Book Image

Bug Bounty Hunting Essentials

By : Carlos A. Lozano, Shahmeer Amir
Book Image

Bug Bounty Hunting Essentials

By: Carlos A. Lozano, Shahmeer Amir

Overview of this book

Bug bounty programs are the deals offered by prominent companies where-in any white-hat hacker can find bugs in the applications and they will have a recognition for the same. The number of prominent organizations having this program has increased gradually leading to a lot of opportunity for Ethical Hackers. This book will initially start with introducing you to the concept of Bug Bounty hunting. Then we will dig deeper into concepts of vulnerabilities and analysis such as HTML injection, CRLF injection and so on. Towards the end of the book, we will get hands-on experience working with different tools used for bug hunting and various blogs and communities to be followed. This book will get you started with bug bounty hunting and its fundamentals.
Table of Contents (20 chapters)
Title Page
Copyright and Credits
About Packt
Contributors
Preface
Index

SSTI in the wild


We'll review some reported SSTI vulnerabilities; they're using different template engines, so remember the examples we have seen when we read them.

Uber Jinja2 TTSI

On April 6, 2016, a bug bounty hunter named Orange Tsai published an SSTI vulnerability in the Uber application, which used the Flask Jinja2 template engine.

Orange Tsai entered, in the Name field, located in the Profile section in rider.uber.com, these numbers to be evaluated:

{{ '7'*7 }}

When he accepted the change, the application sent an email and, in the email's body, there appeared 7777777, the result:

Also, in the Uber application, the name of the user changed, showing how valid the action was:

So, he entered the following Python code:

{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}} 
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}

The result was that he could extract all of the information about the currently running instance:

The tip you can use to detect this kind of...