Real-World Bug Hunting: A Field Guide to Web Hacking (PDF)

460 Pages·2020·6.76 MB·English

Preview: Real-World Bug Hunting: A Field Guide to Web Hacking

Contents in Detail

1. Cover Page
2. Title Page
3. Copyright Page
4. About the Author
5. About the Technical Reviewer
6. Brief Contents
7. Contents in Detail
8. Foreword by Michiel Prins and Jobert Abma
9. Acknowledgments
10. Introduction
    1. Who Should Read This Book
    2. How to Read This Book
    3. What's in This Book
    4. A Disclaimer About Hacking
11. 1 Bug Bounty Basics
    1. Vulnerabilities and Bug Bounties
    2. Client and Server
    3. What Happens When You Visit a Website
    4. HTTP Requests
    5. Summary
12. 2 Open Redirect
    1. How Open Redirects Work
    2. Shopify Theme Install Open Redirect
    3. Shopify Login Open Redirect
    4. HackerOne Interstitial Redirect
    5. Summary
13. 3 HTTP Parameter Pollution
    1. Server-Side HPP
    2. Client-Side HPP
    3. HackerOne Social Sharing Buttons
    4. Twitter Unsubscribe Notifications
    5. Twitter Web Intents
    6. Summary
14. 4 Cross-Site Request Forgery
    1. Authentication
    2. CSRF with GET Requests
    3. CSRF with POST Requests
    4. Defenses Against CSRF Attacks
    5. Shopify Twitter Disconnect
    6. Change Users Instacart Zones
    7. Badoo Full Account Takeover
    8. Summary
15. 5 HTML Injection and Content Spoofing
    1. Coinbase Comment Injection Through Character Encoding
    2. HackerOne Unintended HTML Inclusion
    3. HackerOne Unintended HTML Include Fix Bypass
    4. Within Security Content Spoofing
    5. Summary
16. 6 Carriage Return Line Feed Injection
    1. HTTP Request Smuggling
    2. v.shopify.com Response Splitting
    3. Twitter HTTP Response Splitting
    4. Summary
17. 7 Cross-Site Scripting
    1. Types of XSS
    2. Shopify Wholesale
    3. Shopify Currency Formatting
    4. Yahoo! Mail Stored XSS
    5. Google Image Search
    6. Google Tag Manager Stored XSS
    7. United Airlines XSS
    8. Summary
18. 8 Template Injection
    1. Server-Side Template Injections
    2. Client-Side Template Injections
    3. Uber AngularJS Template Injection
    4. Uber Flask Jinja2 Template Injection
    5. Rails Dynamic Render
    6. Unikrn Smarty Template Injection
    7. Summary
19. 9 SQL Injection
    1. SQL Databases
    2. Countermeasures Against SQLi
    3. Yahoo! Sports Blind SQLi
    4. Uber Blind SQLi
    5. Drupal SQLi
    6. Summary
20. 10 Server-Side Request Forgery
    1. Demonstrating the Impact of Server-Side Request Forgery
    2. Invoking GET vs. POST Requests
    3. Performing Blind SSRFs
    4. Attacking Users with SSRF Responses
    5. ESEA SSRF and Querying AWS Metadata
    6. Google Internal DNS SSRF
    7. Internal Port Scanning Using Webhooks
    8. Summary
21. 11 XML External Entity
    1. eXtensible Markup Language
    2. How XXE Attacks Work
    3. Read Access to Google
    4. Facebook XXE with Microsoft Word
    5. Wikiloc XXE
    6. Summary
22. 12 Remote Code Execution
    1. Executing Shell Commands
    2. Executing Functions
    3. Strategies for Escalating Remote Code Execution
    4. Polyvore ImageMagick
    5. Algolia RCE on facebooksearch.algolia.com
    6. RCE Through SSH
    7. Summary
23. 13 Memory Vulnerabilities
    1. Buffer Overflows
    2. Read Out of Bounds
    3. PHP ftp_genlist() Integer Overflow
    4. Python Hotshot Module
    5. Libcurl Read Out of Bounds
    6. Summary
24. 14 Subdomain Takeover
    1. Understanding Domain Names
    2. How Subdomain Takeovers Work
    3. Ubiquiti Subdomain Takeover
    4. Scan.me Pointing to Zendesk
    5. Shopify Windsor Subdomain Takeover
    6. Snapchat Fastly Takeover
    7. Legal Robot Takeover
    8. Uber SendGrid Mail Takeover
    9. Summary
25. 15 Race Conditions
    1. Accepting a HackerOne Invite Multiple Times
    2. Exceeding Keybase Invitation Limits
    3. HackerOne Payments Race Condition
    4. Shopify Partners Race Condition
    5. Summary
26. 16 Insecure Direct Object References
    1. Finding Simple IDORs
    2. Finding More Complex IDORs
    3. Binary.com Privilege Escalation
    4. Moneybird App Creation
    5. Twitter Mopub API Token Theft
    6. ACME Customer Information Disclosure
    7. Summary
27. 17 OAuth Vulnerabilities
    1. The OAuth Workflow
    2. Stealing Slack OAuth Tokens
    3. Passing Authentication with Default Passwords
    4. Stealing Microsoft Login Tokens
    5. Swiping Facebook Official Access Tokens
    6. Summary
28. 18 Application Logic and Configuration Vulnerabilities
    1. Bypassing Shopify Administrator Privileges
    2. Bypassing Twitter Account Protections
    3. HackerOne Signal Manipulation
    4. HackerOne Incorrect S3 Bucket Permissions
    5. Bypassing GitLab Two-Factor Authentication
    6. Yahoo! PHP Info Disclosure
    7. HackerOne Hacktivity Voting
    8. Accessing PornHub's Memcache Installation
    9. Summary
29. 19 Finding Your Own Bug Bounties
    1. Reconnaissance
    2. Testing the Application
    3. Going Further
    4. Summary
30. 20 Vulnerability Reports
    1. Read the Policy
    2. Include Details; Then Include More
    3. Reconfirm the Vulnerability
    4. Your Reputation
    5. Show Respect for the Company
    6. Appealing Bounty Rewards
    7. Summary
31. A Tools
    1. Web Proxies
    2. Subdomain Enumeration
    3. Discovery
    4. Screenshotting
    5. Port Scanning
    6. Reconnaissance
    7. Hacking Tools
    8. Mobile
    9. Browser Plug-Ins
32. B Resources
    1. Online Training
    2. Bug Bounty Platforms
    3. Recommended Reading
    4. Video Resources
    5. Recommended Blogs
33. Index

REAL-WORLD BUG HUNTING
A Field Guide to Web Hacking
by Peter Yaworski
San Francisco

REAL-WORLD BUG HUNTING. Copyright © 2019 by Peter Yaworski.

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-10: 1-59327-861-6
ISBN-13: 978-1-59327-861-8

Publisher: William Pollock
Production Editor: Janelle Ludowise
Cover Illustration: Jonny Thomas
Interior Design: Octopod Studios
Developmental Editors: Jan Cash and Annie Choi
Technical Reviewer: Tsang Chi Hong
Copyeditor: Anne Marie Walker
Compositor: Happenstance Type-O-Rama
Proofreader: Paula L. Fleming
Indexer: JoAnne Burek

For information on distribution, translations, or bulk sales, please contact No Starch Press, Inc. directly:
No Starch Press, Inc.
245 8th Street, San Francisco, CA 94103
phone: 1.415.863.9900; [email protected]
www.nostarch.com

Library of Congress Cataloging-in-Publication Data
Names: Yaworski, Peter, author.
Title: Real-world bug hunting : a field guide to web hacking / Peter Yaworski.
Description: San Francisco : No Starch Press, 2019. | Includes bibliographical references.
Identifiers: LCCN 2018060556 (print) | LCCN 2019000034 (ebook) | ISBN 9781593278625 (epub) | ISBN 1593278624 (epub) | ISBN 9781593278618 (paperback) | ISBN 1593278616 (paperback)
Subjects: LCSH: Debugging in computer science. | Penetration testing (Computer security) | Web sites—Testing. | BISAC: COMPUTERS / Security / Viruses. | COMPUTERS / Security / General. | COMPUTERS / Networking / Security.
Classification: LCC QA76.9.D43 (ebook) | LCC QA76.9.D43 Y39 2019 (print) | DDC 004.2/4—dc23
LC record available at https://lccn.loc.gov/2018060556

No Starch Press and the No Starch Press logo are registered trademarks of No Starch Press, Inc. Other product and company names mentioned herein may be the trademarks of their respective owners. Rather than use a trademark symbol with every occurrence of a trademarked name, we are using the names only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The information in this book is distributed on an "As Is" basis, without warranty. While every precaution has been taken in the preparation of this work, neither the author nor No Starch Press, Inc. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in it.
