A Tour Around the Bug Bounty Zoo

Bug bounty programs… They all seem similar, but are they really all the same?

Finding the right program to target is the first step to being successful in bug bounties. But a large number of programs have emerged within the past few years, and it is becoming difficult to figure out which ones will provide the maximum ROI and learning opportunities.

So how should I pick a program? And how do I prioritize the different metrics of programs, such as payout amount, response time and asset type?

Today, we are going to explore the different types of bug bounty programs in terms of their asset type, analyze the benefits and drawbacks of each type, and figure out which one you should go for!

First, A Fun History Lesson

How did we end up here in the first place? Have bug bounties always been as big a thing as they are now?

Bug bounties are currently one of the most popular ways for organizations to find security bugs. Organizations ranging from large corporations like PayPal and Facebook to government agencies like the US Department of Defense have all embraced the idea.

The pioneer bug bounty programs

Not too long ago, reporting a vulnerability to a company would more likely land you in jail than earn you a reward.

That changed in 1995, when Netscape launched the first-ever bug bounty program. They encouraged users to report bugs in their brand new browser, the Netscape Navigator 2.0. This was the first time the idea of crowdsourced security testing was introduced to the Internet world. This means that the first bug bounty program was created 25 years ago. Isn’t that amazing?

The next corporate bug bounty program was launched by Mozilla only nine years later in 2004, encouraging users to identify bugs in Firefox.

A bug bounty boom

But it was not until the 2010s that bug bounties became popular. Google launched its bug bounty program in 2010 and Facebook in 2011. These two programs kickstarted the trend of using bug bounties as an augmentation to a corporation’s in-house security infrastructure.

The bug bounty zoo

Soon after bug bounties became a more well-known strategy, bug-bounty-as-a-service platforms emerged. The two largest bug bounty platforms, HackerOne and Bugcrowd, were both launched in 2012. After that, a few more platforms, such as Synack, Cobalt, and Intigriti, emerged.

Bug bounty platforms and managed bug bounty services allow companies with limited resources to run a program. And now, bug bounties are widely adopted as an additional security measure for large corporations, small startups, non-profits, and government agencies alike.

Today, the bug bounty world is a diverse marketplace with tons of different programs, all with their own characteristics, difficulties, benefits, and drawbacks. This is what I call “The Bug Bounty Zoo”.

Photo by Shyam Jadav on Unsplash

Species One: Social Sites and Applications

Anything that says “social” makes my hacker-heart happy. That’s why the first “species” we’re going to talk about in the bug bounty world are social sites and applications.

Social sites are a special breed worthy of extra attention because they are typically full of potential for critical web vulnerabilities such as IDORs, info leaks, and account takeovers. They are also often complex applications with a lot of user input opportunities, so they are prone to input bugs like SQLi, XSS and other injections as well.

So if you are a newcomer to bug bounties, I recommend that you start with social sites first. Targeting social sites means that you will have a large number of programs to choose from, a large attack surface to work with, and the chance to quickly build a wide range of web security knowledge.

Skillset needed: Knowledge about client-side web vulnerabilities, Proxy skills (Required), JavaScript programming skills, Knowledge about web development (Preferred).
Number of programs: High.
Competition: High.
Barrier of entry: Low.
Examples: Facebook, Twitter, HackerOne, GitHub, Line.

My past blog posts are mostly about web hacking and will give you a good starting point for building these skills:

A good resource that helped me tremendously when starting to hack web applications is Peter Yaworski’s book Web Hacking 101:

Species Two: Non-social Web Applications

Non-social web applications are also a good target for beginners. However, in my experience, they tend to be a little more difficult to hack than social applications and have a smaller attack surface. But this is probably because I prefer to look for IDORs and info leaks when I first start out with a program!

Non-social web applications can also be a very fruitful target. The types of bugs that you should look for in these applications are slightly different from those in social applications. For these applications, focus on server-side vulnerabilities and vulnerabilities specific to the application’s technology stack.

Skillset needed: Knowledge about client-side web vulnerabilities, Knowledge about server-side web vulnerabilities, Proxy skills (Required), JavaScript programming skills, Knowledge about web development (Preferred).
Number of programs: High.
Competition: High.
Barrier of entry: Low.
Examples: Google, US Department of Defense, Credit Karma.

Species Three: Mobile Applications (Android, iOS and Windows)

After you get the hang of the basics of hacking a web application, you can choose to specialize in mobile applications.

Hacking mobile applications requires the skillset you’ve built from hacking web applications, as well as additional skills like certificate pinning bypass, mobile reverse engineering, and cryptography. It also requires a little more setup than hacking web applications, and requires you to own a mobile device that you can experiment on.

However, the higher barrier of entry for mobile programs is also an advantage: these programs are less competitive and only a small proportion of hackers will attempt them.

Skillset needed: Knowledge about web vulnerabilities, Proxy skills, Knowledge about the structure of mobile apps (Required), Programming skills related to the platform, Cryptography skills, Reverse engineering skills (Preferred).
Additional requirements: Mobile device.
Number of programs: High.
Competition: Low to Moderate.
Barrier of entry: Moderate.
Examples: Facebook Messenger, Twitter App, Line, Yelp, Gmail.

Check out my post here for an introduction to hacking Android applications:

Species Four: Source Code and Executables

If you have more advanced programming and reversing skills, you can give source code programs and executable programs a try.

These programs can entail analyzing code for web vulnerabilities in open source projects and fuzzing binaries for potential buffer overflows. You usually have to understand advanced coding and computer science concepts in order to be successful in these programs.

Keep in mind that these programs are diverse and you have a lot of them to choose from. This means that you don’t have to be a master programmer to hack these programs, but rather, aim for a solid understanding of the project’s tech stack and underlying architecture.

Skillset needed: Knowledge about web vulnerabilities, Programming skills related to the codebase, Code analysis skills (Required), Cryptography skills, Software development skills, Reverse engineering skills (Preferred).
Number of programs: High.
Competition: Low.
Barrier of entry: High.
Examples: The Internet Bug Bounty, PHP, WordPress.

For an introduction to reviewing source code, read my post here:

Species Five: Hardware and IoT

Last but not least, we have Hardware and IoT programs. These are programs that require you to hack devices like cars, smart televisions, and thermostats.

The skills that you need to hack these programs are highly specific: you often need to acquire a deep understanding of the type of device that you are hacking, in addition to understanding common IoT vulnerabilities.

In addition, although some programs will provide you with a free device to hack on, that often only applies to select hackers who’ve already established a relationship with the company. So you might also need the funds to acquire a device on your own to experiment on.

Skillset needed: Knowledge about web vulnerabilities, Programming skills related to the codebase, Code analysis skills, Specific hardware and IoT skills (Required), Cryptography skills, Software development skills, Reverse engineering skills (Preferred).
Additional requirements: Hardware or IoT device.
Number of programs: Low.
Competition: Low.
Barrier of entry: High.
Examples: Tesla, Ford.

Good Luck!

Choosing the right program for your skillset is crucial if you want to break into the world of bug bounties. I hope this post helped you sort out the various programs that you might be interested in. Good luck and happy hacking!

For more bug bounty tips, like how to get private invites, read this:

For an overview of the types of vulnerabilities and concepts that you’ll need to understand to become a successful hacker, read this:

For tips on writing good vulnerability reports, read this:

Thanks for reading. Is there anything I missed? Feel free to let me know on Twitter: https://twitter.com/vickieli7.

Special thanks to Darkerhack for the topic suggestion. Got any topic ideas for me? Send me a message!

Translated from: https://medium.com/swlh/a-tour-around-the-bug-bounty-zoo-c63ccbf4d7cd
