
Bug Bounties, and Angular vs React at Zendesk

(released 31/08/2017)

This month we've got one hell of a double header: two friends of the coders group, Rhys Elsmore and Adam Cogan, both of whom regularly speak at international events.

Rhys will be talking on Bug Bounties and his participation in these programs.

We only have a few details about what Adam will be talking about, but what we do know is that it will be around Angular vs React at Zendesk.

All the usual details are the same as always.

First Wednesday of the month (Wednesday September 6th), 6:00 pm in the ICT Building at the University of Newcastle.

This month we have 2 sponsors:

Rhys Elsmore: Frontier Entomologist - Bug Bounty Hunting 101

Bug Bounty programs have exploded in popularity in the last few years. Participants are granted permission to use all the tricks in the book to attempt to "hack" the systems of prominent companies in return for reward and recognition.

Strangely enough, it isn't just security experts getting involved in these programs. Swarms of developers with an understanding of the nuances in their favourite languages are signing up to try to find bugs in big-name companies.

This talk will explain how these Bug Bounty programs work, offer some 101 guidance on the tools that are commonly used to perform reconnaissance and testing, and then move on to several proofs of concept for bugs that Rhys has discovered in the wild, including:

- Utilizing mustache templates to exfiltrate and empty the databases of a rather large Australian company.
- Obtaining control of one of the largest survey providers in the world through an incorrectly configured PDF exporter.
- Commandeering the records of several million jobseekers through leaked database configurations.
- Walking straight through the front door using incorrectly configured SAML.
- Taking over other people's accounts by sending them to a specially crafted URL.
- Reconfiguring a hardware WAF through an unauthenticated HTTP request.
- Obtaining a complete bash shell through the use of LESS templates.
- Using 8 iFrames to turn a harmless P5 bug into a more severe P2 bug.

He will also walk you through his testing methodology, and give some general tips for how you can make your systems more secure.

This talk is for anyone who writes code, administers systems, or utilizes an internet connection.

By day, Rhys Elsmore is a Platform Security Architect at Redacted - one of the largest PaaS providers in the world. By night, he hunts security bugs in the systems of companies such as Tesla, Twitter, Facebook, Pinterest, & Mastercard through Bug Bounty Programs. He has continued to rank in the Top 100 researchers on the program for the last 2 years.

It isn't all cybersecurifying though - he is also an amateur shooter, budding culinarian, and avid lover of staying the hell away from technology.
