A practical guide to help ethical hackers discover web application security flaws
Joseph Marshall
Book Details

| Field | Value |
|---|---|
| Price | 3.00 USD |
| Pages | 240 p |
| File Size | 14,275 KB |
| File Type | PDF format |
| ISBN | 978-1-78934-420-2 |
| Copyright | 2018 Packt Publishing |
Joseph Marshall is a web application developer and freelance writer with credits from The
Atlantic, Kirkus Review, and the SXSW film blog. He also enjoys moonlighting as a
freelance security researcher, working with third-party vulnerability marketplaces such as
Bugcrowd and HackerOne. His background and education include expertise in
development, nonfiction writing, linguistics, and instruction/teaching. He lives in Austin, TX.
About the reviewers
Sachin Wagh is a young information security researcher from India. His core area of
expertise includes penetration testing, vulnerability analysis, and exploit development. He
has found security vulnerabilities in Google, Tesla Motors, LastPass, Microsoft, F-Secure,
and other companies. Due to the severity of many bugs discovered, he has received
numerous awards for his findings. He has participated in several security conferences as a
speaker, such as Hack In Paris, Infosecurity Europe, and HAKON.
I would specially like to thank Shweta Pant and Drashti Panchal for offering me this
opportunity. I would also like to thank my family and close friends for supporting me.
Himanshu Sharma has already achieved fame for finding security loopholes and
vulnerabilities in Apple, Google, Microsoft, Facebook, Adobe, Uber, and many more, with
hall of fame listings as proof. He has helped celebrities such as Harbhajan Singh, and also
assisted an international singer in tracking down his hacked account and recovering it. He
was a speaker at the international conferences Botconf 2013 and CONFidence 2018. He has
also spoken at IEEE conferences in California and Malaysia, as well as for TEDx. Currently,
he is the cofounder of BugsBounty, a crowd-sourced security platform for ethical hackers
and companies interested in cyber services. He has also authored a book titled Kali Linux -
An Ethical Hacker's Cookbook.
Preface
This book is designed to give interested coders (part-time, professional, and otherwise) the
skills they need to start participating in public bug bounty programs, covering both general
pentesting subjects, such as scoping your testing sessions appropriately, and bounty-specific
security topics, such as how to format your bug submission report to ensure the
best chance of earning a reward.
As the need for security audits on the public web grows, crowdsourced solutions are
becoming more popular. This book aims to give you everything you need to participate in
those programs, walking you through important topics with a mix of theory and direct,
hands-on examples.
Table of Contents
Preface 1
Chapter 1: Joining the Hunt 6
Technical Requirements 6
The Benefits of Bug Bounty Programs 7
What You Should Already Know – Pentesting Background 10
Setting Up Your Environment – Tools To Know 10
What You Will Learn – Next Steps 12
How (Not) To Use This Book – A Warning 12
Summary 14
Questions 15
Further Reading 15
Chapter 2: Choosing Your Hunting Ground 16
Technical Requirements 16
An Overview of Bug Bounty Communities – Where to Start Your Search 16
Third-Party Marketplaces 17
Bugcrowd 17
HackerOne 18
Vulnerability Lab 19
BountyFactory 19
Synack 19
Company-Sponsored Initiatives 20
Google 21
Facebook 21
Amazon 22
GitHub 22
Microsoft 22
Finding Other Programs 23
Money Versus Swag Rewards 23
The Internet Bug Bounty Program 24
ZeroDisclo and Coordinated Vulnerability Disclosures 24
The Vulnerability of Web Applications – What You Should Target 26
Evaluating Rules of Engagement – How to Protect Yourself 27
Summary 29
Questions 29
Further Reading 30
Chapter 3: Preparing for an Engagement 31
Technical Requirements 32
Tools 32
Using Burp 34
Attack Surface Reconnaissance – Strategies and the Value of Standardization 34
Sitemaps 35
Scanning and Target Reconnaissance 37
Brute-forcing Web Content 37
Spidering and Other Data-Collection Techniques 39
Burp Spider 39
Striker 40
Scrapy and Custom Pipelines 42
Manual Walkthroughs 42
Source Code 45
Building a Process 47
Formatting the JS Report 47
Downloading the JavaScript 50
Putting It All Together 51
The Value Behind the Structure 52
Summary 53
Questions 54
Further Reading 54
Chapter 4: Unsanitized Data – An XSS Case Study 55
Technical Requirements 56
A Quick Overview of XSS – The Many Varieties of XSS 56
Testing for XSS – Where to Find It, How to Verify It 57
Burp Suite and XSS Validator 57
Payload Sets 61
Payload Options 61
Payload Processing 62
XSS – An End-To-End Example 65
XSS in Google Gruyere 66
Gathering Report Information 69
Category 69
Timestamps 69
URL 70
Payload 70
Methodology 70
Instructions to Reproduce 70
Attack Scenario 71
Summary 72
Questions 72
Further Reading 72
Chapter 5: SQL, Code Injection, and Scanners 73
Technical Requirements 74
SQLi and Other Code Injection Attacks – Accepting Unvalidated Data 75
A Simple SQLi Example 75
Testing for SQLi With Sqlmap – Where to Find It and How to Verify It 76
Google Dorks for SQLi 79
Validating a Dork 79
Scanning for SQLi With Arachni 81
Going Beyond Defaults 82
Writing a Wrapper Script 84
NoSQL Injection – Injecting Malformed MongoDB Queries 84
SQLi – An End-to-End Example 85
Gathering Report Information 88
Category 88
Timestamps 88
URL 89
Payload 89
Methodology 89
Instructions to Reproduce 89
Attack Scenario 89
Final Report 89
Summary 90
Questions 90
Further Reading 91
Chapter 6: CSRF and Insecure Session Authentication 92
Technical Requirements 93
Building and Using CSRF PoCs 93
Creating a CSRF PoC Code Snippet 93
Validating Your CSRF PoC 97
Creating Your CSRF PoC Programmatically 99
CSRF – An End-to-End Example 105
Gathering Report Information 112
Category 112
Timestamps 112
URL 112
Payload 112
Methodology 112
Instructions to Reproduce 112
Attack Scenario 113
Final Report 113
Summary 114
Questions 114
Further Reading 114
Chapter 7: Detecting XML External Entities 115
Technical Requirements 116
A Simple XXE Example 116
XML Injection Vectors 118
XML Injection and XXE – Stronger Together 119
Testing for XXE – Where to Find It, and How to Verify It 120
XXE – An End-to-End Example 120
Gathering Report Information 125
Category 125
Timestamps 125
URL 125
Payload 125
Methodology 125
Instructions to Reproduce 126
Attack Scenario 126
Final Report 126
Summary 127
Questions 127
Further Reading 128
Chapter 8: Access Control and Security Through Obscurity 129
Technical Requirements 129
Security by Obscurity – The Siren Song 130
Data Leaks – What Information Matters? 131
API Keys 131
Access Tokens 131
Passwords 132
Hostnames 132
Machine RSA/Encryption Keys 132
Account and Application Data 132
Low Value Data – What Doesn’t Matter 132
Generally Descriptive Error Messages 133
404 and Other Non-200 Error Codes 133
Username Enumeration 133
Browser Autocomplete or Save Password Functionality 133
Data Leak Vectors 134
Config Files 134
Public Code Repos 134
Client Source Code 135
Hidden Fields 135
Error Messages 136
Unmasking Hidden Content – How to Pull the Curtains Back 136
Preliminary Code Analysis 136
Using Burp to Uncover Hidden Fields 136
Data Leakage – An End-to-End Example 138
Gathering Report Information 141
Final Report 142
Summary 142
Questions 143
Further Reading 143
Chapter 9: Framework and Application-Specific Vulnerabilities 144
Technical Requirements 145
Known Component Vulnerabilities and CVEs – A Quick Refresher 147
WordPress – Using WPScan 148
WPScan as a Dockerized CLI 148
Burp and WPScan 153
Ruby on Rails – Rubysec Tools and Tricks 157
Exploiting RESTful MVC Routing Patterns 158
Checking the Version for Particular Weaknesses 158
Testing Cookie Data and Authentication 158
Django – Strategies for the Python App 158
Checking for DEBUG = True 159
Probing the Admin Page 159
Summary 159
Questions 160
Further Reading 160
Chapter 10: Formatting Your Report 161
Technical Requirements 161
Reproducing the Bug – How Your Submission Is Vetted 162
Critical Information – What Your Report Needs 164
Maximizing Your Award – The Features That Pay 165
Example Submission Reports – Where to Look 167
Hackerone Hacktivity 168
Vulnerability Lab Archive 169
GitHub 170
Summary 171
Questions 171
Further Reading 171
Chapter 11: Other Tools 172
Technical Requirements 172
Evaluating New Tools – What to Look For 173
Paid Versus Free Editions – What Makes a Tool Worth It? 173
A Quick Overview of Other Options – Nikto, Kali, Burp Extensions, and More 176
Scanners 176
Nikto 176
Zed Attack Proxy 176
w3af 176
nmap and python-nmap 177
Aircrack-ng 177
Wireshark 177
SpiderFoot 177
Resources 178
FuzzDB 178
Pentesting Cheatsheet 178
Exploit DB 178
Awesome Web Security 179
Kali Linux 179
Source Code Analysis (White Box) Tools 179
Pytaint 179
Bandit 180
Brakeman 180
Burp 180
Burp Extensions 180
JSON Beautifier 180
Retire.js 181
Python Scripter 181
Burp Notes 181
Burp REST API 181
SaaS-Specific Extensions 181
Using Burp Pro to Generate a CSRF PoC 182
Metasploit and Exploitation Frameworks 184
Summary 185
Questions 185
Further Reading 186
Chapter 12: Other (Out of Scope) Vulnerabilities 187
Technical Requirements 187
DoS/DDoS – The Denial-of-Service Problem 188
Sandboxed and Self-XSS – Low-Threat XSS Varieties 189
Non-Critical Data Leaks – What Companies Don’t Care About 190
Emails 190
HTTP Request Banners 190
Known Public Files 191
Missing HttpOnly Cookie Flags 191
Other Common No-Payout Vulnerabilities 191
Weak or Easily Bypassed Captchas 191
The HTTP OPTIONS Method Enabled 192
BEAST (CVE-2011-3389) and Other SSL-Based Attacks 192
Brute Forcing Authentication Systems 193
CSRF Logout 193
Anonymous Form CSRF 193
Clickjacking and Clickjacking-Enabled Attacks 194
Physical Testing Findings 194
Outdated Browsers 194
Server Information 195
Rate-Limiting 195
Summary 195
Questions 195
Further Reading 196
Chapter 13: Going Further 197
Blogs 197
The SANS Institute 197
Bugcrowd 198
Darknet 198
HighOn.Coffee 198
Zero Day Blog 198
SANS AppSec Blog 199
Courses 199
Penetration Testing With Kali Linux 199
The Infosec Institute Coursework 199
Udemy Penetration Testing Classes 200
Terminology 200
Attack Scenario 200
Attack Surface 200
Black Box Testing 201
Bugs 201
Bug Bounty Programs 201
CORS 201
Data Exfiltration 202
Data Sanitation 202
Data Leakage 202
Exploit 202
Fingerprinting 203
Fuzzing 203
Google Dorks 203
Known Component Vulnerabilities 203
OSINT 203
Passive Versus Active Scanning 204
Payload 204
Proof-of-Concept (PoC) 204
Rules of Engagement (RoE) 204
Red Team 204
Remote Code Execution (RCE) 205
Safe Harbor 205
Scope 205
Security Posture 205
Single-Origin Policy 206
Submission Report 206
Vulnerability 206
White Box Testing 206
Workflow 207
Zero-Day 207
Summary 207
Questions 207
Further Reading 208
Assessment 209
Other Books You May Enjoy 217
Index 220
Who this book is for
This book is written for developers, hobbyists, pentesters, and anyone with an interest (and
maybe a little experience) in web application security and public bug bounty programs.