Bug Bounty BootCamp Book Review

Bug Bounty BootCamp Book Review

Being a programmer, cybersecurity is an important topic. I’ve been interested in it for a while. I listen to Security Now and Darknet Diaries and have been to various hackathons. I even signed up for HackerOne. I felt like I’ve just been dabbling in it though. This book is definitely a deep dive.

Audience

This book is written for someone who wants to become a bug bounty hunter. It walks you through all the various platforms and how to sign up for them. It talks about how to make reports in a way that emphasizes the importance of your discovery. It also talks about how to make a good proof of concept. This helps you get the maximum possible bounty. It also helps to ensure that companies address the issue appropriately. Even if you have no interest in becoming a bug bounty hunter, I found it a very insightful book.

Overall Impressions

I knew it intellectually, but never connected emotionally with just how vulnerable all our computer systems are. This is a book aimed at relative novices and it has 16 different types of exploits. I was already aware of many of them, but not all of them. For each exploit, the book has a variety of ways to get around common protections. I was amazed at how easy some of the protections were to bypass. It just reinforces my belief that if someone really wants in and has enough time and resources they will probably eventually succeed. The best we can do is eliminate the low-hanging fruit and then conduct frequent pen-testing audits to try to catch the other problems and address those results.

I think this book does a great job at hitting its target audience. I feel like if you are an aspiring bug bounty hunter, there is plenty in this book to get you started. My only real criticism is that I wish it came with some sort of lab or interactive examples or something, where you could test out all these exploits. The descriptions of how the exploits work were really good and detailed, but I am a hands-on learner. I really would have liked to be able to practice with them, and many of the examples would require some setup in order to do that. That said, HackerOne does have a CTF training set where I plan on trying a bunch of them out.

Reconnaissance

After the intro, the next section is on reconnaissance. There are some really good resources in here. Lots of OSINT tools for things like Google dorking and subdomain discovery. What I really liked about this chapter was that it walks you through how to chain a bunch of the tools together into a shell script that can automatically generate reports. Very nice and useful. The chapter also does a good job of differentiating between passive tools and active tools, which is an important distinction.

Exploits

The main part of the book takes a very structured look at a variety of exploits. All of these chapters are organized similarly. The sections are:

  • Mechanisms – How does the exploit actually work?
  • Prevention – What are some common steps that developers take to prevent this exploit?
  • Hunting Tips – How to identify this issue exists in the wild? What signs to look for?
  • Bypassing – How can you bypass the common preventive steps?
  • Escalating – How can you take full advantage of this exploit? How can you combine it with other exploits?
  • Automating – Is there a way to automate discovering or exploiting this flaw?

Here is a list of all the exploits covered:

  • Cross-Site Scripting
  • Open Redirects
  • ClickJacking
  • Cross-Site Request Forgery
  • Insecure Direct Object References
  • SQL Injection
  • Race Conditions
  • Server-Side Request Forgery
  • Insecure Deserialization
  • XML External Entity
  • Template Injection
  • Application Logic Errors and Broken Access Control
  • Remote Code Execution
  • Same-Origin Policy Vulnerabilities
  • Single-Sign-On Security Issues
  • Information Disclosure

Advanced Techniques

After the main exploits, the book goes into advanced techniques like Code Reviews, hacking Android apps, API Hacking, and using Fuzzers. These are just tools to help you find more of the previously mentioned exploits.