Book Image

Bug Bounty Hunting Essentials

By : Carlos A. Lozano, Shahmeer Amir
Book Image

Bug Bounty Hunting Essentials

By: Carlos A. Lozano, Shahmeer Amir

Overview of this book

Bug bounty programs are the deals offered by prominent companies where-in any white-hat hacker can find bugs in the applications and they will have a recognition for the same. The number of prominent organizations having this program has increased gradually leading to a lot of opportunity for Ethical Hackers. This book will initially start with introducing you to the concept of Bug Bounty hunting. Then we will dig deeper into concepts of vulnerabilities and analysis such as HTML injection, CRLF injection and so on. Towards the end of the book, we will get hands-on experience working with different tools used for bug hunting and various blogs and communities to be followed. This book will get you started with bug bounty hunting and its fundamentals.

Related Content you might be interested in

Current Title:

Small book image
Bug Bounty Hunting Essentials
Carlos A. Lozano | Shahmeer Amir
Nov, 2018 | 270 pages
Small book image
Hands-On Application Penetration Testing with Burp Suite
Carlos A Lozano | Riyaz Ahemed Walikar | Dhruv Shah
Feb, 2019 | 366 pages
Small book image
Hands-On Bug Hunting for Penetration Testers
Joe Marshall
Sep, 2018 | 250 pages
Small book image
Kali Linux Web Penetration Testing Cookbook
Gilberto NajeraGutierrez
Aug, 2018 | 404 pages
Table of Contents (20 chapters)
Title Page
Title Page
Copyright and Credits
Copyright and Credits
About Packt
About Packt
Contributors
Contributors
Preface
Preface
Free Chapter
1
Basics of Bug Bounty Hunting
Basics of Bug Bounty Hunting
Bug bounty hunting platforms
Types of bug bounty program
Bug bounty hunter statistics
Bug bounty hunting methodology
How to become a bug bounty hunter
Rules of bug bounty hunting
Summary
2
How to Write a Bug Bounty Report
How to Write a Bug Bounty Report
Prerequisites of writing a bug bounty report
Salient features of a bug bounty report
Format of a bug bounty report
Responding to the queries of the team
Summary
3
SQL Injection Vulnerabilities
SQL Injection Vulnerabilities
SQL injection
Types of SQL injection vulnerability
Goals of an SQL injection attack for bug bounty hunters
Uber SQL injection
Grab taxi SQL Injection
Zomato SQL injection
LocalTapiola SQL injection
Summary
4
Cross-Site Request Forgery
Cross-Site Request Forgery
Protecting the cookies
Why does the CSRF exist?
Detecting and exploiting CSRF
XSS – CSRF's best friend
Cross-domain policies
CSRF in the wild
Summary
5
Application Logic Vulnerabilities
Application Logic Vulnerabilities
Origins
Following the flow
Application logic vulnerabilities in the wild
Summary
6
Cross-Site Scripting Attacks
Cross-Site Scripting Attacks
Types of cross-site scripting
How do we detect XSS bugs?
Workflow of an XSS attack
Real bug bounty examples
Summary
7
SQL Injection
SQL Injection
Origin
Example
Automation
SQL injection in Drupal
Summary
8
Open Redirect Vulnerabilities
Open Redirect Vulnerabilities
Redirecting to another URL
Constructing URLs
Executing code
URL shorteners
Why do open redirects work?
Detecting and exploiting open redirections
Exploitation
Impact
Black and white lists
Open redirects in the wild
Summary
9
Sub-Domain Takeovers
Sub-Domain Takeovers
The sub-domain takeover
Internet-wide scans
Exploitation
Mitigation
Sub-domain takeovers in the wild
Summary
10
XML External Entity Vulnerability
XML External Entity Vulnerability
How XML works
How is an XXE produced?
Detecting and exploiting an XXE
Templates
XXEs in the wild
Summary
11
Template Injection
Template Injection
What's the problem?
Detection
Exploitation
Mitigation
SSTI in the wild
Summary
12
Top Bug Bounty Hunting Tools
Top Bug Bounty Hunting Tools
HTTP proxies, requests, responses, and traffic analyzers
Automated vulnerability discovery and exploitation
Recognize
Extensions
Summary
13
Top Learning Resources
Top Learning Resources
Training
Books and resources
CTFs and wargames
YouTube channels
Social networks and blogs
Meetings and networking
Conferences
Podcasts
Summary
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think
Index
Index

Format of a bug bounty report

Based on my experience with bug bounties and pen test platforms, I have learned that a well-written report will make a major difference to your success. Over the years, I have developed a clear understanding of how to report flaws in a program and which flaws to report. This has led me to formulate a format for reporting, but this format is not universal and it may vary from person to person and case to case. But, it is something that you can adopt for clear reporting.

 

Writing title of a report

The report title is the first thing that the program owner looks at and notices about your report. The report title should be explicit and to the point. If the report title has emotional involvement to it, it is often not considered as a positive factor by the program owners. The title is the first impression about your report that the program owners get and it is what shows the level of maturity of the reporter and their experience. A straightforward title should be the...

Previous Section
End of Section 4
Next Section