Book Image

Hands-On Bug Hunting for Penetration Testers

By : Joe Marshall, Himanshu Sharma

Book Image

Hands-On Bug Hunting for Penetration Testers

By: Joe Marshall, Himanshu Sharma

Overview of this book

Bug bounties have quickly become a critical part of the security economy. This book shows you how technical professionals with an interest in security can begin productively—and profitably—participating in bug bounty programs. You will learn about SQli, NoSQLi, XSS, XXE, and other forms of code injection. You’ll see how to create CSRF PoC HTML snippets, how to discover hidden content (and what to do with it once it’s found), and how to create the tools for automated pentesting work?ows. Then, you’ll format all of this information within the context of a bug report that will have the greatest chance of earning you cash. With detailed walkthroughs that cover discovering, testing, and reporting vulnerabilities, this book is ideal for aspiring security professionals. You should come away from this work with the skills you need to not only find the bugs you're looking for, but also the best bug bounty programs to participate in, and how to grow your skills moving forward in freelance security research.

Preface

Who this book is for

What this book covers

To get the most out of this book

Free Chapter

Joining the Hunt

Joining the Hunt

Technical Requirements

The Benefits of Bug Bounty Programs

What You Should Already Know – Pentesting Background

Setting Up Your Environment – Tools To Know

What You Will Learn – Next Steps

How (Not) To Use This Book – A Warning

Further Reading

Choosing Your Hunting Ground

Choosing Your Hunting Ground

Technical Requirements

An Overview of Bug Bounty Communities – Where to Start Your Search

The Vulnerability of Web Applications – What You Should Target

Evaluating Rules of Engagement – How to Protect Yourself

Further Reading

Preparing for an Engagement

Preparing for an Engagement

Technical Requirements

Attack Surface Reconnaisance – Strategies and the Value of Standardization

Further Reading

Unsanitized Data – An XSS Case Study

Unsanitized Data – An XSS Case Study

Technical Requirements

A Quick Overview of XSS – The Many Varieties of XSS

Testing for XSS – Where to Find It, How to Verify It

XSS – An End-To-End Example

Further Reading

SQL, Code Injection, and Scanners

SQL, Code Injection, and Scanners

Technical Requirements

SQLi and Other Code Injection Attacks – Accepting Unvalidated Data

Testing for SQLi With Sqlmap – Where to Find It and How to Verify It

Trawling for Bugs – Using Google Dorks and Python for SQLi Discovery

Scanning for SQLi With Arachni

NoSQL Injection – Injecting Malformed MongoDB Queries

SQLi – An End-to-End Example

Further Reading

CSRF and Insecure Session Authentication

CSRF and Insecure Session Authentication

Technical Requirements

Building and Using CSRF PoCs

CSRF – An End-to-End Example

Further Reading

Detecting XML External Entities

Detecting XML External Entities

Technical requirements

A simple XXE example

XML injection vectors

XML injection and XXE – stronger together

Testing for XXE – where to find it, and how to verify it

XXE – an end-to-end example

Further reading

Access Control and Security Through Obscurity

Access Control and Security Through Obscurity

Technical Requirements

Security by Obscurity – The Siren Song

Data Leaks – What Information Matters?

Low Value Data – What Doesn’t Matter

Data Leak Vectors

Unmasking Hidden Content – How to Pull the Curtains Back

Data Leakage – An End-to-End Example

Further Reading

Framework and Application-Specific Vulnerabilities

Framework and Application-Specific Vulnerabilities

Technical Requirements

Known Component Vulnerabilities and CVEs – A Quick Refresher

WordPress – Using WPScan

Ruby on Rails – Rubysec Tools and Tricks

Django – Strategies for the Python App

Further Reading

Formatting Your Report

Formatting Your Report

Technical Requirements

Reproducing the Bug – How Your Submission Is Vetted

Critical Information – What Your Report Needs

Maximizing Your Award – The Features That Pay

Example Submission Reports – Where to Look

Hackerone Hacktivity

Vulnerability Lab Archive

Further Reading

Other Tools

Technical Requirements

Evaluating New Tools – What to Look For

Paid Versus Free Editions – What Makes a Tool Worth It?

A Quick Overview of Other Options – Nikto, Kali, Burp Extensions, and More

Further Reading

Other (Out of Scope) Vulnerabilities

Other (Out of Scope) Vulnerabilities

Technical Requirements

DoS/DDoS – The Denial-of-Service Problem

Sandboxed and Self-XSS – Low-Threat XSS Varieties

Non-Critical Data Leaks – What Companies Don’t Care About

Other Common No-Payout Vulnerabilities

Further Reading

Going Further

Further Reading

Assessment

Other Books You May Enjoy

Other Books You May Enjoy

Leave a review - let other readers know what you think

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

A simple XXE example

There are a few different types of XXE attack which can attempt Remote Code Execution (RCE) or – as we covered in the introduction – disclose information from targeted files. Here's an example of the second variety, from OWASP's entry for XXE:

 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

Here, you can see the external entity and its attempt—through the location string's file prefix and the following system path—to access a sensitive file on the vulnerable server.

XXE can also be used to conduct DoS attacks through an XML variant of a popular logic bomb tactic called a Billion Laughs. A DoS attack that occurs via a logic bomb—a piece of...