Book Image

Bug Bounty Hunting Essentials

By : Carlos A. Lozano, Shahmeer Amir
Book Image

Bug Bounty Hunting Essentials

By: Carlos A. Lozano, Shahmeer Amir

Overview of this book

Bug bounty programs are the deals offered by prominent companies where-in any white-hat hacker can find bugs in the applications and they will have a recognition for the same. The number of prominent organizations having this program has increased gradually leading to a lot of opportunity for Ethical Hackers. This book will initially start with introducing you to the concept of Bug Bounty hunting. Then we will dig deeper into concepts of vulnerabilities and analysis such as HTML injection, CRLF injection and so on. Towards the end of the book, we will get hands-on experience working with different tools used for bug hunting and various blogs and communities to be followed. This book will get you started with bug bounty hunting and its fundamentals.
Table of Contents (20 chapters)
Title Page
Copyright and Credits
About Packt
Contributors
Preface
Index

XXEs in the wild


Now, we'll look at some real examples of XXEs and how they have been exploited in bounty programs.

Read access to Google

On April 11th, 2014, researchers from the Detectify security team reported a vulnerability in the Google search engine.

 

The reasons they selected the Google search engine to look for vulnerabilities were as follows:

  • They thought Google is such a big platform that it might have old or deprecated software.
  • It's a challenge to assess unknown and hardly accessible software.
  • They had access to proprietary software that only some people can access.
  • They had access to alpha and beta releases by Google.

So, they started to doing searches using Google Search:

Using searching techniques, they found some interesting systems and software. But they put their attention to the Google Toolbar button gallery. This was a personalized toolbar to manage Google buttons; the users could personalize it with new buttons or edit the existing ones. The Detectify team considered it a very...