Bug Bounty Hunting Essentials

Book description

Get hands-on experience with the concepts of bug bounty hunting

Key Features

  • Get well-versed with the fundamentals of bug bounty hunting
  • Gain hands-on experience using different tools for bug hunting
  • Learn to write a bug bounty report tailored to the different vulnerabilities and their analysis

Book Description

Bug bounty programs are deals offered by prominent companies in which any white-hat hacker can find bugs in their applications and receive recognition for doing so. The number of prominent organizations running such programs has grown steadily, creating many opportunities for ethical hackers.

This book starts by introducing you to the concept of bug bounty hunting. It then digs deeper into vulnerability classes and their analysis, such as HTML injection, CRLF injection, and so on. Towards the end of the book, you will get hands-on experience with the different tools used for bug hunting and learn about the blogs and communities worth following.

This book will get you started with bug bounty hunting and its fundamentals.

What you will learn

  • Learn the basics of bug bounty hunting
  • Hunt bugs in web applications
  • Hunt bugs in Android applications
  • Analyze the top 300 bug reports
  • Discover bug bounty hunting research methodologies
  • Explore different tools used for Bug Hunting

Who this book is for

This book is aimed at white-hat hackers, or anyone who wants to understand the concept behind bug bounty hunting and this brilliant approach to penetration testing.

This book does not require any prior knowledge of bug bounty hunting.


Table of contents

  1. Title Page
  2. Copyright and Credits
    1. Bug Bounty Hunting Essentials
  3. About Packt
    1. Why subscribe?
    2. Packt.com
  4. Contributors
    1. About the authors
    2. About the reviewers
    3. Packt is searching for authors like you
  5. Preface
    1. Who this book is for
    2. What this book covers
      1. Conventions used
    3. Get in touch
      1. Reviews
    4. Disclaimer
  6. Basics of Bug Bounty Hunting
    1. Bug bounty hunting platforms
      1. HackerOne
      2. Bugcrowd
      3. Cobalt
      4. Synack
    2. Types of bug bounty program
      1. Public programs
      2. Private programs
    3. Bug bounty hunter statistics
      1. Number of vulnerabilities
      2. Number of halls of fame
      3. Reputation points
      4. Signal
      5. Impact
      6. Accuracy
    4. Bug bounty hunting methodology
    5. How to become a bug bounty hunter
      1. Reading books
      2. Practicing what you learned
      3. Reading proof of concepts
      4. Learning from reports
      5. Starting bug bounty hunting
      6. Learning and networking with others
    6. Rules of bug bounty hunting
      1. Targeting the right program
      2. Approaching the target with clarity
      3. Keeping your expectations low
      4. Learning about vulnerabilities
      5. Keeping yourself up-to-date
      6. Automating your vulnerabilities
      7. Gaining experience with bug bounty hunting
      8. Chaining vulnerabilities
    7. Summary
  7. How to Write a Bug Bounty Report
    1. Prerequisites of writing a bug bounty report
      1. Referring to the policy of the program
        1. Mission statement
        2. Participating services
        3. Excluded domains
        4. Reward and qualifications
        5. Eligibility for participation
        6. Conduct guidelines
        7. Nonqualifying vulnerabilities
        8. Commitment to researchers
    2. Salient features of a bug bounty report
      1. Clarity
      2. Depth
      3. Estimation
      4. Respect
    3. Format of a bug bounty report
      1. Writing title of a report
      2. Writing the description of a report
      3. Writing the proof of concept of a report
      4. Writing exploitability of a report
      5. Writing impact of a report
      6. Writing remediation
    4. Responding to the queries of the team
    5. Summary
  8. SQL Injection Vulnerabilities
    1. SQL injection
    2. Types of SQL injection vulnerability
      1. In-band SQLi (classic SQLi)
      2. Inferential SQLi (blind SQLi)
      3. Out-of-band SQLi
    3. Goals of an SQL injection attack for bug bounty hunters
    4. Uber SQL injection
      1. Key learning from this report
    5. Grab taxi SQL Injection
      1. Key learning from this report
    6. Zomato SQL injection
      1. Key learning from this report
    7. LocalTapiola SQL injection
      1. Key learning from this report
    8. Summary
  9. Cross-Site Request Forgery
    1. Protecting the cookies
    2. Why does the CSRF exist?
      1. GET CSRF
      2. POST CSRF
      3. CSRF-unsafe protections
        1. Secret cookies
        2. Request restrictions
        3. Complex flow
        4. URL rewriting
        5. Using HTTPS instead of HTTP
      4. CSRF – more safe protection
    3. Detecting and exploiting CSRF
      1. Avoiding problems with authentication
    4. XSS – CSRF's best friend
    5. Cross-domain policies
      1. HTML injection
      2. JavaScript hijacking
    6. CSRF in the wild
      1. Shopify for exporting installed users
      2. Shopify Twitter disconnect
      3. Badoo full account takeover
    7. Summary
  10. Application Logic Vulnerabilities
    1. Origins
      1. What is the main problem?
    2. Following the flow
      1. Spidering
      2. Points of interest
      3. Analysis
        1. User input
        2. Out-band channels
        3. Naming conventions
        4. Keywords related to technologies
        5. Analyzing the traffic
    3. Application logic vulnerabilities in the wild
      1. Bypassing the Shopify admin authentication
      2. Starbucks race conditions
      3. Binary.com vulnerability – stealing a user's money
      4. HackerOne signal manipulation
      5. Shopify S buckets open
      6. HackerOne S buckets open
      7. Bypassing the GitLab 2F authentication
      8. Yahoo PHP info disclosure
    4. Summary
  11. Cross-Site Scripting Attacks
    1. Types of cross-site scripting
      1. Reflected cross-site scripting
      2. Stored cross-site scripting
      3. DOM-based XSS
      4. Other types of XSS attacks
        1. Blind XSS
        2. Flash-based XSS
        3. Self XSS
    2. How do we detect XSS bugs?
      1. Detecting XSS bugs in real life
        1. Follow the flow
        2. Avoiding input validation controls
          1. Other common strings
          2. Bypassing filters using encoding
          3. Bypassing filters using tag modifiers
          4. Bypassing filters using dynamic constructed strings
    3. Workflow of an XSS attack
      1. HackeroneXSS
        1. Executing malicious JS
        2. Embedding unauthorized images in the report
        3. Redirecting users to a different website
        4. Key learning from this report
      2. Slack XSS
        1. Embedding malicious links to infect other users on Slack
        2. Key learning from this report
      3. TrelloXSS
        1. Key learning from this report
      4. Shopify XSS
        1. Key learning from this report
      5. Twitter XSS
        1. Key learning from this report
    4. Real bug bounty examples
      1. Shopify wholesale
      2. Shopify Giftcard Cart
      3. Shopify currency formatting
      4. Yahoo Mail stored XSS
      5. Google image search
    5. Summary
  12. SQL Injection
    1. Origin
      1. Types of SQL injection
        1. In-band SQL injection
        2. Inferential
        3. Out-of-band SQL injection
      2. Fundamental exploitation
      3. Detecting and exploiting SQL injection as if tomorrow does not exist
        1. Union
        2. Interacting with the DBMS
        3. Bypassing security controls
        4. Blind exploitation
        5. Out-band exploitations
    2. Example
    3. Automation
    4. SQL injection in Drupal
    5. Summary
  13. Open Redirect Vulnerabilities
    1. Redirecting to another URL
    2. Constructing URLs
    3. Executing code
    4. URL shorteners
    5. Why do open redirects work?
    6. Detecting and exploiting open redirections
    7. Exploitation
    8. Impact
    9. Black and white lists
    10. Open redirects in the wild
      1. Shopify theme install open redirect
      2. Shopify login open redirect
      3. HackerOne interstitial redirect
      4. XSS and open redirect on Twitter
      5. Facebook
    11. Summary
  14. Sub-Domain Takeovers
    1. The sub-domain takeover
      1. CNAME takeovers
      2. NS takeover
      3. MX takeovers
    2. Internet-wide scans
      1. Detecting possibly affected domains
    3. Exploitation
    4. Mitigation
    5. Sub-domain takeovers in the wild
      1. Ubiquiti sub-domain takeovers
      2. Scan.me pointing to Zendesk
      3. Starbucks' sub-domain takeover
      4. Vine's sub-domain takeover
        1. Uber's sub-domain takeover
    6. Summary
  15. XML External Entity Vulnerability
    1. How XML works
    2. How is an XXE produced?
    3. Detecting and exploiting an XXE
    4. Templates
    5. XXEs in the wild
      1. Read access to Google
      2. A Facebook XXE with Word
      3. The Wikiloc XXE
    6. Summary
  16. Template Injection
    1. What's the problem?
      1. Examples
        1. Twig and FreeMaker
        2. Smarty
        3. Marko
    2. Detection
    3. Exploitation
    4. Mitigation
    5. SSTI in the wild
      1. Uber Jinja2 TTSI
      2. Uber Angular template injection
      3. Yahoo SSTI vulnerability
      4. Rails dynamic render
    6. Summary
  17. Top Bug Bounty Hunting Tools
    1. HTTP proxies, requests, responses, and traffic analyzers
      1. Burp Suite
      2. Wireshark
      3. Firebug
      4. ZAP – Zed Attack Proxy
      5. Fiddler
    2. Automated vulnerability discovery and exploitation
      1. Websecurify (SECAPPS)
      2. Acunetix
      3. Nikto
      4. sqlmap
    3. Recognize
      1. Knockpy
      2. HostileSubBruteforcer
      3. Nmap
      4. Shodan
      5. What CMS
      6. Recon-ng
    4. Extensions
      1. FoxyProxy
      2. User-Agent Switcher
      3. HackBar
      4. Cookies Manager+
    5. Summary
  18. Top Learning Resources
    1. Training
      1. Platzi
      2. Udemy
      3. GIAC
      4. Offensive Security
    2. Books and resources
      1. Web Application Hacker's Handbook
      2. OWASP Testing Guide
      3. Hacking 101
      4. The Hacker Play Book
      5. Exploiting Software
    3. CTFs and wargames
      1. Hack The Box
      2. Damn Vulnerable Web Application
      3. Badstore
      4. Metasploitable
    4. YouTube channels
      1. Web Hacking Pro Tips
      2. BugCrowd
      3. HackerOne
    5. Social networks and blogs
      1. Exploitware Labs
      2. Philippe Hare Wood
      3. PortSwigger's blog
    6. Meetings and networking
      1. LiveOverflow
      2. OWASP meetings
      3. DEFCON meetings
      4. 2600 meetings
    7. Conferences
      1. DEFCON
      2. BlackHat
      3. BugCON
      4. Ekoparty
      5. Code Blue
      6. CCC
      7. H2HC
      8. 8.8
    8. Podcasts
      1. PaulDotCom
    9. Summary
  19. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think

Product information

  • Title: Bug Bounty Hunting Essentials
  • Author(s): Carlos A. Lozano, Shahmeer Amir
  • Release date: November 2018
  • Publisher(s): Packt Publishing
  • ISBN: 9781788626897