O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Hands-On Bug Hunting for Penetration Testers

Book Description

Detailed walkthroughs of how to discover, test, and document common web application vulnerabilities.

Key Features

  • Learn how to test for common bugs
  • Discover tools and methods for hacking ethically
  • Practice working through pentesting engagements step-by-step

Book Description

Bug bounties have quickly become a critical part of the security economy. This book shows you how technical professionals with an interest in security can begin productively—and profitably—participating in bug bounty programs.

You will learn about SQli, NoSQLi, XSS, XXE, and other forms of code injection. You'll see how to create CSRF PoC HTML snippets, how to discover hidden content (and what to do with it once it's found), and how to create the tools for automated pentesting workflows.

Then, you'll format all of this information within the context of a bug report that will have the greatest chance of earning you cash.

With detailed walkthroughs that cover discovering, testing, and reporting vulnerabilities, this book is ideal for aspiring security professionals. You should come away from this work with the skills you need to not only find the bugs you're looking for, but also the best bug bounty programs to participate in, and how to grow your skills moving forward in freelance security research.

What you will learn

  • Choose what bug bounty programs to engage in
  • Understand how to minimize your legal liability and hunt for bugs ethically
  • See how to take notes that will make compiling your submission report easier
  • Know how to take an XSS vulnerability from discovery to verification, and report submission
  • Automate CSRF PoC generation with Python
  • Leverage Burp Suite for CSRF detection
  • Use WP Scan and other tools to find vulnerabilities in WordPress, Django, and Ruby on Rails applications
  • Write your report in a way that will earn you the maximum amount of money

Who this book is for

This book is written for developers, hobbyists, pentesters, and anyone with an interest (and a little experience) in web application security.

Downloading the example code for this book You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.

Table of Contents

  1. Title Page
  2. Copyright and Credits
    1. Hands-On Bug Hunting for Penetration Testers
  3. Dedication
  4. Packt Upsell
    1. Why subscribe?
    2. Packt.com
  5. Contributors
    1. About the author
    2. About the reviewers
    3. Packt is searching for authors like you
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
      1. Download the example code files
      2. Conventions used
    4. Get in touch
      1. Reviews
  7. Joining the Hunt
    1. Technical Requirements
    2. The Benefits of Bug Bounty Programs
    3. What You Should Already Know – Pentesting Background
    4. Setting Up Your Environment – Tools To Know
    5. What You Will Learn – Next Steps
    6. How (Not) To Use This Book – A Warning
    7. Summary
    8. Questions
    9. Further Reading
  8. Choosing Your Hunting Ground
    1. Technical Requirements
    2. An Overview of Bug Bounty Communities – Where to Start Your Search
      1. Third-Party Marketplaces
        1. Bugcrowd
        2. HackerOne
        3. Vulnerability Lab
        4. BountyFactory
        5. Synack
      2. Company-Sponsored Initiatives
        1. Google
        2. Facebook
        3. Amazon
        4. GitHub
        5. Microsoft
      3. Finding Other Programs
      4. Money Versus Swag Rewards
      5. The Internet Bug Bounty Program
      6. ZeroDisclo and Coordinated Vulnerability Disclosures
    3. The Vulnerability of Web Applications – What You Should Target
    4. Evaluating Rules of Engagement – How to Protect Yourself
    5. Summary
    6. Questions
    7. Further Reading
  9. Preparing for an Engagement
    1. Technical Requirements
      1. Tools
      2. Using Burp
    2. Attack Surface Reconnaisance – Strategies and the Value of Standardization
      1. Sitemaps
      2. Scanning and Target Reconaissance
        1. Brute-forcing Web Content
        2. Spidering and Other Data-Collection Techniques
          1. Burp Spider
          2. Striker
          3. Scrapy and Custom Pipelines
      3. Manual Walkthroughs
      4. Source Code
      5. Building a Process
        1. Formatting the JS Report
        2. Downloading the JavaScript
        3. Putting It All Together
        4. The Value Behind the Structure
    3. Summary
    4. Questions
    5. Further Reading
  10. Unsanitized Data – An XSS Case Study
    1. Technical Requirements
    2. A Quick Overview of XSS – The Many Varieties of XSS
    3. Testing for XSS – Where to Find It, How to Verify It
      1. Burp Suite and XSS Validator
        1. Payload Sets
        2. Payload Options
        3. Payload Processing
    4. XSS – An End-To-End Example
      1. XSS in Google Gruyere
      2. Gathering Report Information
        1. Category
        2. Timestamps
        3. URL
        4. Payload
        5. Methodology
        6. Instructions to Reproduce
        7. Attack Scenario
    5. Summary
    6. Questions
    7. Further Reading
  11. SQL, Code Injection, and Scanners
    1. Technical Requirements
    2. SQLi and Other Code Injection Attacks – Accepting Unvalidated Data
      1. A Simple SQLi Example
    3. Testing for SQLi With Sqlmap – Where to Find It and How to Verify It
    4. Trawling for Bugs – Using Google Dorks and Python for SQLi Discovery
      1. Google Dorks for SQLi
      2. Validating a Dork
    5. Scanning for SQLi With Arachni
      1. Going Beyond Defaults
      2. Writing a Wrapper Script
    6. NoSQL Injection – Injecting Malformed MongoDB Queries
    7. SQLi – An End-to-End Example
      1. Gathering Report Information
        1. Category
        2. Timestamps
        3. URL
        4. Payload
        5. Methodology
        6. Instructions to Reproduce
        7. Attack Scenario
        8. Final Report
    8. Summary
    9. Questions
    10. Further Reading
  12. CSRF and Insecure Session Authentication
    1. Technical Requirements
    2. Building and Using CSRF PoCs
      1. Creating a CSRF PoC Code Snippet
      2. Validating Your CSRF PoC
      3. Creating Your CSRF PoC Programmatically
    3. CSRF – An End-to-End Example
      1. Gathering Report Information
        1. Category
        2. Timestamps
        3. URL
        4. Payload
        5. Methodology
        6. Instructions to Reproduce
        7. Attack Scenario
        8. Final Report
    4. Summary
    5. Questions
    6. Further Reading
  13. Detecting XML External Entities
    1. Technical requirements
    2. A simple XXE example
    3. XML injection vectors
    4. XML injection and XXE – stronger together
    5. Testing for XXE – where to find it, and how to verify it
    6. XXE – an end-to-end example
      1. Gathering report information
        1. Category
        2. Timestamps
        3. URL
        4. Payload
        5. Methodology
        6. Instructions to reproduce
        7. Attack scenario
        8. Final report
    7. Summary
    8. Questions
    9. Further reading
  14. Access Control and Security Through Obscurity
    1. Technical Requirements
    2. Security by Obscurity – The Siren Song
    3. Data Leaks – What Information Matters?
      1. API Keys
      2. Access Tokens
      3. Passwords
      4. Hostnames
      5. Machine RSA/Encryption Keys
      6. Account and Application Data
    4. Low Value Data – What Doesn’t Matter
      1. Generally Descriptive Error Messages
      2. 404 and Other Non-200 Error Codes
      3. Username Enumeration
      4. Browser Autocomplete or Save Password Functionality
    5. Data Leak Vectors
      1. Config Files
      2. Public Code Repos
      3. Client Source Code
      4. Hidden Fields
      5. Error Messages
    6. Unmasking Hidden Content – How to Pull the Curtains Back
      1. Preliminary Code Analysis
      2. Using Burp to Uncover Hidden Fields
    7. Data Leakage – An End-to-End Example
      1. Gathering Report Information
        1. Final Report
    8. Summary
    9. Questions
    10. Further Reading
  15. Framework and Application-Specific Vulnerabilities
    1. Technical Requirements
    2. Known Component Vulnerabilities and CVEs – A Quick Refresher
    3. WordPress – Using WPScan
      1. WPScan as a Dockerized CLI
      2. Burp and WPScan
    4. Ruby on Rails – Rubysec Tools and Tricks
      1. Exploiting RESTful MVC Routing Patterns
      2. Checking the Version for Particular Weaknesses
      3. Testing Cookie Data and Authentication
    5. Django – Strategies for the Python App
      1. Checking for DEBUG = True
      2. Probing the Admin Page
    6. Summary
    7. Questions
    8. Further Reading
  16. Formatting Your Report
    1. Technical Requirements
    2. Reproducing the Bug – How Your Submission Is Vetted
    3. Critical Information – What Your Report Needs
    4. Maximizing Your Award – The Features That Pay
    5. Example Submission Reports – Where to Look
    6. Hackerone Hacktivity
    7. Vulnerability Lab Archive
    8. GitHub
    9. Summary
    10. Questions
    11. Further Reading
  17. Other Tools
    1. Technical Requirements
    2. Evaluating New Tools – What to Look For
    3. Paid Versus Free Editions – What Makes a Tool Worth It?
    4. A Quick Overview of Other Options – Nikto, Kali, Burp Extensions, and More
      1. Scanners
        1. Nikto
        2. Zed Attack Proxy 
        3. w3af
        4. nmap and python-nmap
        5. Aircrack-ng
        6. Wireshark
        7. SpiderFoot
      2. Resources
        1. FuzzDB
        2. Pentesting Cheatsheet
        3. Exploit DB
        4. Awesome Web Security
      3. Kali Linux
      4. Source Code Analysis (White Box) Tools
        1. Pytaint
        2. Bandit
        3. Brakeman
      5. Burp
        1. Burp Extensions
          1. JSON Beautifier
          2. Retire.js
          3. Python Scripter
          4. Burp Notes
          5. Burp REST API
          6. SaaS-Specific Extensions
        2. Using Burp Pro to Generate a CSRF PoC
      6. Metasploit and Exploitation Frameworks
    5. Summary
    6. Questions
    7. Further Reading
  18. Other (Out of Scope) Vulnerabilities
    1. Technical Requirements
    2. DoS/DDoS – The Denial-of-Service Problem
    3. Sandboxed and Self-XSS – Low-Threat XSS Varieties
    4. Non-Critical Data Leaks – What Companies Don’t Care About
      1. Emails
      2. HTTP Request Banners
      3. Known Public Files
      4. Missing HttpOnly Cookie Flags
    5. Other Common No-Payout Vulnerabilities
      1. Weak or Easily Nypassed Captchas
      2. The HTTP OPTIONS Method Enabled
      3. BEAST (CVE-2011-3389) and Other SSL-Based Attacks
      4. Brute Forcing Authentication Systems
      5. CSRF Logout
      6. Anonymous Form CSRF
      7. Clickjacking and Clickjacking-Enabled Attacks
      8. Physical Testing Findings
      9. Outdated Browsers
      10. Server Information
      11. Rate-Limiting
    6. Summary
    7. Questions
    8. Further Reading
  19. Going Further
    1. Blogs
      1. The SANS Institute
      2. Bugcrowd
      3. Darknet
      4. HighOn.Coffee
      5. Zero Day Blog
      6. SANS AppSec Blog
    2. Courses
      1. Penetration Testing With Kali Linux
      2. The Infosec Institute Coursework
      3. Udemy Penetration Testing Classes
      4. Terminology
      5. Attack Scenario
      6. Attack Surface
      7. Black Box Testing
      8. Bugs
      9. Bug Bounty Programs
      10. CORS
      11. Data Exfiltration
      12. Data Sanitation
      13. Data Leakage
      14. Exploit
      15. Fingerprinting
      16. Fuzzing
      17. Google Dorks
      18. Known Component Vulnerabilities
      19. OSINT
      20. Passive Versus Active Scanning
      21. Payload
      22. Proof-of-Concept (PoC)
      23. Rules of Engagement (RoE)
      24. Red Team
      25. Remote Code Execution (RCE)
      26. Safe Harbor
      27. Scope
      28. Security Posture
      29. Single-Origin Policy
      30. Submission Report
      31. Vulnerability
      32. White Box Testing
      33. Workflow
      34. Zero-Day
    3. Summary
    4. Questions
    5. Further Reading
  20. Assessment
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
  21. Other Books You May Enjoy
    1. Leave a review - let other readers know what you think