Hands-On Bug Hunting for Penetration Testers: A practical guide to help ethical hackers discover web application security flaws

Joseph Marshall

Product Description

Detailed walkthroughs of how to discover, test, and document common web application vulnerabilities.

Key Features

  • Learn how to test for common bugs
  • Discover tools and methods for hacking ethically
  • Practice working through pentesting engagements step-by-step

Book Description

Bug bounties have quickly become a critical part of the security economy. This book shows you how technical professionals with an interest in security can begin participating productively, and profitably, in bug bounty programs.

You will learn about SQLi, NoSQLi, XSS, XXE, and other forms of code injection. You'll see how to create CSRF PoC HTML snippets, how to discover hidden content (and what to do with it once it's found), and how to build the tools for automated pentesting workflows.

Then, you'll format all of this information within the context of a bug report that will have the greatest chance of earning you cash.

With detailed walkthroughs that cover discovering, testing, and reporting vulnerabilities, this book is ideal for aspiring security professionals. You should come away from this work with the skills you need to not only find the bugs you're looking for, but also the best bug bounty programs to participate in, and how to grow your skills moving forward in freelance security research.

What you will learn

  • Choose what bug bounty programs to engage in
  • Understand how to minimize your legal liability and hunt for bugs ethically
  • See how to take notes that will make compiling your submission report easier
  • Know how to take an XSS vulnerability from discovery to verification, and report submission
  • Automate CSRF PoC generation with Python
  • Leverage Burp Suite for CSRF detection
  • Use WPScan and other tools to find vulnerabilities in WordPress, Django, and Ruby on Rails applications
  • Write your report in a way that will earn you the maximum amount of money

Who this book is for

This book is written for developers, hobbyists, pentesters, and anyone with an interest (and a little experience) in web application security.

Table of Contents

  1. Joining the Hunt
  2. Choosing Your Hunting Ground
  3. Preparing for an Engagement
  4. Unsanitized Data; An XSS Case Study
  5. SQL, Code Injection, and Scanners
  6. CSRF and Insecure Session Authentication
  7. Detecting XML External Entities
  8. Access Control and Security Through Obscurity
  9. Framework and Application-Specific Vulnerabilities
  10. Formatting Your Report
  11. Other Tools
  12. Other (Out of Scope) Vulnerabilities
  13. Going Further
  14. Assessment
