This repository has been archived by the owner on May 7, 2020. It is now read-only.


Hackdromeda/BugBrowser


Bug Browser

License: MIT

Bug Browser provides information security, programming, and bug news, education, and reference all in one skill. Bug Browser will teach you how to hack, tell you what a specific bug is, check if you have been hacked, provide a comprehensive briefing on cybersecurity around the world, a list of recent breaches, security tips, information about bug bounty programs and bug bounty platforms, the BugCrowd VRT, active HackerOne programs, and active BugCrowd bounties as well as provide additional information on these bounties.

Developed in the Bay Area by Avi Shah and Naval Patel.

Testimonials

"For bug bounty hunters, bug hunting is a passion. The Bug Browser Alexa Skill allows a hacker to keep up to date with hacking news, helps them find stuff to hack on, and it can even teach some of the basics of hacking. And this can all come from a device on your countertop. Very cool!"

- Sam, Senior Community Manager at BugCrowd

"Bug Browser is great. It lets me know if my data has been leaked as a result of data breaches as well as providing general cybersecurity information and news."

- Rasim, Amazon User

Enable the Skill:

Bug Browser supports English

Amazon US Skill

Amazon UK Skill

Amazon Canada Skill

Amazon Australia Skill

Amazon India Skill

Enable on any international device set to an English locale

Definitions

Black-Hat Hacker (Criminal) - a hacker who finds vulnerabilities and abuses them for malicious purposes.

White-Hat Hacker (Security Researcher) - an ethical hacker who uses bug bounty platforms to ethically report security flaws. Bug Browser helps these hackers, and the word "hacker" in the following text generally refers to these hackers unless otherwise specified.

Developer - anyone who has advanced experience with computers, programming, and/or code.

To learn more about hacker lexicon, click here

Inspiration

Where did the idea come from?

We started thinking about relevant modern issues (more on that in the mission) and arrived at: information security, cybersecurity, security vulnerabilities, and bugs.

We see the value in connecting security researchers (white-hat hackers who find bugs and ethically report them to companies) with bug bounties and the everyday benefits they offer because preventing even one security vulnerability can save a company its reputation and unparalleled amounts of money. At the same time, each bounty rewards the security researchers who find the bugs (more in "Why Bug Bounties?"). Expanding beyond an audience of over 200,000 unsung ethical cyber warriors, we also tried to remove pain points for developers and the average user.

The average user should be able to ask to see if they've been hacked, what they can do after being hacked, and check on the latest list of breaches or general cybersecurity news.

Developers should be able to ask complex programming questions and get an answer from the StackOverflow question and answer library without making their query robotic.

These features are a real win-win for all types of users and make the world a better place while providing the user convenience and saving them time. And so we built what is now Bug Browser, keeping these features and user experience in mind.

Mission

Why bug bounties?

A large part of our days now revolves around devices and being connected to the internet. Customers have come to expect security and confidence in the company handling their data. Even the best developers in the world can leave security vulnerabilities open in their applications. Platforms such as BugCrowd and HackerOne make it easier for security researchers to get connected with companies and allow companies to reach a vast network of researchers. Breaches and security vulnerabilities are expensive to recover from, much more expensive than the few-thousand-dollar reward hackers receive for their finding(s). Facebook, Equifax, Intel, 24/7 AI, eBay, Home Depot, Target, and a handful of other companies have experienced security breaches as a result of vulnerabilities exploited by black-hat hackers, and their reputations have suffered as a result.

Use Cases

What does the Alexa skill do?

Connect security researchers with bug bounties

Help developers fix bugs and security flaws in their code

Help users keep their data secure and find out if their data has been leaked or stolen and suggest action upon the discovery of data loss

Keep users in the loop about recent breaches through the news, even if Bug Browser is unsure they are affected

Make users aware of preventative measures that can reduce risk of future data loss

Help get more people interested in security research and bug bounty hunting and inspire developers to secure their own applications through a comprehensive lesson plan in security research

Who is this Alexa skill for? Each group of individuals can use Bug Browser in a unique way.

1. General Public - All customers and clients value their private data. As such, they expect the company entrusted with their data to do everything in their power to protect that data. Now more than ever, breaches of customer data are a common occurrence. Users should not, however, become desensitized or numb to such news but rather proactively take action to protect their data. - Bug Browser can help anyone keep up-to-date on the latest news about security vulnerabilities, hacks, and other cybersecurity issues.

  • How does this skill provide convenience, save time, and improve the lives of the general public?
    • Bug Browser provides focused news on the topic of cybersecurity and a list of security breaches. In today's fast paced news cycle, not everyone in the public is made aware of hacks and vulnerabilities that affect them.
    • Bug Browser can also check for security breaches that may have resulted in a user's data being lost by getting the user's email from account linking. Users who learn they are affected by a security breach through Bug Browser can then take proactive steps to prevent further losses by changing their password, freezing their credit reports, activating identity protection services, canceling their credit cards, updating their computer or device software, and/or using 2-factor authentication, which Bug Browser can teach users about.
  • Bug Browser's security tips ultimately can save the general public from the headaches of recovering lost accounts and data, reversing unauthorized transactions, and more with its proactive steps before the lost data is abused by black-hat hackers and people on the black market.

2. Developers - Developers who have experience with code, computers, and other fields of computer science but are not focused on hacking, cybersecurity, or security research as a career or hobby - Bug Browser can introduce developers to the importance of bug bounties and bug bounty platforms and let them ask advanced programming questions.

  • How does this skill provide convenience, save time, and improve the lives of developers?
    • Bug Browser has overview videos and descriptions to get developers hooked on the lifestyle that is security research. Bug Browser will walk developers through the reasons bug bounty programs exist, how they can join bug bounty platforms, and set them on their way to being a novice hacker. Bug Browser effectively exposes developers to new ways to apply their existing interests and knowledge of computer science including to develop and defeat new security techniques and find strengths and weaknesses in code.
    • Bug Browser also has a list developers can quickly access to understand HTTP status codes. These are standard codes for communicating the result of network requests, but there are so many that it's hard to remember which means what. It is crucial to know what these codes mean when analyzing server-client interactions. Bug Browser can list 62 standard HTTP status codes with ease.
      • Example: 200 OK
    • Developers can ask Bug Browser to search for a specific bug they find in their code or programs. Using the power of Bing Cognitive Services Search API and StackExchange API, Bug Browser will return the top answer from a StackOverflow thread. Developers can use this feature when their compilers do not provide enough information about how to fix the issue, to jog their memory, or to learn about bugs they have never seen before. StackOverflow is equipped to handle the most complex of questions about development. The Bing Cognitive Services Search API allows Bug Browser to process queries without requiring the user to use "keywords" or robotic queries.

3. New and Intermediate Hackers - Hackers who are just starting their career or hobby in security research will not have the coding experience to find bugs immediately but have enough of an understanding of code, computers, web development, server-side scripting, hardware, networking, operating systems, etcetera to learn how to hack. These hackers are likely developers looking to make additional money or improve their own skills - Bug Browser provides tutorials for how to hack for people with basic experience and understanding in the world of computers including application and development of software in C++, C, or Python, as well as experience developing software applications in Linux, Mac OS, and/or Windows environments. Novice hackers can listen to the descriptions or watch the videos in the background while they work on other tasks.

  • How does this skill provide convenience, save time, and improve the lives of novice hackers?
    • Bug Browser can describe specific vulnerabilities, how to find security flaws, and explain how to get paid with bug bounties. Whether users are interested in learning about bug bounties, have a background in computer science, or are seasoned security professionals, they can learn something from Bug Browser's library of lessons (powered by Hacker101).

4. Active Security Researchers - Security researchers do not work your typical 9-to-5 workday. People in this field do not have to have a college diploma or a certification to do it, just a good understanding of programming, computers, and hardware. Security research can be challenging but very rewarding. Ethical hackers protect companies, organizations, and institutions from abuse from malicious hackers. These ethical hackers gain anything from points on the platform to monetary rewards. - Security researchers can ask about active programs, get more details about these programs, save favorite programs to their lists, and refer back to the skill for updates and new programs daily. Our skill can potentially reach the over 166,000 registered ethical hackers on HackerOne (as of December 2017) and the over 80,400 registered security researchers on BugCrowd (as of April 2018) in addition to the developer and general public audiences.

  • How does this skill provide convenience, save time, and improve the lives of security researchers?
    • Security researchers often work on their own schedule and have flexible hours. Bug Browser can simplify the process of learning of new programs (list sorted by NEWEST first) from multiple platforms in one place.
    • Once they find a few programs they like, security researchers can ask Bug Browser to add the programs to their list so they can keep track of the bounties they want to participate in from all platforms in one place. They can do all of this from the convenience of their Echo Spot, Echo Show, Fire TV, Dash Wand, Alexa App, and/or other Alexa-enabled devices.

Skill Development Cycle

What was challenging during the development process?

Our team faced several major challenges during the development cycle:

1. Implementing a Graphical User Interface / Display Interface

When we started the skill we had not even thought about users who had displays like those on the Echo Spot and Echo Show as well as cards on the Fire TV and Alexa app. One of the goals we set for ourselves was to implement a GUI for Bug Browser and design the best user experience possible. Frequently referring to Amazon's resources and documentation for building user interfaces, we were able to quickly learn the differences between the templates. The next step in the development process was to find the most effective method of building a template. We had trouble implementing the display interfaces initially but soon became experts at using them after learning how to use the standard template builder methods included in the SDK for Lambda. While adding support for templates, we found it difficult to read text over certain images. In order to solve this problem, we added a darker gradient to the images so the text overlay would be more visible.

2. Asynchronous Requests

From the early stages of Bug Browser, our team had agreed on a few basic design principles that would increase the efficiency and reliability of Bug Browser. One of the most important of these principles was the use of asynchronous requests for HTTP GET requests, because it is best practice to avoid blocking the main thread whenever possible. We used the request-promise Node.js module for writing asynchronous requests that would retrieve image assets, JSON, and other data that would be parsed with the Cheerio module for Node.js.

3. Context Maintenance

Alexa is a smart, conversational AI that, just like any human being, needs context in order to interpret speech and respond to a user query. Not only does Alexa require context, but it also needs to be able to remember session details that would help with routing requests to the correct destination. We implemented a system of context organization that would be able to determine the last intent a user was routed to and used it for page navigation between programs lists and program pages as well as news lists and news pages.

For example, if a user asks for "number one" that could either mean a HackerOne program, a BugCrowd program, or a lesson number. Session-level attributes help us know what the user wants without forcing them to be more specific.
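
The session-attribute routing described above, written out as an added example (this is not Bug Browser's own code; the intent names, the lastList attribute key, and the reprompt wording are assumptions for illustration):

```javascript
// Added example, not Bug Browser's code. Keeps the "last list" context in the
// Alexa session attributes and resolves a bare ordinal such as "number one"
// against it. Intent names and the `lastList` attribute key are assumptions.

// Map each list-producing intent to the detail intent a bare number should reach.
const LIST_CONTEXTS = {
  HackerOneProgramsIntent: { kind: "hackerone", detailIntent: "HackerOneProgramDetailIntent" },
  BugCrowdProgramsIntent:  { kind: "bugcrowd",  detailIntent: "BugCrowdProgramDetailIntent" },
  NewsListIntent:          { kind: "news",      detailIntent: "NewsArticleIntent" },
  LessonListIntent:        { kind: "lesson",    detailIntent: "PlayLessonIntent" },
};

// Called after a list intent has spoken a page of items: record what was listed,
// where that page starts in the full list, and how many items were spoken.
// Returns a new attributes object for the handler to store in the session.
function rememberList(attributes, intentName, pageStart, itemsOnPage) {
  const ctx = LIST_CONTEXTS[intentName];
  if (!ctx) throw new Error(`${intentName} does not produce a numbered list`);
  return { ...attributes, lastList: { ...ctx, intentName, pageStart, count: itemsOnPage } };
}

// "Next page" keeps the same context but advances the offset into the full list.
function nextPage(attributes, itemsOnPage) {
  const ctx = attributes.lastList;
  if (!ctx) return attributes;
  return { ...attributes, lastList: { ...ctx, pageStart: ctx.pageStart + ctx.count, count: itemsOnPage } };
}

// Called when the user says "number one" or "tell me more about program five".
// `ordinal` is an AMAZON.NUMBER slot value, which arrives as a string.
function resolveOrdinal(attributes, ordinal) {
  const ctx = attributes.lastList;
  if (!ctx) {
    return {
      error: "no-context",
      reprompt: "Which list do you mean? Ask for HackerOne programs, BugCrowd bounties, news, or lessons first.",
    };
  }
  const n = Number(ordinal);
  // Validate against the count that was actually spoken instead of indexing a
  // backing array blindly: a slot value is whatever speech recognition produced.
  if (!Number.isInteger(n) || n < 1 || n > ctx.count) {
    return { error: "out-of-range", reprompt: `Please pick a number between one and ${ctx.count}.` };
  }
  // Lessons are addressed by their own number; program and news pages need the page offset.
  const index = ctx.kind === "lesson" ? n : ctx.pageStart + n - 1;
  return { intent: ctx.detailIntent, kind: ctx.kind, index };
}
```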

4. Touch Interactions

To improve user experience we enabled touch interactions using ElementSelected for Echo Show and Echo Spot devices. While this could not be tested from the simulator, we had our own touch-enabled Echo devices to test from. We felt binding a GUI touch event to an intent or function was crucial to user experience when additional information could also be requested by voice. Some of the most important uses for ElementSelected were for retrieving more information about both active programs and for seeing more information about a news article.

5. Voice Interactions

To improve user experience we enabled intents such as AMAZON.RepeatIntent should a user want to repeat an intent. Bug Browser's users can often be simultaneously working on important tasks, such as researching security flaws on a BugCrowd or HackerOne bounty, while using Bug Browser to retrieve more information about these bounties so we made sure to provide convenient intents for our users.

6. Reducing Response Time

Bug Browser consumes several APIs in order to provide users with accurate and reliable information. One of the challenges that came with developing an API-consuming application was ensuring that Bug Browser was responsive and usable without making the user wait too long for a response. One of the ways we achieved this goal was using bluebird to run several API calls in parallel. In order to mitigate the latency when consuming APIs, we heavily employed an advanced caching system that uses AWS Lambda and S3 storage. We developed new accelerated Lambda functions specifically designed for caching with S3 storage. These functions periodically retrieve data from the APIs Bug Browser uses and store them as S3 objects (JSON format) in an S3 bucket. The advantages of developing a cache system with AWS Lambda, AWS S3 Object Storage, and AWS S3 Transfer Acceleration are very noticeable: the latency for some API responses has dropped from as much as over 4900ms to just under 200ms. User experience was one of our primary concerns and we made sure to do our best to make Bug Browser feel great for everyday use.

We are reducing the response times even further by deploying Bug Browser on AWS Lambda in the following regions:

  • Asia Pacific (Tokyo)
  • EU (Ireland)
  • US East (N. Virginia)
  • US West (Oregon)
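
The refresh-and-read cache described in this section, as an added example that is not Bug Browser's own code. It assumes an injected S3 client with the AWS SDK v2 putObject/getObject(...).promise() shape, a hypothetical 15-minute TTL, and constructed stand-in fetchers in place of the real APIs, and adds a staleness check so a stalled refresh falls back to the live source.

```javascript
// Added example, not Bug Browser's own code. The S3 client is injected so the
// example runs offline against a fake; with the real AWS SDK v2 it would be
// `new AWS.S3()`, whose putObject/getObject(...).promise() calls are used here.

const CACHE_TTL_MS = 15 * 60 * 1000; // assumed refresh cadence of the cache Lambda

// Constructed stand-ins for the upstream fetchers (HackerOne API, BugCrowd
// scrape, etc.). Each returns a Promise of the JSON the skill needs.
const sampleFetchers = {
  "hackerone-programs.json": async () => [{ name: "Example Corp (constructed)" }],
  "bugcrowd-programs.json": async () => [{ name: "Sample Inc (constructed)" }],
};

// Refresh Lambda: fetch every source in parallel (the README uses bluebird;
// built-in Promise.all does the same job here) and write each result to S3 as
// a JSON object keyed by source. Returns the keys written.
async function refreshCache(fetchers, s3, bucket) {
  const entries = Object.entries(fetchers);
  const bodies = await Promise.all(entries.map(([, fetch]) => fetch()));
  await Promise.all(bodies.map((body, i) => s3.putObject({
    Bucket: bucket,
    Key: entries[i][0],
    Body: JSON.stringify(body),
    ContentType: "application/json",
  }).promise()));
  return entries.map(([key]) => key);
}

// A cached object is usable while its LastModified timestamp is within the TTL.
function isFresh(lastModified, nowMs, ttlMs) {
  return nowMs - lastModified.getTime() <= ttlMs;
}

// Read path used by the skill: serve the S3 copy when it is fresh; if the
// object is missing or stale (e.g. the refresh Lambda stopped running), fall
// back to the live fetcher rather than speaking outdated program lists.
async function getCached(key, fetchers, s3, bucket, nowMs = Date.now()) {
  try {
    const obj = await s3.getObject({ Bucket: bucket, Key: key }).promise();
    if (isFresh(obj.LastModified, nowMs, CACHE_TTL_MS)) {
      return { source: "cache", data: JSON.parse(obj.Body.toString("utf8")) };
    }
  } catch (err) {
    if (err.code !== "NoSuchKey") throw err; // only a missing object is expected here
  }
  return { source: "live", data: await fetchers[key]() };
}

// In-memory stand-in for the S3 client exposing the two calls used above.
// `clock.now` controls the LastModified stamp so staleness can be exercised.
function fakeS3(clock) {
  const store = new Map();
  return {
    putObject: ({ Key, Body }) => ({
      promise: async () => {
        store.set(Key, { Body: Buffer.from(Body), LastModified: new Date(clock.now) });
        return {};
      },
    }),
    getObject: ({ Key }) => ({
      promise: async () => {
        if (!store.has(Key)) {
          const err = new Error("The specified key does not exist.");
          err.code = "NoSuchKey";
          throw err;
        }
        return store.get(Key);
      },
    }),
  };
}
```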

7. Testing

To ensure a flawless user experience regardless of the user device, we used virtual simulators for the Echo Show, our own Echo Spots, Amazon Apps with Alexa built-in, Dash Wands, and Echo Dots. Because Bug Browser has over 50 intents, we set aside a significant amount of time for the testing of each intent and used AWS CloudWatch logs to quickly find any issues. We kept on testing Bug Browser until we couldn't find any bugs.

What are the accomplishments your team is proud of?

  • Bug Browser is our first display interface skill entering production
  • Bug Browser is also our first skill which dynamically gets information and can do advanced functions with the data
  • Receiving incredibly positive feedback from multiple users during beta testing and while live including hearing from members of the field directly
  • Coming up with a unique use case for Alexa that meets the needs of security researchers and can be used by anyone interested in cybersecurity, information security, development, and security vulnerabilities
  • Coming up with creative solutions to collaborate such as using GitHub's Atom Text Editor + Teletype
  • Partnering with BugCrowd to see what security researchers want in an Alexa skill

Features

Dynamic Content

Programs join these platforms and/or go public often, and news and answers for topics change constantly, so we do not manually update information for the dynamic aspects of the skill.

BugCrowd - Since BugCrowd's APIs are not currently available to researchers, we used Cheerio to get data from their website. In just a few hundred milliseconds, users are presented with a list of programs with pictures (Echo Spot and Echo Show only) and can request additional details about specific programs to get a readout and Alexa card with additional details.

  • BugCrowd VRT - This open source taxonomy prioritizes security vulnerabilities so hackers know what to look for and what companies generally pay for.

HackerOne - Here we leverage HackerOne's API to get their active programs list. We cache data from their APIs for a faster response time.

News API - News API helps us connect users with several news sources. We no longer need to wait for several endpoints just to get a diverse set of sources; instead we can quickly deliver cybersecurity information to the user.

Have I Been Pwned - Have I Been Pwned helps us find out about data breaches that have leaked your email and other information as well as about recent security breaches that have affected large amounts of people.

Google Custom Search APIs - Google Custom Search helps us traverse StackOverflow and process natural language inputs.

StackExchange API - StackExchange's StackOverflow is a popular forum for developers and helps us find information about your bug questions and inquiries.

Supported Phrases

Try some of these sample utterances:

General

  • Try, Alexa ask Bug Browser to repeat that to repeat the previous intent
  • Try, Alexa page up / page down / scroll right / scroll left / scroll up / scroll down (Echo Show and Echo Spot)
  • Try, Alexa ask Bug Browser to go to sleep
  • Try, Alexa ask Bug Browser, what can you do? to learn about all the intents the skill supports. Tap or ask to go to the desired intent from the help page

Learn about bugs including those in your own code (powered by StackOverflow answers)

  • Try, Alexa ask Bug Browser to search for bug ArrayOutOfBounds exception
  • Try, Alexa ask Bug Browser to search for bug NullPointerException exception
  • Try, Alexa ask Bug Browser to search for how to loop through an array in Java
  • Try, Alexa ask Bug Browser, how do I create a website in VueJS

Not all StackOverflow answers will be helpful or work. Bug Browser will accept feedback and try to find the next best answer. After you've asked a question, you can say:

  • Try, Alexa, that answer was not helpful
  • Try, Alexa, that did not work
  • Try, Alexa, next answer
  • Try, Alexa, previous answer

Learn about security breaches and ones that may affect you

  • Try, Alexa ask Bug Browser, have I been hacked? (Account Linking Required)
  • Try, Alexa ask Bug Browser to check my profile (Account Linking Required)
  • Try, Alexa ask Bug Browser to tell me about recent breaches

Learn about best security practices and how to secure your accounts, devices, and data after a hack

  • Try, Alexa ask Bug Browser to give me security tips
  • Try, Alexa ask Bug Browser for security recommendations

Learn about BugCrowd and HackerOne

  • Try, Alexa ask Bug Browser to tell me some facts about BugCrowd.
  • Try, Alexa ask Bug Browser to introduce me to BugCrowd.
  • Try, Alexa ask Bug Browser to tell me what bug bounties and bug bounty platforms are
  • See the Alexa app or interface for a recap of this information (iOS, Android, and Fire TV)
  • Try, Alexa how do you use BugCrowd? (Echo Spot and Echo Show only)
  • Try, Alexa ask Bug Browser to introduce me to BugCrowd with a video to learn about BugCrowd through videos (Echo Spot and Echo Show only)

Get bounties from BugCrowd and/or HackerOne (Sorted by NEWEST first)

  • Try, Alexa ask Bug Browser, how do you find bounties?
  • Try, Alexa ask Bug Browser, what companies are looking for security researchers?
  • Try, Alexa ask Bug Browser, what are some bounties available from BugCrowd?
  • Try, Alexa ask Bug Browser to tell me about HackerOne programs
  • See the Alexa app or interface for the list of programs (iOS, Android, and Fire TV)

Get more bounties beyond the first set of cards provided (Sorted by NEWEST first)

  • Try, Alexa next page
  • Try, Alexa previous page
  • Try, Yes when prompted if you want to hear more programs

Get additional details for bounties from BugCrowd and/or HackerOne

  • Try, Alexa ask Bug Browser to tell me more about program {number} after asking for the list on the desired platform
    • Try, Alexa ask Bug Browser to tell me more about program number five
  • Try, Alexa ask Bug Browser to tell me more about BugCrowd bounty {number}
    • Try, Alexa ask Bug Browser to tell me more about BugCrowd bounty number seven
  • Try, Yes when prompted if you want to learn about more programs
  • Try, Alexa ask Bug Browser to add this to my list after getting additional details on the program to save programs to a custom list on your Alexa app
  • See the Alexa app or interface for additional details such as program requirements (iOS, Android, and Fire TV)

Learn about recent vulnerability disclosure from HackerOne

  • Try, Alexa ask Bug Browser for recent disclosure
  • Try, Alexa ask Bug Browser for an example bug report

Learn about hacking news from several sources using News API

  • Try, Alexa ask Bug Browser to give me a flash briefing on hacks
  • Try, Alexa ask Bug Browser to tell me the latest news on vulnerabilities
  • Tap on the article for additional details (Echo Spot and Echo Show only)
  • See the Alexa app or interface for article titles (iOS, Android, and Fire TV)

Learn about the Vulnerability Rating Taxonomy (VRT) and vulnerability priorities as outlined by BugCrowd

  • Try, Alexa ask Bug Browser to tell me about the VRT
  • See the Alexa app or interface for additional details (iOS, Android, and Fire TV)

Learn about HTTP status codes

  • Try, Alexa ask Bug Browser to list HTTP status codes

Learn about cybersecurity through video tutorials (Fire Tablet*, Echo Spot and Echo Show only)

  • Try, Alexa ask Bug Browser to teach me how to hack
  • Try, Alexa ask Bug Browser to play the lesson introduction video
  • Try, Alexa ask Bug Browser to play lesson {number}
    • Try, Alexa ask Bug Browser to play lesson five
  • Try, Alexa ask Bug Browser to teach me Same-Origin Policy
  • Try, Alexa ask Bug Browser to teach me about types of XSS
  • Try, Alexa ask Bug Browser to teach me about directory traversal
  • Try, Alexa ask Bug Browser to teach me about session fixation
  • Try, Alexa ask Bug Browser to teach me about clickjacking
  • Try, Alexa ask Bug Browser to teach me about remote file inclusion
  • Try, Alexa ask Bug Browser to teach me about how multipart POSTs work
  • Try, Alexa ask Bug Browser to teach me about null terminators
  • Try, Alexa ask Bug Browser to teach me about unchecked redirects
  • Try, Alexa ask Bug Browser to teach me about methods of storing passwords
  • Try, Alexa ask Bug Browser to teach me about block cipher modes
  • Try, Alexa ask Bug Browser to teach me about stream cipher key reuse
  • Try, Alexa ask Bug Browser to teach me about ECB mode

*Fire Tablet must support Show Mode

Coming Soon:

Pending API, SDK, and/or Platform Support

  • Asking for program details by name so user can ask for details about the program without asking for the latest list of programs (Awaiting API Support)
  • Video Queue (Awaiting SDK Support)
  • Highlight text and automatically switch cards for Display Interface (Awaiting SDK Support)
  • Font color customized (Awaiting SDK Support)
  • Notifications on your watch list of programs (Notifications SDK is Invite-Only for Alexa) In The Works
  • Improve detail and response time for news articles and optimize support across all Alexa devices
  • Confirm Choices ex. Did you say you want more details about program Netflix?
  • More advanced use of account linking (to link more social profiles and enter more emails to check)

Built With

Legal

We are developers, not legal experts. If you own any of the images or content we use and would like it removed for any reason, feel free to open an issue through the Alexa App or on GitHub. We will promptly act on your request. This skill is not affiliated with or endorsed by HackerOne, BugCrowd, or any of their affiliates. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

For our terms of use, privacy policy, credits, contributors, and more see our website or the following files:

License

This project is licensed under the MIT License. See the LICENSE for details.

Privacy Policy

See the PRIVACY POLICY for details.

Credits and Contributors

See CREDITS for details.
