Table of Contents for
Bug Bounty Hunting Essentials

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Bug Bounty Hunting Essentials by Shahmeer Amir Published by Packt Publishing, 2018
  1. Bug Bounty Hunting Essentials
  2. Title Page
  3. Copyright and Credits
  4. Bug Bounty Hunting Essentials
  5. About Packt
  6. Why subscribe?
  7. Packt.com
  8. Contributors
  9. About the authors
  10. About the reviewers
  11. Packt is searching for authors like you
  12. Table of Contents
  13. Preface
  14. Who this book is for
  15. What this book covers
  16. Conventions used
  17. Get in touch
  18. Reviews
  19. Disclaimer
  20. Basics of Bug Bounty Hunting
  21. Bug bounty hunting platforms
  22. HackerOne
  23. Bugcrowd
  24. Cobalt
  25. Synack
  26. Types of bug bounty program
  27. Public programs
  28. Private programs
  29. Bug bounty hunter statistics
  30. Number of vulnerabilities
  31. Number of halls of fame
  32. Reputation points
  33. Signal
  34. Impact
  35. Accuracy
  36. Bug bounty hunting methodology
  37. How to become a bug bounty hunter
  38. Reading books
  39. Practicing what you learned
  40. Reading proof of concepts
  41. Learning from reports
  42. Starting bug bounty hunting
  43. Learning and networking with others
  44. Rules of bug bounty hunting
  45. Targeting the right program
  46. Approaching the target with clarity
  47. Keeping your expectations low
  48. Learning about vulnerabilities
  49. Keeping yourself up-to-date
  50. Automating your vulnerabilities
  51. Gaining experience with bug bounty hunting
  52. Chaining vulnerabilities
  53. Summary
  54. How to Write a Bug Bounty Report
  55. Prerequisites of writing a bug bounty report
  56. Referring to the policy of the program
  57. Mission statement
  58. Participating services
  59. Excluded domains
  60. Reward and qualifications
  61. Eligibility for participation
  62. Conduct guidelines
  63. Nonqualifying vulnerabilities
  64. Commitment to researchers
  65. Salient features of a bug bounty report
  66. Clarity
  67. Depth
  68. Estimation
  69. Respect
  70. Format of a bug bounty report
  71. Writing title of a report
  72. Writing the description of a report
  73. Writing the proof of concept of a report
  74. Writing exploitability of a report
  75. Writing impact of a report
  76. Writing remediation
  77. Responding to the queries of the team
  78. Summary
  79. SQL Injection Vulnerabilities
  80. SQL injection
  81. Types of SQL injection vulnerability
  82. In-band SQLi (classic SQLi)
  83. Inferential SQLi (blind SQLi)
  84. Out-of-band SQLi
  85. Goals of an SQL injection attack for bug bounty hunters
  86. Uber SQL injection
  87. Key learning from this report
  88. Grab taxi SQL Injection
  89. Key learning from this report
  90. Zomato SQL injection
  91. Key learning from this report
  92. LocalTapiola SQL injection
  93. Key learning from this report
  94. Summary
  95. Cross-Site Request Forgery
  96. Protecting the cookies
  97. Why does the CSRF exist?
  98. GET CSRF
  99. POST CSRF
  100. CSRF-unsafe protections
  101. Secret cookies
  102. Request restrictions
  103. Complex flow
  104. URL rewriting
  105. Using HTTPS instead of HTTP
  106. CSRF – more safe protection
  107. Detecting and exploiting CSRF
  108. Avoiding problems with authentication
  109. XSS – CSRF's best friend
  110. Cross-domain policies
  111. HTML injection
  112. JavaScript hijacking
  113. CSRF in the wild
  114. Shopify for exporting installed users
  115. Shopify Twitter disconnect
  116. Badoo full account takeover
  117. Summary
  118. Application Logic Vulnerabilities
  119. Origins
  120. What is the main problem?
  121. Following the flow
  122. Spidering
  123. Points of interest
  124. Analysis
  125. User input
  126. Out-band channels
  127. Naming conventions
  128. Keywords related to technologies
  129. Analyzing the traffic
  130. Application logic vulnerabilities in the wild
  131. Bypassing the Shopify admin authentication
  132. Starbucks race conditions
  133. Binary.com vulnerability – stealing a user's money
  134. HackerOne signal manipulation
  135. Shopify S buckets open
  136. HackerOne S buckets open
  137. Bypassing the GitLab 2F authentication
  138. Yahoo PHP info disclosure
  139. Summary
  140. Cross-Site Scripting Attacks
  141. Types of cross-site scripting
  142. Reflected cross-site scripting
  143. Stored cross-site scripting
  144. DOM-based XSS
  145. Other types of XSS attacks
  146. Blind XSS
  147. Flash-based XSS
  148. Self XSS
  149. How do we detect XSS bugs?
  150. Detecting XSS bugs in real life
  151. Follow the flow
  152. Avoiding input validation controls
  153. Other common strings
  154. Bypassing filters using encoding
  155. Bypassing filters using tag modifiers
  156. Bypassing filters using dynamic constructed strings
  157. Workflow of an XSS attack
  158. HackeroneXSS
  159. Executing malicious JS
  160. Embedding unauthorized images in the report
  161. Redirecting users to a different website
  162. Key learning from this report
  163. Slack XSS
  164. Embedding malicious links to infect other users on Slack
  165. Key learning from this report
  166. TrelloXSS
  167. Key learning from this report
  168. Shopify XSS
  169. Key learning from this report
  170. Twitter XSS
  171. Key learning from this report
  172. Real bug bounty examples
  173. Shopify wholesale
  174. Shopify Giftcard Cart
  175. Shopify currency formatting
  176. Yahoo Mail stored XSS
  177. Google image search
  178. Summary
  179. SQL Injection
  180. Origin
  181. Types of SQL injection
  182. In-band SQL injection
  183. Inferential
  184. Out-of-band SQL injection
  185. Fundamental exploitation
  186. Detecting and exploiting SQL injection as if tomorrow does not exist
  187. Union
  188. Interacting with the DBMS
  189. Bypassing security controls
  190. Blind exploitation
  191. Out-band exploitations
  192. Example
  193. Automation
  194. SQL injection in Drupal
  195. Summary
  196. Open Redirect Vulnerabilities
  197. Redirecting to another URL
  198. Constructing URLs
  199. Executing code
  200. URL shorteners
  201. Why do open redirects work?
  202. Detecting and exploiting open redirections
  203. Exploitation
  204. Impact
  205. Black and white lists
  206. Open redirects in the wild
  207. Shopify theme install open redirect
  208. Shopify login open redirect
  209. HackerOne interstitial redirect
  210. XSS and open redirect on Twitter
  211. Facebook
  212. Summary
  213. Sub-Domain Takeovers
  214. The sub-domain takeover
  215. CNAME takeovers
  216. NS takeover
  217. MX takeovers
  218. Internet-wide scans
  219. Detecting possibly affected domains
  220. Exploitation
  221. Mitigation
  222. Sub-domain takeovers in the wild
  223. Ubiquiti sub-domain takeovers
  224. Scan.me pointing to Zendesk
  225. Starbucks' sub-domain takeover
  226. Vine's sub-domain takeover
  227. Uber's sub-domain takeover
  228. Summary
  229. XML External Entity Vulnerability
  230. How XML works
  231. How is an XXE produced?
  232. Detecting and exploiting an XXE
  233. Templates
  234. XXEs in the wild
  235. Read access to Google
  236. A Facebook XXE with Word
  237. The Wikiloc XXE
  238. Summary
  239. Template Injection
  240. What's the problem?
  241. Examples
  242. Twig and FreeMaker
  243. Smarty
  244. Marko
  245. Detection
  246. Exploitation
  247. Mitigation
  248. SSTI in the wild
  249. Uber Jinja2 TTSI
  250. Uber Angular template injection
  251. Yahoo SSTI vulnerability
  252. Rails dynamic render
  253. Summary
  254. Top Bug Bounty Hunting Tools
  255. HTTP proxies, requests, responses, and traffic analyzers
  256. Burp Suite
  257. Wireshark
  258. Firebug
  259. ZAP – Zed Attack Proxy
  260. Fiddler
  261. Automated vulnerability discovery and exploitation
  262. Websecurify (SECAPPS)
  263. Acunetix
  264. Nikto
  265. sqlmap
  266. Recognize
  267. Knockpy
  268. HostileSubBruteforcer
  269. Nmap
  270. Shodan
  271. What CMS
  272. Recon-ng
  273. Extensions
  274. FoxyProxy
  275. User-Agent Switcher
  276. HackBar
  277. Cookies Manager+
  278. Summary
  279. Top Learning Resources
  280. Training
  281. Platzi
  282. Udemy
  283. GIAC
  284. Offensive Security
  285. Books and resources
  286. Web Application Hacker's Handbook
  287. OWASP Testing Guide
  288. Hacking 101
  289. The Hacker Play Book
  290. Exploiting Software
  291. CTFs and wargames
  292. Hack The Box
  293. Damn Vulnerable Web Application
  294. Badstore
  295. Metasploitable
  296. YouTube channels
  297. Web Hacking Pro Tips
  298. BugCrowd
  299. HackerOne
  300. Social networks and blogs
  301. Exploitware Labs
  302. Philippe Hare Wood
  303. PortSwigger's blog
  304. Meetings and networking
  305. LiveOverflow
  306. OWASP meetings
  307. DEFCON meetings
  308. 2600 meetings
  309. Conferences
  310. DEFCON
  311. BlackHat
  312. BugCON
  313. Ekoparty
  314. Code Blue
  315. CCC
  316. H2HC
  317. 8.8
  318. Podcasts
  319. PaulDotCom
  320. Summary
  321. Other Books You May Enjoy
  322. Leave a review - let other readers know what you think

What this book covers

Chapter 1, Basics of Bug Bounty Hunting, gives you an overview of what bug bounty hunting is and what the key steps for doing it are, including the techniques, platforms, and tools that are necessary for it.

Chapter 2, How to Write a Bug Bounty Report, provides you with information on how to use a vulnerability coordination platform to write bug bounty reports and how to respond to company's questions with caution and respect. It will also provide tips on how to increase payouts.

Chapter 3, SQL Injection Vulnerabilities, focuses on CRLF bug bounty reports. A CRLF injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.

Chapter 4, Cross-Site Request Forgery, is about basic Cross-Site Request Forgery (CSRF) attacks and bug bounty reports. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Chapter 5, Application Logic Vulnerabilities, is about business logic and application logic flaws. Application business logic flaws are unique to each custom application, potentially very damaging, and difficult to test. Attackers exploit business logic by using deductive reasoning to trick and ultimately exploit the application.

Chapter 6, Cross-Site Scripting Attacks, covers Cross-Site Scripting (XSS) vulnerabilities. XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.

Chapter 7, SQL Injection, is mostly about finding SQL injection flaws in bug bounty programs. SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements via web page input.

Chapter 8, Open Redirect Vulnerabilities, is about open redirect vulnerabilities in web applications. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.

Chapter 9, Sub-Domain Takeover, focuses on sub-domain takeover vulnerabilities. A sub-domain takeover is considered a high-severity threat and boils down to the registration of a domain by somebody else (with malicious intentions) in order to gain control over one or more (sub-)domains.

Chapter 10, XML External Entity Vulnerability, is about XML External Entity (XXE) attacks. XXE refers to a specific type of Server-Side Request Forgery (SSRF) attack, whereby an attacker is able to cause Denial of Service (DoS) and access local or remote files and services by abusing a widely available, rarely used feature in an XML parser.

Chapter 11Template Injection, is mainly about template injection vulnerabilities. Template injection vulnerabilities arise when applications using a client-side or server-side template framework dynamically embed user input in web pages.

Chapter 12, Top Bug Bounty Hunting Tools, reviews the most used tools for web application security assessments. Most of them are open source or for free, but we will also mention some tools that are licensed.

Chapter 13, Top Learning Resources, lists some resources to be updated in the new technologies, exploiting techniques and vulnerability disclosures.