A virtual bug bounty conference for the community!
March 12th, 2022, 4PM CET
First edition of the Intigriti 1337UP LIVE virtual conference 2022
Intigriti 1337UP Live is a free online conference for everyone interested in bug bounty and security vulnerability research. With a line-up of 10 excellent speakers, Intigriti is bringing you a knowledge-packed program straight into your homes (Covid safety included!).
Sign up right now and mark your calendars because this is going to be a must-watch!
Please do us a favour and fill out our survey (https://forms.office.com/r/GALAhGfqsh) at the end of the virtual event!
Intigriti 1337UP LIVE CTF
Intigriti proudly presents the first-ever 1337UP LIVE CTF. As a precursor to the online conference, this capture the flag event will have researchers fighting in teams of 4 in a Jeopardy-style event. The live CTF starts 24 hours before the online conference.
There will be challenges in many disciplines where you can show your skills! Prizes range from swag to other exciting prizes that are kept secret for now. Additionally, top teams will receive a trophy.
Don't think you'll reach the top? Don't worry, we will also be handing out loads of invites after the event to people who played and performed well! Sign up now and get a team of 4 ready!
Make sure to sign up right now @ https://ctf.intigriti.io/ and follow us on Twitter for updates (Intigriti Twitter)!
Partners
An event like this would not be possible without our trusted partners.
Intigriti is donating all the earnings from the conference directly to the "Women in Cybersecurity" organization (https://www.wicys.org/). If you also want to donate, make sure to visit this link https://go.intigriti.com/WiCyS.

Speakers

Joakim Tauren
Spend a lifetime scanning or pay hackers to find REAL exploitable vulnerabilities! In this talk Joakim reflects on his experiences running Bug Bounty programs on two different platforms with thousands of vulnerabilities found over the years. He will go through some of the best reports he has seen and give you direct advice on working with hackers as a program manager and tips for hackers working on Bug Bounty.

John Hammond
Sometimes being in cybersecurity isn't all that it is cracked up to be. Whether it is developing tools, reporting bugs and vulnerabilities, or even making educational resources, the work can take a toll on you. Join this session for some unorthodox venting on what no one tells you about "being a cOnTeNt cReAtOr" in bug bounty topics, ethical hacking, and more. In this presentation, John Hammond pulls back the curtain and publicly discloses the most critical vulnerabilities there are: ... your own.

Jasmine Jackson
Let’s face it, most of us have a mobile device. For most of us, we use the mobile device to take pictures, record videos, and use social media apps. Wouldn’t it be cool to learn how to find bugs in mobile apps? This presentation will discuss how to create and use a methodology for finding bugs in Android devices. At the end of the presentation, participants will have a good understanding of how to look for bugs in Android devices.

Tom Wyckhuys
Why hack a single company if you can get thousands at the same time?
A lot of companies rely on third-party hosting providers to accommodate several services such as web application hosting, databases, email services, and domain registration. A lot of effort is put into securing these individual applications but what about the infrastructure they are running on? This presentation will illustrate common vulnerabilities within hosting provider platforms and how they allow multi-customer exploitation using critical bugs like code execution and SQL vulnerabilities.

Flo van der Vlist
Adding an additional layer to the regular login sounds like a good plan, right? You need something you know and something you have to log in to the platform. If this is implemented in a correct way, it indeed adds a good layer of extra security, and username/password brute-force attacks are no longer useful.
However, during some of my testing I came across various websites which did not implement the 2FA correctly, which led to a 2FA bypass or even opened up a completely new spectrum which allowed me to take over millions of accounts. I would have been able to gain access to the hosting management of millions of websites.
Two companies had a secure regular login, but with the 2FA login functionality I was able to log in to anyone's account. No password or 2FA token was required to log in. In the talk I will go into the details of how this exploit was possible and also how this could have been prevented.
Since multi-factor authentication is implemented in a lot of different ways, it is really important to be creative while testing the security of the 2FA implementation. No login is the same. One of the most important things is to ask yourself the question: “How does the server know who is logging in?”
This way you will keep an eye out for IDs, tokens or cookies during the 2FA login. I will explain various common ways how 2FA can be bypassed and also some of my interesting findings I came across.
Too many times a website already gives some kind of token or cookies after the regular login is successful. This can be dangerous and not necessary. Keeping the login simple is most of the time a very good idea.
I will explain more about certain measures which can be taken to prevent 2FA bypasses from happening in the last part of the talk.

Katie Paxton-Fear
We've all felt it, the excitement of having a new invite or an update to a program land in our inbox, clicking through and oh no, the excitement turns to dread, how on earth are you supposed to actually find something here? You look at the target info puzzled, where do you even start here? This talk will go over almost all the steps, from receiving a private invite, figuring out the start point, working out what bugs to hunt for, then once we find a bug how we figure out the impact and write a great report. If you've always wanted to start hunting but you're not sure how to start or if you want to better understand the impact of your findings and get higher bounties this is the talk for you!

Roni Carta
In this presentation, Roni Carta, alias Lupin, will share how it was possible to gain access to one of ManoMano’s servers by finding and exploiting a vulnerability through a Red Team operation.

Sebastian Stohr
Today there are many CTFs and online platforms which allow you to test your hacking skills with vulnerabilities in prepared environments.
But what goes on behind the scenes? How do you build a vulnerable machine or vulnerable challenges for a CTF? Where do you start and where do you go next?
This will be a motivational talk with real life experience from becoming part of the ethical hacking community, creating content (challenges) and making friends!

Pieter Hiele
In his talk, Pieter discusses the journey of building a custom bug bounty tool from initial idea to public release. He will talk about the process of translating the idea into a first working proof of concept, provide examples of some pitfalls he encountered, show what a development cycle can look like, and share some practical tips on how to get started with writing your own bug bounty tool.

Sander Wind
Most information nowadays is freely available on the internet. Along with this information can be precious details about your next (bug bounty) target. In this talk, I will try to give you more details about how OSINT can be used to discover: new targets, hidden gems, misconfigurations/vulnerabilities, and even 0days.
OSINT does not need to be done manually as tools and services are available (for free). Some of those tools will be highlighted with use cases.
Finally, I’ll show some details about some of my submissions using mostly / only OSINT.

