
The New TBHM format:

Until Jan of 2025, TBHM was offered as a live three-day virtual class. After running the course for 11 cohorts, we can no longer fit the content we want to teach the students into three days. Beyond the three-day mark, students have trouble attending and prices have to go up. So Arcanum had a decision to make. We could increase the cost of the course and expand it to five days, or make it on-demand with recorded videos. We chose the latter for a few reasons. First, we want to keep updating this course to be one of the best in the industry. Our students routinely send us amazing feedback, especially on the new modules we build and keep adding to the course. By recording modules we can keep our affordable price point and continue to update the course. Second, we know that the students really enjoy a live component. To keep this vibe we will be doing course Q&A days once every two months, where I will hold "office hours" or just do some live recon and hacking for 4 hours. Any student can join! We are working hard in Jan-Feb to get all the modules into the Payhip platform.


Course Info


I am thrilled to introduce you to The Bug Hunter's Methodology, my masterclass designed for aspiring and seasoned offensive security professionals, including web application security testers, red teamers, and bug bounty hunters.


The Bug Hunter's Methodology (TBHM) is a paid training that aims to equip you with the latest tools, techniques, and strategies, plus provide a data-driven methodology on how and where to search for vulnerabilities that are currently common in the wild.


Unlike other courses, TBHM Live is not an A-Z or beginner-oriented course.


True to the spirit of my public TBHM talks, my emphasis is on expert tips, time-saving tricks, practical Q&As, automation strategies, vetted resources, and engagement via the dedicated community on Discord.


Each module will be driven live, using real-time targets where possible. You'll have access to all source material to refer back to after the training.


TBHM is also much more than just a course. I am dedicated to fostering a vibrant and supportive community for our learners. In keeping with this commitment, I will maintain a Discord channel for ongoing support, including resume guidance and job placement assistance.


Join us for TBHM and get ready to supercharge your skills, refine your strategies, and join an active community of like-minded professionals.


I look forward to seeing you in the class!




TBHM

$1,000

Attendees should have:


  • Burp Suite (PRO preferably), VM or equivalent access to *nix command line.


Pre-requisites for attendees:


  • General Web application and network security testing knowledge required. Some topics will assume some knowledge of OWASP Top Ten type vulnerabilities and previous experience.
  • A full list of the tools needed is provided after purchase.



Full Syllabus:


General Topics

  • Project tracking for Large scope assessments (Red Team and Bounty)
  • Mental Health in Offensive Security
  • Templating and Reporting
  • Testing Env
  • Providers
  • Tools



Recon Topics


Recon Concepts

  • Introduction to Recon

Recon Techniques:

  • Acquisitions and Domains
  • Shodan
  • ASN Analysis
  • Crunchbase ++
  • SSL Recon
  • ReconGPT
  • Reverse WHOIS
  • Reverse DNS
  • Reverse IP
  • DMARC Analysis
  • Ad and Analytics Relationships
  • Supply chain investigation and SaaS
  • Google-fu (trademark & Priv Pol)
  • TLDs Scanning
  • O365 Enumeration for Apex Domains
  • Subdomain Scraping (all the best sources and why to use them)
  • Sources
  • Brute force
  • Wildcards
  • Permutation Scanning
  • Linked Discovery
  • Wordlists
  • Advantageous Subs (WAF bypass - Origins)
  • Favicon analysis
  • Sub sub domains
  • Port Scanning
  • Screenshotting
  • Esoteric techniques
  • Service Bruteforce

Application Analysis Topics

Best resources to follow to stay sharp

  • print resources
  • trainings
  • podcasts and youtube
  • labs

Recon Adjacent Vulnerability Analysis

  • CVE scanners vs Dynamic Analysis
  • Subdomain Takeover
  • S3 buckets
  • Quick Hits (swagger, .git, configs, panel analysis)

Analysis Concepts

  • Intended usage (not holistic, contextual)
  • Analysis Layers
  • Application Layers as related to success.
  • Tech profiling
  • The Big Questions
  • Change monitoring

Vulnerability Automation

  • More on CVE and Dynamic Scanners
  • Dependencies
  • Early running so you can focus on manual.
  • Secrets of automation kings

Content Discovery

  • Intro to CD (walking, brute/fuzz, historical, JS, spider, mobile, params)
  • Importance of walking the app
  • Bruteforce Tooling
  • Bruteforce Tooling Lists:
      • based on tech
      • make your own (from install, Docker Hub, trials, from word analysis)
      • best base wordlists
      • quick configs
      • API lists
  • Bruteforce Tooling Tips: Recursion
  • Bruteforce Tooling Tips: sub as path
  • Bruteforce Tooling Tips: 403 bypass
  • Historical Content Discovery
  • Spidering
  • Mobile Content Discovery
  • Parameter Content Discovery

JavaScript

  • Cheatsheets (BETA)
  • Raw Analysis
  • Inline JS
  • Obfuscated JS
  • Lazy Loaded JS
  • Minified JS
  • Mobile JS Analysis
  • Advanced tooling and tips for all the above

The Big Questions

  • How does the app pass data?
  • How/where does the app talk about users?
  • Does the site have multi-tenancy or user levels?
  • Does the site have a unique threat model?
  • Has there been past security research & vulns?
  • How does the app handle common vuln classes?
  • Where does the app store data?

Application Heat Mapping

  • Common Issue Place: Upload functions
  • Common Issue Place: Content type multipart-form
  • Common Issue Place: Content type XML / JSON
  • Common Issue Place: Account section and integrations
  • Common Issue Place: Errors
  • Common Issue Place: Paths/URLs passed in parameters
  • Common Issue Place: Chatbots

Web Fuzzing & Analyzing Fuzzing Results

  • Parameters and Paths (generic fuzzing)
  • Reducing Similar URLs
  • Dynamic only fuzzing
  • Fuzzing resources: SSWLR - "Sensitive Secrets Were Leaked Recently"
  • Backslash Powered Scanner

XSS Tips and Tricks

  • Stored and Reflected
  • Polyglots
  • Blind
  • DOM Tools
  • Common Parameters
  • Automation and Tools

IDOR Tips and Tricks

  • IDOR, Access, Authorization, MLAC, Direct browsing Business logic, parameter manipulation
  • Numeric IDOR
  • Identifying user tokens GUID IDOR
  • Common Parameters
  • Resources

SSRF Tips and Tricks

  • SSRF intro
  • Schemas
  • Alternate IP encoding
  • Common Parameters
  • Resources

XXE

  • Common areas of exploitation
  • Payloads
  • Common Parameters
  • Resources

File Upload Vulnerabilities Tips and Tricks

  • Common bypasses
  • Common Parameters
  • Resources

SQL Injection Tips and Tricks

  • SQLmap tamper
  • ghauri
  • Resources
  • Common Parameters

Bypass of Security Controls

  • Sec control types (CDN, Server, Code-level)
  • Block Triggers
  • Bypass techniques

Dependency Confusion

  • How it works
  • Where and what to look for
  • Resources


What people are saying


If you ever get the opportunity to take The Bug Hunter's Methodology by @Jhaddix do it! Seriously, it is 100% worth the investment. Many courses teach techniques, but his does that in addition to context, real examples, and how to approach a target! 10/10 recommendation!

— @_ghsinfosec


The best god damn money I've ever spent...

— Jonathan Dunn (XSSDocotor)


Just had an incredible weekend taking @JHaddix’s #TBHM course! Mind-blowing tips & tricks for bug bounty hunting. Even if your skills are at a Black Belt level you should take it! The group chats with other fellow hackers were constantly flowing with side content!

— Marco Figueroa (Mozilla)