Book description
Real-World Bug Hunting is a field guide to finding software bugs. Ethical hacker Peter Yaworski breaks down common types of bugs, then contextualizes them with real bug bounty reports released by hackers on companies like Twitter, Facebook, Google, Uber, and Starbucks. As you read each report, you'll gain deeper insight into how the vulnerabilities work and how you might find similar ones.
Each chapter begins with an explanation of a vulnerability type, then moves into a series of real bug bounty reports that show how the bugs were found. You'll learn things like how Cross-Site Request Forgery tricks users into unknowingly submitting information to websites they are logged into; how to pass along unsafe JavaScript to execute Cross-Site Scripting; how to access another user's data via Insecure Direct Object References; how to trick websites into disclosing information with Server Side Request Forgeries; and how bugs in application logic can lead to pretty serious vulnerabilities. Yaworski also shares advice on how to write effective vulnerability reports and develop relationships with bug bounty programs, as well as recommends hacking tools that can make the job a little easier.
Publisher resources
Table of contents
- Cover Page
- Title Page
- Copyright Page
- About the Author
- About the Technical Reviewer
- Brief Contents
- Contents in Detail
- Foreword by Michiel Prins and Jobert Abma
- Acknowledgments
- Introduction
- 1 Bug Bounty Basics
- 2 Open Redirect
- 3 HTTP Parameter Pollution
- 4 Cross-Site Request Forgery
- 5 HTML Injection and Content Spoofing
- 6 Carriage Return Line Feed Injection
- 7 Cross-Site Scripting
- 8 Template Injection
- 9 SQL Injection
- 10 Server-Side Request Forgery
- 11 XML External Entity
- 12 Remote Code Execution
- 13 Memory Vulnerabilities
- 14 Subdomain Takeover
- 15 Race Conditions
- 16 Insecure Direct Object References
- 17 OAuth Vulnerabilities
-
18 Application Logic and Configuration Vulnerabilities
- Bypassing Shopify Administrator Privileges
- Bypassing Twitter Account Protections
- HackerOne Signal Manipulation
- HackerOne Incorrect S3 Bucket Permissions
- Bypassing GitLab Two-Factor Authentication
- Yahoo! PHP Info Disclosure
- HackerOne Hacktivity Voting
- Accessing PornHub’s Memcache Installation
- Summary
- 19 Finding Your Own Bug Bounties
- 20 Vulnerability Reports
- A Tools
- B Resources
- Index
Product information
- Title: Real-World Bug Hunting
- Author(s):
- Release date: June 2019
- Publisher(s): No Starch Press
- ISBN: 9781593278618
You might also like
book
Bug Bounty Hunting Essentials
Get hands-on experience on concepts of Bug Bounty Hunting Key Features Get well-versed with the fundamentals …
book
Kubernetes: Up and Running, 2nd Edition
Kubernetes radically changes the way applications are built and deployed in the cloud. Since its introduction …
book
API Security in Action
A web API is an efficient way to communicate with an application or service. However, this …
book
Kubernetes: Up and Running, 3rd Edition
In just five years, Kubernetes has radically changed the way developers and ops personnel build, deploy, …