Last month at DEF CON, Bugcrowd released our second round of updates to Bugcrowd University (BCU). BCU is our free, ungated library of educational hacking tutorials that have been co-curated by our community and security experts to help other hackers hone their skills.

The most recent BCU release includes the following five modules:

  • Burp Suite Advanced Module
  • Server Side Request Forgery (SSRF)
  • XML External Entity Injection
  • GitHub Recon and Sensitive Data Exposure
  • Recon and Discovery

Each of these modules dives into techniques and vulnerabilities that can result in large bounty payouts to the reporting researcher. The bug types we’ve focused on are high impact, rated as P1-P3 on Bugcrowd’s Vulnerability Rating Taxonomy. We believe that mastering even just a couple of these bug types can deliver great results for hackers.

Want to learn more? Here’s a snapshot of each module:

Burp Suite Advanced

Module Trainer: Jasmin Landry, @JR0ch17

Burp Suite is one of the most powerful tools in the web hacker’s toolkit. This module covers advanced uses of the tool, including hotkeys that will save you time and, with it, make you money.

Server Side Request Forgery (SSRF)

Module Trainers: Jay Turla, @shipcod3 and Alyssa Herrera, @alyssa_herrera_

SSRF bugs are high impact and pay well, with a rating as high as P1. This module covers both external SSRF (the server is made to request arbitrary outside hosts) and internal SSRF (the server is steered at loopback, private-network or cloud metadata addresses), and includes a lab URL that researchers can use to practice.
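The external/internal distinction the module draws comes down to where the fetched URL actually resolves. The following is an added example written for this page, not code from the BCU module or the lab: a server-side classifier that decides, from the resolved addresses rather than the hostname string, whether a user-supplied URL would be an external or an internal request. The hostnames, the FAKE_DNS table standing in for the resolver, and the blocked-range policy are all constructed for illustration.

```python
"""
Classifying SSRF targets: does a user-supplied URL make the server talk to
an internal address (loopback, RFC 1918, link-local/cloud metadata, ...) or
an external one? Sample URLs and resolver results are constructed for this
example; nothing here touches the network.
"""
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never be steered into. Python's
# is_private/is_loopback/is_link_local cover most of them; spelling the
# policy out keeps it reviewable and adds carrier-grade NAT (100.64/10).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_address(addr: str) -> bool:
    """True if addr is an address a fetcher must not connect to."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback dressed as IPv6: unwrap before checking.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (any(ip in net for net in INTERNAL_NETWORKS)
            or ip.is_multicast or ip.is_reserved)


def classify_target(url: str, resolved_addresses) -> str:
    """Return 'external', 'internal' or 'rejected' for a fetch of url.

    resolved_addresses is what the resolver returned for the URL's host. In
    production that is socket.getaddrinfo(), called once, with the connection
    then made to the checked address rather than re-resolving the name (which
    would reopen the DNS-rebinding window). Checking the hostname *string*
    instead is the classic mistake: 'http://2130706433/', 'http://0x7f000001/'
    and 'http://[::ffff:7f00:1]/' all slip past a blocklist of '127.0.0.1'.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return "rejected"          # file://, gopher://, dict://, ...
    if not resolved_addresses:
        return "rejected"          # unresolvable host: nothing safe to fetch
    # Any internal address among the answers makes the whole target internal:
    # an attacker-controlled zone can mix a public A record with 127.0.0.1.
    if any(is_internal_address(a) for a in resolved_addresses):
        return "internal"
    return "external"


# Constructed resolver results standing in for socket.getaddrinfo().
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["203.0.113.10", "10.0.0.5"],  # public + private
    "2130706433": ["127.0.0.1"],   # decimal 127.0.0.1, as glibc's resolver reads it
}


def resolve(host: str):
    """Stand-in resolver: IP literals resolve to themselves, names via FAKE_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def check(url: str) -> str:
    """Resolve once, then classify on the resolved addresses."""
    host = urlparse(url).hostname
    return classify_target(url, resolve(host) if host else [])


if __name__ == "__main__":
    for u in ("https://example.com/page", "http://localhost/admin",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:7f00:1]/", "http://2130706433/",
              "http://example.com@localhost/",   # userinfo trick: host is localhost
              "http://rebind.attacker.test/", "file:///etc/passwd"):
        print(f"{u:45} -> {check(u)}")
```

From the hunter's side, the same table reads as a bypass checklist: if a target only compares the hostname against a blocklist, the decimal, hex, IPv4-mapped IPv6 and userinfo forms, plus a hostname you control that resolves to a private address, are the first things to try.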

XML External Entity Injection

Module Trainer: Aditya Gujar, @fyoorer

XML External Entity (XXE) Injection vulnerabilities have been among the most critical bug types reported through the platform’s web bounty programs. The module walks through the scenarios where researchers commonly find this bug type, the attack techniques used to exploit it, and tools and labs researchers can practice with.

GitHub Recon and Sensitive Data Exposure

Module Trainer: Majd Aldeen Atiyat, @th3g3ntl3man

Sensitive Data Exposure is among the top five vulnerability classes found on the Bugcrowd platform. Bugcrowd Ambassador Abartan “Haxormad” Dhakal had this to say about the module: “gitrecon actually gave me a filter (that I learned for the first time) and just by doing gitrecon, I managed to earn >$1.5k due to token leak.”
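The quote above describes the payoff of GitHub recon: a search filter surfaces a file, and the file turns out to hold a live token. As an added example written for this page (not code from the BCU module or the ambassador's own workflow), here is the kind of check a researcher then runs over such a file: known token formats are matched by shape, and other `key = value` assignments are flagged only when the value looks random enough to be a real secret. The sample config, the token values (the AWS key is the placeholder from AWS's documentation) and the entropy threshold are all constructed or chosen here.

```python
"""
Minimal secret scanner for files surfaced by GitHub recon. The sample file
text and token values below are constructed for this example; none of them
grants access to anything.
"""
import math
import re
from collections import Counter

# Well-known token formats come first: they are precise enough to report on
# sight. AKIA/ASIA access key ids and gh?_ tokens are published formats.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

# Generic rule: an assignment whose name ends in secret/token/password/key
# and whose value is at least 16 chars. The name may carry a prefix such as
# AWS_ or DB_, hence the lazy [\w.-]*? before the keyword.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b[\w.-]*?(?:secret|token|passw(?:or)?d|key)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9/+=_\-]{16,})['\"]?")

# Bits per character. Chosen here as an assumption: random base62/base64
# material of 20+ chars lands above 4; placeholders like 'changeme' sit
# well below 3.5. Tune it against your own false-positive rate.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str):
    """Return [(line_number, kind, value)] for every suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit_specific = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, match.group(0)))
                hit_specific = True
        if hit_specific:
            continue   # don't re-report a known token as a generic finding
        for match in GENERIC_ASSIGNMENT.finditer(line):
            value = match.group(1)
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_assignment", value))
    return findings


# Constructed sample of a config file committed by mistake.
SAMPLE_CONFIG = """\
# constructed sample of a config committed by mistake
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export GITHUB_TOKEN=ghp_ExampleExampleExampleExampleExample1
api_key = 'q7Zp2LmX9vR4tK8wN3bJ6yH0cF5dG1sA'
password = changeme-changeme-changeme
DB_PASSWORD: "xxxxxxxxxxxxxxxxxxxxxxxx"
"""


if __name__ == "__main__":
    for lineno, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind:25} {value}")
```

The two placeholder lines at the end of the sample are the reason for the entropy step: a bare regex on `password =` would flag both, and a report built on them would be closed as not applicable. Whatever the scanner flags still has to be verified as live (with the program's permission) before it is a finding.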

Recon and Discovery

Module Trainer: Sajeeb Lohani, @sml555_

Recon and Discovery is the backbone of a hacker’s methodology: the information and intel a researcher gathers determine which targets are available and what opportunities they hold. Bugcrowd researcher Vortex said this about the module: “some amazing tips in there that I had no idea existed.”

Uplevel your bug hunting skills with BCU today!