Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Hands-On Bug Hunting for Penetration Testers

You're reading from   Hands-On Bug Hunting for Penetration Testers A practical guide to help ethical hackers discover web application security flaws

Arrow left icon
Product type Paperback
Published in Sep 2018
Publisher Packt
ISBN-13 9781789344202
Length 250 pages
Edition 1st Edition
Languages
Arrow right icon
Authors (2):
Arrow left icon
Himanshu Sharma Himanshu Sharma
Author Profile Icon Himanshu Sharma
Himanshu Sharma
Joe Marshall Joe Marshall
Author Profile Icon Joe Marshall
Joe Marshall
Arrow right icon
View More author details
Toc

Table of Contents (16) Chapters Close

Preface 1. Joining the Hunt 2. Choosing Your Hunting Ground FREE CHAPTER 3. Preparing for an Engagement 4. Unsanitized Data – An XSS Case Study 5. SQL, Code Injection, and Scanners 6. CSRF and Insecure Session Authentication 7. Detecting XML External Entities 8. Access Control and Security Through Obscurity 9. Framework and Application-Specific Vulnerabilities 10. Formatting Your Report 11. Other Tools 12. Other (Out of Scope) Vulnerabilities 13. Going Further 14. Assessment 15. Other Books You May Enjoy

How (Not) To Use This Book – A Warning

A final word before moving on:

Do not misuse this book.

The techniques and technologies described in this book are solely for the purpose of participating in approved, ethical, White Hat penetration testing engagements so that you can find bugs and report them to be patched for a profit.

The lessons learned in this work should be used responsibly:

  • They should not be applied to a website against its owner's permission
  • They should not be applied to data or logic the website's owner considers out-of-scope
  • They should not in any way be weaponized – taken beyond the vulnerability stage and made into proper exploits

Here's a quick example of what's meant by weaponized.

Let's say you find a stored XSS vulnerability, where improper data-sanitation is causing a comment thread to allow unescaped HTML to potentially store malicious code. You use the Burp Intruder tool and a manual follow-up to submit a code snippet demonstrating that you can store (and later execute) an arbitrary piece of JavaScript. The snippet in question is a pretty simple test – it executes an alert() function within an improperly sanitized src attribute attached to an <img> HTML tag:


<IMG SRC=javascript:alert('XSS')>

There's nothing wrong with using an alert() or console.log() call to test whether JavaScript is being executed in a possible XSS instance – although, when using alert() or logging, it's good to remember to output some info about where the XSS is happening (for example, alert(window.location.href)).

But there is something wrong with turning the vulnerability into an exploit. Once the XSS vulnerability is confirmed, it's easy to find malicious JavaScript to do more nefarious things. Running that malicious code –even in a limited way – risks corrupting application data or processes or other things that open you up to legal liability.

It's helpful to imagine how the vulnerability could be exploited – many bug bounty programs want to hear a specific scenario regarding your vulnerability included in your submission report so they can know whether it's severe enough to trigger a payout. Sometimes even the form of that scenario – how much damage you can make the case that an attacker could do – can drastically affect your reward.

So it's good to put some thought into the exploit's general form – with stored XSS, you could rewrite critical parts of the page where the script is being executed, or grab an authentication cookie and send it to a server listening for those credentials, or other attacks – but assessing the impact of that exploit still falls short of writing code that damages people and processes.

Don't write exploit code. If you're in the United States, the legal penalties are severe – as of this writing, the Computer Fraud and Abuse Act (CFAA) means that even a slight violation of a site's terms of service can result in a felony. Businesses are also quick to prosecute independent researchers not abiding by their rules of engagement, which is the condition researchers must follow when probing an application for vulnerabilities. Even if there's no threat of legal action, civil or criminal, hacking those sites defrauds innocent people, hurts small businesses, provokes a legislative overreaction, erodes privacy, and just generally makes the whole web worse.

It's not worth it.

With that out of the way, we can move on to the first step in any bug hunting adventure: choosing what program to use, what site to explore, along with where – and how – to find vulnerabilities.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime