Cover image for Bug Bounty Bootcamp

Bug Bounty Bootcamp

Author Vickie Li
Release Date: 2021/09/01
ISBN: 9781098129088
Topic:
0%
37
Chapters
0-1
Hours read
0k
Total Words
    Start Reading Now    
       Add to Wishlist       
View table of contents

A comprehensive guide for any web application hacker, Bug Bounty Bootcamp is a detailed exploration of the many vulnerabilities present in modern websites and the hands-on techniques you can use to most successfully exploit them.

Bug Bounty Bootcamp prepares you for participation in bug bounty programs, which companies set up to reward hackers for finding and reporting vulnerabilities in their applications. The Bootcamp begins with guidance on writing high-quality bug reports and building lasting relationships with client organizations. You’ll then set up a hacking lab and dive into the mechanisms of common web vulnerabilities, like XSS and SQL injection, aided by thorough explanations of what causes them, how you can exploit them, where to find them, and how to bypass protections. You’ll also explore recon strategies for gathering intel on a target and automate recon with bash scripting. Finally, you’ll wade into advanced techniques, like hacking mobile apps, testing APIs, and reviewing source code for vulnerabilities.

Along the way, you’ll learn how to:

•Identify and successfully exploit a wide array of common web vulnerabilities
•Set up a hacking environment, configure Burp Suite, and use its modules to intercept traffic and hunt for bugs
•Chain together multiple bugs for maximum impact and higher payouts
•Bypass protection mechanisms like input sanitization and blocklists to make your attacks succeed
•Automate tedious bug-hunting tasks with fuzzing and bash scripting
•Set up an Android app testing environment

Thousands of data breaches happen every year. By understanding vulnerabilities and how they happen, you can help prevent malicious attacks, protect apps and users, and make the internet a safer place. Happy bug hunting!

Table of Contents

  1. Title Page
  2. Copyright
  3. About the Author
  4. Foreword
  5. Introduction
    1. Who This Book Is For
    2. What Is In This Book
    3. Happy Hacking!
  6. Part I: The Industry
    1. Chapter 1: Picking a Bug Bounty Program
    2. The State of the Industry
    3. Asset Types
    4. Social Sites and Applications
    5. General Web Applications
    6. Mobile Applications (Android, iOS, and Windows)
    7. APIs
    8. Source Code and Executables
    9. Hardware and IoT
    10. Bug Bounty Platforms
    11. The Pros . . .
    12. . . . and the Cons
    13. Scope, Payouts, and Response Times
    14. Program Scope
    15. Payout Amounts
    16. Response Time
    17. Private Programs
    18. Choosing the Right Program
    19. A Quick Comparison of Popular Programs
    20. Chapter 2: Sustaining Your Success
    21. Writing a Good Report
    22. Step 1: Craft a Descriptive Title
    23. Step 2: Provide a Clear Summary
    24. Step 3: Include a Severity Assessment
    25. Step 4: Give Clear Steps to Reproduce
    26. Step 5: Provide a Proof of Concept
    27. Step 6: Describe the Impact and Attack Scenarios
    28. Step 7: Recommend Possible Mitigations
    29. Step 8: Validate the Report
    30. Additional Tips for Writing Better Reports
    31. Building a Relationship with the Development Team
    32. Understanding Report States
    33. Dealing with Conflict
    34. Building a Partnership
    35. Understanding Why You’re Failing
    36. Why You’re Not Finding Bugs
    37. Why Your Reports Get Dismissed
    38. What to Do When You’re Stuck
    39. Step 1: Take a Break!
    40. Step 2: Build Your Skill Set
    41. Step 3: Gain a Fresh Perspective
    42. Lastly, a Few Words of Experience
  7. Part II: Getting Started
    1. Chapter 3: How the Internet Works
    2. The Client-Server Model
    3. The Domain Name System
    4. Internet Ports
    5. HTTP Requests and Responses
    6. Internet Security Controls
    7. Content Encoding
    8. Session Management and HTTP Cookies
    9. Token-Based Authentication
    10. JSON Web Tokens
    11. The Same-Origin Policy
    12. Learn to Program
    13. Chapter 4: Environmental Setup and Traffic Interception
    14. Choosing an Operating System
    15. Setting Up the Essentials: A Browser and a Proxy
    16. Opening the Embedded Browser
    17. Setting Up Firefox
    18. Setting Up Burp
    19. Using Burp
    20. The Proxy
    21. The Intruder
    22. The Repeater
    23. The Decoder
    24. The Comparer
    25. Saving Burp Requests
    26. A Final Note on . . . Taking Notes
    27. Chapter 5: Web Hacking Reconnaissance
    28. Manually Walking Through the Target
    29. Google Dorking
    30. Scope Discovery
    31. WHOIS and Reverse WHOIS
    32. IP Addresses
    33. Certificate Parsing
    34. Subdomain Enumeration
    35. Service Enumeration
    36. Directory Brute-Forcing
    37. Spidering the Site
    38. Third-Party Hosting
    39. GitHub Recon
    40. Other Sneaky OSINT Techniques
    41. Tech Stack Fingerprinting
    42. Writing Your Own Recon Scripts
    43. Understanding Bash Scripting Basics
    44. Saving Tool Output to a File
    45. Adding the Date of the Scan to the Output
    46. Adding Options to Choose the Tools to Run
    47. Running Additional Tools
    48. Parsing the Results
    49. Building a Master Report
    50. Scanning Multiple Domains
    51. Writing a Function Library
    52. Building Interactive Programs
    53. Using Special Variables and Characters
    54. Scheduling Automatic Scans
    55. A Note on Recon APIs
    56. Start Hacking!
    57. Tools Mentioned in This Chapter
    58. Scope Discovery
    59. OSINT
    60. Tech Stack Fingerprinting
    61. Automation
  8. Part III: Web Vulnerabilities
    1. Chapter 6: Cross-Site Scripting
    2. Mechanisms
    3. Types of XSS
    4. Stored XSS
    5. Blind XSS
    6. Reflected XSS
    7. DOM-Based XSS
    8. Self-XSS
    9. Prevention
    10. Hunting for XSS
    11. Step 1: Look for Input Opportunities
    12. Step 2: Insert Payloads
    13. Step 3: Confirm the Impact
    14. Bypassing XSS Protection
    15. Alternative JavaScript Syntax
    16. Capitalization and Encoding
    17. Filter Logic Errors
    18. Escalating the Attack
    19. Automating XSS Hunting
    20. Finding Your First XSS!
    21. Chapter 7: Open Redirects
    22. Mechanisms
    23. Prevention
    24. Hunting for Open Redirects
    25. Step 1: Look for Redirect Parameters
    26. Step 2: Use Google Dorks to Find Additional Redirect Parameters
    27. Step 3: Test for Parameter-Based Open Redirects
    28. Step 4: Test for Referer-Based Open Redirects
    29. Bypassing Open-Redirect Protection
    30. Using Browser Autocorrect
    31. Exploiting Flawed Validator Logic
    32. Using Data URLs
    33. Exploiting URL Decoding
    34. Combining Exploit Techniques
    35. Escalating the Attack
    36. Finding Your First Open Redirect!
    37. Chapter 8: Clickjacking
    38. Mechanisms
    39. Prevention
    40. Hunting for Clickjacking
    41. Step 1: Look for State-Changing Actions
    42. Step 2: Check the Response Headers
    43. Step 3: Confirm the Vulnerability
    44. Bypassing Protections
    45. Escalating the Attack
    46. A Note on Delivering the Clickjacking Payload
    47. Finding Your First Clickjacking Vulnerability!
    48. Chapter 9: Cross-Site Request Forgery
    49. Mechanisms
    50. Prevention
    51. Hunting for CSRFs
    52. Step 1: Spot State-Changing Actions
    53. Step 2: Look for a Lack of CSRF Protections
    54. Step 3: Confirm the Vulnerability
    55. Bypassing CSRF Protection
    56. Exploit Clickjacking
    57. Change the Request Method
    58. Bypass CSRF Tokens Stored on the Server
    59. Bypass Double-Submit CSRF Tokens
    60. Bypass CSRF Referer Header Check
    61. Bypass CSRF Protection by Using XSS
    62. Escalating the Attack
    63. Leak User Information by Using CSRF
    64. Create Stored Self-XSS by Using CSRF
    65. Take Over User Accounts by Using CSRF
    66. Delivering the CSRF Payload
    67. Finding Your First CSRF!
    68. Chapter 10: Insecure Direct Object References
    69. Mechanisms
    70. Prevention
    71. Hunting for IDORs
    72. Step 1: Create Two Accounts
    73. Step 2: Discover Features
    74. Step 3: Capture Requests
    75. Step 4: Change the IDs
    76. Bypassing IDOR Protection
    77. Encoded IDs and Hashed IDs
    78. Leaked IDs
    79. Offer the Application an ID, Even If It Doesn’t Ask for One
    80. Keep an Eye Out for Blind IDORs
    81. Change the Request Method
    82. Change the Requested File Type
    83. Escalating the Attack
    84. Automating the Attack
    85. Finding Your First IDOR!
    86. Chapter 11: SQL Injection
    87. Mechanisms
    88. Injecting Code into SQL Queries
    89. Using Second-Order SQL Injections
    90. Prevention
    91. Hunting for SQL Injections
    92. Step 1: Look for Classic SQL Injections
    93. Step 2: Look for Blind SQL Injections
    94. Step 3: Exfiltrate Information by Using SQL Injections
    95. Step 4: Look for NoSQL Injections
    96. Escalating the Attack
    97. Learn About the Database
    98. Gain a Web Shell
    99. Automating SQL Injections
    100. Finding Your First SQL Injection!
    101. Chapter 12: Race Conditions
    102. Mechanisms
    103. When a Race Condition Becomes a Vulnerability
    104. Prevention
    105. Hunting for Race Conditions
    106. Step 1: Find Features Prone to Race Conditions
    107. Step 2: Send Simultaneous Requests
    108. Step 3: Check the Results
    109. Step 4: Create a Proof of Concept
    110. Escalating Race Conditions
    111. Finding Your First Race Condition!
    112. Chapter 13: Server-Side Request Forgery
    113. Mechanisms
    114. Prevention
    115. Hunting for SSRFs
    116. Step 1: Spot Features Prone to SSRFs
    117. Step 2: Provide Potentially Vulnerable Endpoints with Internal URLs
    118. Step 3: Check the Results
    119. Bypassing SSRF Protection
    120. Bypass Allowlists
    121. Bypass Blocklists
    122. Escalating the Attack
    123. Perform Network Scanning
    124. Pull Instance Metadata
    125. Exploit Blind SSRFs
    126. Attack the Network
    127. Finding Your First SSRF!
    128. Chapter 14: Insecure Deserialization
    129. Mechanisms
    130. PHP
    131. Java
    132. Prevention
    133. Hunting for Insecure Deserialization
    134. Escalating the Attack
    135. Finding Your First Insecure Deserialization!
    136. Chapter 15: XML External Entity
    137. Mechanisms
    138. Prevention
    139. Hunting for XXEs
    140. Step 1: Find XML Data Entry Points
    141. Step 2: Test for Classic XXE
    142. Step 3: Test for Blind XXE
    143. Step 4: Embed XXE Payloads in Different File Types
    144. Step 5: Test for XInclude Attacks
    145. Escalating the Attack
    146. Reading Files
    147. Launching an SSRF
    148. Using Blind XXEs
    149. Performing Denial-of-Service Attacks
    150. More About Data Exfiltration Using XXEs
    151. Finding Your First XXE!
    152. Chapter 16: Template Injection
    153. Mechanisms
    154. Template Engines
    155. Injecting Template Code
    156. Prevention
    157. Hunting for Template Injection
    158. Step 1: Look for User-Input Locations
    159. Step 2: Detect Template Injection by Submitting Test Payloads
    160. Step 3: Determine the Template Engine in Use
    161. Escalating the Attack
    162. Searching for System Access via Python Code
    163. Escaping the Sandbox by Using Python Built-in Functions
    164. Submitting Payloads for Testing
    165. Automating Template Injection
    166. Finding Your First Template Injection!
    167. Chapter 17: Application Logic Errors and Broken Access Control
    168. Application Logic Errors
    169. Broken Access Control
    170. Exposed Admin Panels
    171. Directory Traversal Vulnerabilities
    172. Prevention
    173. Hunting for Application Logic Errors and Broken Access Control
    174. Step 1: Learn About Your Target
    175. Step 2: Intercept Requests While Browsing
    176. Step 3: Think Outside the Box
    177. Escalating the Attack
    178. Finding Your First Application Logic Error or Broken Access Control!
    179. Chapter 18: Remote Code Execution
    180. Mechanisms
    181. Code Injection
    182. File Inclusion
    183. Prevention
    184. Hunting for RCEs
    185. Step 1: Gather Information About the Target
    186. Step 2: Identify Suspicious User Input Locations
    187. Step 3: Submit Test Payloads
    188. Step 4: Confirm the Vulnerability
    189. Escalating the Attack
    190. Bypassing RCE Protection
    191. Finding Your First RCE!
    192. Chapter 19: Same-Origin Policy Vulnerabilities
    193. Mechanisms
    194. Exploiting Cross-Origin Resource Sharing
    195. Exploiting postMessage()
    196. Exploiting JSON with Padding
    197. Bypassing SOP by Using XSS
    198. Hunting for SOP Bypasses
    199. Step 1: Determine If SOP Relaxation Techniques Are Used
    200. Step 2: Find CORS Misconfiguration
    201. Step 3: Find postMessage Bugs
    202. Step 4: Find JSONP Issues
    203. Step 5: Consider Mitigating Factors
    204. Escalating the Attack
    205. Finding Your First SOP Bypass Vulnerability!
    206. Chapter 20: Single-Sign-On Security Issues
    207. Mechanisms
    208. Cooking Sharing
    209. Security Assertion Markup Language
    210. OAuth
    211. Hunting for Subdomain Takeovers
    212. Step 1: List the Target’s Subdomains
    213. Step 2: Find Unregistered Pages
    214. Step 3: Register the Page
    215. Monitoring for Subdomain Takeovers
    216. Hunting for SAML Vulnerabilities
    217. Step 1: Locate the SAML Response
    218. Step 2: Analyze the Response Fields
    219. Step 3: Bypass the Signature
    220. Step 4: Re-encode the Message
    221. Hunting for OAuth Token Theft
    222. Escalating the Attack
    223. Finding Your First SSO Bypass!
    224. Chapter 21: Information Disclosure
    225. Mechanisms
    226. Prevention
    227. Hunting for Information Disclosure
    228. Step 1: Attempt a Path Traversal Attack
    229. Step 2: Search the Wayback Machine
    230. Step 3: Search Paste Dump Sites
    231. Step 4: Reconstruct Source Code from an Exposed .git Directory
    232. Step 5: Find Information in Public Files
    233. Escalating the Attack
    234. Finding Your First Information Disclosure!
  9. Part IV: Expert Techniques
    1. Chapter 22: Conducting Code Reviews
    2. White-Box vs. Black-Box Testing
    3. The Fast Approach: grep Is Your Best Friend
    4. Dangerous Patterns
    5. Leaked Secrets and Weak Encryption
    6. New Patches and Outdated Dependencies
    7. Developer Comments
    8. Debug Functionalities, Configuration Files, and Endpoints
    9. The Detailed Approach
    10. Important Functions
    11. User Input
    12. Exercise: Spot the Vulnerabilities
    13. Chapter 23: Hacking Android Apps
    14. Setting Up Your Mobile Proxy
    15. Bypassing Certificate Pinning
    16. Anatomy of an APK
    17. Tools to Use
    18. Android Debug Bridge
    19. Android Studio
    20. Apktool
    21. Frida
    22. Mobile Security Framework
    23. Hunting for Vulnerabilities
    24. Chapter 24: API Hacking
    25. What Are APIs?
    26. REST APIs
    27. SOAP APIs
    28. GraphQL APIs
    29. API-Centric Applications
    30. Hunting for API Vulnerabilities
    31. Performing Recon
    32. Testing for Broken Access Control and Info Leaks
    33. Testing for Rate-Limiting Issues
    34. Testing for Technical Bugs
    35. Chapter 25: Automatic Vulnerability Discovery Using Fuzzers
    36. What Is Fuzzing?
    37. How a Web Fuzzer Works
    38. The Fuzzing Process
    39. Step 1: Determine the Data Injection Points
    40. Step 2: Decide on the Payload List
    41. Step 3: Fuzz
    42. Step 4: Monitor the Results
    43. Fuzzing with Wfuzz
    44. Path Enumeration
    45. Brute-Forcing Authentication
    46. Testing for Common Web Vulnerabilities
    47. More About Wfuzz
    48. Fuzzing vs. Static Analysis
    49. Pitfalls of Fuzzing
    50. Adding to Your Automated Testing Toolkit
  10. Index
18.222.111.211