INDEX

Symbols and Numbers
; (semicolon), 110
-- (MySQL comment), 83, 84
<> (angle brackets), 53, 56
../ file path reference, 128
/ (forward slash), 99
| (pipe), 124
` (backtick), 122, 124
" (double quote), 56
' (single quote), 44–46, 56
# (hash), 44, 69
% (percent), 112
%00 (null byte), 99
%0A (line feed), 49
%0D (carriage return), 49
& (ampersand), 22–23, 110, 112
2FA (two-factor authentication), 183–184
32-bit processors, 133
64-bit processors, 133
127.0.0.1 (localhost), 102, 104–105
.docx file type, 113–114
!ELEMENT (XML), 110, 111–112
!ENTITY (XML), 110, 111–112
<img> tags, 32, 36–37, 63–65, 70, 171
<s> tag, 198

A
Abma, Jobert, 183–184, 198, 207–208
about:blank context, 57
Access-Control-Allow-Origin header, 34
access_denied parameter, 47
access_token (OAuth), 169–170
ACME customer information disclosure, 163–165
Ahrens, Julien, 101–104
alert function, 56, 65, 69–70
Algolia remote code execution bug, 125–127
Amass, 211
Amazon Simple Storage (S3)
    and bucket permissions, 181–183
    subdomain takeovers, 141–142
Amazon Web Services, 192
ampersand (&), 22–23, 110, 112
angle brackets (<>), 53, 56
AngularJS template engine
    injection examples, 73–74, 198–199
    Sandbox bypasses, 72–73
API. See application programming interface (API)
apok (hacker), 186
application/json content-type, 33–34, 35
application logic and configuration vulnerabilities, 177–190
    GitLab two-factor authentication bug, 183–184
    HackerOne and S3 bucket permissions, 181–183
    HackerOne Hacktivity voting, 186–187
    HackerOne Signal manipulation, 180–181
    overview, 177–178, 189–190
    PornHub memcache installation, 188–189
    Shopify administrator privileges bypass, 179
    Twitter account protections, 180
    Yahoo! PHP info disclosure, 184–186
application programming interface (API), 7, 37–38, 90, 180, 197
application/x-www-form-urlencoded content-type, 32–34, 35
Aquatone, 194
A records, 140
arrays, 91–93
asset takeovers, 174–176. See also subdomain takeover vulnerabilities
Assis, Rodolfo, 69–70
authentication
    HTTP requests, 50, 54, 150
    misconfigurations, 173–174, 197
    process, 30
Authmatrix plug-in, 160
autofocus attribute, 58
automation techniques, 185–186, 200
Autorize plug-in, 160
AWS metadata query bug, 100

B
Bacchus, Adam, 206
background jobs, 153–154, 156
backtick (`), 122, 124
Badoo full account takeover, 38–40
banking application illustrations
    cross-site request forgeries, 29–30, 31–34
    HTTP parameter pollution, 20–22
    race conditions, 149–150
base64-encoded content, 9
bash, 120, 185–186
binary.com privilege escalation, 159–160
blacklisted characters, 52
blind SQLi, 84–87
blind SSRFs, 97–98
blind XSS attacks, 60, 198
Boolean attribute checks, 64, 86–87
Bounty Factory, 219
browsers
    and cookies, 30–31
    operations, 6–7
    plug-ins for, 216
brute-forcing, 88–89, 195, 199, 211
Bryant, Matthew, 60, 223
Bucket Finder, 182, 214
Buerhaus, Brett, 99–100, 222
buffer overflow vulnerabilities, 130–133, 134–135
bug bounties, 2
    platforms, 219–220
    programs, 2, 90, 123, 188, 189, 203–204
Bugbounty JP, 219
Bugcrowd resources, 219, 222, 223
A Bug Hunter’s Diary (Klein), 220
The Bug Hunters Methodology (Haddix), 220
bug reporting
    after disclosures, 125
    approach, 204–207
    and hacker’s reputation, 205–206
    informative, 163–164
    permission to test further, 76
    proof of concept tips, 145
    responses to, 16, 164–165
    rewards appeals, 207–208
bugs previously reported, 125, 196
BuiltWith, 72, 213
Burp Suite, 40, 152, 158, 160, 195, 199–200, 210

C
Cable, Jack, 172
cache poisoning, 50
call_user_func (PHP), 121
Carettoni, Luca, 21, 22
carriage return line feed (CRLF)
    CRLF injection vulnerabilities, 49–54
    overview, 49–50, 54
    Shopify response splitting, 51–52
    Twitter response splitting, 52–54
Cascading Style Sheets (CSS), 6
C/C++ memory management, 129–133, 135
CDNs (content delivery networks), 144
censys.io website, 143, 214
certificate hashes tracking site, 143
Chan, Ron, 224
characters. See also sanitization of characters
    blacklisted, 52–53
    encoding, 42–45, 49, 88–90, 173–174
Charles (web proxy), 210
client-side HPP, 19, 22–23
client-side template injection (CSTI) vulnerabilities, 72–73, 73–74
clients
    defined, 3
    OAuth resource, 168–170
CNAME records, 140–146
Cobalt, 219
Coinbase comment injection, 42–43
comments in SQL queries, 83, 84, 92
companies
    acquisition process exposures, 142
    and bug bounty programs, 2, 204, 206–208
configuration vulnerabilities, 177–178
CONNECT method, 7–8
connection headers, 5
content attribute, 13, 45
content delivery networks (CDNs), 144
content discovery, 195
content spoofing, 41–42, 48
content-type headers, 6, 32–34, 35, 54
cookies
    and carriage return line feed injection, 50, 51–54
    in cross-site request forgeries, 32, 35–36
    in cross-site scripting, 56
    forgeries on, 126–127, 128
    operations and attributes, 30–31
    in subdomain takeovers, 140–141
CORS. See cross-origin resource sharing (CORS)
Coursera, 218
CRLF characters. See carriage return line feed (CRLF)
CRLF injection. See carriage return line feed (CRLF), 49–54
cross-origin resource sharing (CORS), 34, 35, 38
cross-site request forgery (CSRF), 29–40
    Badoo full account takeover, 38–40
    defenses, 34–36
    Instacart, 37–38
    overview, 29–30, 40
    vs. server-side request forgeries, 95
    Shopify Twitter disconnect, 36–37
cross-site scripting (XSS) vulnerabilities, 55–70. See also XSS Jigsaw blog; XSSHunter
    and client-side template injections, 72
    Google image search, 65–66
    Google tag manager, 66–67
    overview, 55–58
    Shopify currency formatting, 62–63
    Shopify wholesale, 61–62
    types, 58–61
    United Airlines, 67–70
    Yahoo! Mail stored XSS, 63–65
crt.sh website, 143, 211
CSRF. See cross-site request forgery (CSRF)
CSRF tokens, 33–35, 38–40, 45
CSTI. See client-side template injection (CSTI) vulnerabilities
Cure53 Browser Security White Paper, 220
cURL requests, 124–125, 136
CVEs (disclosed security issues), 127
CyberChef, 44, 214

D
dangerouslySetInnerHTML function, 45, 72
databases, 150–151. See also SQL databases
db_query function (SQL), 92
De Ceukelaire, Inti, 44–46
DELETE method, 7–8
deserialization, 126–127
Detectify Labs, 112, 201, 223
dex2jar, 215
“did not respond”, 102
dig A command, 4
directory and file enumeration tools, 212
disclosed security issues (CVEs), 127
DNS. See Domain Name System (DNS)
Document Object Model (DOM), 7, 13, 45
document parameters, 16, 56
document type definitions (DTDs), 108–110
domain cookie attribute, 30–31
Domain Name System (DNS), 3–4, 14, 97–98, 101–104, 141, 142
domain names, 3, 139–140
domain_name parameter, 14
DOM-based XSS, 59–60
Drupal SQLi, 90–93
DTDs (document type definitions), 108–110

E
Ebrietas (hacker), 144
EdOverflow (hacker), 146–147
email bug hunting examples, 74–76, 78–80, 87–90
Emek, Tanner, 154–155
encoded characters, 42–45, 49, 173–174, 197
error messages, 144
escapeshellcmd (PHP), 120–121
E-Sports Entertainment Association (ESEA) bug, 98–100
expandArguments function (SQL), 91–92
expires cookie attribute, 31
Exploit Database (DB), 195, 218
eXtensible Markup Language (XML), 110–117
    entities, 110
    overview, 107–110
    parsing and file types, 111–117
external HTTP requests, 96–97, 100–104, 104–105
EyeWitness, 127, 188, 212

F
Facebook
    and OAuth access token bug, 174–176
    ReactJS template engine, 72
    XXE with Microsoft Word bug, 112–114
Fastly, 144
Fehrenbach, Patrik, 66–67, 185–186, 222, 224
Fiddler (web proxy), 210
file and directory enumeration tools, 212
FileDescriptor (hacker), 46, 52–53, 59, 202, 224
file path expressions, 128
file types, 99, 114, 124–125, 197
file uploads, 122–123
filtered ports, 97
Firefox cookie bug, 52
firewall evasion, 50
flags on command line, 121
Flask Jinja2 template injection, 74, 123
Flurry password authentication, 172
forms
    hidden HTML, 33, 37
    as HTML injection, 42–43
forward slash (/), 99
FoxyProxy add-on, 216
Franjković, Josip, 152
ftp_genlist() function (PHP), 134–135
functionality mapping, 197–198
function execution, 121–122
fuzzing, 182

G
Gamal, Mahmoud, 159
GET requests
    in cross-site request forgeries, 31–32, 35, 40
    with open redirects, 12, 13
    operations, 7
    and server-side modifications, 36–37
    with SSRFs, 97
Ghostscript vulnerabilities, 202
Gill, Andy, 188–189, 224
GitHub, 126, 141, 178, 195
GitLab two-factor authentication bug, 183–184
Gitrob, 126, 195, 215
Gobuster, 195, 212
Google
    AngularJS template engine, 72–73, 73–76
    bug bounty program, 11
    dig tool, 101–104
    internal DNS SSRF, 100–104
Google bugs
    image search, 65–66
    tag manager, 66–67
    XXE vulnerability, 112
Google Chrome XSS Auditor, 59
Google dorking, 99, 100, 162, 195, 214
Google Gruyere, 218
Gowitness, 194, 212

H
The Hacker Blog, 223
Hacker101, 218
HackerOne bugs
    Hacktivity voting, 186–187
    interstitial redirect vulnerability, 13, 15–16
    invite multiple times, 150–151
    payments race condition, 153–154
    and S3 bucket permissions, 181–183
    Signal manipulation, 180–181
    social sharing buttons, 23–24
    unintended HTML inclusion, 44–47
HackerOne resources, 219, 221, 223
hacking blogs, 222–224
hacking techniques, 191–202
    efficiency suggestions, 200–202
    overview, 191–192, 202
    reconnaissance, 192–196
    testing, 196–200
Hacking: The Art of Exploitation (Erickson), 221
hacking tools, 214–215
Hack the Box, 218
Harewood, Philippe, 174–176, 201, 224
harry_mg (hacker), 142
Hasan, Mustafa, 67–70
hash (#), 44, 69
headers
    host and connection, 5
    injections, 50–52
HEAD method, 7–8
Heartbleed bug, 133–134
Heroku platform subdomain takeover example, 140–141
Hypertext Markup Language (HTML). See also HTML injection vulnerabilities
    character encoding, 42–43
    hidden forms, 33, 37
    rendering, 6
Hypertext Transfer Protocol (HTTP). See also HTTP parameter pollution (HPP); HTTP requests; HTTPScreenShot
    HTTPS sites, 31
    messages,