
Web Hacking 101
How to Make Money Hacking Ethically
Peter Yaworski

This book is for sale at http://leanpub.com/web-hacking-101

This version was published on 2017-01-04

This is a Leanpub book. Leanpub empowers authors and publishers with the Lean Publishing process. Lean Publishing is the act of publishing an in-progress ebook using lightweight tools and many iterations to get reader feedback, pivot until you have the right book and build traction once you do.

© 2015 - 2017 Peter Yaworski

Tweet This Book!

Please help Peter Yaworski by spreading the word about this book on Twitter! The suggested tweet for this book is: Can’t wait to read Web Hacking 101: How to Make Money Hacking Ethically by @yaworsk #bugbounty

The suggested hashtag for this book is #bugbounty. Find out what other people are saying about the book by clicking on this link to search for this hashtag on Twitter: https://twitter.com/search?q=#bugbounty

To Andrea and Ellie, thank you for supporting my constant roller coaster of motivation and confidence. Not only would I never have finished this book without you, my journey into hacking never would have even begun.

To the HackerOne team, this book wouldn’t be what it is if it were not for you. Thank you for all the support, feedback and work that you contributed to make this book more than just an analysis of 30 disclosures.

Lastly, while this book sells for a minimum of $9.99, sales at or above the suggested price of $19.99 help me to keep the minimum price low, so this book remains accessible to people who can’t afford to pay more. Those sales also allow me to take time away from hacking to continually add content and make the book better so we can all learn together. While I wish I could list everyone who has paid more than the minimum to say thank you, the list would be too long and I don’t actually know any contact details of buyers unless they reach out to me.
However, there is a small group who paid more than the suggested price when making their purchases, which really goes a long way. I’d like to recognize them here. They include:

1. @Ebrietas0
2. Mystery Buyer
3. Mystery Buyer
4. @nahamsec (Ben Sadeghipour)
5. Mystery Buyer
6. @Spam404Online
7. @Danyl0D (Danylo Matviyiv)
8. Mystery Buyer
9. @arneswinnen (Arne Swinnen)

If you should be on this list, please DM me on Twitter. To everyone who purchased a copy of this, thank you!

Contents

1. Foreword
2. Introduction
   How It All Started
   Just 30 Examples and My First Sale
   Who This Book Is Written For
   Chapter Overview
   Word of Warning and a Favour
3. Background
4. Open Redirect Vulnerabilities
   Description
   Examples
     1. Shopify Theme Install Open Redirect
     2. Shopify Login Open Redirect
     3. HackerOne Interstitial Redirect
   Summary
5. HTTP Parameter Pollution
   Description
   Examples
     1. HackerOne Social Sharing Buttons
     2. Twitter Unsubscribe Notifications
     3. Twitter Web Intents
   Summary
6. Cross-Site Request Forgery
   Description
   Examples
     1. Shopify Export Installed Users
     2. Shopify Twitter Disconnect
     3. Badoo Full Account Takeover
   Summary
7. HTML Injection
   Description
   Examples
     1. Coinbase Comments
     2. HackerOne Unintended HTML Inclusion
     3. Within Security Content Spoofing
   Summary
8. CRLF Injection
   Description
     1. Twitter HTTP Response Splitting
     2. v.shopify.com Response Splitting
   Summary
9. Cross-Site Scripting
   Description
   Examples
     1. Shopify Wholesale
     2. Shopify Giftcard Cart
     3. Shopify Currency Formatting
     4. Yahoo Mail Stored XSS
     5. Google Image Search
     6. Google Tagmanager Stored XSS
     7. United Airlines XSS
   Summary
10. Template Injection
   Description
   Examples
     1. Uber Angular Template Injection
     2. Uber Template Injection
     3. Rails Dynamic Render
   Summary
11. SQL Injection
   Description
   Examples
     1. Drupal SQL Injection
     2. Yahoo Sports Blind SQL
   Summary
12. Server Side Request Forgery
   Description
   Examples
     1. ESEA SSRF and Querying AWS Metadata
   Summary
13. XML External Entity Vulnerability
   Description
   Examples
     1. Read Access to Google
     2. Facebook XXE with Word
     3. Wikiloc XXE
   Summary
14. Remote Code Execution
   Description
   Examples
     1. Polyvore ImageMagick
     2. Algolia RCE on facebooksearch.algolia.com
     3. Foobar Smarty Template Injection RCE
   Summary
15. Memory
   Description
     Buffer Overflow
     Read out of Bounds
     Memory Corruption
   Examples
     1. PHP ftp_genlist()
     2. Python Hotshot Module
     3. Libcurl Read Out of Bounds
     4. PHP Memory Corruption
   Summary
16. Sub Domain Takeover
   Description
   Examples
     1. Ubiquiti Sub Domain Takeover
     2. Scan.me Pointing to Zendesk
     3. Shopify Windsor Sub Domain Takeover
     4. Snapchat Fastly Takeover
     5. api.legalrobot.com
     6. Uber SendGrid Mail Takeover
   Summary
17. Race Conditions
   Description
   Examples
     1. Starbucks Race Conditions
     2. Accepting HackerOne Invites Multiple Times
   Summary
18. Insecure Direct Object References
   Description
   Examples
     1. Binary.com Privilege Escalation
     2. Moneybird App Creation
     3. Twitter Mopub API Token Stealing
   Summary
19. OAuth
   Description
   Examples
     1. Swiping Facebook Official Access Tokens
     2. Stealing Slack OAuth Tokens
     3. Stealing Google Drive Spreadsheets
   Summary
20. Application Logic Vulnerabilities
   Description
   Examples
     1. Shopify Administrator Privilege Bypass
     2. HackerOne Signal Manipulation
Details
File Type: pdf
Content Languages: English
File Pages: 216