Table of Contents

Title Page 2
Copyright Page 3
About the Author 5
About the Technical Reviewer 6
Brief Contents 7
Contents in Detail 9
Foreword by Michiel Prins and Jobert Abma 17
Acknowledgments 19
Introduction 20
Who Should Read This Book 21
How to Read This Book 21
What’s in This Book 22
A Disclaimer About Hacking 24
1 Bug Bounty Basics 25
Vulnerabilities and Bug Bounties 25
Client and Server 26
What Happens When You Visit a Website 27
HTTP Requests 31
Summary 34
2 Open Redirect 35
How Open Redirects Work 35
Shopify Theme Install Open Redirect 37
Shopify Login Open Redirect 38
HackerOne Interstitial Redirect 39
Summary 41
3 HTTP Parameter Pollution 43
Server-Side HPP 43
Client-Side HPP 46
HackerOne Social Sharing Buttons 47
Twitter Unsubscribe Notifications 48
Twitter Web Intents 50
Summary 52
4 Cross-Site Request Forgery 53
Authentication 53
CSRF with GET Requests 55
CSRF with POST Requests 56
Defenses Against CSRF Attacks 59
Shopify Twitter Disconnect 60
Change Users Instacart Zones 62
Badoo Full Account Takeover 63
Summary 65
5 HTML Injection and Content Spoofing 67
Coinbase Comment Injection Through Character Encoding 68
HackerOne Unintended HTML Inclusion 70
HackerOne Unintended HTML Include Fix Bypass 72
Within Security Content Spoofing 73
Summary 75
6 Carriage Return Line Feed Injection 77
HTTP Request Smuggling 77
v.shopify.com Response Splitting 78
Twitter HTTP Response Splitting 80
Summary 82
7 Cross-Site Scripting 83
Types of XSS 87
Shopify Wholesale 89
Shopify Currency Formatting 91
Yahoo! Mail Stored XSS 92
Google Image Search 94
Google Tag Manager Stored XSS 95
United Airlines XSS 97
Summary 100
8 Template Injection 101
Server-Side Template Injections 101
Client-Side Template Injections 102
Uber AngularJS Template Injection 103
Uber Flask Jinja2 Template Injection 104
Rails Dynamic Render 107
Unikrn Smarty Template Injection 108
Summary 111
9 SQL Injection 112
SQL Databases 112
Countermeasures Against SQLi 114
Yahoo! Sports Blind SQLi 115
Uber Blind SQLi 119
Drupal SQLi 122
Summary 126
10 Server-Side Request Forgery 127
Demonstrating the Impact of Server-Side Request Forgery 127
Invoking GET vs. POST Requests 128
Performing Blind SSRFs 129
Attacking Users with SSRF Responses 130
ESEA SSRF and Querying AWS Metadata 131
Google Internal DNS SSRF 133
Internal Port Scanning Using Webhooks 137
Summary 139
11 XML External Entity 140
eXtensible Markup Language 140
How XXE Attacks Work 144
Read Access to Google 145
Facebook XXE with Microsoft Word 146
Wikiloc XXE 148
Summary 151
12 Remote Code Execution 152
Executing Shell Commands 152
Executing Functions 154
Strategies for Escalating Remote Code Execution 155
Polyvore ImageMagick 156
Algolia RCE on facebooksearch.algolia.com 159
RCE Through SSH 161
Summary 163
13 Memory Vulnerabilities 164
Buffer Overflows 165
Read Out of Bounds 168
PHP ftp_genlist() Integer Overflow 169
Python Hotshot Module 170
Libcurl Read Out of Bounds 171
Summary 172
14 Subdomain Takeover 173
Understanding Domain Names 173
How Subdomain Takeovers Work 174
Ubiquiti Subdomain Takeover 175
Scan.me Pointing to Zendesk 176
Shopify Windsor Subdomain Takeover 177
Snapchat Fastly Takeover 178
Legal Robot Takeover 179
Uber SendGrid Mail Takeover 180
Summary 181
15 Race Conditions 183
Accepting a HackerOne Invite Multiple Times 184
Exceeding Keybase Invitation Limits 186
HackerOne Payments Race Condition 187
Shopify Partners Race Condition 188
Summary 190
16 Insecure Direct Object References 191
Finding Simple IDORs 191
Finding More Complex IDORs 192
Binary.com Privilege Escalation 193
Moneybird App Creation 194
Twitter Mopub API Token Theft 195
ACME Customer Information Disclosure 197
Summary 199
17 OAuth Vulnerabilities 201
The OAuth Workflow 201
Stealing Slack OAuth Tokens 205
Passing Authentication with Default Passwords 206
Stealing Microsoft Login Tokens 207
Swiping Facebook Official Access Tokens 209
Summary 211
18 Application Logic and Configuration Vulnerabilities 212
Bypassing Shopify Administrator Privileges 213
Bypassing Twitter Account Protections 215
HackerOne Signal Manipulation 215
HackerOne Incorrect S3 Bucket Permissions 216
Bypassing GitLab Two-Factor Authentication 218
Yahoo! PHP Info Disclosure 220
HackerOne Hacktivity Voting 222
Accessing PornHub’s Memcache Installation 223
Summary 225
19 Finding Your Own Bug Bounties 227
Reconnaissance 227
Testing the Application 232
Going Further 237
Summary 239
20 Vulnerability Reports 240
Read the Policy 240
Include Details; Then Include More 241
Reconfirm the Vulnerability 241
Your Reputation 242
Show Respect for the Company 243
Appealing Bounty Rewards 245
Summary 245
A Tools 247
Web Proxies 247
Subdomain Enumeration 248
Discovery 249
Screenshotting 250
Port Scanning 251
Reconnaissance 251
Hacking Tools 253
Mobile 254
Browser Plug-Ins 254
B Resources 256
Online Training 256
Bug Bounty Platforms 257
Recommended Reading 259
Video Resources 261
Recommended Blogs 262
Index 265