Balian Blog (وبلاگ بلیان)

Web Hacking 101

An introduction to the book "Web Hacking 101" by Yaworski, Peter. The book is provided in PDF format, in English. "Web Hacking 101" is filed under the Uncategorized category.

With a Foreword written by HackerOne Co-Founders Michiel Prins and Jobert Abma, Web Hacking 101 is about the ethical exploration of software for security issues, but learning to hack isn't always easy. With few exceptions, existing books are overly technical, only dedicate a single chapter to website vulnerabilities or don't include any real world examples. This book is different. Using publicly disclosed vulnerabilities, Web Hacking 101 explains common web vulnerabilities and will show you how to start finding vulnerabilities and collecting bounties. With over 30 examples, the book covers topics like: HTML Injection, Cross site scripting (XSS), Cross site request forgery (CSRF), Open Redirects, Remote Code Execution (RCE), Application Logic and more. Each example includes a classification of the attack, a report link, the bounty paid, an easy to understand description and key takeaways. After reading this book, your eyes will be opened to the wide array of vulnerabilities that exist and you'll likely never look at a website or API the same way.

Table of Contents ... Page 5
Foreword ... Page 13
How It All Started ... Page 15
Just 30 Examples and My First Sale ... Page 16
Who This Book Is Written For ... Page 18
Chapter Overview ... Page 19
Word of Warning and a Favour ... Page 21
Background ... Page 22
Description ... Page 25
2. Shopify Login Open Redirect ... Page 26
3. HackerOne Interstitial Redirect ... Page 28
Summary ... Page 29
Description ... Page 31
1. HackerOne Social Sharing Buttons ... Page 34
2. Twitter Unsubscribe Notifications ... Page 35
3. Twitter Web Intents ... Page 36
Summary ... Page 39
Description ... Page 40
1. Shopify Twitter Disconnect ... Page 44
2. Change Users Instacart Zones ... Page 46
3. Badoo Full Account Takeover ... Page 47
Summary ... Page 49
1. Coinbase Comments ... Page 50
2. HackerOne Unintended HTML Inclusion ... Page 52
3. Within Security Content Spoofing ... Page 53
Summary ... Page 55
Description ... Page 56
1. Twitter HTTP Response Splitting ... Page 57
2. v.shopify.com Response Splitting ... Page 59
Summary ... Page 61
Description ... Page 62
1. Shopify Wholesale ... Page 67
2. Shopify Giftcard Cart ... Page 69
3. Shopify Currency Formatting ... Page 71
4. Yahoo Mail Stored XSS ... Page 72
5. Google Image Search ... Page 74
6. Google Tagmanager Stored XSS ... Page 75
7. United Airlines XSS ... Page 76
Summary ... Page 81
Server Side Template Injections ... Page 82
Client Side Template Injections ... Page 83
1. Uber Angular Template Injection ... Page 84
2. Uber Template Injection ... Page 85
3. Rails Dynamic Render ... Page 88
Summary ... Page 89
SQL Databases ... Page 90
1. Drupal SQL Injection ... Page 92
2. Yahoo Sports Blind SQL ... Page 95
3. Uber Blind SQLi ... Page 98
Summary ... Page 101
HTTP Request Location ... Page 102
Blind SSRFs ... Page 103
Examples ... Page 104
1. ESEA SSRF and Querying AWS Metadata ... Page 105
2. Google Internal DNS SSRF ... Page 106
3. Internal Port Scanning ... Page 110
Summary ... Page 112
Description ... Page 113
1. Read Access to Google ... Page 118
2. Facebook XXE with Word ... Page 119
3. Wikiloc XXE ... Page 122
Summary ... Page 125
1. Polyvore ImageMagick ... Page 126
2. Algolia RCE on facebooksearch.algolia.com ... Page 128
3. Foobar Smarty Template Injection RCE ... Page 130
Summary ... Page 134
Buffer Overflow ... Page 135
Read out of Bounds ... Page 136
Memory Corruption ... Page 138
1. PHP ftp_genlist() ... Page 139
2. Python Hotshot Module ... Page 140
3. Libcurl Read Out of Bounds ... Page 141
4. PHP Memory Corruption ... Page 142
Summary ... Page 143
1. Ubiquiti Sub Domain Takeover ... Page 144
2. Scan.me Pointing to Zendesk ... Page 145
3. Shopify Windsor Sub Domain Takeover ... Page 146
4. Snapchat Fastly Takeover ... Page 147
5. api.legalrobot.com ... Page 149
6. Uber SendGrid Mail Takeover ... Page 152
Summary ... Page 155
Description ... Page 156
1. Starbucks Race Conditions ... Page 158
2. Accepting HackerOne Invites Multiple Times ... Page 159
3. Exceeding Keybase Invitation Limits ... Page 162
4. HackerOne Payments ... Page 163
Summary ... Page 165
Description ... Page 166
1. Binary.com Privilege Escalation ... Page 167
2. Moneybird App Creation ... Page 168
3. Twitter Mopub API Token Stealing ... Page 170
Summary ... Page 172
Description ... Page 173
1. Swiping Facebook Official Access Tokens ... Page 177
2. Stealing Slack OAuth Tokens ... Page 178
3. Stealing Google Drive Spreadsheets ... Page 179
Summary ... Page 182
Description ... Page 183
1. Shopify Administrator Privilege Bypass ... Page 184
2. HackerOne Signal Manipulation ... Page 185
3. Shopify S3 Buckets Open ... Page 186
4. HackerOne S3 Buckets Open ... Page 187
5. Bypassing GitLab Two Factor Authentication ... Page 189
6. Yahoo PHP Info Disclosure ... Page 191
7. HackerOne Hacktivity Voting ... Page 192
8. Accessing PornHub's Memcache Installation ... Page 195
9. Bypassing Twitter Account Protections ... Page 197
Summary ... Page 198
Reconnaissance ... Page 200
Subdomain Enumeration ... Page 201
Screenshotting ... Page 202
Content Discovery ... Page 203
Previous Bugs ... Page 204
The Technology Stack ... Page 205
Functionality Mapping ... Page 206
Finding Vulnerabilities ... Page 207
Going Further ... Page 208
Summary ... Page 210
Include Details. Then Include More. ... Page 211
Show Respect for the Company ... Page 212
Don't Shout Hello Before Crossing the Pond ... Page 214
Parting Words ... Page 215
ZAP Proxy ... Page 217
crt.sh ... Page 218
sqlmap ... Page 219
Eyewitness ... Page 220
Shodan ... Page 221
Nikto ... Page 222
CyberChef ... Page 223
Race the Web ... Page 224
Ysoserial ... Page 225
Websecurify ... Page 226
Wappalyzer ... Page 227
Hackerone.com ... Page 228
How to Shot Web ... Page 229
Web Application Hackers Handbook ... Page 230
NahamSec.com ... Page 231
brutelogic.com.br ... Page 232
Cheatsheets ... Page 233
CRLF Injection ... Page 234
Memory Corruption ... Page 235
Vulnerability ... Page 236
White Hat Hacker ... Page 237
Open Redirects ... Page 238
Cross Site Request Forgery ... Page 239
HTML Injection ... Page 240
Cross-Site Scripting ... Page 241
SSTI ... Page 243
Server Side Request Forgery ... Page 244
XML External Entity Vulnerability ... Page 245
Remote Code Execution ... Page 246
Memory ... Page 247
Sub Domain Takeover ... Page 248
Race Conditions ... Page 249
Insecure Direct Object References ... Page 250
OAuth ... Page 251
Application Logic Vulnerabilities ... Page 252
Appendix B - Web Hacking 101 Changelog ... Page 254
Download the book Web Hacking 101