Template Injection | Bug Bounty Hunting Essentials

Sign In Start Free Trial

Book Overview & Buying
Table Of Contents
Feedback & Rating

Bug Bounty Hunting Essentials

By : Shahmeer Amir , Carlos A. Lozano

3.3 (3)

Bug Bounty Hunting Essentials

3.3 (3)

By: Shahmeer Amir , Carlos A. Lozano

Overview of this book

Bug bounty programs are the deals offered by prominent companies where-in any white-hat hacker can find bugs in the applications and they will have a recognition for the same. The number of prominent organizations having this program has increased gradually leading to a lot of opportunity for Ethical Hackers. This book will initially start with introducing you to the concept of Bug Bounty hunting. Then we will dig deeper into concepts of vulnerabilities and analysis such as HTML injection, CRLF injection and so on. Towards the end of the book, we will get hands-on experience working with different tools used for bug hunting and various blogs and communities to be followed. This book will get you started with bug bounty hunting and its fundamentals.

Preface

Preface

Who this book is for

What this book covers

Get in touch

Disclaimer

Free Chapter

Basics of Bug Bounty Hunting

Basics of Bug Bounty Hunting

Bug bounty hunting platforms

Types of bug bounty program

Bug bounty hunter statistics

Bug bounty hunting methodology

How to become a bug bounty hunter

Rules of bug bounty hunting

Summary

How to Write a Bug Bounty Report

How to Write a Bug Bounty Report

Prerequisites of writing a bug bounty report

Salient features of a bug bounty report

Format of a bug bounty report

Responding to the queries of the team

Summary

SQL Injection Vulnerabilities

SQL Injection Vulnerabilities

SQL injection

Types of SQL injection vulnerability

Goals of an SQL injection attack for bug bounty hunters

Uber SQL injection

Grab taxi SQL Injection

Zomato SQL injection

LocalTapiola SQL injection

Summary

Cross-Site Request Forgery

Cross-Site Request Forgery

Protecting the cookies

Why does the CSRF exist?

Detecting and exploiting CSRF

XSS – CSRF's best friend

Cross-domain policies

CSRF in the wild

Summary

Application Logic Vulnerabilities

Application Logic Vulnerabilities

Origins

Following the flow

Application logic vulnerabilities in the wild

Summary

Cross-Site Scripting Attacks

Cross-Site Scripting Attacks

Types of cross-site scripting

How do we detect XSS bugs?

Workflow of an XSS attack

Real bug bounty examples

Summary

SQL Injection

SQL Injection

Origin

Example

Automation

SQL injection in Drupal

Summary

Open Redirect Vulnerabilities

Open Redirect Vulnerabilities

Redirecting to another URL

Constructing URLs

Executing code

URL shorteners

Why do open redirects work?

Detecting and exploiting open redirections

Exploitation

Impact

Black and white lists

Open redirects in the wild

Summary

Sub-Domain Takeovers

Sub-Domain Takeovers

The sub-domain takeover

Internet-wide scans

Exploitation

Mitigation

Sub-domain takeovers in the wild

Summary

XML External Entity Vulnerability

XML External Entity Vulnerability

How XML works

How is an XXE produced?

Detecting and exploiting an XXE

Templates

XXEs in the wild

Summary

Template Injection

Template Injection

What's the problem?

Detection

Exploitation

Mitigation

SSTI in the wild

Summary

Top Bug Bounty Hunting Tools

Top Bug Bounty Hunting Tools

HTTP proxies, requests, responses, and traffic analyzers

Automated vulnerability discovery and exploitation

Recognize

Extensions

Summary

Top Learning Resources

Top Learning Resources

Training

Books and resources

CTFs and wargames

YouTube channels

Social networks and blogs

Meetings and networking

Conferences

Podcasts

Summary

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

3.3 (3)

5 star

33.3%

4 star

0%

3 star

33.3%

2 star

33.3%

1 star

0%

SSTI in the wild

We'll review some reported SSTI vulnerabilities; they're using different template engines, so remember the examples we have seen when we read them.

Uber Jinja2 TTSI

On April 6, 2016, a bug bounty hunter named Orange Tsai published an SSTI vulnerability in the Uber application, which used the Flask Jinja2 template engine.

Orange Tsai entered, in the Name field, located in the Profile section in rider.uber.com, these numbers to be evaluated:

{{ '7'*7 }}

When he accepted the change, the application sent an email and, in the email's body, there appeared 7777777, the result:

Also, in the Uber application, the name of the user changed, showing how valid the action was:

So, he entered the following Python code:

{{ '7'*7 }}
{{ [].class.base.subclasses() }} # get all classes
{{''.class.mro()[1].subclasses()}} 
{%for c in [1,2,3] %}{{c,c,c}}{% endfor %}

The result was that he could extract all of the information about the currently running instance:

The tip you can use to detect this kind of...

Visually different images

CONTINUE READING

83

Tech Concepts

36

Programming languages

73

Tech Tools

Unlimited access to the largest independent learning library in tech of over 8,000 expert-authored tech books and videos.

Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.

50+ new titles added per month and exclusive early access to books as they are being written.

Bug Bounty Hunting Essentials

Search

Your notes and bookmarks