Bug Bounty Bootcamp teaches you how to hack web applications. You will learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them. You'll also learn how to navigate bug bounty programs set up by companies to reward security professionals for finding bugs in their web applications.
Bug bounty programs are company-sponsored programs that invite researchers to search for vulnerabilities on their applications and reward them for their findings. This book is designed to help beginners with little to no security experience learn web hacking, find bugs, and stay competitive in this booming and lucrative industry.
You'll start by learning how to choose a program, write quality bug reports, and maintain professional relationships in the industry. Then you'll learn how to set up a web hacking lab and use a proxy to capture traffic. In Part 3 of the book, you'll explore the mechanisms of common web vulnerabilities, like XSS, SQL injection, and template injection, and receive detailed advice on how to find them and bypass common protections. You'll also learn how to chain multiple bugs to maximize the impact of your vulnerabilities.
Finally, the book touches on advanced techniques rarely covered in introductory hacking books but crucial to understand when hacking web applications. You'll learn how to hack mobile apps, review an application's source code for security issues, find vulnerabilities in APIs, and automate your hacking process. By the end of the book, you'll have learned the tools and techniques necessary to be a competent web hacker and find bugs in a bug bounty program.
Author(s): Vickie Li
Edition: 1
Publisher: No Starch Press
Year: 2021
Language: English
Pages: 416
Tags: bug, bounty, bootcamp, web, vulnerabilities
Brief Contents
Contents in Detail
Introduction
Who This Book Is For
What Is In This Book
Happy Hacking!
Foreword
Part I: The Industry
Chapter 1: Picking a Bug Bounty Program
The State of the Industry
Asset Types
Social Sites and Applications
General Web Applications
Mobile Applications (Android, iOS, and Windows)
APIs
Source Code and Executables
Hardware and IoT
Bug Bounty Platforms
The Pros . . .
. . . and the Cons
Scope, Payouts, and Response Times
Program Scope
Payout Amounts
Response Time
Private Programs
Choosing the Right Program
A Quick Comparison of Popular Programs
Chapter 2: Sustaining Your Success
Writing a Good Report
Step 1: Craft a Descriptive Title
Step 2: Provide a Clear Summary
Step 3: Include a Severity Assessment
Step 4: Give Clear Steps to Reproduce
Step 5: Provide a Proof of Concept
Step 6: Describe the Impact and Attack Scenarios
Step 7: Recommend Possible Mitigations
Step 8: Validate the Report
Additional Tips for Writing Better Reports
Building a Relationship with the Development Team
Understanding Report States
Dealing with Conflict
Building a Partnership
Understanding Why You’re Failing
Why You’re Not Finding Bugs
Why Your Reports Get Dismissed
What to Do When You’re Stuck
Step 1: Take a Break!
Step 2: Build Your Skill Set
Step 3: Gain a Fresh Perspective
Lastly, a Few Words of Experience
Part II: Getting Started
Chapter 3: How the Internet Works
The Client-Server Model
The Domain Name System
Internet Ports
HTTP Requests and Responses
Internet Security Controls
Content Encoding
Session Management and HTTP Cookies
Token-Based Authentication
JSON Web Tokens
The Same-Origin Policy
Learn to Program
Chapter 4: Environmental Setup and Traffic Interception
Choosing an Operating System
Setting Up the Essentials: A Browser and a Proxy
Opening the Embedded Browser
Setting Up Firefox
Setting Up Burp
Using Burp
The Proxy
The Intruder
The Repeater
The Decoder
The Comparer
Saving Burp Requests
A Final Note on . . . Taking Notes
Chapter 5: Web Hacking Reconnaissance
Manually Walking Through the Target
Google Dorking
Scope Discovery
WHOIS and Reverse WHOIS
IP Addresses
Certificate Parsing
Subdomain Enumeration
Service Enumeration
Directory Brute-Forcing
Spidering the Site
Third-Party Hosting
GitHub Recon
Other Sneaky OSINT Techniques
Tech Stack Fingerprinting
Writing Your Own Recon Scripts
Understanding Bash Scripting Basics
Saving Tool Output to a File
Adding the Date of the Scan to the Output
Adding Options to Choose the Tools to Run
Running Additional Tools
Parsing the Results
Building a Master Report
Scanning Multiple Domains
Writing a Function Library
Building Interactive Programs
Using Special Variables and Characters
Scheduling Automatic Scans
A Note on Recon APIs
Start Hacking!
Tools Mentioned in This Chapter
Scope Discovery
OSINT
Tech Stack Fingerprinting
Automation
Part III: Web Vulnerabilities
Chapter 6: Cross-Site Scripting
Mechanisms
Types of XSS
Stored XSS
Blind XSS
Reflected XSS
DOM-Based XSS
Self-XSS
Prevention
Hunting for XSS
Step 1: Look for Input Opportunities
Step 2: Insert Payloads
Step 3: Confirm the Impact
Bypassing XSS Protection
Alternative JavaScript Syntax
Capitalization and Encoding
Filter Logic Errors
Escalating the Attack
Automating XSS Hunting
Finding Your First XSS!
Chapter 7: Open Redirects
Mechanisms
Prevention
Hunting for Open Redirects
Step 1: Look for Redirect Parameters
Step 2: Use Google Dorks to Find Additional Redirect Parameters
Step 3: Test for Parameter-Based Open Redirects
Step 4: Test for Referer-Based Open Redirects
Bypassing Open-Redirect Protection
Using Browser Autocorrect
Exploiting Flawed Validator Logic
Using Data URLs
Exploiting URL Decoding
Combining Exploit Techniques
Escalating the Attack
Finding Your First Open Redirect!
Chapter 8: Clickjacking
Mechanisms
Prevention
Hunting for Clickjacking
Step 1: Look for State-Changing Actions
Step 2: Check the Response Headers
Step 3: Confirm the Vulnerability
Bypassing Protections
Escalating the Attack
A Note on Delivering the Clickjacking Payload
Finding Your First Clickjacking Vulnerability!
Chapter 9: Cross-Site Request Forgery
Mechanisms
Prevention
Hunting for CSRFs
Step 1: Spot State-Changing Actions
Step 2: Look for a Lack of CSRF Protections
Step 3: Confirm the Vulnerability
Bypassing CSRF Protection
Exploit Clickjacking
Change the Request Method
Bypass CSRF Tokens Stored on the Server
Bypass Double-Submit CSRF Tokens
Bypass CSRF Referer Header Check
Bypass CSRF Protection by Using XSS
Escalating the Attack
Leak User Information by Using CSRF
Create Stored Self-XSS by Using CSRF
Take Over User Accounts by Using CSRF
Delivering the CSRF Payload
Finding Your First CSRF!
Chapter 10: Insecure Direct Object References
Mechanisms
Prevention
Hunting for IDORs
Step 1: Create Two Accounts
Step 2: Discover Features
Step 3: Capture Requests
Step 4: Change the IDs
Bypassing IDOR Protection
Encoded IDs and Hashed IDs
Leaked IDs
Offer the Application an ID, Even If It Doesn’t Ask for One
Keep an Eye Out for Blind IDORs
Change the Request Method
Change the Requested File Type
Escalating the Attack
Automating the Attack
Finding Your First IDOR!
Chapter 11: SQL Injection
Mechanisms
Injecting Code into SQL Queries
Using Second-Order SQL Injections
Prevention
Hunting for SQL Injections
Step 1: Look for Classic SQL Injections
Step 2: Look for Blind SQL Injections
Step 3: Exfiltrate Information by Using SQL Injections
Step 4: Look for NoSQL Injections
Escalating the Attack
Learn About the Database
Gain a Web Shell
Automating SQL Injections
Finding Your First SQL Injection!
Chapter 12: Race Conditions
Mechanisms
When a Race Condition Becomes a Vulnerability
Prevention
Hunting for Race Conditions
Step 1: Find Features Prone to Race Conditions
Step 2: Send Simultaneous Requests
Step 3: Check the Results
Step 4: Create a Proof of Concept
Escalating Race Conditions
Finding Your First Race Condition!
Chapter 13: Server-Side Request Forgery
Mechanisms
Prevention
Hunting for SSRFs
Step 1: Spot Features Prone to SSRFs
Step 2: Provide Potentially Vulnerable Endpoints with Internal URLs
Step 3: Check the Results
Bypassing SSRF Protection
Bypass Allowlists
Bypass Blocklists
Escalating the Attack
Perform Network Scanning
Pull Instance Metadata
Exploit Blind SSRFs
Attack the Network
Finding Your First SSRF!
Chapter 14: Insecure Deserialization
Mechanisms
PHP
Java
Prevention
Hunting for Insecure Deserialization
Escalating the Attack
Finding Your First Insecure Deserialization!
Chapter 15: XML External Entity
Mechanisms
Prevention
Hunting for XXEs
Step 1: Find XML Data Entry Points
Step 2: Test for Classic XXE
Step 3: Test for Blind XXE
Step 4: Embed XXE Payloads in Different File Types
Step 5: Test for XInclude Attacks
Escalating the Attack
Reading Files
Launching an SSRF
Using Blind XXEs
Performing Denial-of-Service Attacks
More About Data Exfiltration Using XXEs
Finding Your First XXE!
Chapter 16: Template Injection
Mechanisms
Template Engines
Injecting Template Code
Prevention
Hunting for Template Injection
Step 1: Look for User-Input Locations
Step 2: Detect Template Injection by Submitting Test Payloads
Step 3: Determine the Template Engine in Use
Escalating the Attack
Searching for System Access via Python Code
Escaping the Sandbox by Using Python Built-in Functions
Submitting Payloads for Testing
Automating Template Injection
Finding Your First Template Injection!
Chapter 17: Application Logic Errors and Broken Access Control
Application Logic Errors
Broken Access Control
Exposed Admin Panels
Directory Traversal Vulnerabilities
Prevention
Hunting for Application Logic Errors and Broken Access Control
Step 1: Learn About Your Target
Step 2: Intercept Requests While Browsing
Step 3: Think Outside the Box
Escalating the Attack
Finding Your First Application Logic Error or Broken Access Control!
Chapter 18: Remote Code Execution
Mechanisms
Code Injection
File Inclusion
Prevention
Hunting for RCEs
Step 1: Gather Information About the Target
Step 2: Identify Suspicious User Input Locations
Step 3: Submit Test Payloads
Step 4: Confirm the Vulnerability
Escalating the Attack
Bypassing RCE Protection
Finding Your First RCE!
Chapter 19: Same-Origin Policy Vulnerabilities
Mechanisms
Exploiting Cross-Origin Resource Sharing
Exploiting postMessage()
Exploiting JSON with Padding
Bypassing SOP by Using XSS
Hunting for SOP Bypasses
Step 1: Determine If SOP Relaxation Techniques Are Used
Step 2: Find CORS Misconfiguration
Step 3: Find postMessage Bugs
Step 4: Find JSONP Issues
Step 5: Consider Mitigating Factors
Escalating the Attack
Finding Your First SOP Bypass Vulnerability!
Chapter 20: Single-Sign-On Security Issues
Mechanisms
Cookie Sharing
Security Assertion Markup Language
OAuth
Hunting for Subdomain Takeovers
Step 1: List the Target’s Subdomains
Step 2: Find Unregistered Pages
Step 3: Register the Page
Monitoring for Subdomain Takeovers
Hunting for SAML Vulnerabilities
Step 1: Locate the SAML Response
Step 2: Analyze the Response Fields
Step 3: Bypass the Signature
Step 4: Re-encode the Message
Hunting for OAuth Token Theft
Escalating the Attack
Finding Your First SSO Bypass!
Chapter 21: Information Disclosure
Mechanisms
Prevention
Hunting for Information Disclosure
Step 1: Attempt a Path Traversal Attack
Step 2: Search the Wayback Machine
Step 3: Search Paste Dump Sites
Step 4: Reconstruct Source Code from an Exposed .git Directory
Step 5: Find Information in Public Files
Escalating the Attack
Finding Your First Information Disclosure!
Part IV: Expert Techniques
Chapter 22: Conducting Code Reviews
White-Box vs. Black-Box Testing
The Fast Approach: grep Is Your Best Friend
Dangerous Patterns
Leaked Secrets and Weak Encryption
New Patches and Outdated Dependencies
Developer Comments
Debug Functionalities, Configuration Files, and Endpoints
The Detailed Approach
Important Functions
User Input
Exercise: Spot the Vulnerabilities
Chapter 23: Hacking Android Apps
Setting Up Your Mobile Proxy
Bypassing Certificate Pinning
Anatomy of an APK
Tools to Use
Android Debug Bridge
Android Studio
Apktool
Frida
Mobile Security Framework
Hunting for Vulnerabilities
Chapter 24: API Hacking
What Are APIs?
REST APIs
SOAP APIs
GraphQL APIs
API-Centric Applications
Hunting for API Vulnerabilities
Performing Recon
Testing for Broken Access Control and Info Leaks
Testing for Rate-Limiting Issues
Testing for Technical Bugs
Chapter 25: Automatic Vulnerability Discovery Using Fuzzers
What Is Fuzzing?
How a Web Fuzzer Works
The Fuzzing Process
Step 1: Determine the Data Injection Points
Step 2: Decide on the Payload List
Step 3: Fuzz
Step 4: Monitor the Results
Fuzzing with Wfuzz
Path Enumeration
Brute-Forcing Authentication
Testing for Common Web Vulnerabilities
More About Wfuzz
Fuzzing vs. Static Analysis
Pitfalls of Fuzzing
Adding to Your Automated Testing Toolkit
Index