Contents in Detail
1. Cover Page
2. Title Page
3. Copyright Page
4. About the Author
5. About the Technical Reviewer
6. Brief Contents
7. Contents in Detail
8. Foreword by Michiel Prins and Jobert Abma
9. Acknowledgments
10. Introduction
    1. Who Should Read This Book
    2. How to Read This Book
    3. What’s in This Book
    4. A Disclaimer About Hacking
11. 1 Bug Bounty Basics
    1. Vulnerabilities and Bug Bounties
    2. Client and Server
    3. What Happens When You Visit a Website
    4. HTTP Requests
    5. Summary
12. 2 Open Redirect
    1. How Open Redirects Work
    2. Shopify Theme Install Open Redirect
    3. Shopify Login Open Redirect
    4. HackerOne Interstitial Redirect
    5. Summary
13. 3 HTTP Parameter Pollution
    1. Server-Side HPP
    2. Client-Side HPP
    3. HackerOne Social Sharing Buttons
    4. Twitter Unsubscribe Notifications
    5. Twitter Web Intents
    6. Summary
14. 4 Cross-Site Request Forgery
    1. Authentication
    2. CSRF with GET Requests
    3. CSRF with POST Requests
    4. Defenses Against CSRF Attacks
    5. Shopify Twitter Disconnect
    6. Change Users Instacart Zones
    7. Badoo Full Account Takeover
    8. Summary
15. 5 HTML Injection and Content Spoofing
    1. Coinbase Comment Injection Through Character Encoding
    2. HackerOne Unintended HTML Inclusion
    3. HackerOne Unintended HTML Include Fix Bypass
    4. Within Security Content Spoofing
    5. Summary
16. 6 Carriage Return Line Feed Injection
    1. HTTP Request Smuggling
    2. v.shopify.com Response Splitting
    3. Twitter HTTP Response Splitting
    4. Summary
17. 7 Cross-Site Scripting
    1. Types of XSS
    2. Shopify Wholesale
    3. Shopify Currency Formatting
    4. Yahoo! Mail Stored XSS
    5. Google Image Search
    6. Google Tag Manager Stored XSS
    7. United Airlines XSS
    8. Summary
18. 8 Template Injection
    1. Server-Side Template Injections
    2. Client-Side Template Injections
    3. Uber AngularJS Template Injection
    4. Uber Flask Jinja2 Template Injection
    5. Rails Dynamic Render
    6. Unikrn Smarty Template Injection
    7. Summary
19. 9 SQL Injection
    1. SQL Databases
    2. Countermeasures Against SQLi
    3. Yahoo! Sports Blind SQLi
    4. Uber Blind SQLi
    5. Drupal SQLi
    6. Summary
20. 10 Server-Side Request Forgery
    1. Demonstrating the Impact of Server-Side Request Forgery
    2. Invoking GET vs. POST Requests
    3. Performing Blind SSRFs
    4. Attacking Users with SSRF Responses
    5. ESEA SSRF and Querying AWS Metadata
    6. Google Internal DNS SSRF
    7. Internal Port Scanning Using Webhooks
    8. Summary
21. 11 XML External Entity
    1. eXtensible Markup Language
    2. How XXE Attacks Work
    3. Read Access to Google
    4. Facebook XXE with Microsoft Word
    5. Wikiloc XXE
    6. Summary
22. 12 Remote Code Execution
    1. Executing Shell Commands
    2. Executing Functions
    3. Strategies for Escalating Remote Code Execution
    4. Polyvore ImageMagick
    5. Algolia RCE on facebooksearch.algolia.com
    6. RCE Through SSH
    7. Summary
23. 13 Memory Vulnerabilities
    1. Buffer Overflows
    2. Read Out of Bounds
    3. PHP ftp_genlist() Integer Overflow
    4. Python Hotshot Module
    5. Libcurl Read Out of Bounds
    6. Summary
24. 14 Subdomain Takeover
    1. Understanding Domain Names
    2. How Subdomain Takeovers Work
    3. Ubiquiti Subdomain Takeover
    4. Scan.me Pointing to Zendesk
    5. Shopify Windsor Subdomain Takeover
    6. Snapchat Fastly Takeover
    7. Legal Robot Takeover
    8. Uber SendGrid Mail Takeover
    9. Summary
25. 15 Race Conditions
    1. Accepting a HackerOne Invite Multiple Times
    2. Exceeding Keybase Invitation Limits
    3. HackerOne Payments Race Condition
    4. Shopify Partners Race Condition
    5. Summary
26. 16 Insecure Direct Object References
    1. Finding Simple IDORs
    2. Finding More Complex IDORs
    3. Binary.com Privilege Escalation
    4. Moneybird App Creation
    5. Twitter Mopub API Token Theft
    6. ACME Customer Information Disclosure
    7. Summary
27. 17 OAuth Vulnerabilities
    1. The OAuth Workflow
    2. Stealing Slack OAuth Tokens
    3. Passing Authentication with Default Passwords
    4. Stealing Microsoft Login Tokens
    5. Swiping Facebook Official Access Tokens
    6. Summary
28. 18 Application Logic and Configuration Vulnerabilities
    1. Bypassing Shopify Administrator Privileges
    2. Bypassing Twitter Account Protections
    3. HackerOne Signal Manipulation
    4. HackerOne Incorrect S3 Bucket Permissions
    5. Bypassing GitLab Two-Factor Authentication
    6. Yahoo! PHP Info Disclosure
    7. HackerOne Hacktivity Voting
    8. Accessing PornHub’s Memcache Installation
    9. Summary
29. 19 Finding Your Own Bug Bounties
    1. Reconnaissance
    2. Testing the Application
    3. Going Further
    4. Summary
30. 20 Vulnerability Reports
    1. Read the Policy
    2. Include Details; Then Include More
    3. Reconfirm the Vulnerability
    4. Your Reputation
    5. Show Respect for the Company
    6. Appealing Bounty Rewards
    7. Summary
31. A Tools
    1. Web Proxies
    2. Subdomain Enumeration
    3. Discovery
    4. Screenshotting
    5. Port Scanning
    6. Reconnaissance
    7. Hacking Tools
    8. Mobile
    9. Browser Plug-Ins
32. B Resources
    1. Online Training
    2. Bug Bounty Platforms
    3. Recommended Reading
    4. Video Resources
    5. Recommended Blogs
33. Index
REAL-WORLD BUG HUNTING
A Field Guide to Web Hacking

by Peter Yaworski

San Francisco
REAL-WORLD BUG HUNTING. Copyright © 2019 by Peter Yaworski.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-10: 1-59327-861-6
ISBN-13: 978-1-59327-861-8

Publisher: William Pollock
Production Editor: Janelle Ludowise
Cover Illustration: Jonny Thomas
Interior Design: Octopod Studios
Developmental Editors: Jan Cash and Annie Choi
Technical Reviewer: Tsang Chi Hong
Copyeditor: Anne Marie Walker
Compositor: Happenstance Type-O-Rama
Proofreader: Paula L. Fleming
Indexer: JoAnne Burek

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; info@nostarch.com
www.nostarch.com

Library of Congress Cataloging-in-Publication Data
Names: Yaworski, Peter, author.
Title: Real-world bug hunting : a field guide to web hacking / Peter Yaworski.
Description: San Francisco : No Starch Press, 2019. | Includes bibliographical references.
Identifiers: LCCN 2018060556 (print) | LCCN 2019000034 (ebook) | ISBN 9781593278625 (epub) | ISBN 1593278624 (epub) | ISBN 9781593278618 (paperback) | ISBN 1593278616 (paperback)
Subjects: LCSH: Debugging in computer science. | Penetration testing (Computer security) | Web sites--Testing. | BISAC: COMPUTERS / Security / Viruses. | COMPUTERS / Security / General. | COMPUTERS / Networking / Security.
Classification: LCC QA76.9.D43 (ebook) | LCC QA76.9.D43 Y39 2019 (print) | DDC 004.2/4--dc23
LC record available at https://lccn.loc.gov/2018060556

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
About the Author

Peter Yaworski is a self-taught hacker thanks to the generous knowledge sharing of so many hackers who came before him, including those referenced in this book. He is also a successful bug bounty hunter with thanks from Salesforce, Twitter, Airbnb, Verizon Media, and the United States Department of Defense, among others. He currently works at Shopify as an Application Security Engineer, helping to make commerce more secure.
About the Technical Reviewer

Tsang Chi Hong, also known as FileDescriptor, is a pentester and a bug bounty hunter. He lives in Hong Kong. He writes about web security at https://blog.innerht.ml, enjoys listening to original soundtracks, and owns some cryptocurrencies.
BRIEF CONTENTS

Foreword by Michiel Prins and Jobert Abma
Acknowledgments
Introduction
Chapter 1: Bug Bounty Basics
Chapter 2: Open Redirect
Chapter 3: HTTP Parameter Pollution
Chapter 4: Cross-Site Request Forgery
Chapter 5: HTML Injection and Content Spoofing
Chapter 6: Carriage Return Line Feed Injection
Chapter 7: Cross-Site Scripting
Chapter 8: Template Injection
Chapter 9: SQL Injection
Chapter 10: Server-Side Request Forgery
Chapter 11: XML External Entity
Chapter 12: Remote Code Execution
Chapter 13: Memory Vulnerabilities
Chapter 14: Subdomain Takeover
Chapter 15: Race Conditions
Chapter 16: Insecure Direct Object References
Chapter 17: OAuth Vulnerabilities
Chapter 18: Application Logic and Configuration Vulnerabilities
Chapter 19: Finding Your Own Bug Bounties
Chapter 20: Vulnerability Reports
Appendix A: Tools
Appendix B: Resources
Index
CONTENTS IN DETAIL

FOREWORD by Michiel Prins and Jobert Abma

ACKNOWLEDGMENTS

INTRODUCTION
Who Should Read This Book
How to Read This Book
What’s in This Book
A Disclaimer About Hacking

1 BUG BOUNTY BASICS
Vulnerabilities and Bug Bounties
Client and Server
What Happens When You Visit a Website
    Step 1: Extracting the Domain Name
    Step 2: Resolving an IP Address
    Step 3: Establishing a TCP Connection
    Step 4: Sending an HTTP Request
    Step 5: Server Response
    Step 6: Rendering the Response
HTTP Requests
    Request Methods
    HTTP Is Stateless
Summary
2 OPEN REDIRECT
How Open Redirects Work
Shopify Theme Install Open Redirect
    Takeaways
Shopify Login Open Redirect
    Takeaways
HackerOne Interstitial Redirect
    Takeaways
Summary

3 HTTP PARAMETER POLLUTION
Server-Side HPP
Client-Side HPP
HackerOne Social Sharing Buttons
    Takeaways
Twitter Unsubscribe Notifications
    Takeaways
Twitter Web Intents
    Takeaways
Summary

4 CROSS-SITE REQUEST FORGERY
Authentication
CSRF with GET Requests
CSRF with POST Requests
Defenses Against CSRF Attacks
Shopify Twitter Disconnect
    Takeaways
Change Users Instacart Zones
    Takeaways
Badoo Full Account Takeover
    Takeaways
Summary

5 HTML INJECTION AND CONTENT SPOOFING
Coinbase Comment Injection Through Character Encoding
    Takeaways
HackerOne Unintended HTML Inclusion
    Takeaways
HackerOne Unintended HTML Include Fix Bypass
    Takeaways
Within Security Content Spoofing
    Takeaways
Summary

6 CARRIAGE RETURN LINE FEED INJECTION
HTTP Request Smuggling
v.shopify.com Response Splitting
    Takeaways
Twitter HTTP Response Splitting
    Takeaways
Summary

7 CROSS-SITE SCRIPTING
Types of XSS
Shopify Wholesale
    Takeaways
Shopify Currency Formatting
    Takeaways
Yahoo! Mail Stored XSS
    Takeaways
Google Image Search
    Takeaways
Google Tag Manager Stored XSS
    Takeaways
United Airlines XSS
    Takeaways
Summary

8 TEMPLATE INJECTION
Server-Side Template Injections
Client-Side Template Injections
Uber AngularJS Template Injection
    Takeaways
Uber Flask Jinja2 Template Injection
    Takeaways
Rails Dynamic Render
    Takeaways
Unikrn Smarty Template Injection
    Takeaways
Summary

9 SQL INJECTION
SQL Databases
Countermeasures Against SQLi
Yahoo! Sports Blind SQLi
    Takeaways
Uber Blind SQLi
    Takeaways
Drupal SQLi
    Takeaways
Summary

10 SERVER-SIDE REQUEST FORGERY
Demonstrating the Impact of Server-Side Request Forgery
Invoking GET vs. POST Requests
Performing Blind SSRFs
Attacking Users with SSRF Responses
ESEA SSRF and Querying AWS Metadata
    Takeaways
Google Internal DNS SSRF
    Takeaways
Internal Port Scanning Using Webhooks