Creative Commons Attribution 4.0 International