Real-World Bug Hunting: A Field Guide to Web Hacking

Yaworski, Peter




Uses real-world bug reports (vulnerabilities in software, here specifically in web applications) to teach programmers and InfoSec professionals how to discover and protect against vulnerabilities in web applications.

Real-World Bug Hunting is a field guide to finding software bugs. Ethical hacker Peter Yaworski breaks down common types of bugs, then contextualizes them with real bug bounty reports released by hackers on companies like Twitter, Facebook, Google, Uber, and Starbucks. As you read each report, you'll gain deeper insight into how the vulnerabilities work and how you might find similar ones.

Each chapter begins with an explanation of a vulnerability type, then moves into a series of real bug bounty reports that show how the bugs were found. You'll learn things like how Cross-Site Request Forgery tricks users into unknowingly submitting information to websites they are logged into; how to pass along unsafe JavaScript to execute Cross-Site Scripting; how to access another user's data via Insecure Direct Object References; how to trick websites into disclosing information with Server Side Request Forgeries; and how bugs in application logic can lead to pretty serious vulnerabilities. Yaworski also shares advice on how to write effective vulnerability reports and develop relationships with bug bounty programs, and recommends hacking tools that can make the job a little easier.



"Real-World Bug Hunting is a field guide to finding software bugs. Ethical hacker Peter Yaworski breaks down common types of vulnerabilities and contextualizes them with real bug bounty reports publicly disclosed by hackers on companies such as Twitter, Facebook, Google, Uber, and Starbucks. As you read each report, you will gain a deeper understanding of how the vulnerabilities work and how to find similar ones."

"Each chapter begins with an explanation of a vulnerability type, then moves into a series of real bug bounty reports that show how the vulnerabilities were found. You will learn techniques such as how Cross-Site Request Forgery tricks users into unknowingly submitting information to websites they are logged into; how to pass along unsafe JavaScript to execute Cross-Site Scripting; how to access other users' data via Insecure Direct Object References; how to trick websites into disclosing information with Server Side Request Forgeries; and how bugs in application logic can lead to fairly serious vulnerabilities. Yaworski also shares advice on writing effective vulnerability reports and building relationships with bug bounty programs, and recommends hacking tools that can make the job easier."


Peter Yaworski is a self-taught developer and ethical hacker who began building websites exclusively with Drupal. Since then, he has expanded his interest to Rails, Android app development, and software security, while producing over 100 video tutorials and interviews on YouTube covering ethical hacking, web development, and Android to help teach others what he's learned. Peter continues to be an active bug bounty participant with thanks from Shopify, HackerOne, Salesforce, Twitter, Starbucks and the US Department of Defense among others.


Peter Yaworski is a self-taught developer and ethical hacker who initially focused on building websites with Drupal. Since then, he has expanded his interests to Rails, Android app development, and software security, while producing over 100 video tutorials and interviews on YouTube covering ethical hacking, web development, and Android to help others learn what he has learned. Peter continues to be an active bug bounty participant, with thanks from Shopify, HackerOne, Salesforce, Twitter, Starbucks, and the US Department of Defense, among others.