book

Bug Bounty Bootcamp

Name: Bug Bounty Bootcamp
Author: Vickie Li
ISBN: 9781718501546

by Vickie Li

September 2021

Intermediate to advanced

416 pages

11h 1m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
About the Author
Foreword
Introduction
Who This Book Is ForWhat Is In This BookHappy Hacking!
Part I: The Industry
Chapter 1: Picking a Bug Bounty Program
The State of the IndustryAsset TypesSocial Sites and ApplicationsGeneral Web ApplicationsMobile Applications (Android, iOS, and Windows)APIsSource Code and ExecutablesHardware and IoTBug Bounty PlatformsThe Pros . . .. . . and the ConsScope, Payouts, and Response TimesProgram ScopePayout AmountsResponse TimePrivate ProgramsChoosing the Right ProgramA Quick Comparison of Popular Programs
Chapter 2: Sustaining Your Success
Writing a Good ReportStep 1: Craft a Descriptive TitleStep 2: Provide a Clear SummaryStep 3: Include a Severity AssessmentStep 4: Give Clear Steps to ReproduceStep 5: Provide a Proof of ConceptStep 6: Describe the Impact and Attack ScenariosStep 7: Recommend Possible MitigationsStep 8: Validate the ReportAdditional Tips for Writing Better ReportsBuilding a Relationship with the Development TeamUnderstanding Report StatesDealing with ConflictBuilding a PartnershipUnderstanding Why You’re FailingWhy You’re Not Finding BugsWhy Your Reports Get DismissedWhat to Do When You’re StuckStep 1: Take a Break!Step 2: Build Your Skill SetStep 3: Gain a Fresh PerspectiveLastly, a Few Words of Experience
Part II: Getting Started
Chapter 3: How the Internet Works
The Client-Server ModelThe Domain Name SystemInternet PortsHTTP Requests and ResponsesInternet Security ControlsContent EncodingSession Management and HTTP CookiesToken-Based AuthenticationJSON Web TokensThe Same-Origin PolicyLearn to Program

Chapter 4: Environmental Setup and Traffic Interception
Choosing an Operating SystemSetting Up the Essentials: A Browser and a ProxyOpening the Embedded BrowserSetting Up FirefoxSetting Up BurpUsing BurpThe ProxyThe IntruderThe RepeaterThe DecoderThe ComparerSaving Burp RequestsA Final Note on . . . Taking Notes
Chapter 5: Web Hacking Reconnaissance
Manually Walking Through the TargetGoogle DorkingScope DiscoveryWHOIS and Reverse WHOISIP AddressesCertificate ParsingSubdomain EnumerationService EnumerationDirectory Brute-ForcingSpidering the SiteThird-Party HostingGitHub ReconOther Sneaky OSINT TechniquesTech Stack FingerprintingWriting Your Own Recon ScriptsUnderstanding Bash Scripting BasicsSaving Tool Output to a FileAdding the Date of the Scan to the OutputAdding Options to Choose the Tools to RunRunning Additional ToolsParsing the ResultsBuilding a Master ReportScanning Multiple DomainsWriting a Function LibraryBuilding Interactive ProgramsUsing Special Variables and CharactersScheduling Automatic ScansA Note on Recon APIsStart Hacking!Tools Mentioned in This ChapterScope DiscoveryOSINTTech Stack FingerprintingAutomation
Part III: Web Vulnerabilities
Chapter 6: Cross-Site Scripting
MechanismsTypes of XSSStored XSSBlind XSSReflected XSSDOM-Based XSSSelf-XSSPreventionHunting for XSSStep 1: Look for Input OpportunitiesStep 2: Insert PayloadsStep 3: Confirm the ImpactBypassing XSS ProtectionAlternative JavaScript SyntaxCapitalization and EncodingFilter Logic ErrorsEscalating the AttackAutomating XSS HuntingFinding Your First XSS!
Chapter 7: Open Redirects
MechanismsPreventionHunting for Open RedirectsStep 1: Look for Redirect ParametersStep 2: Use Google Dorks to Find Additional Redirect ParametersStep 3: Test for Parameter-Based Open RedirectsStep 4: Test for Referer-Based Open RedirectsBypassing Open-Redirect ProtectionUsing Browser AutocorrectExploiting Flawed Validator LogicUsing Data URLsExploiting URL DecodingCombining Exploit TechniquesEscalating the AttackFinding Your First Open Redirect!
Chapter 8: Clickjacking
MechanismsPreventionHunting for ClickjackingStep 1: Look for State-Changing ActionsStep 2: Check the Response HeadersStep 3: Confirm the VulnerabilityBypassing ProtectionsEscalating the AttackA Note on Delivering the Clickjacking PayloadFinding Your First Clickjacking Vulnerability!
Chapter 9: Cross-Site Request Forgery
MechanismsPreventionHunting for CSRFsStep 1: Spot State-Changing ActionsStep 2: Look for a Lack of CSRF ProtectionsStep 3: Confirm the VulnerabilityBypassing CSRF ProtectionExploit ClickjackingChange the Request MethodBypass CSRF Tokens Stored on the ServerBypass Double-Submit CSRF TokensBypass CSRF Referer Header CheckBypass CSRF Protection by Using XSSEscalating the AttackLeak User Information by Using CSRFCreate Stored Self-XSS by Using CSRFTake Over User Accounts by Using CSRFDelivering the CSRF PayloadFinding Your First CSRF!
Chapter 10: Insecure Direct Object References
MechanismsPreventionHunting for IDORsStep 1: Create Two AccountsStep 2: Discover FeaturesStep 3: Capture RequestsStep 4: Change the IDsBypassing IDOR ProtectionEncoded IDs and Hashed IDsLeaked IDsOffer the Application an ID, Even If It Doesn’t Ask for OneKeep an Eye Out for Blind IDORsChange the Request MethodChange the Requested File TypeEscalating the AttackAutomating the AttackFinding Your First IDOR!
Chapter 11: SQL Injection
MechanismsInjecting Code into SQL QueriesUsing Second-Order SQL InjectionsPreventionHunting for SQL InjectionsStep 1: Look for Classic SQL InjectionsStep 2: Look for Blind SQL InjectionsStep 3: Exfiltrate Information by Using SQL InjectionsStep 4: Look for NoSQL InjectionsEscalating the AttackLearn About the DatabaseGain a Web ShellAutomating SQL InjectionsFinding Your First SQL Injection!
Chapter 12: Race Conditions
MechanismsWhen a Race Condition Becomes a VulnerabilityPreventionHunting for Race ConditionsStep 1: Find Features Prone to Race ConditionsStep 2: Send Simultaneous RequestsStep 3: Check the ResultsStep 4: Create a Proof of ConceptEscalating Race ConditionsFinding Your First Race Condition!
Chapter 13: Server-Side Request Forgery
MechanismsPreventionHunting for SSRFsStep 1: Spot Features Prone to SSRFsStep 2: Provide Potentially Vulnerable Endpoints with Internal URLsStep 3: Check the ResultsBypassing SSRF ProtectionBypass AllowlistsBypass BlocklistsEscalating the AttackPerform Network ScanningPull Instance MetadataExploit Blind SSRFsAttack the NetworkFinding Your First SSRF!
Chapter 14: Insecure Deserialization
MechanismsPHPJavaPreventionHunting for Insecure DeserializationEscalating the AttackFinding Your First Insecure Deserialization!
Chapter 15: XML External Entity
MechanismsPreventionHunting for XXEsStep 1: Find XML Data Entry PointsStep 2: Test for Classic XXEStep 3: Test for Blind XXEStep 4: Embed XXE Payloads in Different File TypesStep 5: Test for XInclude AttacksEscalating the AttackReading FilesLaunching an SSRFUsing Blind XXEsPerforming Denial-of-Service AttacksMore About Data Exfiltration Using XXEsFinding Your First XXE!
Chapter 16: Template Injection
MechanismsTemplate EnginesInjecting Template CodePreventionHunting for Template InjectionStep 1: Look for User-Input LocationsStep 2: Detect Template Injection by Submitting Test PayloadsStep 3: Determine the Template Engine in UseEscalating the AttackSearching for System Access via Python CodeEscaping the Sandbox by Using Python Built-in FunctionsSubmitting Payloads for TestingAutomating Template InjectionFinding Your First Template Injection!
Chapter 17: Application Logic Errors and Broken Access Control
Application Logic ErrorsBroken Access ControlExposed Admin PanelsDirectory Traversal VulnerabilitiesPreventionHunting for Application Logic Errors and Broken Access ControlStep 1: Learn About Your TargetStep 2: Intercept Requests While BrowsingStep 3: Think Outside the BoxEscalating the AttackFinding Your First Application Logic Error or Broken Access Control!
Chapter 18: Remote Code Execution
MechanismsCode InjectionFile InclusionPreventionHunting for RCEsStep 1: Gather Information About the TargetStep 2: Identify Suspicious User Input LocationsStep 3: Submit Test PayloadsStep 4: Confirm the VulnerabilityEscalating the AttackBypassing RCE ProtectionFinding Your First RCE!
Chapter 19: Same-Origin Policy Vulnerabilities
MechanismsExploiting Cross-Origin Resource SharingExploiting postMessage()Exploiting JSON with Padding Bypassing SOP by Using XSSHunting for SOP BypassesStep 1: Determine If SOP Relaxation Techniques Are UsedStep 2: Find CORS MisconfigurationStep 3: Find postMessage BugsStep 4: Find JSONP IssuesStep 5: Consider Mitigating FactorsEscalating the AttackFinding Your First SOP Bypass Vulnerability!
Chapter 20: Single-Sign-On Security Issues
MechanismsCookie SharingSecurity Assertion Markup LanguageOAuthHunting for Subdomain TakeoversStep 1: List the Target’s SubdomainsStep 2: Find Unregistered PagesStep 3: Register the PageMonitoring for Subdomain TakeoversHunting for SAML VulnerabilitiesStep 1: Locate the SAML ResponseStep 2: Analyze the Response FieldsStep 3: Bypass the SignatureStep 4: Re-encode the MessageHunting for OAuth Token TheftEscalating the AttackFinding Your First SSO Bypass!
Chapter 21: Information Disclosure
MechanismsPreventionHunting for Information DisclosureStep 1: Attempt a Path Traversal AttackStep 2: Search the Wayback MachineStep 3: Search Paste Dump SitesStep 4: Reconstruct Source Code from an Exposed .git DirectoryStep 5: Find Information in Public FilesEscalating the AttackFinding Your First Information Disclosure!
Part IV: Expert Techniques
Chapter 22: Conducting Code Reviews
White-Box vs. Black-Box TestingThe Fast Approach: grep Is Your Best FriendDangerous PatternsLeaked Secrets and Weak EncryptionNew Patches and Outdated DependenciesDeveloper CommentsDebug Functionalities, Configuration Files, and EndpointsThe Detailed ApproachImportant FunctionsUser InputExercise: Spot the Vulnerabilities
Chapter 23: Hacking Android Apps
Setting Up Your Mobile ProxyBypassing Certificate PinningAnatomy of an APKTools to UseAndroid Debug BridgeAndroid StudioApktoolFridaMobile Security FrameworkHunting for Vulnerabilities
Chapter 24: API Hacking
What Are APIs?REST APIsSOAP APIsGraphQL APIsAPI-Centric ApplicationsHunting for API VulnerabilitiesPerforming ReconTesting for Broken Access Control and Info LeaksTesting for Rate-Limiting IssuesTesting for Technical Bugs
Chapter 25: Automatic Vulnerability Discovery Using Fuzzers
What Is Fuzzing?How a Web Fuzzer WorksThe Fuzzing ProcessStep 1: Determine the Data Injection PointsStep 2: Decide on the Payload ListStep 3: FuzzStep 4: Monitor the ResultsFuzzing with WfuzzPath EnumerationBrute-Forcing AuthenticationTesting for Common Web VulnerabilitiesMore About WfuzzFuzzing vs. Static AnalysisPitfalls of FuzzingAdding to Your Automated Testing Toolkit
Index

Content preview from Bug Bounty Bootcamp

21 Information Disclosure

The IDOR vulnerabilities covered in Chapter 10 are a common way for applications to leak private information about users. But an attacker can uncover sensitive information from a target application in other ways too. I call these bugs information disclosure bugs. These bugs are common; in fact, they’re the type of bug I find most often while bug bounty hunting, even when I’m searching for other bug types.

These bugs can happen in many ways, depending on the application. In this chapter, we’ll talk about a few ways you might manage to leak data from an application, and how you can maximize the chances of finding ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Redefining Hacking: A Comprehensive Guide to Red Teaming and Bug Bounty Hunting in an AI-driven World

Publisher Resources

ISBN: 9781098129088

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Bug Bounty Bootcamp

by Vickie Li

21 Information Disclosure

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.