Bug Bounty Hunting Essentials
Carlos A. Lozano, Shahmeer Amir
Updated: 2021-06-10 18:36:23
Cover page
Title Page
About Packt
Why subscribe?
Packt.com
Contributors
About the authors
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
Conventions used
Get in touch
Reviews
Disclaimer
Basics of Bug Bounty Hunting
Bug bounty hunting platforms
HackerOne
Bugcrowd
Cobalt
Synack
Types of bug bounty program
Public programs
Private programs
Bug bounty hunter statistics
Number of vulnerabilities
Number of halls of fame
Reputation points
Signal
Impact
Accuracy
Bug bounty hunting methodology
How to become a bug bounty hunter
Reading books
Practicing what you learned
Reading proof of concepts
Learning from reports
Starting bug bounty hunting
Learning and networking with others
Rules of bug bounty hunting
Targeting the right program
Approaching the target with clarity
Keeping your expectations low
Learning about vulnerabilities
Keeping yourself up-to-date
Automating your vulnerability discovery
Gaining experience with bug bounty hunting
Chaining vulnerabilities
Summary
How to Write a Bug Bounty Report
Prerequisites of writing a bug bounty report
Referring to the policy of the program
Mission statement
Participating services
Excluded domains
Reward and qualifications
Eligibility for participation
Conduct guidelines
Nonqualifying vulnerabilities
Commitment to researchers
Salient features of a bug bounty report
Clarity
Depth
Estimation
Respect
Format of a bug bounty report
Writing title of a report
Writing the description of a report
Writing the proof of concept of a report
Writing exploitability of a report
Writing impact of a report
Writing remediation
Responding to the queries of the team
Summary
SQL Injection Vulnerabilities
SQL injection
Types of SQL injection vulnerability
In-band SQLi (classic SQLi)
Inferential SQLi (blind SQLi)
Out-of-band SQLi
Goals of an SQL injection attack for bug bounty hunters
Uber SQL injection
Key learning from this report
Grab taxi SQL Injection
Key learning from this report
Zomato SQL injection
Key learning from this report
LocalTapiola SQL injection
Key learning from this report
Summary
Cross-Site Request Forgery
Protecting the cookies
Why does the CSRF exist?
GET CSRF
POST CSRF
Unsafe CSRF protections
Secret cookies
Request restrictions
Complex flow
URL rewriting
Using HTTPS instead of HTTP
CSRF – safer protection
Detecting and exploiting CSRF
Avoiding problems with authentication
XSS – CSRF's best friend
Cross-domain policies
HTML injection
JavaScript hijacking
CSRF in the wild
Shopify for exporting installed users
Shopify Twitter disconnect
Badoo full account takeover
Summary
Application Logic Vulnerabilities
Origins
What is the main problem?
Following the flow
Spidering
Points of interest
Analysis
User input
Out-of-band channels
Naming conventions
Keywords related to technologies
Analyzing the traffic
Application logic vulnerabilities in the wild
Bypassing the Shopify admin authentication
Starbucks race conditions
Binary.com vulnerability – stealing a user's money
HackerOne signal manipulation
Shopify S3 buckets open
HackerOne S3 buckets open
Bypassing the GitLab 2FA authentication
Yahoo PHP info disclosure
Summary
Cross-Site Scripting Attacks
Types of cross-site scripting
Reflected cross-site scripting
Stored cross-site scripting
DOM-based XSS
Other types of XSS attacks
Blind XSS
Flash-based XSS
Self XSS
How do we detect XSS bugs?
Detecting XSS bugs in real life
Follow the flow
Avoiding input validation controls
Other common strings
Bypassing filters using encoding
Bypassing filters using tag modifiers
Bypassing filters using dynamic constructed strings
Workflow of an XSS attack
HackerOne XSS
Executing malicious JS
Embedding unauthorized images in the report
Redirecting users to a different website
Key learning from this report
Slack XSS
Embedding malicious links to infect other users on Slack
Key learning from this report
Trello XSS
Key learning from this report
Shopify XSS
Key learning from this report
Twitter XSS
Key learning from this report
Real bug bounty examples
Shopify wholesale
Shopify Giftcard Cart
Shopify currency formatting
Yahoo Mail stored XSS
Google image search
Summary
SQL Injection
Origin
Types of SQL injection
In-band SQL injection
Inferential
Out-of-band SQL injection
Fundamental exploitation
Detecting and exploiting SQL injection as if tomorrow does not exist
Union
Interacting with the DBMS
Bypassing security controls
Blind exploitation
Out-of-band exploitation
Example
Automation
SQL injection in Drupal
Summary
Open Redirect Vulnerabilities
Redirecting to another URL
Constructing URLs
Executing code
URL shorteners
Why do open redirects work?
Detecting and exploiting open redirections
Exploitation
Impact
Black and white lists
Open redirects in the wild
Shopify theme install open redirect
Shopify login open redirect
HackerOne interstitial redirect
XSS and open redirect on Twitter
Facebook
Summary
Sub-Domain Takeovers
The sub-domain takeover
CNAME takeovers
NS takeover
MX takeovers
Internet-wide scans
Detecting possibly affected domains
Exploitation
Mitigation
Sub-domain takeovers in the wild
Ubiquiti sub-domain takeovers
Scan.me pointing to Zendesk
Starbucks' sub-domain takeover
Vine's sub-domain takeover
Uber's sub-domain takeover
Summary
XML External Entity Vulnerability
How XML works
How is an XXE produced?
Detecting and exploiting an XXE
Templates
XXEs in the wild
Read access to Google
A Facebook XXE with Word
The Wikiloc XXE
Summary
Template Injection
What's the problem?
Examples
Twig and FreeMarker
Smarty
Marko
Detection
Exploitation
Mitigation
SSTI in the wild
Uber Jinja2 SSTI
Uber Angular template injection
Yahoo SSTI vulnerability
Rails dynamic render
Summary
Top Bug Bounty Hunting Tools
HTTP proxies, request/response and traffic analyzers
Burp Suite
Wireshark
Firebug
ZAP – Zed Attack Proxy
Fiddler
Automated vulnerability discovery and exploitation
Websecurify (SECAPPS)
Acunetix
Nikto
sqlmap
Recognize
Knockpy
HostileSubBruteforcer
Nmap
Shodan
WhatCMS
Recon-ng
Extensions
FoxyProxy
User-Agent Switcher
HackBar
Cookies Manager+
Summary
Top Learning Resources
Training
Platzi
Udemy
GIAC
Offensive Security
Books and resources
Web Application Hacker's Handbook
OWASP Testing Guide
Hacking 101
The Hacker Playbook
Exploiting Software
CTFs and wargames
Hack The Box
Damn Vulnerable Web Application
Badstore
Metasploitable
YouTube channels
Web Hacking Pro Tips
BugCrowd
HackerOne
Social networks and blogs
Exploitware Labs
Philippe Harewood
PortSwigger's blog
Meetings and networking
LiveOverflow
OWASP meetings
DEFCON meetings
2600 meetings
Conferences
DEFCON
BlackHat
BugCON
Ekoparty
Code Blue
CCC
H2HC
8.8
Podcasts
PaulDotCom
Summary
Other Books You May Enjoy
Leave a review - let other readers know what you think