Book Image

Hands-On Bug Hunting for Penetration Testers

By : Joe Marshall, Himanshu Sharma

Book Image

Hands-On Bug Hunting for Penetration Testers

By: Joe Marshall, Himanshu Sharma

Overview of this book

Bug bounties have quickly become a critical part of the security economy. This book shows you how technical professionals with an interest in security can begin productively—and profitably—participating in bug bounty programs. You will learn about SQli, NoSQLi, XSS, XXE, and other forms of code injection. You’ll see how to create CSRF PoC HTML snippets, how to discover hidden content (and what to do with it once it’s found), and how to create the tools for automated pentesting work?ows. Then, you’ll format all of this information within the context of a bug report that will have the greatest chance of earning you cash. With detailed walkthroughs that cover discovering, testing, and reporting vulnerabilities, this book is ideal for aspiring security professionals. You should come away from this work with the skills you need to not only find the bugs you're looking for, but also the best bug bounty programs to participate in, and how to grow your skills moving forward in freelance security research.

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

Joining the Hunt

Joining the Hunt

Technical Requirements

The Benefits of Bug Bounty Programs

What You Should Already Know – Pentesting Background

Setting Up Your Environment – Tools To Know

What You Will Learn – Next Steps

How (Not) To Use This Book – A Warning

Further Reading

Choosing Your Hunting Ground

Choosing Your Hunting Ground

Technical Requirements

An Overview of Bug Bounty Communities – Where to Start Your Search

The Vulnerability of Web Applications – What You Should Target

Evaluating Rules of Engagement – How to Protect Yourself

Further Reading

Preparing for an Engagement

Preparing for an Engagement

Technical Requirements

Attack Surface Reconnaisance – Strategies and the Value of Standardization

Further Reading

Unsanitized Data – An XSS Case Study

Unsanitized Data – An XSS Case Study

Technical Requirements

A Quick Overview of XSS – The Many Varieties of XSS

Testing for XSS – Where to Find It, How to Verify It

XSS – An End-To-End Example

Further Reading

SQL, Code Injection, and Scanners

SQL, Code Injection, and Scanners

Technical Requirements

SQLi and Other Code Injection Attacks – Accepting Unvalidated Data

Testing for SQLi With Sqlmap – Where to Find It and How to Verify It

Trawling for Bugs – Using Google Dorks and Python for SQLi Discovery

Scanning for SQLi With Arachni

NoSQL Injection – Injecting Malformed MongoDB Queries

SQLi – An End-to-End Example

Further Reading

CSRF and Insecure Session Authentication

CSRF and Insecure Session Authentication

Technical Requirements

Building and Using CSRF PoCs

CSRF – An End-to-End Example

Further Reading

Detecting XML External Entities

Detecting XML External Entities

Technical requirements

A simple XXE example

XML injection vectors

XML injection and XXE – stronger together

Testing for XXE – where to find it, and how to verify it

XXE – an end-to-end example

Further reading

Access Control and Security Through Obscurity

Access Control and Security Through Obscurity

Technical Requirements

Security by Obscurity – The Siren Song

Data Leaks – What Information Matters?

Low Value Data – What Doesn’t Matter

Data Leak Vectors

Unmasking Hidden Content – How to Pull the Curtains Back

Data Leakage – An End-to-End Example

Further Reading

Framework and Application-Specific Vulnerabilities

Framework and Application-Specific Vulnerabilities

Technical Requirements

Known Component Vulnerabilities and CVEs – A Quick Refresher

WordPress – Using WPScan

Ruby on Rails – Rubysec Tools and Tricks

Django – Strategies for the Python App

Further Reading

Formatting Your Report

Formatting Your Report

Technical Requirements

Reproducing the Bug – How Your Submission Is Vetted

Critical Information – What Your Report Needs

Maximizing Your Award – The Features That Pay

Example Submission Reports – Where to Look

Hackerone Hacktivity

Vulnerability Lab Archive

Further Reading

Other Tools

Technical Requirements

Evaluating New Tools – What to Look For

Paid Versus Free Editions – What Makes a Tool Worth It?

A Quick Overview of Other Options – Nikto, Kali, Burp Extensions, and More

Further Reading

Other (Out of Scope) Vulnerabilities

Other (Out of Scope) Vulnerabilities

Technical Requirements

DoS/DDoS – The Denial-of-Service Problem

Sandboxed and Self-XSS – Low-Threat XSS Varieties

Non-Critical Data Leaks – What Companies Don’t Care About

Other Common No-Payout Vulnerabilities

Further Reading

Going Further

Further Reading

Assessment

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Chapter 5

Blind SQLi is SQLi where the results aren't visible; error-based SQLi expose sensitive information via carefully crafted SQL errors and time-based SQLi.
Aggressive SQLi injections can potentially damage a database or application.
Google Dorks are search queries designed to expose potentially vulnerable sites. The term comes from the hapless employee who mistakenly allows a sensitive document to be indexed by a public search engine.
--timeout, checks, --scope-include-subdomains, --http-request-concurrency MAX_CONCURRENCY, and --plugin 'PLUGIN:OPTION=VALUE,OPTION2=VALUE2' are all useful configuration flags for the arachni CLI.
You can generate reports from .afr files using the arachni_reporter CLI:

      arachni_reporter some_report.afr --reporter=html:outfile=my_report.html.zip

The $where clause in MongoDB is particularly vulnerable to injection.
If...