Introduction
Hello Friends and welcome to HaXeZ. This week I’ve been reading Real-World Bug Hunting — A Field Guide to Web Hacking, written by Peter Yaworski and published by no starch press. I purchased this book from Amazon for around £20.00 which in my opinion is well worth the money.
Real-World Bug Hunting Initial Thoughts
I bought this book because I wanted to improve my application penetration testing skills. At the present time, Web Application tests are a huge category in information security. Overall, I’ve probably done more Web Application tests than any other type of test since entering the industry. In short, there are so many different technologies and attack vectors to consider when testing web applications. It can be overwhelming if you’re new to the industry. For the most part, I wanted to read this book to expand my current knowledge and to improve my testing methodology. It did just that. The author covers a lot of areas in this book and gives real-world examples of bug bounties that have been submitted to Hacker One.
HTTP Parameter Pollution Bug Hunting
One of the first topics that the author covers is Server-Side and Client-Side HTTP Parameter Pollution. For instance, he talks about how adding additional parameters to the URL to see which one gets processed could lead to a vulnerability. Furthermore, he uses an example of performing a funds transfer on a banking website. He explains that adding an additional account parameter to the URL could result in a vulnerability. I won’t go into specifics but the way that the server processes the request determines which account the funds are removed from. The author also gives a real-world example of someone who was able to unsubscribe other users from Twitter notifications, which I thought was hilarious.
Cross-Site Request Forgery Bug Hunting
Cross-Site Request Forgery is when a threat actor tricks an unsuspecting user into opening a link. The link will direct the user to a malicious website that sends a request to a legitimate website. Provided that the user has session cookies stored in their browser, the request would be authenticated and succeed. The author uses an example of when a hacker discovered a CSRF attack that affected Twitter and Shopify. To clarify, the hacker was able to disconnect other users’ Twitter accounts from their Shopify store. While this seems mostly harmless, it is still a vulnerability and could cause users to miss important notifications.
Carriage Return Line Feed Injection
This type of attack vector requires the submission of encoded characters that have special meanings. As a result, these encoded characters may bypass traditional input sanitization facilitating unexpected actions. Specifically, the author uses are the %0D and %0A characters that represent a carriage return and a line feed. The author uses an example of how a hacker found an HTTP Response Splitting vulnerability on Twitter that allowed him to set cookies. The specific details of this vulnerability are beyond the scope of this review but it’s definitely worth reading.
Cross-Site Scripting
XSS, every penetration tester’s first exploit. Ok, maybe not but it is one of the first things I was taught when joining the industry. There are two types of Cross-Site Scripting and the author does a fantastic job of explaining both. For example, he talks about how it was possible to perform a persistent Cross-Site Scripting attack on Yahoo mail. This vulnerability was possible due to the way the sanitization handled malformed image tags. There are more examples including ones that affected Google image search, United Airlines, and Shopify.
SQL Injection
SQL Injection is apparently one of the most financially rewarding bugs to find. This is understandable since the impact of exploiting an SQL Injection could be huge. There have been loads of examples in the news (specifically mobile phone network providers) where their customer’s sensitive data was leaked. There are many different types of SQLi and the author provides examples such as a Blind SQLi bug found on Yahoo Sports. The hacker was able to discover this vulnerability by the way page was rendering pictures. Personally, I struggle with Blind SQLi, it seems like such a long process.
Finding Your Own Bug Bounties
The author covers many more attack types and gives real-world examples of where and how bug hunters have found them. The majority of the findings are well beyond my current technical capability, which only made me find them more fascinating. While this may be true for a lot of new penetration testers, the author does provide a testing methodology of sorts. This methodology alone is worth the price of admission. It discusses how you should approach a test and where you should focus your energy. It explains that you should target one specific vulnerability and not move on until you’ve popped it.
Conclusions
This book was a great read and while it didn’t make me a super hacker (no single book will), it has motivated me to learn more. The financial reward of bug bounties is great, but the knowledge of those performing the bug bounties is what was truly inspiring.
The author provides great real-life examples of many different attack types. To summarise them all in a blog post would take forever. The main takeaway from the book that I found was persistence! persistence in learning and persistence in testing. If you find a bug that looks like a bug then keep persisting until you exploit it. All of the examples in the book start with an initial discovery but then a great deal of persistence was required from the hacker in order to exploit it and claim their bounty.
Even reading the book took persistence on my part because technical books aren’t always the easiest reads. I really enjoyed this book though and would recommend it to anybody starting in the industry. Not so much for the technical details but more for the message behind it. Keep chipping away and being persistent with your goals.