How to get experience with no experience? Have a look at bug bounty programs. Vickie Lee demos Insecure Direct Object References and tells us how to get into bug bounty. We also discuss why her book Bug Bounty Bootcamp is a fantastic book to buy if you want to get into bug bounty. Get real world experience today. // MENU // 00:00 - In plain text! 00:24 - Introducing//Vickie Li 00:58 - Part 1//The Interview 01:01 - Origin//Bug Bounty Bootcamp 03:37 - What are Bug Bounty Programmes? 05:26 - Part Time Bug Hunting? 05:44 - Easy Way to Get Experience 07:45 - Which Bug Bounty Programmes for Beginners? 10:51 - Beginners//Don't Compete with Pros 13:15 - Duplicates as Valid Experience 14:23 - What You Need to Start 14:59 - Linux//Do You Need It? 15:55 - Automate!//Which Programming Language? 18:03 - Beginner Friendly Vulnerabilities 21:17 - Part 2//Exploiting IDOR Vulnerability Demo 21:24 - What is IDOR? 22:51 - PortSwigger IDOR Lab 24:05 - Live Chat IDOR 24:48 - View transcript 25:12 - Burp Suite Intercept 26:05 - What to Look For//IDs Aren't Always Obvious 26:56 - Burp Suite//Looking Through Headers 27:56 - Burp Suite//Repeater 28:30 - Testing View Transcript Again 29:18 - GET Request//Identifying Exploitable Endpoint 30:26 - Modifying GET Request 31:35 - Finding the right headers to modify 33:47 - Why the first attempt didn't work 34:09 - IRL//What You Would Do 34:23 - Password in Live Chat Transcript 35:40 - How to Prevent IDORs 36:01 - IDORs//Worth Pursuing? 39:57 - Bug Bounties//How to Start 41:21 - Learn More!//Vickie's Blog 41:38 - Follow Vickie's Twitter! 41:52 - Thank You & Closing // Books // Bug Bounty Bootcamp: amzn.to/3K2YDeJ The Web Application Hacker's Handbook: amzn.to/3IZ2RTr Hacking API’s by Corey J Ball: amzn.to/3JOJG0E Alice and Bob learn application security by Tanya Janca: amzn.to/3oMyMij Automate the boring stuff with Python: amzn.to/3N2QuYu // Videos mentioned // Nahamsec: kzfaq.info/get/bejne/b9yReNqqyMvYaWQ.html Corey Ball: kzfaq.info/get/bejne/edGGqaVm3NW1goE.html Tanya Janca: kzfaq.info/get/bejne/pN-YrNeFl9q2fmQ.html Al Sweigart: kzfaq.info/get/bejne/bc9ypNKUkqrehIU.html // Vickie's social media // Twitter: twitter.com/vickieli7 Website: vickieli.dev/ KZfaq: kzfaq.info/love/jQHiY2JeOkBamHSg_6UeFw Medium: vickieli.medium.com/ // Connect with David // Discord: discord.com/invite/usKSyzb Twitter: twitter.com/davidbombal Instagram: instagram.com/davidbombal LinkedIn: www.linkedin.com/in/davidbombal Facebook: facebook.com/davidbombal.co TikTok: tiktok.com/@davidbombal KZfaq: kzfaq.info // Platforms mentioned // HackerOne: www.hackerone.com/ bugcrowd: www.bugcrowd.com/ Intigriti: www.intigriti.com/ Huntr: huntr.dev/ // Connect with Nahamsec // Twitter: twitter.com/nahamsec KZfaq: kzfaq.info Github: github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters Discord: discord.com/invite/ysndAm8 Instagram: instagram.com/nahamsec/ LinkedIn: www.linkedin.com/in/nahamsec/ Twitch: www.twitch.tv/nahamsec Website: nahamsec.com/ // MY STUFF // Monitor: amzn.to/3yyF74Y More stuff: www.amazon.com/shop/davidbombal // SPONSORS // Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! Disclaimer: This video is for educational purposes only.

I loved that ‘must be under 25 years old.... must have 35 years experience’ if that’s not the truth in absolutely every field. It’s quite ridiculous people with true passion and motivation are just thrown out to the curb. Your channel is a gold mine spewing with knowledge, thank you for helping everyone grow David!

I am big fan of Vickie Li. I have read Bug Bounty Bootcamp. After reading web hacking application edition 2. This is the best book for web application book.

David you just gave me what I wanted. I mostly hunt for IDORs… and I’m a great fan of Vickie Li’s articles and her book Bug Bounty bootcamp.👏🏽👏🏽👏🏽

I’m a huge fan of this book!! It was the first resource that gave me a true understanding of the topic; absolutely changed my life. Thrilled that you had her on the show! :)

David I know this has been said a lot but you're doing amazing and you're literally covering everything I am currently studying computer science and I share your channel with all of my friends who are into cybersecurity or networking

Thank you David and Vickie for this great video, it was informative and fun to watch.

Thank you David and Vickie for this Amazing great Video...!

Fair play David is always bringing the top tier guests

Great video and guest, the concepts were given in a succint yet informative manner.

Thank you David, Thank you Vickie for this eye opening video, book ordered :)

Thank you David for another amazing interview and for exposing me to Vickie Lee

Looking for unpaid bugs sounds like a great idea! I’ve been struggling lately staying up after every is sleeping to study my way into cybersecurity and this sounds like it can be a nice confidence boost. Thanks again for the quality content!

A great guest .. very valuable 👌 thank you to you both

Very Informative, helpful and Educational video! Thx for the tutorial man!

Great talk and something would love to work on. Currently doing Hack The Box and will have to read your book for sure.

Love your videos. It helped me a lot! Thank you!!

Great video! Thanks David and Vickie

Great book. Highly recommended for beginner.

Amazing Video David... Your guests are the best! Being a Vickie Li follower, I was extremely excited to view this. Thank you once again.. This channel just gets better after every post!!

I wish I have found this video sooner. Thank you.

Great interview and awesome advice 👏

We thank you very much for these videos David, you really inspires us to keeping on learning and see the side of real world of what we are learning.

Good mentoring video. Great Job David ! Thanks for inspiring people to this field.

Great video! Always love your content. Now I feel like I need to pick up another one of your guests’ books… your fans will end up paying the light bill at No Starch ha ha!

Thank you for this great content.

really great video..thanks for both of you.😀

Hi David, I see you have a wealth of knowledge (your bookshelf) while in this video, Vickie appears to have an eye for creativity. My question to you is ''How important is the left brain/right brain according to your line of work? Thanks and keep up the good work!

Not affiliated at all but as of 12/3/22 4 of the 5 books mentioned are available on humble bundle for less than one of the hard copies.

Thanks a lot David and Vickie...

Thanks you for this David.

Thank you man for sharing this stuff

Good evening sir David I'm huge fan of Li and it's seems to be like you have changed subject from python to bugbounty hope you have a amazing weekend and see you in next week in marvellous content perfect coach.

You really good at explaining thank you

Great content !!!

I had no idea the stuff I was doing on forums back in the day was an actual exploit ahaha good to learn :D Also damn IDOR exploits have been around for so long (I was messing with forums over 20 years ago now lol)

thank you for sharing this with us!!!

Useful for those starting out in BBH

I never used burp, just the dev console of the browser for this, and it seems to do the job. Good practice is getting bugs in the Facebook games of the smaller startups. Games? Yes! Finding ways to bypass paying for in-game bonuses, messing with other users data (these IDORs), cross site scripting... You may not get paid but you'll be thanked (usually).

Thanks for the video!!

Thanks a lot David for this video. I needed a video on website hacking badly. Thanks again. Please do more videos on website hacking and website pentesting.

Hey David 💪🏽, would you happen to have any friends in cyber law? It's a super underrated topic that I would love to learn more of

Amazing!

Keep it up sir ... Nice video

You should do episodes explaining real life hacks that’s happening in the real world today.

thank you so much for teaching us..

Hi Mr. David. Can you please tell us some important topics to learn to get a junior pentester job or something like that? Or perhaps you can interview someone related to offensive security and ask them this question?

Mr. Bombay, is there any bug bounty video course that you recommend.

Bought the book can’t wait to check this out I’ll let you know what I think.

Love your content :}

Best Video Sir

Awesome 👍 Sir

Hi David, Just curious, is there any e-book for this?

Interesting!

Thank you david

Should I learn Linux with WSL, or it is a bad idea(I have heard that it's not real linux, like Docker and other things don't work very well)?

I'm crushing on her😍, she is soon intelligent and wise. Wonderful content, learned a ton🔥💖

How does it with asking permission to hack them? if you dont ask firs they can sue you

Do we need to know command line, html, python to work by the method she present?

I have no linux knowledge nor basic IT. I'm 31 and my 1st cell phone was at 17. So where should I start? Coding languages first or basic IT terms. School? Or online academies ??

Are books still viable for learning or is it too slow, due to the speed of things?

Thanks

good video

thank you m8! big 'preciation!

nice video

very good！

When people start selling shovels, that should tell you that the gold mine is empty.

Does most of the bug bounty hunters are using the scripts, scanners to get bugs Does all the companies allows to use scripts and scan for bug bounty

I am 30+ years old and I have decided to learn bug bounty. I only know networking,os and a little bit of web development. Don't know if I will succeed or not. Trying my best.

Please make a video on, How to trace mobile with IMEI number?

Can you introduce resources for developers who want to become better web dev? My main focus is Javascript and python and Stanford have a good course about Security in Javascript and Node...looking for similar source to avoid writing insecure code or have checklist. I know 100% security is not possible however I look to learn to avoid 80% mistakes that could be avoided by putting resealable amount of time. (100-200 hours of studying).

Hey David, thanks for this interview videos! So usefull. I am preparing to take the CEH in two weeks. Your videos somehow help me to illustrate the study content. Appreciate

what if a pentester who is testing application of a company gets caught and his/her ip is traced under bug bounty program than what happens? is it considered safe ? will company take any action against a pentester or a bug hunter who is searching vulnerability?

Please I need a book

how much programming skilss

Is it actually websites to teach bug bounty?? Like freecodecamp or Odin project??

David please do video on how to hack wifi using termux without route

Wheres the list of ctfs

what websites that offer bug bounties?

How to get experience with no experience?

Hello David! Do you have a tutorial where we can try to hack a social media using hydra or other tools. Do you also have a tutorial where we can track someone's device without installing something on the target's device. I'm just curious on how to do it and just asking for educational purpose only. Thanks

I honestly thought this said "Big Booty Bootcamp". Time for a new glasses prescription...

Hey David, I have a question, If I want to get started with ethical hacking(probably not as a career) I think I will need to start with absolute basics of cyber security first but all the basic cyber security courses I saw on youtube mainly, were quiet old according to me and I am not also sure how to start with cyber secuirty as a hobby if I want to, so can you tell me a course or just a general road map or just how should I start with cyber security if I want to or what should I do. Thankyou.

Any way to get the book for free?

👍

Here, I live in a country where a hacker found a serious bug in the website of the Govt Telecommunications company which controls all the telecommunication things.... He informed the office but they did not pay any heed to him, let alone getting paid 😂😂😂😂😂😂. So, he hacked the website and got the server down for a certain time....

I'm in africa and I'd like to get those books how can I do to get them plz

This guy, David, really man, i mean seriously this guy earns from youtube by just posting his video calls with some guys in his field 😂😂

❤

3:34 looks like he is Maksim Yakubets

I love all of this. It's a bug in my cellphone that keeps deepfakeing me as if I work for the FBI. So I can be murder on the eastern Shore VA. But I'm going to figure this out and alleviate this bug.

integrity of Cybersecurity 💀

Alissa Knight is also an expert in hacking API's

Hey David I’m trying to install black arch Linux and I’m stuck on the rootfs what is the command I need to put in

Open soft soft and press F1 and you’ll never be a noob again

Hey can you do a termux hacking course.

image/pdf exploit rat tool one video plz sir

❤❤❤❤❤❤👍👍👍👍👍

Okay, okay yes, I get tNice tutorials and I get that-

:)