Hands-On Bug Hunting for Penetration Testers
Joseph Marshall. Updated: 2021-07-16 17:54:01
Latest chapter: Leave a review - let other readers know what you think
Cover
Title Page
Copyright and Credits
Hands-On Bug Hunting for Penetration Testers
Dedication
Packt Upsell
Why subscribe?
Packt.com
Contributors
About the author
About the reviewers
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Conventions used
Get in touch
Reviews
Joining the Hunt
Technical Requirements
The Benefits of Bug Bounty Programs
What You Should Already Know – Pentesting Background
Setting Up Your Environment – Tools To Know
What You Will Learn – Next Steps
How (Not) To Use This Book – A Warning
Summary
Questions
Further Reading
Choosing Your Hunting Ground
Technical Requirements
An Overview of Bug Bounty Communities – Where to Start Your Search
Third-Party Marketplaces
Bugcrowd
HackerOne
Vulnerability Lab
BountyFactory
Synack
Company-Sponsored Initiatives
Google
Facebook
Amazon
GitHub
Microsoft
Finding Other Programs
Money Versus Swag Rewards
The Internet Bug Bounty Program
ZeroDisclo and Coordinated Vulnerability Disclosures
The Vulnerability of Web Applications – What You Should Target
Evaluating Rules of Engagement – How to Protect Yourself
Summary
Questions
Further Reading
Preparing for an Engagement
Technical Requirements
Tools
Using Burp
Attack Surface Reconnaissance – Strategies and the Value of Standardization
Sitemaps
Scanning and Target Reconnaissance
Brute-forcing Web Content
Spidering and Other Data-Collection Techniques
Burp Spider
Striker
Scrapy and Custom Pipelines
Manual Walkthroughs
Source Code
Building a Process
Formatting the JS Report
Downloading the JavaScript
Putting It All Together
The Value Behind the Structure
Summary
Questions
Further Reading
Unsanitized Data – An XSS Case Study
Technical Requirements
A Quick Overview of XSS – The Many Varieties of XSS
Testing for XSS – Where to Find It and How to Verify It
Burp Suite and XSS Validator
Payload Sets
Payload Options
Payload Processing
XSS – An End-To-End Example
XSS in Google Gruyere
Gathering Report Information
Category
Timestamps
URL
Payload
Methodology
Instructions to Reproduce
Attack Scenario
Summary
Questions
Further Reading
SQL Code Injection and Scanners
Technical Requirements
SQLi and Other Code Injection Attacks – Accepting Unvalidated Data
A Simple SQLi Example
Testing for SQLi With Sqlmap – Where to Find It and How to Verify It
Trawling for Bugs – Using Google Dorks and Python for SQLi Discovery
Google Dorks for SQLi
Validating a Dork
Scanning for SQLi With Arachni
Going Beyond Defaults
Writing a Wrapper Script
NoSQL Injection – Injecting Malformed MongoDB Queries
SQLi – An End-to-End Example
Gathering Report Information
Category
Timestamps
URL
Payload
Methodology
Instructions to Reproduce
Attack Scenario
Final Report
Summary
Questions
Further Reading
CSRF and Insecure Session Authentication
Technical Requirements
Building and Using CSRF PoCs
Creating a CSRF PoC Code Snippet
Validating Your CSRF PoC
Creating Your CSRF PoC Programmatically
CSRF – An End-to-End Example
Gathering Report Information
Category
Timestamps
URL
Payload
Methodology
Instructions to Reproduce
Attack Scenario
Final Report
Summary
Questions
Further Reading
Detecting XML External Entities
Technical requirements
A simple XXE example
XML injection vectors
XML injection and XXE – stronger together
Testing for XXE – where to find it and how to verify it
XXE – an end-to-end example
Gathering report information
Category
Timestamps
URL
Payload
Methodology
Instructions to reproduce
Attack scenario
Final report
Summary
Questions
Further reading
Access Control and Security Through Obscurity
Technical Requirements
Security by Obscurity – The Siren Song
Data Leaks – What Information Matters?
API Keys
Access Tokens
Passwords
Hostnames
Machine RSA/Encryption Keys
Account and Application Data
Low Value Data – What Doesn’t Matter
Generally Descriptive Error Messages
404 and Other Non-200 Error Codes
Username Enumeration
Browser Autocomplete or Save Password Functionality
Data Leak Vectors
Config Files
Public Code Repos
Client Source Code
Hidden Fields
Error Messages
Unmasking Hidden Content – How to Pull the Curtains Back
Preliminary Code Analysis
Using Burp to Uncover Hidden Fields
Data Leakage – An End-to-End Example
Gathering Report Information
Final Report
Summary
Questions
Further Reading
Framework and Application-Specific Vulnerabilities
Technical Requirements
Known Component Vulnerabilities and CVEs – A Quick Refresher
WordPress – Using WPScan
WPScan as a Dockerized CLI
Burp and WPScan
Ruby on Rails – Rubysec Tools and Tricks
Exploiting RESTful MVC Routing Patterns
Checking the Version for Particular Weaknesses
Testing Cookie Data and Authentication
Django – Strategies for the Python App
Checking for DEBUG = True
Probing the Admin Page
Summary
Questions
Further Reading
Formatting Your Report
Technical Requirements
Reproducing the Bug – How Your Submission Is Vetted
Critical Information – What Your Report Needs
Maximizing Your Award – The Features That Pay
Example Submission Reports – Where to Look
HackerOne Hacktivity
Vulnerability Lab Archive
GitHub
Summary
Questions
Further Reading
Other Tools
Technical Requirements
Evaluating New Tools – What to Look For
Paid Versus Free Editions – What Makes a Tool Worth It?
A Quick Overview of Other Options – Nikto, Kali, Burp Extensions, and More
Scanners
Nikto
Zed Attack Proxy
w3af
nmap and python-nmap
Aircrack-ng
Wireshark
SpiderFoot
Resources
FuzzDB
Pentesting Cheatsheet
Exploit DB
Awesome Web Security
Kali Linux
Source Code Analysis (White Box) Tools
Pytaint
Bandit
Brakeman
Burp
Burp Extensions
JSON Beautifier
Retire.js
Python Scripter
Burp Notes
Burp REST API
SaaS-Specific Extensions
Using Burp Pro to Generate a CSRF PoC
Metasploit and Exploitation Frameworks
Summary
Questions
Further Reading
Other (Out of Scope) Vulnerabilities
Technical Requirements
DoS/DDoS – The Denial-of-Service Problem
Sandboxed and Self-XSS – Low-Threat XSS Varieties
Non-Critical Data Leaks – What Companies Don’t Care About
Emails
HTTP Request Banners
Known Public Files
Missing HttpOnly Cookie Flags
Other Common No-Payout Vulnerabilities
Weak or Easily Bypassed Captchas
The HTTP OPTIONS Method Enabled
BEAST (CVE-2011-3389) and Other SSL-Based Attacks
Brute Forcing Authentication Systems
CSRF Logout
Anonymous Form CSRF
Clickjacking and Clickjacking-Enabled Attacks
Physical Testing Findings
Outdated Browsers
Server Information
Rate-Limiting
Summary
Questions
Further Reading
Going Further
Blogs
The SANS Institute
Bugcrowd
Darknet
HighOn.Coffee
Zero Day Blog
SANS AppSec Blog
Courses
Penetration Testing With Kali Linux
The Infosec Institute Coursework
Udemy Penetration Testing Classes
Terminology
Attack Scenario
Attack Surface
Black Box Testing
Bugs
Bug Bounty Programs
CORS
Data Exfiltration
Data Sanitation
Data Leakage
Exploit
Fingerprinting
Fuzzing
Google Dorks
Known Component Vulnerabilities
OSINT
Passive Versus Active Scanning
Payload
Proof-of-Concept (PoC)
Rules of Engagement (RoE)
Red Team
Remote Code Execution (RCE)
Safe Harbor
Scope
Security Posture
Single-Origin Policy
Submission Report
Vulnerability
White Box Testing
Workflow
Zero-Day
Summary
Questions
Further Reading
Assessment
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Chapter 8
Chapter 9
Chapter 10
Chapter 11
Chapter 12
Chapter 13
Other Books You May Enjoy
Leave a review - let other readers know what you think