Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Hands-On Bug Hunting for Penetration Testers

You're reading from   Hands-On Bug Hunting for Penetration Testers A practical guide to help ethical hackers discover web application security flaws

Arrow left icon
Product type Paperback
Published in Sep 2018
Publisher Packt
ISBN-13 9781789344202
Length 250 pages
Edition 1st Edition
Languages
Arrow right icon
Authors (2):
Arrow left icon
Himanshu Sharma Himanshu Sharma
Author Profile Icon Himanshu Sharma
Himanshu Sharma
Joe Marshall Joe Marshall
Author Profile Icon Joe Marshall
Joe Marshall
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Joining the Hunt 2. Choosing Your Hunting Ground FREE CHAPTER 3. Preparing for an Engagement 4. Unsanitized Data – An XSS Case Study 5. SQL, Code Injection, and Scanners 6. CSRF and Insecure Session Authentication 7. Detecting XML External Entities 8. Access Control and Security Through Obscurity 9. Framework and Application-Specific Vulnerabilities 10. Formatting Your Report 11. Other Tools 12. Other (Out of Scope) Vulnerabilities 13. Going Further 14. Assessment 15. Other Books You May Enjoy

The Benefits of Bug Bounty Programs

The web is exploding—more people are using it to do more, in more varied ways, than at any point in its short history.

The phone is a perfect example of the rise of digital life. Since its invention at the end of the 20th century, it's expanded from a minor technical elite to over sixty percent of the world's population – more than five billion people are slated to have phones by the end of 2019. Our tiny pocket computers have conquered the world in under 30 years. Like the Big Bang, phone usage hasn't exploded so much as expanded at a stupendous rate, inflating to encompass the majority of the world's population. From the landline void came the spark of a mobile, unbounded future, and almost as quickly as the idea was conceived, it was realized.

The following chart from the UN's 2015 study on its progress towards the Millennium Goals captures the extent to which phone ownership grew to encompass nearly everyone in the world just through the early 2010s:

As a result of that expansion in internet access and a parallel increase in the web's complexity, more people are able to get online easily and are capable of doing more once they're there. Shopping, banking, socializing an increasing part of our lives is lived online. And thanks to the data analysis of wunderkind artificial neural networks (algorithms designed to replicate the mathematical model of the human brain and its astounding success at pattern-recognition), trends point to more data collection. Neural nets are complicated to write but easy enough to use as long as you feed them enough information. Our devices know more about us than ever and they're learning more every day.

This graph shows how much data is being created (or is estimated to be created) every minute over the next couple of years. The y-x axis on the following graph is measured in zettabytes (ZB): 1 ZB = 1 billion terabytes (TB). The numbers are staggering:

More applications performing more complex services for more people and managing more data leads to things breaking. The demand for web developers has soared as companies try to realize their technical aspirations, but supply has not kept up with the almost unlimited appetite for development work. Coding bootcamps, online courses, and other alternatives to a four-year degree have become a popular entry point for a career in software engineering, but there's still a large gap between what the programming companies want done versus the programmers who are available and capable of doing it. As demands on developer time and attention have increased, security concerns once avoided as costly and nonessential have ballooned into crises for inattentive businesses, as vulnerabilities have led to data breaches, commercial exploitation, identity theft, and even espionage by state actors and criminal syndicates.

Bug bounties are the crowdsourced alternative to an expensive, in-house security apparatus. Technology companies (from mega corps to small, five-person start-ups) have embraced using public bug bounty programs to find the sort of faulty logic and mishandled data-processing in their applications that hackers typically use as footholds for larger campaigns. By finding vulnerabilities before they become exploits, companies can pay for work that directly reduces their exposure without having to cover the cost of a full security audit. Some companies choose to participate in third-party platforms, such as Bugcrowd or HackerOne, in order to standardize their payouts, submission report formatting, rules of engagement, and target lists, while others are large enough to run a program under their own umbrella.

Either way, by participating as a researcher, you get paid to apply your skills. And since many bug bounty marketplaces also track things such as the number of bugs you've found, their severity, and your general success rate, doing third-party research on public platforms can also be a great bridge to more work in security. If you're coming from a non-traditional background or don't have formal education in security, it could help make the case you've got the necessary skills to be productive in the field. You can do all of this while by responsibly following the discovery and disclosure process making the target application, and the general web, safer.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image