Ahmad Ashraff
XSS Curioxssity
Today, all bugbounty hunters have a methodology for hunting bugs. Some focus on an intensive recon approach to identify their 'golden pots'. Some spend time analysing the source codes before the hunt and others rely exclusively on automation tools.
Name: Ahmad Ashraff Ahmad
Known as: yappare
Working: Lead Security Consultant at ZX Security
Exp in bugbounty since 2013. Achievements include:
- Top 5 in Bugcrowd 2013-2015
- Synack's Rookie of the year 2019
- Few times highlighted in Google's VRP G+ Community
- Listed in several HoF companies
- Presented about bugbounty in several security conferences such as Bugcrowd's LevelUp, NanoSec Malaysia, Christchurch Hacker's Conference
Whatever approach you choose, there will be a result. In this presentation, the speaker will share his experience with bugbounty by focusing on only one type of vulnerability, Cross-site Scripting (XSS).
While most of the web applications tested are generally vulnerable to this vulnerability, there are times when they are not thoroughly tested due to the annoying filters or WAF enabled on them. Does that mean they are bulletproof?
In this presentation, the presenter will share tips and tricks that he used during this situation to get a decent amount of side income.