What is the background of the students? Do they know how to program? Do they have experience with web apps or operating systems?
If they have some basic coding and web app background, here are some suggestions:

- Google has a good "Web Application Exploits and Defenses" tutorial named Gruyere: https://google-gruyere.appspot.com/part1
- There are dozens of Capture the Flag (CTF) competitions of varying difficulty.
  - Here's a list of CTFs: https://ctftime.org/ctfs
  - Here's an archive of UCSB's past CTFs: https://ictf.cs.ucsb.edu/pages/archive.html
  - Stripe also has good CTFs that they post the source to: https://github.com/stripe-ctf/stripe-ctf-2.0/tree/master/levels
  - This Square/Matasano CTF is assembly-oriented, but I liked it a lot: https://microcorruption.com/login
- This is an (outdated) list of vulnerable web apps for learning purposes: http://blog.taddong.com/2011/10/hacking-vulnerable-web-applications.html
- OWASP has educational and training materials, though they seem to be spread across several projects that you have to dig through: https://www.owasp.org/index.php/Main_Page
- If the students literally want to go after bug bounties, I'd suggest reading through bug bounty reports by researchers. They will go into detail and show you the areas that are fruitful to focus on.
  - Here's a bounty hunter's guide: https://www.facebook.com/notes/facebook-bug-bounty/a-bounty-hunters-guide-to-facebook/946955115318715/
  - Here's a good bug bounty post: https://whitton.io/articles/uber-turning-self-xss-into-good-xss/
  - Here's a more typical bug bounty post: https://josipfranjkovic.blogspot.com/2014/12/reading-local-files-from-facebooks.html

On Sun, Aug 28, 2016 at 8:33 PM Yosem Companys <compa...@stanford.edu> wrote:

> Hi all,
>
> Some of our students are interested in learning how to hack and go
> after bug bounties.
>
> Has anyone compiled good resources for getting started? Also, has
> anyone created course syllabi to teach the subject?
>
> I don't want to reinvent the wheel, if the resources are already out there.
>
> Thanks,
> Yosem
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> Unsubscribe, change to digest, or change password by emailing moderator at
> compa...@stanford.edu.