Web Hacking 101 (Peter Yaworski) (Z-Library)

Author: Peter Yaworski


On December 22, 2015, Twitter paid over $14,000 to ethical hackers for exposing vulnerabilities. This wasn't a shakedown. Sites like Twitter, Shopify, Dropbox, Yahoo, Google, Facebook and more, ask ethical hackers to report security bugs and pay them. This book will teach you how you can get started with ethical hacking.

📄 File Format: PDF
💾 File Size: 9.4 MB

📄 Text Preview (First 20 pages)


Web Hacking 101: How to Make Money Hacking Ethically
Peter Yaworski

This book is for sale at http://leanpub.com/web-hacking-101

This version was published on 2018-11-30

This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do.

© 2015 - 2018 Peter Yaworski
Tweet This Book!

Please help Peter Yaworski by spreading the word about this book on Twitter! The suggested tweet for this book is:

Can't wait to read Web Hacking 101: How to Make Money Hacking Ethically by @yaworsk #bugbounty

The suggested hashtag for this book is #bugbounty. Find out what other people are saying about the book by clicking on this link to search for this hashtag on Twitter: #bugbounty
To Andrea and Ellie, thank you for supporting my constant roller coaster of motivation and confidence. Not only would I never have finished this book without you, my journey into hacking never would have even begun.

To the HackerOne team, this book wouldn't be what it is if it were not for you. Thank you for all the support, feedback and work that you contributed to make this book more than just an analysis of 30 disclosures.

Lastly, while this book sells for a minimum of $9.99, sales at or above the suggested price of $19.99 help me to keep the minimum price low, so this book remains accessible to people who can't afford to pay more. Those sales also allow me to take time away from hacking to continually add content and make the book better so we can all learn together. While I wish I could list everyone who has paid more than the minimum to say thank you, the list would be too long and I don't actually know any contact details of buyers unless they reach out to me. However, there is a small group who paid more than the suggested price when making their purchases, which really goes a long way. I'd like to recognize them here. They include:

1. @Ebrietas0
2. Mystery Buyer
3. Mystery Buyer
4. @nahamsec (Ben Sadeghipour)
5. Mystery Buyer
6. @Spam404Online
7. @Danyl0D (Danylo Matviyiv)
8. Mystery Buyer
9. @arneswinnen (Arne Swinnen)

If you should be on this list, please DM me on Twitter. To everyone who purchased a copy of this, thank you!
Contents

1. Foreword (p. 1)
2. Introduction (p. 3)
   How It All Started (p. 3)
   Just 30 Examples and My First Sale (p. 4)
   Who This Book Is Written For (p. 6)
   Chapter Overview (p. 7)
   Word of Warning and a Favour (p. 9)
3. Background (p. 10)
4. Open Redirect Vulnerabilities (p. 13)
   Description (p. 13)
   Examples (p. 14)
     1. Shopify Theme Install Open Redirect (p. 14)
     2. Shopify Login Open Redirect (p. 14)
     3. HackerOne Interstitial Redirect (p. 16)
   Summary (p. 17)
5. HTTP Parameter Pollution (p. 19)
   Description (p. 19)
   Examples (p. 22)
     1. HackerOne Social Sharing Buttons (p. 22)
     2. Twitter Unsubscribe Notifications (p. 23)
     3. Twitter Web Intents (p. 24)
   Summary (p. 27)
6. Cross-Site Request Forgery (p. 28)
   Description (p. 28)
   Examples (p. 32)
     1. Shopify Twitter Disconnect (p. 32)
     2. Change Users Instacart Zones (p. 34)
     3. Badoo Full Account Takeover (p. 35)
   Summary (p. 37)
7. HTML Injection (p. 38)
   Description (p. 38)
   Examples (p. 38)
     1. Coinbase Comments (p. 38)
     2. HackerOne Unintended HTML Inclusion (p. 40)
     3. Within Security Content Spoofing (p. 41)
   Summary (p. 43)
8. CRLF Injection (p. 44)
   Description (p. 44)
     1. Twitter HTTP Response Splitting (p. 45)
     2. v.shopify.com Response Splitting (p. 47)
   Summary (p. 49)
9. Cross-Site Scripting (p. 50)
   Description (p. 50)
   Examples (p. 55)
     1. Shopify Wholesale (p. 55)
     2. Shopify Giftcard Cart (p. 57)
     3. Shopify Currency Formatting (p. 59)
     4. Yahoo Mail Stored XSS (p. 60)
     5. Google Image Search (p. 62)
     6. Google Tagmanager Stored XSS (p. 63)
     7. United Airlines XSS (p. 64)
   Summary (p. 69)
10. Template Injection (p. 70)
   Description (p. 70)
     Server Side Template Injections (p. 70)
     Client Side Template Injections (p. 71)
   Examples (p. 72)
     1. Uber Angular Template Injection (p. 72)
     2. Uber Template Injection (p. 73)
     3. Rails Dynamic Render (p. 76)
   Summary (p. 77)
11. SQL Injection (p. 78)
   Description (p. 78)
     SQL Databases (p. 78)
     Countermeasures Against SQLi (p. 80)
   Examples (p. 80)
     1. Drupal SQL Injection (p. 80)
     2. Yahoo Sports Blind SQL (p. 83)
     3. Uber Blind SQLi (p. 86)
   Summary (p. 89)
12. Server Side Request Forgery (p. 90)
   Description (p. 90)
     HTTP Request Location (p. 90)
     Invoking GET Versus POST Requests (p. 91)
     Blind SSRFs (p. 91)
     Leveraging SSRF (p. 92)
   Examples (p. 93)
     1. ESEA SSRF and Querying AWS Metadata (p. 93)
     2. Google Internal DNS SSRF (p. 94)
     3. Internal Port Scanning (p. 98)
   Summary (p. 100)
13. XML External Entity Vulnerability (p. 101)
   Description (p. 101)
   Examples (p. 106)
     1. Read Access to Google (p. 106)
     2. Facebook XXE with Word (p. 107)
     3. Wikiloc XXE (p. 110)
   Summary (p. 113)
14. Remote Code Execution (p. 114)
   Description (p. 114)
   Examples (p. 114)
     1. Polyvore ImageMagick (p. 114)
     2. Algolia RCE on facebooksearch.algolia.com (p. 116)
     3. Foobar Smarty Template Injection RCE (p. 118)
   Summary (p. 122)
15. Memory (p. 123)
   Description (p. 123)
     Buffer Overflow (p. 123)
     Read out of Bounds (p. 124)
     Memory Corruption (p. 126)
   Examples (p. 127)
     1. PHP ftp_genlist() (p. 127)
     2. Python Hotshot Module (p. 128)
     3. Libcurl Read Out of Bounds (p. 129)
     4. PHP Memory Corruption (p. 130)
   Summary (p. 131)
16. Sub Domain Takeover (p. 132)
   Description (p. 132)
   Examples (p. 132)
     1. Ubiquiti Sub Domain Takeover (p. 132)
     2. Scan.me Pointing to Zendesk (p. 133)
     3. Shopify Windsor Sub Domain Takeover (p. 134)
     4. Snapchat Fastly Takeover (p. 135)
     5. api.legalrobot.com (p. 137)
     6. Uber SendGrid Mail Takeover (p. 140)
   Summary (p. 143)
17. Race Conditions (p. 144)
   Description (p. 144)
   Examples (p. 146)
     1. Starbucks Race Conditions (p. 146)
     2. Accepting HackerOne Invites Multiple Times (p. 147)
     3. Exceeding Keybase Invitation Limits (p. 150)
     4. HackerOne Payments (p. 151)
   Summary (p. 153)
18. Insecure Direct Object References (p. 154)
   Description (p. 154)
   Examples (p. 155)
     1. Binary.com Privilege Escalation (p. 155)
     2. Moneybird App Creation (p. 156)
     3. Twitter Mopub API Token Stealing (p. 158)
   Summary (p. 160)
19. OAuth (p. 161)
   Description (p. 161)
   Examples (p. 165)
     1. Swiping Facebook Official Access Tokens (p. 165)
     2. Stealing Slack OAuth Tokens (p. 166)
     3. Stealing Google Drive Spreadsheets (p. 167)
   Summary (p. 170)
20. Application Logic Vulnerabilities (p. 171)
   Description (p. 171)
   Examples (p. 172)
     1. Shopify Administrator Privilege Bypass (p. 172)
     2. HackerOne Signal Manipulation (p. 173)
     3. Shopify S3 Buckets Open (p. 174)
     4. HackerOne S3 Buckets Open (p. 175)
     5. Bypassing GitLab Two Factor Authentication (p. 177)
     6. Yahoo PHP Info Disclosure (p. 179)
     7. HackerOne Hacktivity Voting (p. 180)
     8. Accessing PornHub's Memcache Installation (p. 183)
     9. Bypassing Twitter Account Protections (p. 185)
   Summary (p. 186)
21. Getting Started (p. 188)
   Reconnaissance (p. 188)
     Subdomain Enumeration (p. 189)
     Port Scanning (p. 190)
     Screenshotting (p. 190)
     Content Discovery (p. 191)
     Previous Bugs (p. 192)
   Testing the Application (p. 193)
     The Technology Stack (p. 193)
     Functionality Mapping (p. 194)
     Finding Vulnerabilities (p. 195)
   Going Further (p. 196)
   Summary (p. 198)
22. Vulnerability Reports (p. 199)
   Read the disclosure guidelines. (p. 199)
   Include Details. Then Include More. (p. 199)
   Confirm the Vulnerability (p. 200)
   Show Respect for the Company (p. 200)
   Bounties (p. 202)
   Don't Shout Hello Before Crossing the Pond (p. 202)
   Parting Words (p. 203)
23. Tools (p. 205)
   Burp Suite (p. 205)
   ZAP Proxy (p. 205)
   Knockpy (p. 206)
   HostileSubBruteforcer (p. 206)
   Sublist3r (p. 206)
   crt.sh (p. 206)
   IPV4info.com (p. 207)
   SecLists (p. 207)
   XSSHunter (p. 207)
   sqlmap (p. 207)
   Nmap (p. 208)
   Eyewitness (p. 208)
   Gowitness (p. 209)
   Gobuster (p. 209)
   Meg (p. 209)
   Shodan (p. 209)
   Censys (p. 210)
   What CMS (p. 210)
   BuiltWith (p. 210)
   Nikto (p. 210)
   Recon-ng (p. 211)
   GitRob (p. 211)
   CyberChef (p. 211)
   OnlineHashCrack.com (p. 212)
   idb (p. 212)
   Wireshark (p. 212)
   Bucket Finder (p. 212)
   Race the Web (p. 212)
   Google Dorks (p. 213)
   JD GUI (p. 213)
   Mobile Security Framework (p. 213)
   Ysoserial (p. 213)
   Firefox Plugins (p. 214)
     FoxyProxy (p. 214)
     User Agent Switcher (p. 214)
     Firebug (p. 214)
     Hackbar (p. 214)
     Websecurify (p. 214)
     Cookie Manager+ (p. 215)
     XSS Me (p. 215)
     Offsec Exploit-db Search (p. 215)
     Wappalyzer (p. 215)
24. Resources (p. 216)
   Online Training (p. 216)
     Web Application Exploits and Defenses (p. 216)
     The Exploit Database (p. 216)
     Udacity (p. 216)
   Bug Bounty Platforms (p. 216)
     Hackerone.com (p. 216)
     Bugcrowd.com (p. 217)
     Synack.com (p. 217)
     Cobalt.io (p. 217)
   Video Tutorials (p. 217)
     youtube.com/yaworsk1 (p. 217)
     Seccasts.com (p. 217)
     How to Shot Web (p. 217)
   Further Reading (p. 218)
     OWASP.com (p. 218)
     Hackerone.com/hacktivity (p. 218)
     https://bugzilla.mozilla.org (p. 218)
     Twitter #infosec and #bugbounty (p. 218)
     Twitter @disclosedh1 (p. 218)
     Web Application Hackers Handbook (p. 218)
     Bug Hunters Methodology (p. 219)
   Recommended Blogs (p. 219)
     philippeharewood.com (p. 219)
     Philippe's Facebook Page - www.facebook.com/phwd-113702895386410 (p. 219)
     fin1te.net (p. 219)
     NahamSec.com (p. 219)
     blog.it-securityguard.com (p. 220)
     blog.innerht.ml (p. 220)
     blog.orange.tw (p. 220)
     Portswigger Blog (p. 220)
     Nvisium Blog (p. 220)
     blog.zsec.uk (p. 220)
     brutelogic.com.br (p. 220)
     lcamtuf.blogspot.ca (p. 221)
     Bug Crowd Blog (p. 221)
     HackerOne Blog (p. 221)
   Cheatsheets (p. 221)
25. Glossary (p. 222)
   Black Hat Hacker (p. 222)
   Buffer Overflow (p. 222)
   Bug Bounty Program (p. 222)
   Bug Report (p. 222)
   CRLF Injection (p. 222)
   Cross Site Request Forgery (p. 223)
   Cross Site Scripting (p. 223)
   HTML Injection (p. 223)
   HTTP Parameter Pollution (p. 223)
   HTTP Response Splitting (p. 223)
   Memory Corruption (p. 223)
   Open Redirect (p. 224)
   Penetration Testing (p. 224)
   Researchers (p. 224)
   Response Team (p. 224)
   Responsible Disclosure (p. 224)
   Vulnerability (p. 224)
   Vulnerability Coordination (p. 225)
   Vulnerability Disclosure (p. 225)
   White Hat Hacker (p. 225)
26. Appendix A - Take Aways (p. 226)
   Open Redirects (p. 226)
   HTTP Parameter Pollution (p. 227)
   Cross Site Request Forgery (p. 227)
   HTML Injection (p. 228)
   CRLF Injections (p. 229)
   Cross-Site Scripting (p. 229)
   SSTI (p. 231)
   SQL Injection (p. 232)
   Server Side Request Forgery (p. 232)
   XML External Entity Vulnerability (p. 233)
   Remote Code Execution (p. 234)
   Memory (p. 235)
   Sub Domain Takeover (p. 236)
   Race Conditions (p. 237)
   Insecure Direct Object References (p. 238)
   OAuth (p. 239)
   Application Logic Vulnerabilities (p. 240)
27. Appendix B - Web Hacking 101 Changelog (p. 242)
📄 Page 13
1. Foreword The best way to learn is simply by doing. That is how we - Michiel Prins and Jobert Abma - learned to hack. We were young. Like all hackers who came before us, and all of those who will come after, we were driven by an uncontrollable, burning curiosity to understand how things worked. We were mostly playing computer games, and by age 12 we decided to learn how to build software of our own. We learned how to program in Visual Basic and PHP from library books and practice. Fromour understanding of software development, we quickly discovered that these skills allowed us to find other developers’ mistakes. We shifted from building to breaking and hacking has been our passion ever since. To celebrate our high school graduation, we took over a TV station’s broadcast channel to air an ad congratulating our graduating class. While amusing at the time, we quickly learned there are consequences and these are not the kind of hackers the world needs. The TV station and school were not amused and we spent the summer washing windows as our punishment. In college, we turned our skills into a viable consulting business that, at its peak, had clients in the public and private sector across the entire world. Our hacking experience led us to HackerOne, a company we co-founded in 2012. We wanted to allow every company in the universe to work with hackers successfully and this continues to be HackerOne’s mission today. If you’re reading this, you also have the curiosity needed to be a hacker and bug hunter. We believe this book will be a tremendous guide along your journey. It’s filled with rich, real world examples of security vulnerability reports that resulted in real bug bounties, along with helpful analysis and review by Pete Yaworski, the author and a fellow hacker. He is your companion as you learn, and that’s invaluable. Another reason this book is so important is that it focuses on how to become an ethical hacker. 
Mastering the art of hacking can be an extremely powerful skill that we hope will be used for good. The most successful hackers know how to navigate the thin line between right and wrong while hacking. Many people can break things, and even try to make a quick buck doing so. But imagine you can make the Internet safer, work with amazing companies around the world, and even get paid along the way. Your talent has the potential of keeping billions of people and their data secure. That is what we hope you aspire to. We are grateful to no end to Pete for taking his time to document all of this so eloquently. We wish we had this resource when we were getting started. Pete’s book is a joy to read with the information needed to kickstart your hacking journey.
Happy reading, and happy hacking! Remember to hack responsibly.

Michiel Prins and Jobert Abma
Co-Founders, HackerOne
2. Introduction

Thank you for purchasing this book, I hope you have as much fun reading it as I did researching and writing it. Web Hacking 101 is my first book, meant to help you get started hacking. I began writing this as a self-published explanation of 30 vulnerabilities, a by-product of my own learning. It quickly turned into so much more. My hope for the book, at the very least, is to open your eyes to the vast world of hacking. At best, I hope this will be your first step towards making the web a safer place while earning some money doing it.

How It All Started

In late 2015, I stumbled across the book, We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency by Parmy Olson and ended up reading it in a week. Having finished it though, I was left wondering how these hackers got started. I was thirsty for more, but I didn't just want to know WHAT hackers did, I wanted to know HOW hackers did it. So I kept reading. But each time I finished a new book, I was still left with the same questions:

• How do other Hackers learn about the vulnerabilities they find?
• Where are people finding vulnerabilities?
• How do Hackers start the process of hacking a target site?
• Is Hacking just about using automated tools?
• How can I get started finding vulnerabilities?

But looking for more answers kept opening more and more doors. Around this same time, I was taking Coursera Android development courses and keeping an eye out for other interesting courses. The Coursera Cybersecurity specialization caught my eye, particularly Course 2, Software Security. Luckily for me, it was just starting (as of February 2016, it is listed as Coming Soon) and I enrolled. A few lectures in, I finally understood what a buffer overflow was and how it was exploited. I fully grasped how SQL injections were achieved whereas before, I only knew the danger. In short, I was hooked. Up until this point, I always approached web security
from the developer's perspective, appreciating the need to sanitize values and avoid using user input directly. Now I was beginning to understand what it all looked like from a hacker's perspective.

I kept looking for more information on how to hack and came across Bugcrowd's forums. Unfortunately they weren't overly active at the time but there someone mentioned HackerOne's hacktivity and linked to a report. Following the link, I was amazed. I was reading a description of a vulnerability, written to a company, who then disclosed it to the world. Perhaps more importantly, the company actually paid the hacker to find and report this! That was a turning point, I became obsessed. Especially when a homegrown Canadian company, Shopify, seemed to be leading the pack in disclosures at the time. Checking out Shopify's profile, their disclosure list was littered with open reports. I couldn't read enough of them. The vulnerabilities included Cross-Site Scripting, Authentication and Cross-Site Request Forgery, just to name a few.

Admittedly, at this stage, I was struggling to understand what the reports were detailing. Some of the vulnerabilities and methods of exploitation were hard to understand. Searching Google to try and understand one particular report, I ended on a GitHub issue thread for an old Ruby on Rails default weak parameter vulnerability (this is detailed in the Application Logic chapter) reported by Egor Homakov. Following up on Egor led me to his blog, which includes disclosures for some seriously complex vulnerabilities. Reading about his experiences, I realized, the world of hacking might benefit from plain language explanations of real world vulnerabilities. And it just so happened, that I learn better when teaching others. And so, Web Hacking 101 was born.

Just 30 Examples and My First Sale

I decided to start out with a simple goal, find and explain 30 web vulnerabilities in easy to understand, plain language.
I figured, at worst, researching and writing about vulnerabilities would help me learn about hacking. At best, I’d sell a million copies, become a self-publishing guru and retire early. The latter has yet to happen and at times, the former seems endless. Around the 15 explained vulnerabilities mark, I decided to publish my draft so it could be purchased - the platform I chose, LeanPub (which most have probably purchased through), allows you to publish iteratively, providing customers with access to all updates. I sent out a tweet thanking HackerOne and Shopify for their disclosures and to tell the world about my book. I didn’t expect much.
But within hours, I made my first sale. Elated at the idea of someone actually paying for my book (something I created and was pouring a tonne of effort into!), I logged on to LeanPub to see what I could find out about the mystery buyer. Turns out nothing. But then my phone vibrated, I received a tweet from Michiel Prins saying he liked the book and asked to be kept in the loop. Who the hell is Michiel Prins? I checked his Twitter profile and turns out, he's one of the Co-Founders of HackerOne. Shit. Part of me thought HackerOne wouldn't be impressed with my reliance on their site for content. I tried to stay positive, Michiel seemed supportive and did ask to be kept in the loop, so probably harmless.

Not long after my first sale, I received a second sale and figured I was on to something. Coincidentally, around the same time, I got a notification from Quora about a question I'd probably be interested in, How do I become a successful Bug bounty hunter? Given my experience starting out, knowing what it was like to be in the same shoes and with the selfish goal of wanting to promote my book, I figured I'd write an answer. About half way through, it dawned on me that the only other answer was written by Jobert Abma, one of the other Co-Founders of HackerOne. A pretty authoritative voice on hacking. Shit. I contemplated abandoning my answer but then elected to rewrite it to build on his input since I couldn't compete with his advice. I hit submit and thought nothing of it. But then I received an interesting email:

Hi Peter,
I saw your Quora answer and then saw that you are writing a book about White Hat hacking. Would love to know more.
Kind regards,
Marten
CEO, HackerOne

Triple Shit. A lot of things ran through my mind at this point, none of which were positive and pretty much all were irrational. In short, I figured the only reason Marten would email me was to drop the hammer on my book. Thankfully, that couldn't have been further from the truth.
I replied to him explaining who I was and what I was doing - that I was trying to learn how to hack and help others learn along with me. Turns out, he was a big fan of the idea. He explained that HackerOne is interested in growing the community and supporting hackers as they learn as it's mutually beneficial to everyone involved. In short, he offered to help. And man, has he ever. This book probably wouldn't be where it is today or include half the content without his and HackerOne's constant support and motivation. Since that initial email, I kept writing and Marten kept checking in. Michiel and Jobert reviewed drafts, provided suggestions and even contributed some sections. Marten even
went above and beyond to cover the costs of a professionally designed cover (goodbye plain yellow cover with a white witches' hat, all of which looked like it was designed by a four year old). In May 2016, Adam Bacchus joined HackerOne and on his 5th day working there, he read the book, provided edits and was explaining what it was like to be on the receiving end of vulnerability reports - something I've now included in the report writing chapter.

I mention all this because throughout this journey, HackerOne has never asked for anything in return. They've just wanted to support the community and saw this book was a good way of doing it. As someone new to the hacking community, that resonated with me and I hope it does with you too. I personally prefer to be part of a supportive and inclusive community.

So, since then, this book has expanded dramatically, well beyond what I initially envisioned. And with that, the target audience has also changed.

Who This Book Is Written For

This book is written with new hackers in mind. It doesn't matter if you're a web developer, web designer, stay at home mom, a 10 year old or a 75 year old. I want this book to be an authoritative reference for understanding the different types of vulnerabilities, how to find them, how to report them, how to get paid and even, how to write defensive code.

That said, I didn't write this book to preach to the masses. This is really a book about learning together. As such, I share successes AND some of my notable (and embarrassing) failures. The book also isn't meant to be read cover to cover, if there is a particular section you're interested in, go read it first. In some cases, I do reference sections previously discussed, but doing so, I try to connect the sections so you can flip back and forth. I want this book to be something you keep open while you hack.
On that note, each vulnerability type chapter is structured the same way:

• Begin with a description of the vulnerability type;
• Review examples of the vulnerability; and,
• Conclude with a summary.

Similarly, each example within those chapters is structured the same way and includes:

• My estimation of the difficulty finding the vulnerability
• The url associated with where the vulnerability was found
• A link to the report or write up
• The date the vulnerability was reported
• The amount paid for the report
• An easy to understand description of the vulnerability
• Take aways that you can apply to your own efforts

Lastly, while it's not a prerequisite for hacking, it is probably a good idea to have some familiarity with HTML, CSS, Javascript and maybe some programming. That isn't to say you need to be able to put together web pages from scratch, off the top of your head, but understanding the basic structure of a web page, how CSS defines a look and feel and what can be accomplished with Javascript will help you uncover vulnerabilities and understand the severity of doing so. Programming knowledge is helpful when you're looking for application logic vulnerabilities. If you can put yourself in the programmer's shoes to guess how they may have implemented something, or read their code if it's available, you'll be ahead in the game. To do so, I recommend checking out Udacity's free online courses Intro to HTML and CSS and Javascript Basics, links to which I've included in the Resources chapter. If you're not familiar with Udacity, its mission is to bring accessible, affordable, engaging and highly effective higher education to the world. They've partnered with companies like Google, AT&T, Facebook, Salesforce, etc. to create programs and offer courses online.

Chapter Overview

Chapter 2 is an introductory background to how the internet works, including HTTP requests and responses and HTTP methods.

Chapter 3 covers Open Redirects, a vulnerability in which a site can be made to send its users on to another site of the attacker's choosing, exploiting the user's trust in the vulnerable site.

Chapter 4 covers HTTP Parameter Pollution and in it, you'll learn how to find systems that may be vulnerable to passing along unsafe input to third party sites.
Chapter 5 covers Cross-Site Request Forgery vulnerabilities, walking through examples that show how logged-in users can be tricked into unknowingly submitting information to a website.

Chapter 6 covers HTML Injection and in it, you'll learn how being able to inject HTML into a web page can be used maliciously. One of the more interesting takeaways is how you can use encoded values to trick sites into accepting and rendering the HTML you submit, bypassing filters.

Chapter 7 covers Carriage Return Line Feed Injection, looking at examples of submitting carriage return and line feed characters to sites and the impact they have on rendered content.
Chapter 8 covers Cross-Site Scripting, a massive topic with a huge variety of ways to achieve exploits. Cross-Site Scripting represents huge opportunities and an entire book could, and probably should, be written solely on it. There are a tonne of examples I could have included here so I try to focus on the most interesting and helpful for learning.

Chapter 9 covers Server Side Template Injection, as well as client side injections. These types of vulnerabilities take advantage of developers inserting user input directly into templates, so that input written in the template syntax gets evaluated. The impact of these vulnerabilities depends on where they occur but can often lead to remote code execution.

Chapter 10 covers structured query language (SQL) injections, which involve manipulating database queries to extract, update or delete information from a site.

Chapter 11 covers Server Side Request Forgery, which allows an attacker to use a remote server to make subsequent HTTP requests on the attacker's behalf.

Chapter 12 covers XML External Entity vulnerabilities resulting from a site's parsing of extensible markup language (XML). These types of vulnerabilities can include things like reading private files, remote code execution, etc.

Chapter 13 covers Remote Code Execution, or the ability for an attacker to execute arbitrary code on a victim server. This type of vulnerability is among the most dangerous since an attacker can control what code is executed and is usually rewarded as such.

Chapter 14 covers memory related vulnerabilities, a type of vulnerability which can be tough to find and is typically tied to low level programming languages. However, discovering these types of bugs can lead to some pretty serious vulnerabilities.

Chapter 15 covers Sub Domain Takeovers, something I learned a lot about researching this book; credit for it should largely go to Mathias, Frans and the Detectify team.
Essentially, a site points a sub domain at a third party hosting service but never actually claims the corresponding address from that service. This allows an attacker to register the address with the third party, so that all traffic, which believes it is on the victim's domain, is actually on the attacker's.

Chapter 16 covers Race Conditions, a vulnerability which involves two or more processes performing an action based on conditions which should only permit one action to occur. For example, think of bank transfers: you shouldn't be able to perform two transfers of $500 when your balance is only $500. However, a race condition vulnerability could permit it.

Chapter 17 covers Insecure Direct Object Reference vulnerabilities, whereby an attacker can read or update objects (database records, files, etc.) which they should not have permission to.

Chapter 18 covers application logic based vulnerabilities. This chapter has grown into a catch all for vulnerabilities I consider linked to programming logic flaws. I've found these types of vulnerabilities may be easier for a beginner to find instead of looking for weird and creative ways to submit malicious input to a site.
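The bank-transfer race condition described under Chapter 16, as an added example that is not part of the book (class names, the balance of 500 and the transfer amounts are all made up for illustration): the vulnerable account checks the balance and then debits it as two separate steps, so two transfers that both pass the check before either debit goes through both succeed and the balance goes negative. The fixed account holds a lock across the check and the debit. The driver uses a Barrier to force the worst-case interleaving deterministically, which is what an attacker is hoping for when firing the same request many times in parallel.

```python
"""Check-then-act race condition (double spend) versus an atomic check-and-debit."""
import threading


class VulnerableAccount:
    """Each debit is atomic on its own (like a single SQL UPDATE), but the balance
    check and the debit are separate steps. Two transfers that both pass the check
    before either one debits will both succeed, driving the balance negative."""

    def __init__(self, balance):
        self.balance = balance
        self._write_lock = threading.Lock()

    def transfer(self, amount, pause=None):
        if self.balance < amount:      # step 1: read and check, unsynchronised
            return False
        if pause is not None:
            pause()                    # models the scheduler switching threads here
        with self._write_lock:         # step 2: debit, based on a now-stale check
            self.balance -= amount
        return True


class SafeAccount:
    """Check and debit happen under one lock, so the check cannot go stale.
    The database equivalent is a conditional update such as
    UPDATE accounts SET balance = balance - :amt WHERE id = :id AND balance >= :amt
    followed by a check that exactly one row changed."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def transfer(self, amount, pause=None):
        if pause is not None:
            pause()                    # same concurrency pressure, but before the critical section
        with self._lock:
            if self.balance < amount:
                return False
            self.balance -= amount
            return True


def run_concurrent_transfers(account, amount, workers):
    """Fire `workers` transfers of `amount` at once and return
    (number of successful transfers, final balance).

    The Barrier makes every worker reach `pause` before any continues, so for
    VulnerableAccount all of them pass the balance check before any debit runs."""
    barrier = threading.Barrier(workers)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = account.transfer(amount, barrier.wait)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    # Constructed scenario from the text: balance 500, two simultaneous 500 transfers.
    print("vulnerable:", run_concurrent_transfers(VulnerableAccount(500), 500, 2))  # (2, -500)
    print("safe:      ", run_concurrent_transfers(SafeAccount(500), 500, 2))        # (1, 0)
```

The per-debit lock in the vulnerable class is deliberate: it shows that making each individual write atomic does not help when the decision to write was made on data that another request has since changed. When testing a real target, the same idea applies: send the requests so that they are in flight at the same time (for example, from several threads or with a tool that releases them together), then check whether the application's state ends up somewhere its own rules say it cannot.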