
Real-World Bug Hunting

Book Description

Real-World Bug Hunting is a field guide to finding software bugs. Ethical hacker Peter Yaworski breaks down common types of bugs, then contextualizes them with real bug bounty reports released by hackers on companies like Twitter, Facebook, Google, Uber, and Starbucks. As you read each report, you'll gain deeper insight into how the vulnerabilities work and how you might find similar ones.

Each chapter begins with an explanation of a vulnerability type, then moves into a series of real bug bounty reports that show how the bugs were found. You'll learn things like how Cross-Site Request Forgery tricks users into unknowingly submitting information to websites they are logged into; how to pass along unsafe JavaScript to execute Cross-Site Scripting; how to access another user's data via Insecure Direct Object References; how to trick websites into disclosing information with Server-Side Request Forgery; and how bugs in application logic can lead to pretty serious vulnerabilities. Yaworski also shares advice on how to write effective vulnerability reports and develop relationships with bug bounty programs, and recommends hacking tools that can make the job a little easier.

Table of Contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. About the Technical Reviewer
  6. Brief Contents
  7. Contents in Detail
  8. Foreword by Michiel Prins and Jobert Abma
  9. Acknowledgments
  10. Introduction
    1. Who Should Read This Book
    2. How to Read This Book
    3. What’s in This Book
    4. A Disclaimer About Hacking
  11. 1 Bug Bounty Basics
    1. Vulnerabilities and Bug Bounties
    2. Client and Server
    3. What Happens When You Visit a Website
    4. HTTP Requests
    5. Summary
  12. 2 Open Redirect
    1. How Open Redirects Work
    2. Shopify Theme Install Open Redirect
    3. Shopify Login Open Redirect
    4. HackerOne Interstitial Redirect
    5. Summary
  13. 3 HTTP Parameter Pollution
    1. Server-Side HPP
    2. Client-Side HPP
    3. HackerOne Social Sharing Buttons
    4. Twitter Unsubscribe Notifications
    5. Twitter Web Intents
    6. Summary
  14. 4 Cross-Site Request Forgery
    1. Authentication
    2. CSRF with GET Requests
    3. CSRF with POST Requests
    4. Defenses Against CSRF Attacks
    5. Shopify Twitter Disconnect
    6. Change Users Instacart Zones
    7. Badoo Full Account Takeover
    8. Summary
  15. 5 HTML Injection and Content Spoofing
    1. Coinbase Comment Injection Through Character Encoding
    2. HackerOne Unintended HTML Inclusion
    3. HackerOne Unintended HTML Include Fix Bypass
    4. Within Security Content Spoofing
    5. Summary
  16. 6 Carriage Return Line Feed Injection
    1. HTTP Request Smuggling
    2. v.shopify.com Response Splitting
    3. Twitter HTTP Response Splitting
    4. Summary
  17. 7 Cross-Site Scripting
    1. Types of XSS
    2. Shopify Wholesale
    3. Shopify Currency Formatting
    4. Yahoo! Mail Stored XSS
    5. Google Image Search
    6. Google Tag Manager Stored XSS
    7. United Airlines XSS
    8. Summary
  18. 8 Template Injection
    1. Server-Side Template Injections
    2. Client-Side Template Injections
    3. Uber AngularJS Template Injection
    4. Uber Flask Jinja2 Template Injection
    5. Rails Dynamic Render
    6. Unikrn Smarty Template Injection
    7. Summary
  19. 9 SQL Injection
    1. SQL Databases
    2. Countermeasures Against SQLi
    3. Yahoo! Sports Blind SQLi
    4. Uber Blind SQLi
    5. Drupal SQLi
    6. Summary
  20. 10 Server-Side Request Forgery
    1. Demonstrating the Impact of Server-Side Request Forgery
    2. Invoking GET vs. POST Requests
    3. Performing Blind SSRFs
    4. Attacking Users with SSRF Responses
    5. ESEA SSRF and Querying AWS Metadata
    6. Google Internal DNS SSRF
    7. Internal Port Scanning Using Webhooks
    8. Summary
  21. 11 XML External Entity
    1. eXtensible Markup Language
    2. How XXE Attacks Work
    3. Read Access to Google
    4. Facebook XXE with Microsoft Word
    5. Wikiloc XXE
    6. Summary
  22. 12 Remote Code Execution
    1. Executing Shell Commands
    2. Executing Functions
    3. Strategies for Escalating Remote Code Execution
    4. Polyvore ImageMagick
    5. Algolia RCE on facebooksearch.algolia.com
    6. RCE Through SSH
    7. Summary
  23. 13 Memory Vulnerabilities
    1. Buffer Overflows
    2. Read Out of Bounds
    3. PHP ftp_genlist() Integer Overflow
    4. Python Hotshot Module
    5. Libcurl Read Out of Bounds
    6. Summary
  24. 14 Subdomain Takeover
    1. Understanding Domain Names
    2. How Subdomain Takeovers Work
    3. Ubiquiti Subdomain Takeover
    4. Scan.me Pointing to Zendesk
    5. Shopify Windsor Subdomain Takeover
    6. Snapchat Fastly Takeover
    7. Legal Robot Takeover
    8. Uber SendGrid Mail Takeover
    9. Summary
  25. 15 Race Conditions
    1. Accepting a HackerOne Invite Multiple Times
    2. Exceeding Keybase Invitation Limits
    3. HackerOne Payments Race Condition
    4. Shopify Partners Race Condition
    5. Summary
  26. 16 Insecure Direct Object References
    1. Finding Simple IDORs
    2. Finding More Complex IDORs
    3. Binary.com Privilege Escalation
    4. Moneybird App Creation
    5. Twitter Mopub API Token Theft
    6. ACME Customer Information Disclosure
    7. Summary
  27. 17 OAuth Vulnerabilities
    1. The OAuth Workflow
    2. Stealing Slack OAuth Tokens
    3. Passing Authentication with Default Passwords
    4. Stealing Microsoft Login Tokens
    5. Swiping Facebook Official Access Tokens
    6. Summary
  28. 18 Application Logic and Configuration Vulnerabilities
    1. Bypassing Shopify Administrator Privileges
    2. Bypassing Twitter Account Protections
    3. HackerOne Signal Manipulation
    4. HackerOne Incorrect S3 Bucket Permissions
    5. Bypassing GitLab Two-Factor Authentication
    6. Yahoo! PHP Info Disclosure
    7. HackerOne Hacktivity Voting
    8. Accessing PornHub’s Memcache Installation
    9. Summary
  29. 19 Finding Your Own Bug Bounties
    1. Reconnaissance
    2. Testing the Application
    3. Going Further
    4. Summary
  30. 20 Vulnerability Reports
    1. Read the Policy
    2. Include Details; Then Include More
    3. Reconfirm the Vulnerability
    4. Your Reputation
    5. Show Respect for the Company
    6. Appealing Bounty Rewards
    7. Summary
  31. A Tools
    1. Web Proxies
    2. Subdomain Enumeration
    3. Discovery
    4. Screenshotting
    5. Port Scanning
    6. Reconnaissance
    7. Hacking Tools
    8. Mobile
    9. Browser Plug-Ins
  32. B Resources
    1. Online Training
    2. Bug Bounty Platforms
    3. Recommended Reading
    4. Video Resources
    5. Recommended Blogs
  33. Index