

Bugcrowd University

<p align="center"> <img src="https://github.com/bugcrowd/bugcrowd_university/blob/master/assets/logo.png" height="70%" width="70%"> </p>

Created by: [Twitter profile badges]

What is Bugcrowd University?

Bugcrowd University is a free and open source project to help level-up our security researchers. It includes content modules to help our researchers find the most critical and prevalent bugs that impact our customers. Each module will have slide content, videos, and labs for researchers to master the art of bug hunting. As time goes on we hope the community will help us curate BCU and create a new standard for security testing training!


| Module | Slides | Video | Lab Guide | Authors |
|---|---|---|---|---|
| An Introduction to BCU | Slides | Video | N/A | Twitter, Twitter |
| How to Make a Good Submission | Slides | Video | N/A | Twitter |
| An Introduction to Burp Suite | Slides | Video | N/A | Twitter, Twitter |
| Broken Access Control Testing | Slides | Video | Labs | Twitter |
| Cross Site Scripting | Slides | Video | Labs | Twitter |
| Recon and Discovery | Slides | Video | N/A | Twitter |
| Server Side Request Forgery | Slides | Video | N/A | Twitter, Twitter |
| GitHub Recon and Sensitive Data Exposure | Slides | Video | N/A | Twitter |
| XML External Entity Injection | Slides | Video | N/A | Twitter |
| Burp Suite Advanced | Slides | Video | N/A | Twitter |

Planned Modules

| Module | Slides | Video | Lab Guide | Authors |
|---|---|---|---|---|
| To Be Determined | Slides | Video | N/A | N/A |

Previous Work

Bugcrowd believes in empowering its crowd through education. Some portions of Bugcrowd University were inspired by the DEF CON 23 talk How to Shot Web, as well as several iterations of The Bug Hunter's Methodology talks. Because these talks outgrew the standard conference slot, each topic is represented in Bugcrowd University as an entire module. Below are those past talks, archived should you want to add them to your education. We have also added several other useful talks and presentations by Bugcrowd staff that we think highlight great learning opportunities for our researchers:

| Talk | Slides | Video | Authors |
|---|---|---|---|
| How to Shot Web (DEF CON 23) / The Bug Hunter's Methodology 1.0 | Slides | Video | Twitter |
| The Bug Hunter's Methodology 2.1 (Nullcon) | Slides | Video for 2.0 | Twitter |
| The Bug Hunter's Methodology 3(ish) (Bugcrowd LevelUp 0x02) | Slides | Video | Twitter |
| Practical Tips For Running A Successful Bug Bounty Program (AppSecUSA 2016 & AppSecEU 2016) | Slides | Video 1, Video 2 | Twitter, Twitter, Twitter |
| HUNT: Data Driven Web Hacking & Manual Testing (DEF CON 25 & AppSecUSA 2017) | Slides | Video 1, Video 2 | Twitter, Twitter |

Bugcrowd's LevelUp 0x03

| Talk | Video | Speakers |
|---|---|---|
| LevelUp 0x03 - Why humans suck at calculating risk and how it affects security | Video | Twitter |
| LevelUp 0x03 - Serverless Top 10 Vulnerabilities | Video | Twitter |
| LevelUp 0x03 - Profiling the Attacker - Using Offender Profiling In SOC Environments | Video | Twitter |
| LevelUp 0x03 - AEM hacker - approaching Adobe Experience Manager webapps | Video | Twitter |
| LevelUp 0x03 - Social Engineering 101 | Video | Twitter |
| LevelUp 0x03 - Finding Bugs with Binary Ninja | Video | Twitter |
| LevelUp 0x03 - API Security 101 | Video | Twitter |
| LevelUp 0x03 - Bad API, hAPI Hackers! | Video | Twitter |
| LevelUp 0x03 - What's in my hacking tool box? | Video | Twitter |
| LevelUp 0x03 - From CTF to CVE | Video | Twitter |
| LevelUp 0x03 - Behind the Curtain: Safe Harbor and Department of Defense | Video | Twitter, Twitter, Twitter |
| LevelUp 0x03 - What you reap, is what you sow | Video | Twitter |
| LevelUp 0x03 - From an IVI in a box to a CAR in a box | Video | Twitter |
| LevelUp 0x03 - IoT - Attacker Point of View | Video | Twitter |
| LevelUp 0x03 - Turbo Intruder: Abusing HTTP Misfeatures to Accelerate Attacks | Video | Twitter |
| LevelUp 0x03 - iPhone Baseband Research + Reversing | Video | Twitter |
| LevelUp 0x03 - The Law and You: Reducing the Cost of Free Speech | Video | Twitter |
| LevelUp 0x03 - Mach0 and the App Store | Video | Twitter |

Bugcrowd's LevelUp and LevelUp 0x02

Bugcrowd has also run several community-driven conferences focused on researcher testing. These presentations are full of great educational content for a bug hunter and are highly recommended supplemental material:

| Talk | Video | Speakers |
|---|---|---|
| LevelUp 0x02 - Intro & Bugcrowd Ambassador Program announcement | Video | Twitter |
| LevelUp 0x02 - Small Files And Big Bounties, Exploiting Sensitive Files | Video | Twitter, Twitter, Twitter |
| LevelUp 0x02 - Trickle Down PwnOnomics | Video | Twitter |
| LevelUp 0x02 - Meet a Bugcrowd Program Admin, Twitch | Video | Twitter |
| LevelUp 0x02 - Practical recon techniques for bug hunters & pen testers | Video | Twitter |
| LevelUp 0x02 - Back to Basics: Application Security Practices in Smart Contract Auditing | Video | Twitter |
| LevelUp 0x02 - Hardware Hacking 101 | Video | Twitter |
| LevelUp 0x02 - Hacking OAuth 2.0 For Fun And Profit | Video | Twitter |
| LevelUp 0x01 - Welcome to LevelUp 2017! Intro from Sam Houston | Video | Twitter |
| LevelUp 0x01 - Casey Ellis on the State of Bug Bounties & Ask Me Anything | Video | Twitter |
| LevelUp 0x01 - Targeting for Bug Bounty Research | Video | Twitter |
| LevelUp 0x01 - Giving Back to the Bug Bounty Community | Video | Twitter |
| LevelUp 0x01 - Finding Hidden Gems in Old Bug Bounty Programs | Video | Twitter |
| LevelUp 0x01 - How to Fail at Bug Bounty Hunting | Video | Twitter |
| LevelUp 0x01 - Esoteric sub-domain enumeration techniques | Video | Twitter |
| LevelUp 0x01 - MarkDoom: How I Hacked Every Major IDE in 2 Weeks | Video | Twitter |
| LevelUp 0x01 - How does unicode affect our security? | Video | Twitter |
| LevelUp 0x01 - Browser Exploitation for Fun and Profit | Video | Twitter |
| LevelUp 0x01 - Hidden in Plain Site: Disclosing Information via Your APIs | Video | Twitter |
| LevelUp 0x01 - Doing recon like a boss | Video | Twitter |
| LevelUp 0x01 - Identifying & Avoiding Android app Protections | Video | Twitter |
| LevelUp 0x01 - Hacking Internet of Things for Bug Bounties | Video | Twitter |
| LevelUp 0x01 - Advanced Android Bug Bounty skills | Video | Twitter |
| LevelUp 0x01 - Car Hacking 101 | Video | Twitter |
| LevelUp 0x01 - OWASP iGoat - Learning iOS App Penetration Testing & Defense | Video | Twitter |
| LevelUp 0x01 - Do you like fuzzing? | Video | Twitter, Twitter |
| LevelUp 0x01 - Reverse Engineering iOS Mobile Apps | Video | Emily Walls |
| LevelUp 0x01 - Breaking Mobile App Protection Mechanisms | Video | Twitter |


CC-BY-4.0 - Creative Commons Attribution 4.0 International