
Real-World Bug Hunting: A Field Guide to Web Hacking PDF

266 Pages·2019·5.466 MB·English

Preview Real-World Bug Hunting: A Field Guide to Web Hacking

Back cover

“Filled with rich, real-world examples of security vulnerability reports, along with helpful analysis” — Michiel Prins and Jobert Abma, co-founders of HackerOne

Learn how people break websites and how you can, too. Real-World Bug Hunting is the premier field guide to finding software bugs. Whether you’re a cyber-security beginner who wants to make the internet safer or a seasoned developer who wants to write secure code, ethical hacker Peter Yaworski will show you how it’s done.

You’ll learn about the most common types of bugs, like cross-site scripting, insecure direct object references, and server-side request forgery. Using real-life case studies of rewarded vulnerabilities from applications like Twitter, Facebook, Google, and Uber, you’ll see how hackers manage to invoke race conditions while transferring money, use URL parameters to cause users to like unintended tweets, and more.

Each chapter introduces a vulnerability type accompanied by a series of actual reported bug bounties. The book’s collection of tales from the field will teach you how attackers trick users into giving away their sensitive information and how sites may reveal their vulnerabilities to savvy users. You’ll even learn how you could turn your challenging new hobby into a successful career.

You’ll learn:
- How the internet works and basic web hacking concepts
- How attackers compromise websites
- How to identify functionality commonly associated with vulnerabilities
- Where to start when hunting bugs
- How to find bug bounty programs and submit effective vulnerability reports

Real-World Bug Hunting is a fascinating soup-to-nuts primer on web security vulnerabilities, filled with stories from the trenches and practical wisdom. With your new understanding of site security and vulnerabilities, you can help make the web a safer place—and profit while you’re at it.

About the Author

Peter Yaworski is a successful bug bounty hunter with thanks from Salesforce, Twitter, Airbnb, and the United States Department of Defense, among others. He currently works at Shopify as an Application Security Engineer, helping to make commerce more secure.

THE FINEST IN GEEK ENTERTAINMENT™ www.nostarch.com Price: $39.95 ($53.95 CDN) Shelve In: Computers/Security

Title page

Real-World Bug Hunting: A Field Guide to Web Hacking
by Peter Yaworski
Foreword by Michiel Prins and Jobert Abma
San Francisco

Copyright page

Real-World Bug Hunting. Copyright © 2019 by Peter Yaworski.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-10: 1-59327-861-6
ISBN-13: 978-1-59327-861-8

Publisher: William Pollock
Production Editor: Janelle Ludowise
Cover Illustration: Jonny Thomas
Interior Design: Octopod Studios
Developmental Editors: Jan Cash and Annie Choi
Technical Reviewer: Tsang Chi Hong
Copyeditor: Anne Marie Walker
Compositor: Happenstance Type-O-Rama
Proofreader: Paula L. Fleming
Indexer: JoAnne Burek

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; [email protected]
www.nostarch.com

Library of Congress Cataloging-in-Publication Data
Names: Yaworski, Peter, author.
Title: Real-world bug hunting : a field guide to web hacking / Peter Yaworski.
Description: San Francisco : No Starch Press, 2019. | Includes bibliographical references.
Identifiers: LCCN 2018060556 (print) | LCCN 2019000034 (ebook) | ISBN 9781593278625 (epub) | ISBN 1593278624 (epub) | ISBN 9781593278618 (paperback) | ISBN 1593278616 (paperback)
Subjects: LCSH: Debugging in computer science. | Penetration testing (Computer security) | Web sites--Testing. | BISAC: COMPUTERS / Security / Viruses. | COMPUTERS / Security / General. | COMPUTERS / Networking / Security.
Classification: LCC QA76.9.D43 (ebook) | LCC QA76.9.D43 Y39 2019 (print) | DDC 004.2/4--dc23
LC record available at https://lccn.loc.gov/2018060556

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an “As Is” basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.

About the Author

Peter Yaworski is a self-taught hacker thanks to the generous knowledge sharing of so many hackers who came before him, including those referenced in this book. He is also a successful bug bounty hunter with thanks from Salesforce, Twitter, Airbnb, Verizon Media, and the United States Department of Defense, among others. He currently works at Shopify as an Application Security Engineer, helping to make commerce more secure.

About the Technical Reviewer

Tsang Chi Hong, also known as FileDescriptor, is a pentester and a bug bounty hunter. He lives in Hong Kong. He writes about web security at https://blog.innerht.ml, enjoys listening to original soundtracks, and owns some cryptocurrencies.

Brief Contents

Foreword by Michiel Prins and Jobert Abma
Acknowledgments
Introduction
Chapter 1: Bug Bounty Basics
Chapter 2: Open Redirect
Chapter 3: HTTP Parameter Pollution
Chapter 4: Cross-Site Request Forgery
Chapter 5: HTML Injection and Content Spoofing
Chapter 6: Carriage Return Line Feed Injection
Chapter 7: Cross-Site Scripting
Chapter 8: Template Injection
Chapter 9: SQL Injection
Chapter 10: Server-Side Request Forgery
Chapter 11: XML External Entity
Chapter 12: Remote Code Execution
Chapter 13: Memory Vulnerabilities
Chapter 14: Subdomain Takeover
Chapter 15: Race Conditions
Chapter 16: Insecure Direct Object References
Chapter 17: OAuth Vulnerabilities
Chapter 18: Application Logic and Configuration Vulnerabilities
Chapter 19: Finding Your Own Bug Bounties
Chapter 20: Vulnerability Reports
Appendix A: Tools
Appendix B: Resources
Index
