book

Bug Bounty Bootcamp

Name: Bug Bounty Bootcamp
Author: Vickie Li
ISBN: 9781718501546

by Vickie Li

September 2021

Intermediate to advanced

416 pages

11h 1m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
About the Author
Foreword
Introduction
Who This Book Is ForWhat Is In This BookHappy Hacking!
Part I: The Industry
Chapter 1: Picking a Bug Bounty Program
The State of the IndustryAsset TypesSocial Sites and ApplicationsGeneral Web ApplicationsMobile Applications (Android, iOS, and Windows)APIsSource Code and ExecutablesHardware and IoTBug Bounty PlatformsThe Pros . . .. . . and the ConsScope, Payouts, and Response TimesProgram ScopePayout AmountsResponse TimePrivate ProgramsChoosing the Right ProgramA Quick Comparison of Popular Programs
Chapter 2: Sustaining Your Success
Writing a Good ReportStep 1: Craft a Descriptive TitleStep 2: Provide a Clear SummaryStep 3: Include a Severity AssessmentStep 4: Give Clear Steps to ReproduceStep 5: Provide a Proof of ConceptStep 6: Describe the Impact and Attack ScenariosStep 7: Recommend Possible MitigationsStep 8: Validate the ReportAdditional Tips for Writing Better ReportsBuilding a Relationship with the Development TeamUnderstanding Report StatesDealing with ConflictBuilding a PartnershipUnderstanding Why You’re FailingWhy You’re Not Finding BugsWhy Your Reports Get DismissedWhat to Do When You’re StuckStep 1: Take a Break!Step 2: Build Your Skill SetStep 3: Gain a Fresh PerspectiveLastly, a Few Words of Experience
Part II: Getting Started
Chapter 3: How the Internet Works
The Client-Server ModelThe Domain Name SystemInternet PortsHTTP Requests and ResponsesInternet Security ControlsContent EncodingSession Management and HTTP CookiesToken-Based AuthenticationJSON Web TokensThe Same-Origin PolicyLearn to Program

Chapter 4: Environmental Setup and Traffic Interception
Choosing an Operating SystemSetting Up the Essentials: A Browser and a ProxyOpening the Embedded BrowserSetting Up FirefoxSetting Up BurpUsing BurpThe ProxyThe IntruderThe RepeaterThe DecoderThe ComparerSaving Burp RequestsA Final Note on . . . Taking Notes
Chapter 5: Web Hacking Reconnaissance
Manually Walking Through the TargetGoogle DorkingScope DiscoveryWHOIS and Reverse WHOISIP AddressesCertificate ParsingSubdomain EnumerationService EnumerationDirectory Brute-ForcingSpidering the SiteThird-Party HostingGitHub ReconOther Sneaky OSINT TechniquesTech Stack FingerprintingWriting Your Own Recon ScriptsUnderstanding Bash Scripting BasicsSaving Tool Output to a FileAdding the Date of the Scan to the OutputAdding Options to Choose the Tools to RunRunning Additional ToolsParsing the ResultsBuilding a Master ReportScanning Multiple DomainsWriting a Function LibraryBuilding Interactive ProgramsUsing Special Variables and CharactersScheduling Automatic ScansA Note on Recon APIsStart Hacking!Tools Mentioned in This ChapterScope DiscoveryOSINTTech Stack FingerprintingAutomation
Part III: Web Vulnerabilities
Chapter 6: Cross-Site Scripting
MechanismsTypes of XSSStored XSSBlind XSSReflected XSSDOM-Based XSSSelf-XSSPreventionHunting for XSSStep 1: Look for Input OpportunitiesStep 2: Insert PayloadsStep 3: Confirm the ImpactBypassing XSS ProtectionAlternative JavaScript SyntaxCapitalization and EncodingFilter Logic ErrorsEscalating the AttackAutomating XSS HuntingFinding Your First XSS!
Chapter 7: Open Redirects
MechanismsPreventionHunting for Open RedirectsStep 1: Look for Redirect ParametersStep 2: Use Google Dorks to Find Additional Redirect ParametersStep 3: Test for Parameter-Based Open RedirectsStep 4: Test for Referer-Based Open RedirectsBypassing Open-Redirect ProtectionUsing Browser AutocorrectExploiting Flawed Validator LogicUsing Data URLsExploiting URL DecodingCombining Exploit TechniquesEscalating the AttackFinding Your First Open Redirect!
Chapter 8: Clickjacking
MechanismsPreventionHunting for ClickjackingStep 1: Look for State-Changing ActionsStep 2: Check the Response HeadersStep 3: Confirm the VulnerabilityBypassing ProtectionsEscalating the AttackA Note on Delivering the Clickjacking PayloadFinding Your First Clickjacking Vulnerability!
Chapter 9: Cross-Site Request Forgery
MechanismsPreventionHunting for CSRFsStep 1: Spot State-Changing ActionsStep 2: Look for a Lack of CSRF ProtectionsStep 3: Confirm the VulnerabilityBypassing CSRF ProtectionExploit ClickjackingChange the Request MethodBypass CSRF Tokens Stored on the ServerBypass Double-Submit CSRF TokensBypass CSRF Referer Header CheckBypass CSRF Protection by Using XSSEscalating the AttackLeak User Information by Using CSRFCreate Stored Self-XSS by Using CSRFTake Over User Accounts by Using CSRFDelivering the CSRF PayloadFinding Your First CSRF!
Chapter 10: Insecure Direct Object References
MechanismsPreventionHunting for IDORsStep 1: Create Two AccountsStep 2: Discover FeaturesStep 3: Capture RequestsStep 4: Change the IDsBypassing IDOR ProtectionEncoded IDs and Hashed IDsLeaked IDsOffer the Application an ID, Even If It Doesn’t Ask for OneKeep an Eye Out for Blind IDORsChange the Request MethodChange the Requested File TypeEscalating the AttackAutomating the AttackFinding Your First IDOR!
Chapter 11: SQL Injection
MechanismsInjecting Code into SQL QueriesUsing Second-Order SQL InjectionsPreventionHunting for SQL InjectionsStep 1: Look for Classic SQL InjectionsStep 2: Look for Blind SQL InjectionsStep 3: Exfiltrate Information by Using SQL InjectionsStep 4: Look for NoSQL InjectionsEscalating the AttackLearn About the DatabaseGain a Web ShellAutomating SQL InjectionsFinding Your First SQL Injection!
Chapter 12: Race Conditions
MechanismsWhen a Race Condition Becomes a VulnerabilityPreventionHunting for Race ConditionsStep 1: Find Features Prone to Race ConditionsStep 2: Send Simultaneous RequestsStep 3: Check the ResultsStep 4: Create a Proof of ConceptEscalating Race ConditionsFinding Your First Race Condition!
Chapter 13: Server-Side Request Forgery
MechanismsPreventionHunting for SSRFsStep 1: Spot Features Prone to SSRFsStep 2: Provide Potentially Vulnerable Endpoints with Internal URLsStep 3: Check the ResultsBypassing SSRF ProtectionBypass AllowlistsBypass BlocklistsEscalating the AttackPerform Network ScanningPull Instance MetadataExploit Blind SSRFsAttack the NetworkFinding Your First SSRF!
Chapter 14: Insecure Deserialization
MechanismsPHPJavaPreventionHunting for Insecure DeserializationEscalating the AttackFinding Your First Insecure Deserialization!
Chapter 15: XML External Entity
MechanismsPreventionHunting for XXEsStep 1: Find XML Data Entry PointsStep 2: Test for Classic XXEStep 3: Test for Blind XXEStep 4: Embed XXE Payloads in Different File TypesStep 5: Test for XInclude AttacksEscalating the AttackReading FilesLaunching an SSRFUsing Blind XXEsPerforming Denial-of-Service AttacksMore About Data Exfiltration Using XXEsFinding Your First XXE!
Chapter 16: Template Injection
MechanismsTemplate EnginesInjecting Template CodePreventionHunting for Template InjectionStep 1: Look for User-Input LocationsStep 2: Detect Template Injection by Submitting Test PayloadsStep 3: Determine the Template Engine in UseEscalating the AttackSearching for System Access via Python CodeEscaping the Sandbox by Using Python Built-in FunctionsSubmitting Payloads for TestingAutomating Template InjectionFinding Your First Template Injection!
Chapter 17: Application Logic Errors and Broken Access Control
Application Logic ErrorsBroken Access ControlExposed Admin PanelsDirectory Traversal VulnerabilitiesPreventionHunting for Application Logic Errors and Broken Access ControlStep 1: Learn About Your TargetStep 2: Intercept Requests While BrowsingStep 3: Think Outside the BoxEscalating the AttackFinding Your First Application Logic Error or Broken Access Control!
Chapter 18: Remote Code Execution
MechanismsCode InjectionFile InclusionPreventionHunting for RCEsStep 1: Gather Information About the TargetStep 2: Identify Suspicious User Input LocationsStep 3: Submit Test PayloadsStep 4: Confirm the VulnerabilityEscalating the AttackBypassing RCE ProtectionFinding Your First RCE!
Chapter 19: Same-Origin Policy Vulnerabilities
MechanismsExploiting Cross-Origin Resource SharingExploiting postMessage()Exploiting JSON with Padding Bypassing SOP by Using XSSHunting for SOP BypassesStep 1: Determine If SOP Relaxation Techniques Are UsedStep 2: Find CORS MisconfigurationStep 3: Find postMessage BugsStep 4: Find JSONP IssuesStep 5: Consider Mitigating FactorsEscalating the AttackFinding Your First SOP Bypass Vulnerability!
Chapter 20: Single-Sign-On Security Issues
MechanismsCookie SharingSecurity Assertion Markup LanguageOAuthHunting for Subdomain TakeoversStep 1: List the Target’s SubdomainsStep 2: Find Unregistered PagesStep 3: Register the PageMonitoring for Subdomain TakeoversHunting for SAML VulnerabilitiesStep 1: Locate the SAML ResponseStep 2: Analyze the Response FieldsStep 3: Bypass the SignatureStep 4: Re-encode the MessageHunting for OAuth Token TheftEscalating the AttackFinding Your First SSO Bypass!
Chapter 21: Information Disclosure
MechanismsPreventionHunting for Information DisclosureStep 1: Attempt a Path Traversal AttackStep 2: Search the Wayback MachineStep 3: Search Paste Dump SitesStep 4: Reconstruct Source Code from an Exposed .git DirectoryStep 5: Find Information in Public FilesEscalating the AttackFinding Your First Information Disclosure!
Part IV: Expert Techniques
Chapter 22: Conducting Code Reviews
White-Box vs. Black-Box TestingThe Fast Approach: grep Is Your Best FriendDangerous PatternsLeaked Secrets and Weak EncryptionNew Patches and Outdated DependenciesDeveloper CommentsDebug Functionalities, Configuration Files, and EndpointsThe Detailed ApproachImportant FunctionsUser InputExercise: Spot the Vulnerabilities
Chapter 23: Hacking Android Apps
Setting Up Your Mobile ProxyBypassing Certificate PinningAnatomy of an APKTools to UseAndroid Debug BridgeAndroid StudioApktoolFridaMobile Security FrameworkHunting for Vulnerabilities
Chapter 24: API Hacking
What Are APIs?REST APIsSOAP APIsGraphQL APIsAPI-Centric ApplicationsHunting for API VulnerabilitiesPerforming ReconTesting for Broken Access Control and Info LeaksTesting for Rate-Limiting IssuesTesting for Technical Bugs
Chapter 25: Automatic Vulnerability Discovery Using Fuzzers
What Is Fuzzing?How a Web Fuzzer WorksThe Fuzzing ProcessStep 1: Determine the Data Injection PointsStep 2: Decide on the Payload ListStep 3: FuzzStep 4: Monitor the ResultsFuzzing with WfuzzPath EnumerationBrute-Forcing AuthenticationTesting for Common Web VulnerabilitiesMore About WfuzzFuzzing vs. Static AnalysisPitfalls of FuzzingAdding to Your Automated Testing Toolkit
Index

Overview

A comprehensive guide for any web application hacker, Bug Bounty Bootcamp is a detailed exploration of the many vulnerabilities present in modern websites and the hands-on techniques you can use to most successfully exploit them.

Bug Bounty Bootcamp prepares you for participation in bug bounty programs, which companies set up to reward hackers for finding and reporting vulnerabilities in their applications. The Bootcamp begins with guidance on writing high-quality bug reports and building lasting relationships with client organizations. You’ll then set up a hacking lab and dive into the mechanisms of common web vulnerabilities, like XSS and SQL injection, aided by thorough explanations of what causes them, how you can exploit them, where to find them, and how to bypass protections. You’ll also explore recon strategies for gathering intel on a target and automate recon with bash scripting. Finally, you’ll wade into advanced techniques, like hacking mobile apps, testing APIs, and reviewing source code for vulnerabilities.

Along the way, you’ll learn how to:

•Identify and successfully exploit a wide array of common web vulnerabilities
•Set up a hacking environment, configure Burp Suite, and use its modules to intercept traffic and hunt for bugs
•Chain together multiple bugs for maximum impact and higher payouts
•Bypass protection mechanisms like input sanitization and blocklists to make your attacks succeed
•Automate tedious bug-hunting tasks with fuzzing and bash scripting
•Set up an Android app testing environment

Thousands of data breaches happen every year. By understanding vulnerabilities and how they happen, you can help prevent malicious attacks, protect apps and users, and make the internet a safer place. Happy bug hunting!

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098129088

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills