Index

Symbols and Numbers
; (semicolon), 110
-- (MySQL comment), 83, 84
<> (angle brackets), 53, 56
../ file path reference, 128
/ (forward slash), 99
| (pipe), 124
` (backtick), 122, 124
" (double quote), 56
' (single quote), 44–46, 56
# (hash), 44, 69
% (percent), 112
%00 (null byte), 99
%0A (line feed), 49
%0D (carriage return), 49
& (ampersand), 22–23, 110, 112
2FA (two-factor authentication), 183–184
32-bit processors, 133
64-bit processors, 133
127.0.0.1 (localhost), 102, 104–105
.docx file type, 113–114
!ELEMENT (XML), 110, 111–112
!ENTITY (XML), 110, 111–112
<img> tags, 32, 36–37, 63–65, 70, 171
tag, 198

A
Abma, Jobert, 183–184, 198, 207–208
about:blank context, 57
Access-Control-Allow-Origin header, 34
access_denied parameter, 47
access_token (OAuth), 169–170
ACME customer information disclosure, 163–165
Ahrens, Julien, 101–104
alert function, 56, 65, 69–70
Algolia remote code execution bug, 125–127
Amass, 211
Amazon Simple Storage (S3)
    and bucket permissions, 181–183
    subdomain takeovers, 141–142
Amazon Web Services, 192
ampersand (&), 22–23, 110, 112
angle brackets (<>), 53, 56
AngularJS template engine
    injection examples, 73–74, 198–199
    Sandbox bypasses, 72–73
API. See application programming interface (API)
apok (hacker), 186
application/json content-type, 33–34, 35
application logic and configuration vulnerabilities, 177–190
    GitLab two-factor authentication bug, 183–184
    HackerOne and S3 bucket permissions, 181–183
    HackerOne Hacktivity voting, 186–187
    HackerOne Signal manipulation, 180–181
    overview, 177–178, 189–190
    PornHub memcache installation, 188–189
    Shopify administrator privileges bypass, 179
    Twitter account protections, 180
    Yahoo! PHP info disclosure, 184–186
application programming interface (API), 7, 37–38, 90, 180, 197
application/x-www-form-urlencoded content-type, 32–34, 35
Aquatone, 194
A records, 140
arrays, 91–93
asset takeovers, 174–176. See also subdomain takeover vulnerabilities
Assis, Rodolfo, 69–70
authentication
    HTTP requests, 50, 54, 150
    misconfigurations, 173–174, 197
    process, 30
Authmatrix plug-in, 160
autofocus attribute, 58
automation techniques, 185–186, 200
Autorize plug-in, 160
AWS metadata query bug, 100

B
Bacchus, Adam, 206
background jobs, 153–154, 156
backtick (`), 122, 124
Badoo full account takeover, 38–40
banking application illustrations
    cross-site request forgeries, 29–30, 31–34
    HTTP parameter pollution, 20–22
    race conditions, 149–150
base64-encoded content, 9
bash, 120, 185–186
binary.com privilege escalation, 159–160
blacklisted characters, 52
blind SQLi, 84–87
blind SSRFs, 97–98
blind XSS attacks, 60, 198
Boolean attribute checks, 64, 86–87
Bounty Factory, 219
browsers
    and cookies, 30–31
    operations, 6–7
    plug-ins for, 216
brute-forcing, 88–89, 195, 199, 211
Bryant, Matthew, 60, 223
Bucket Finder, 182, 214
Buerhaus, Brett, 99–100, 222
buffer overflow vulnerabilities, 130–133, 134–135
bug bounties, 2
    platforms, 219–220
    programs, 2, 90, 123, 188, 189, 203–204
Bugbounty JP, 219
Bugcrowd resources, 219, 222, 223
A Bug Hunter’s Diary (Klein), 220
The Bug Hunters Methodology (Haddix), 220
bug reporting
    after disclosures, 125
    approach, 204–207
    and hacker’s reputation, 205–206
    informative, 163–164
    permission to test further, 76
    proof of concept tips, 145
    responses to, 16, 164–165
    rewards appeals, 207–208
bugs previously reported, 125, 196
BuiltWith, 72, 213
Burp Suite, 40, 152, 158, 160, 195, 199–200, 210

C
Cable, Jack, 172
cache poisoning, 50
call_user_func (PHP), 121
Carettoni, Luca, 21, 22
carriage return line feed (CRLF)
    CRLF injection vulnerabilities, 49–54
    overview, 49–50, 54
    Shopify response splitting, 51–52
    Twitter response splitting, 52–54
Cascading Style Sheets (CSS), 6
C/C++ memory management, 129–133, 135
CDNs (content delivery networks), 144
censys.io, 143, 214
certificate hashes tracking site, 143
Chan, Ron, 224
characters. See also sanitization of characters
    blacklisted, 52–53
    encoding, 42–45, 49, 88–90, 173–174
Charles (web proxy), 210
client-side HPP, 19, 22–23
client-side template injection (CSTI) vulnerabilities, 72–73, 73–74
clients
    defined, 3
    OAuth resource, 168–170
CNAME records, 140–146
Cobalt, 219
Coinbase comment injection, 42–43
comments in SQL queries, 83, 84, 92
companies
    acquisition process exposures, 142
    and bug bounty programs, 2, 204, 206–208
configuration vulnerabilities, 177–178
CONNECT method, 7–8

connection headers, 5
content attribute, 13, 45
content delivery networks (CDNs), 144
content discovery, 195
content spoofing, 41–42, 48
content-type headers, 6, 32–34, 35, 54
cookies
    and carriage return line feed injection, 50, 51–54
    in cross-site request forgeries, 32, 35–36
    in cross-site scripting, 56
    forgeries on, 126–127, 128
    operations and attributes, 30–31
    in subdomain takeovers, 140–141
CORS. See cross-origin resource sharing (CORS)
Coursera, 218
CRLF characters. See carriage return line feed (CRLF)
CRLF injection. See carriage return line feed (CRLF), 49–54
cross-origin resource sharing (CORS), 7, 34, 35, 38
cross-site request forgery (CSRF), 29–40
    Badoo full account takeover, 38–40
    defenses, 34–36
    Instacart, 37–38
    overview, 29–30, 40
    vs. server-side request forgeries, 95
    Shopify Twitter disconnect, 36–37
cross-site scripting (XSS) vulnerabilities, 55–70. See also XSS Jigsaw blog; XSSHunter
    and client-side template injections, 72
    Google image search, 65–66
    Google tag manager, 66–67
    overview, 55–58
    Shopify currency formatting, 62–63
    Shopify wholesale, 61–62
    types, 58–61
    United Airlines, 67–70
    Yahoo! Mail stored XSS, 63–65
crt.sh website, 143, 211
CSRF. See cross-site request forgery (CSRF)
CSRF tokens, 33–35, 38–40, 45
CSTI. See client-side template injection (CSTI) vulnerabilities
Cure53 Browser Security White Paper, 220
cURL requests, 124–125, 136
CVEs (disclosed security issues), 127
CyberChef, 44, 214

D
dangerouslySetInnerHTML function, 45, 72
, 150–151. See also SQL databases
db_query function (SQL), 92
De Ceukelaire, Inti, 44–46
DELETE method, 7–8
deserialization, 126–127
Detectify Labs, 112, 201, 223
dex2jar, 215
“did not respond”, 102
dig A command, 4
directory and file enumeration tools, 212
disclosed security issues (CVEs), 127
DNS. See Domain Name System (DNS)
Document Object Model (DOM), 13, 45
document parameters, 16, 56
document type definitions (DTDs), 108–110
domain cookie attribute, 30–31
Domain Name System (DNS), 3–4, 14, 97–98, 101–104, 141, 142
domain names, 3, 139–140
DOM-based XSS, 59–60
Drupal SQLi, 90–93
DTDs (document type definitions), 108–110

E
Ebrietas (hacker), 144
EdOverflow (hacker), 146–147
email bug hunting examples, 74–76, 78–80, 87–90
Emek, Tanner, 154–155
encoded characters, 42–45, 49, 173–174, 197
error messages, 144
escapeshellcmd (PHP), 120–121
E-Sports Entertainment Association (ESEA) bug, 98–100
expandArguments function (SQL), 91–92
expires cookie attribute, 31
Exploit (DB), 195, 218

eXtensible Markup Language (XML), 110–117
    entities, 110
    overview, 107–110
    parsing and file types, 111–117
external HTTP requests, 96–97, 100–104, 104–105
EyeWitness, 127, 188, 212

F
Facebook
    and OAuth access token bug, 174–176
    ReactJS template engine, 72
    XXE with Word bug, 112–114
Fastly, 144
Fehrenbach, Patrik, 66–67, 185–186, 222, 224
Fiddler (web proxy), 210
file and directory enumeration tools, 212
FileDescriptor (hacker), 46, 52–53, 59, 202, 224
file path expressions, 128
file types, 99, 114, 124–125, 197
file uploads, 122–123
filtered ports, 97
Firefox cookie bug, 52
firewall evasion, 50
flags on command line, 121
Flask Jinja2 template injection, 74, 123
Flurry password authentication, 172
forms
    hidden HTML, 33, 37
    as HTML injection, 42–43
forward slash (/), 99
FoxyProxy add-on, 216
Franjković, Josip, 152
ftp_genlist() function (PHP), 134–135
functionality mapping, 197–198
function execution, 121–122
fuzzing, 182

G
Gamal, Mahmoud, 159
GET requests
    in cross-site request forgeries, 31–32, 35, 40
    with open redirects, 12, 13
    operations, 7
    and server-side modifications, 36–37
    with SSRFs, 97
Ghostscript vulnerabilities, 202
Gill, Andy, 188–189, 224
GitHub, 126, 141, 178, 195
GitLab two-factor authentication bug, 183–184
Gitrob, 126, 195, 215
Gobuster, 195, 212
Google
    AngularJS template engine, 72–73, 73–76
    bug bounty program, 11
    dig tool, 101–104
    internal DNS SSRF, 100–104
Google bugs
    image search, 65–66
    tag manager, 66–67
    XXE vulnerability, 112
Google Chrome XSS Auditor, 59
Google dorking, 99, 100, 162, 195, 214
Google Gruyere, 218
Gowitness, 194, 212

H
The Hacker Blog, 223
Hacker101, 218
HackerOne bugs
    Hacktivity voting, 186–187
    interstitial redirect vulnerability, 13, 15–16
    invite multiple times, 150–151
    payments race condition, 153–154
    and S3 bucket permissions, 181–183
    Signal manipulation, 180–181
    social sharing buttons, 23–24
    unintended HTML inclusion, 44–47
HackerOne resources, 219, 221, 223
hacking blogs, 222–224
hacking techniques, 191–202
    efficiency suggestions, 200–202
    overview, 191–192, 202
    reconnaissance, 192–196
    testing, 196–200
Hacking: The Art of Exploitation (Erickson), 221
hacking tools, 214–215

Hack the Box, 218
Harewood, Philippe, 174–176, 201, 224
harry_mg (hacker), 142
Hasan, Mustafa, 67–70
hash (#), 44, 69
headers
    host and connection, 5
    injections, 50–52
HEAD method, 7–8
bug, 133–134
Heroku platform subdomain takeover example, 140–141
hidden HTML forms, 33, 37
Homakov, Egor, 178
Hopper, 216
Horst, Stefan, 90–91
host headers, 5
HPP. See HTTP parameter pollution (HPP)
HTML. See Hypertext Markup Language (HTML)
HTML injection vulnerabilities, 41–48
    Coinbase, 42–44
    examples, 42–47
    HackerOne, 44–47
    overview, 41–42, 48
    Within Security, 47–48
htmlspecialchars function, 23
HTTP. See Hypertext Transfer Protocol (HTTP)
httponly cookies, 30–31, 50, 56, 185
HTTP parameter pollution (HPP), 19–27
    client-side, 22–23
    HackerOne social sharing buttons, 23–24
    overview, 19–21, 27
    server-side, 20–22
    Twitter unsubscribe notifications, 24–25
    Twitter Web Intents, 25–27
HTTP requests
    browser operations, 4–5
    external vs. internal traffic, 96
    methods, 7–8
    and race conditions, 150
    smuggling and hijacking, 50
    statelessness, 8–9, 30
HTTPScreenShot, 194, 213
HTTPS sites, 31
    and Same Origin Policy, 57
Hypertext Markup Language (HTML). See also HTML injection vulnerabilities
    character encoding, 42–43
    hidden forms, 33, 37
    rendering, 6
Hypertext Transfer Protocol (HTTP). See also HTTP parameter pollution (HPP); HTTP requests; HTTPScreenShot
    HTTPS sites, 31
    messages, 2
    response codes, 5, 6, 12
    response splitting, 50
    standards, 3

I
IDOR. See insecure direct object reference (IDOR) vulnerabilities
id parameters, 121, 157–158
iFrames, 56, 69–70, 159–160
image file types, 124–125
ImageMagick software bugs, 123–125, 128, 202
<img> tags, 32, 36–37, 63–65, 70, 171
Inbound Parse Webhook, 146
IN clause (SQL), 91–92
innerHTML property, 54
input sanitization, 56, 61, 65, 120–121
insecure direct object reference (IDOR) vulnerabilities, 157–165
    ACME customer information disclosure, 163–165
    binary.com privilege escalation, 159–160
    Moneybird app creation, 160–161
    overview, 157–159, 165
    Twitter Mopub API token theft, 161–163
INSERT statements (SQL), 93
Instacart cross-site request forgery, 37–38
integer parameters, 25, 158, 161
internal DTD declarations, 109–110
internal server access, 96–97
Internet Archive Wayback Machine, 192
Internet Explorer CRLF injections, 52

Internet Protocol (IP). See also IP addresses, 3
interstitial web pages, 15–16
Intigriti, 220
introspection concept, 76
IP addresses
    ranges, 101–102, 104, 185–186, 193–194
    resolving, 3–4

J
Jamal, Mahmoud, 16, 38–40, 65–66
JavaScript
    and application logic vulnerabilities, 186–187
    for open redirects, 13, 16
    overview, 6–7
    and XSS payloads, 56–58, 61–62, 67–70
javascript:alert(1) payload, 65–66
JD-GUI, 216
Jinja2 template engine, 72, 74–76, 123

K
Kamkar, Samy, 55
Karlsson, Matthias, 196, 205
Kennedy, Justin, 96
kernel vulnerabilities, 122
Kettle, James, 73, 79, 224
Keybase invitation limit bug, 152
Kinugawa, Masato, 59
KnockPy, 141, 142, 211
krankopwnz (hacker), 51

L
Landry, Jasmin, 127–128
lcamtuf blog, 223
Legal Robot subdomain takeover, 144–145
Leitch, John, 135
libcurl read out of bounds bug, 136
password storage, 111
Liquid Engine template engine, 62, 72
LiveOverflow, 222
local file disclosure, 127
localhost (127.0.0.1), 102, 104–105
local privilege escalation (LPE), 122
Location headers, 6, 12, 50, 54
location property, 13, 16
lock concept, 152, 155
logic problems. See application logic and configuration vulnerabilities
login/logout CSRF, 60–61
logins. See also OAuth vulnerabilities
    authentication, 30
    phishing, 41–42
logouts and cookie expirations, 31
LPE (local privilege escalation), 122

M
mail exchanger (MX) records, 146
Markdown, 44, 46
mass assignment vulnerabilities, 178
Masscan, 213
max-age cookie attribute, 31
Meg tool, 195
memcache, 189
memcpy() method (C language), 135
memory management, 129–133, 136–137
memory vulnerabilities, 129–136
    buffer overflows, 130–133
    libcurl read out of bounds bug, 136
    overview, 129–130, 136–137
    PHP ftp_genlist() integer overflow, 134–135
    Python Hotshot module, 135
    read out of bounds, 133–134
metadata queries, 86–87, 100
Metasploit Framework exploits, 126–127
<meta> tags, 12–13, 45–46
Microsoft login tokens, 173–174
MIME sniffing, 6
mobile hacking, 200
mobile tools, 215–216
model, view, controller architecture (MVC), 77
Moneybird app creation, 160–161
’s bug tracker system, 221
MVC (model, view, controller architecture), 77
MX (mail exchanger) records, 146
Myspace Samy Worm, 55
MySQL, 82–83, 86–87

N
NahamSec blog, 223
nc command, 4
Netcat, 4, 125, 189
Nmap, 188, 193, 213

nslookup command, 188
null bytes, 99, 131
nVisium, 76–77

O
OAuth vulnerabilities, 167–176
    Facebook access tokens, 174–176
    Microsoft login tokens, 173–174
    overview, 167–170, 176
    stealing Slack tokens, 171
    Yahoo!-Flurry password authentication, 171–172
onerror attribute, 62, 64, 66, 69
onfocus attribute, 58
Online Hash Crack, 215
online training, 217–219
OOB (out-of-band) exfiltration, 98
open redirect vulnerabilities, 11–17
    HackerOne interstitial redirect, 13, 15–16
    overview, 11–13, 17
    Shopify login, 14–15
    Shopify theme install, 13–14
OpenSSL, 133–134
Open Web Application Security Project (OWASP), 11, 21, 112, 221
vulnerabilities, 122
OPTIONS method, 7–8, 34, 35
Orange Tsai, 74–76, 87–90, 97, 123, 223
Origin header, 35
Ormandy, Tavis, 202
out-of-band (OOB) exfiltration, 98
OWASP. See Open Web Application Security Project (OWASP)

P
packets, 2
Padelkar, Ashish, 181
page source view, 61
Paolo, Stefano di, 21, 22
Paraschoudis, Symeon, 136
password file exposure examples, 77, 79–80, 111–112, 121–122
paths, 5
payloads
    character encoding, 88–89, 198–199
    cross-site-scripting, 55–58, 61–62, 63, 65
PentesterLab, 218
percent (%), 112
“permission denied”, 102
phishing attacks, 11, 42, 48
PHP
    arrays and functions, 91–93
    call_user_func, 121
    escapeshellcmd, 120–121
    file types, 122–123
    ftp_genlist() integer overflow, 134–135
    function execution, 121–122
    info disclosure bug, 184–186
    Smarty template engine, 72, 78–80
PHP Data Objects (PDO) extension, 90–93
phpinfo function, 185
ping command, 120–121
polyglots, 198
Polyvore website, 125
PornHub, 188–189
ports
    DNS lookup, 102
    and Same Origin Policy, 57
    scanning, 97, 104–105, 188–189, 193–194, 213
    uses of, 4
port scanning tools, 213
Portswigger Blog, 224
POST requests
    in cross-site request forgeries, 32–34, 37–38
    CSRF tokens in, 35, 40
    cURL options for, 124–125, 136
    operations, 8
    with SSRFs, 97
Prasad, Prakhar, 213
preflight OPTIONS calls, 8, 34
prepareQuery (SQL), 91
Prins, Michiel, 126–127, 209
Project Zero blog, 224
proxies. See web proxies
Psyon.org IP address converter, 104
PUT method, 7–8
Pynnonen, Jouko, 64
Python Hotshot module vulnerability, 135
Python Jinja2 engine, 72

Q
quote characters, 56, 57. See also " (double quote); ' (single quote)

R
race conditions, 149–156
    HackerOne invite multiple times, 150–151
    HackerOne payments, 153–154
    Keybase invitation limits, 152–153
    overview, 149–150, 156
    Shopify partners, 154–155
Rafaloff, Eric, 26–27
Rails. See Ruby on Rails
Rails Secret Deserialization exploit, 126–127
Ramadan, Mohamed, 113–114
Rapid7
    on fuzzing, 182
    Rails Secret Deserialization, 127
RCE. See remote code execution (RCE) vulnerabilities
React, 45, 186–187
ReactJS template engine, 72
read out of bounds vulnerabilities, 133–134, 136
reconnaissance, 192–196, 213–214
redirects
    OAuth, 168–170
    parameters, 12, 17
    responses to, 6, 12
    testing for, 96
redirect_to parameter, 12
redirect_uri (OAuth), 169, 171, 175
Referer header, 35
reflected XSS, 58–59
remote code execution (RCE) vulnerabilities, 119–128
    exploit on Algolia, 125–127
    overview, 119–123
    Polyvore and ImageMagick, 123–125
    through SSH, 127–128
render method, 77
Reni, Akhil, 161–163
Repeater tool, 158
Request for Comment (RFC) documents, 3
reserved characters, 42
resource owner (OAuth), 168–170
resource server (OAuth), 168–170
response_type (OAuth), 168–170
Rijal, Rohan, 145–147
rms (hacker), 179
root user access, 122, 127
Rosen, Frans, 145, 201
Ruby ERB template engine, 72, 77
Ruby on Rails
    configuration vulnerability, 178
    and cookie management, 126–127
    dynamic render bug, 76–77
    permissions validation, 179
    and SQLi countermeasures, 83–84
    URL pattern, 197

S
Sadeghipour, Ben, 100, 124–125, 128, 223
Same Origin Policy (SOP), 56–57
samesite cookie attribute, 35–36
Sandbox bypasses, 72–74, 75
sanitization of characters. See also unsanitized input exposures, 49, 54, 56, 198
scan.me subdomain takeover, 142
scopes (OAuth), 167–170
screenshotting, 194, 212–213
SecLists, 141, 195, 212
secret_key_base (Ruby on Rails), 126–127
secure cookie attribute, 31
Secure Socket Shell (SSH), 128
self XSS vulnerabilities, 60
semicolon (;), 110
SendGrid subdomain takeovers, 145–147
serialization, 126
server return messages, 102, 104–105
servers
    defined, 3
    responses, 5–6, 20–21
    staging and development, 188–189
server-side HPP, 19, 20–22
server-side request forgery (SSRF) vulnerabilities, 95–105
    ESEA bug and AWS Metadata query, 98–100
    Google internal DNS bug, 100–104
    internal port scanning, 104–105
    overview, 96–98, 113
server-side template injection (SSTI) vulnerabilities, 72, 74–75, 78–80
shell commands, 119–121, 122–123
shell_exec function, 120
Shodan, 214
Shopify bugs
    administrator privileges bypass, 179
    cross-site request forgeries, 36–37

    currency formatting, 62–63
    open redirect vulnerabilities, 13–15
    partners race condition, 154–155
    response splitting, 51–52
    wholesale website, 61–62
    Windsor subdomain takeover, 142–143
    XSS, 61–63
Shopify Liquid Engine template, 62, 72
Silva, Reginaldo, 113
Slack OAuth token bug, 171
sleep command, 87, 90
Smarty template engine, 72, 78–80, 123
Snapchat Fastly subdomain takeover, 143–144
social engineering, 41–42, 48
software libraries as bug sites, 123, 125
SOP (Same Origin Policy), 56–57
Sopas, David, 115–117
source viewing, 61
Spelsberg, Max, 134
SQL databases
    overview, 82–83
    prepared statements, 83–84, 90–91
SQL injection (SQLi) attacks, 81–93
    countermeasures, 83–84
    Drupal SQLi, 90–93
    overview, 81–83, 93
    with SSRF responses, 98
    Uber blind SQLi, 87–90
    Yahoo! Sports blind SQLi, 84–87
sqlmap, 89, 215
SQL statements, 82–83
SSH (Secure Socket Shell), 128
SSL pinning, 200
SSL registration tracking sites, 143, 193
SSRF. See server-side request forgery (SSRF) vulnerabilities
SSTI (server-side template injection) vulnerabilities, 72, 74–75, 78–80
stack memory, 131–132
state (OAuth), 169
status codes, 5, 6, 13, 158
stored XSS, 59, 66–70, 100
subdomains
    enumerating, 128, 188–189, 192–193, 211
    overview, 139–140
subdomain takeover vulnerabilities, 139–147
    Legal Robot takeover, 144–145
    Sendgrid mail takeover, 145–147
    overview, 139, 141–141, 147, 189
    scan.me pointing to Zendesk, 142
    Shopify Windsor takeover, 142–143
    Snapchat Fastly takeover, 143–144
    SendGrid mail takeover, 145–147
    Ubiquiti CNAME example, 141–142
SubFinder, 192–193, 211
SUID (specified user ID), 122
Swinnen, Arne, 140–141
Synack, 220

T
The Tangled Web (Zalewski), 221
Tasci, Mert, 24–25
technology identification techniques, 196–197
template engines, defined, 71, 71–80
template injection vulnerabilities, 71–80
    overview, 71–73, 80
    Rails dynamic render, 76–80
    Uber template injections, 73–76
testing methods, 196–200
text/plain content-type requests, 33
Thakkar, Jigar, 153–154
third party services exposures, 140, 142, 144–145, 146–147, 180, 197
tools list. See also hacking resources, 209–216
top-level domains, 139
TRACE method, 7–8
Transmission Control Protocol (TCP) connections, 4
Twitter bugs
    account protections, 180
    HTTP response splitting, 52–54
    Mopub API token theft, 161–163
    unsubscribe notification, 24–25
    Web Intents, 25–27
Twitter security resource tweets, 221
two-factor authentication (2FA), 183–184

U
Uber bugs
    AngularJS template injection, 73–74, 123
    blind SQLi, 87–90
    Jinja2 template injection, 74–76

Ubiquiti subdomain takeover, 141–142
Udacity, 219
Ullger, Aaron, 180
Unicode characters, 52–53
Uniform Resource Identifier (URI), 7
Uniform Resource Locator (URL). See also HTTP parameter pollution (HPP); open redirect vulnerabilities
    defined, 7
    fragment, 69
    name parameters, 93
    parameter passing, 22–23, 47–48, 84–87
    parsing and decoding, 19–23, 173–174
    rendering, 57, 66, 98, 99
Unikrn bug, 78–80, 123
unintended actions, 2
universal unique identifiers (UUIDs), 158–159
unsanitized input exposures. See also cross-site scripting (XSS) vulnerabilities; remote code execution (RCE) vulnerabilities, 49
URI (Uniform Resource Identifier), 7
URL. See Uniform Resource Locator (URL)
User Agent Switcher, 216
user id exploitation, 122
UUIDs (universal unique identifiers), 158–159

V
verification processes, 154–155
Vettorazi, Stefano, 84–87
view-source:URL, 61
virtual defacement, 41–42
virtual private server (VPS), 192
VPS (virtual private server), 192
vulnerabilities
    after code fixes, 46–47, 125
    defined, 2
vulnerability disclosure programs (VDPs). See also bug bounty programs, 2

W
Wappalyzer, 72, 78, 196, 216
Wayback Machine, 192
The Web Application Hacker’s Handbook (Stuttard and Pinto), 198, 221
Web Development Tutorials YouTube channel, 222
web frameworks, 83–84
webhooks, 104–105, 146, 147
web page source view, 61
web proxies, 37, 158, 210–211
. See also domains
    browser access steps, 3–7
    new functionality exposures, 181, 186–187, 201
    redirection to malicious, 11, 12, 17
WeSecureApp (hacker), 36–37
Wfuzz, 212
What CMS, 214
white labeling, 146
white-listed assets, 34, 174–176
Whitton, Jack, 61, 173–174, 223
whoami command, 98
Wikiloc XXE, 115–117
wildcards
    and certificates, 143, 144
    and subdomains, 145, 147
window.location function, 13, 39–40
window.onload function, 39
Wireshark web proxy, 210
Within Security content spoofing, 47–48

X
XML. See eXtensible Markup Language (XML)
XML External Entity (XXE) vulnerabilities, 107–117
    Facebook XXE with Microsoft Word, 112–114
    overview, 107, 111–112
    read access to Google bug, 112
    Wikiloc XXE, 115–117
XSS Auditors, 58–59
XSSHunter, 60, 198, 215
XSS Jigsaw blog, 224
XSS vulnerabilities. See cross-site scripting (XSS) vulnerabilities
XXE. See XML External Entity (XXE) vulnerabilities

Y
Yahoo! bugs
    Flurry password authentication, 172
    Mail, 63–65
    PHP information disclosure, 184–186
    Sports blind SQLi, 84–87
Yaworski, Peter, 104–105, 150–151, 160–161, 163–165, 181–183
ysoserial, 127, 215

Z
Zalewski, Michal, 223
ZAP Proxy, 37, 38, 211
Zendesk
    redirects, 15–16
    subdomain takeovers, 142
Zerocopter, 220
ZeroSec blog, 224
zseano (hacker), 143
