I N D E X

Symbols../, 279, 287, 325.bash_profile, 81/etc/passwd, 252, 291/etc/shadow, 177, 249, 253–260, 279, 332.git directory, 328–330. See also Git

annotated tags, 330blobs, 330commits, 330trees, 330

Aaccess control, 43, 175, 177–178, 278,

324, 364–365. See also broken access control

access tokens, 312–316, 364–365long-lived tokens, 316

account takeover, 172, 185, 321active scanning, 69. See also passive

scanningADB. See Android Debug Bridge (ADB)admin panels, 70–71, 278, 321AFL. See American Fuzzy Lop (AFL)alert box, 116, 122–126allowlist, 133, 141, 194, 215, 220–221.

See also blocklistAltdns, 69Amass, 68Amazon Elastic Compute Cloud (EC2),

77, 226. See also Amazon Web Services (AWS)

Amazon S3, 74–77, 226. See also Amazon Web Services (AWS)

Lazys3, 74S3 buckets, 61, 64, 74

Amazon Web Services (AWS), 61, 75, 308, 316

awscli, 75American Fuzzy Lop (AFL), 370

Android, 335, 347–354Android Debug Bridge (ADB), 351Android Package (APK), 350

Activities, 350AndroidManifest.xml, 350assets, 351BroadcastReceivers, 350classes.dex, 351ContentProviders, 350lib, 351MANIFEST.MF, 351META-INF, 351res, 351resources.arsc, 351res/values/strings.xml, 354Services, 350

Android Studio, 352developer options, 352

ApacheApache Cassandra, 199Apache Commons FileUpload, 243Apache CouchDB, 199Apache Groovy, 243

APIs. See application programming interfaces (APIs)

APK. See Android Package (APK)Apktool, 352application logic errors, 275–281, 379.

See also business logic vulnerabilities

application programming interfaces (APIs), 6, 34, 355–367

API-centric applications, 361API enumeration, 362API keys, 75, 226

apt-get, 219ASCII, 126–127, 138–140, 293ASNs. See autonomous systems (ASNs)asset, 4. See also scope

382   Index

attack scenarios, 19attack surface, 5–6, 25, 61–62, 104, 309authentication app, 276authentication keys, 62authorization code, 276, 314automated testing toolkit, 379automation strategies, 318autonomous systems (ASNs), 67AWS. See Amazon Web Services (AWS)Ayrey, Dylan, 339

Bbash script, 62, 80–104, 372basic authentication, 376Big List of Naughty Strings, 372billion laughs attack, 258. See also

XML bombBitbucket, 316bitly.com, 119black-box testing, 336. See also gray-box

testing, white-box testingblocklist, 126, 133, 215. See also allowlistbroken access control, 275–281, 364. See

also access controlbrute-forcing, 42, 54, 70–71, 376–377

directory brute-forcing, 62, 70–71URL brute-forcing, 278

bug bountybug bounty hunter, 3bug bounty platforms, 8bug bounty program, 3–4notes, 58private programs, 11

bug chains, 27Bugcrowd, 4, 8, 17bug slump, 27built-in functions, 270–272, 288BuiltWith, 79, 104Burp, 39, 47–58

AuthMatrix, 185Auto Repeater, 185Autorize, 185BAppStore, 185Burp Suite Pro, 47, 219Collaborator, 219comparer, 58 crawler, 72decoder, 39, 57

intruder, 54, 129, 370, 372repeater, 56SQLiPy, 203

business impact, 17, 27, 104, 379. See also business priorities

business logic vulnerabilities, 276. See also application logic errors

business priorities, 17, 27. See also business impact

business requirements, 279

CCA. See certificate authority (CA)capitalization, 126CAPTCHA, 65Capture the Flag, 12, 28Cascading Style Sheets (CSS), 34, 147

opacity, 148z-index, 147

cat command, 92CDATA. See character data (CDATA)Censys, 67, 70, 104central processing units (CPUs), 206certificate authority (CA), 50certificate parsing, 67certificate pinning, 349–350, 353cert pinning. See certificate pinningcharacter data (CDATA), 259chmod, 82clickjacking, 143–154, 163–165client, 34. See also serverclient IDs, 313–315Cloud computing, 226CNAME, 308

dangling CNAMEs, 309Cobalt, 4, 8Codecademy, 44, 80code injection, 283. See also command

injection, RCEcommand injection, 285, 343. See also

code injection, RCEcommand substitution, 84, 101, 292Common Vulnerabilities and

Exposures (CVEs), 78, 281, 332, 340

Common Vulnerability Scoring System (CVSS), 17

concurrency, 206

Index   383

confidentiality, 312configuration files, 70CORS. See Cross-Origin Resource

Sharing (CORS)CPUs. See central processing units

(CPUs)Cron, 102–103, 318

crontabs, 102–103Cross-Origin Resource Sharing

(CORS), 297–298, 302–306cross-site request forgery (CSRF), 128,

152, 155–174cross-site scripting (XSS), 111–129, 308CSRF. See cross-site request

forgery (CSRF)cryptography, 6–7, 339

weak cryptography, 339CSS. See Cascading Style Sheets (CSS)CTF. See Capture the Flag

CTF Wiki, 273curl, 87, 211, 366CVEs. See Common Vulnerabilities and

Exposures (CVEs)CVE database, 340

CVSS. See Common Vulnerability Scoring System (CVSS)

CyberChef, 39Cyrillic, 140

DDamn Vulnerable Web Application, 203data:, 122, 138database, 188data entry points, 371data exfiltration, 259data injection points, 371debugging mode, 351debug messages, 64Denial-of-Service Attacks (DoS), 10,

200, 258ReDoS, 63

dependencies, 76, 250, 288, 340outdated dependencies, 76, 340

descriptive error, 196, 257, 266, 268deserialization, 231–246developer comments, 324, 328, 331,

340, 345developer tools, 129

DigitalOcean, 227directory enumerator, 370directory traversal, 43, 177, 279, 325. See

also path traversalDNS. See Domain Name System (DNS)DOCTYPE, 248document.cookie, 115Document Object Model (DOM),

117–118document type definition (DTD),

248–250, 253–260DOM. See Document Object Model

(DOM)domain name, 33. See also hostnameDomain Name System (DNS), 34–35

DNS records, 222AAAA records, 222A records, 222

DNS zone transfers, 68domain privacy, 66domain registrar, 65, 223DoS. See Denial-of-Service Attacks

(DoS)DTD. See document type definition

(DTD)

EEC2. See Amazon Elastic Compute

Cloud (EC2)ECB, 339echo command, 83EdOverflow, 125, 317Eloquent JavaScript, 44embedded browser, 47, 50emulator, 6, 348–349, 352–353

mobile emulator, 348–349encoding

base64 encoding, 38, 138, 181content encoding, 38decimal encoding, 223double encoding, 139double word (dword) encoding,

223–224hex encoding, 38, 223mixed encoding, 223octal encoding, 223URL decoding, 138URL encoding, 38, 138, 181, 223

384   Index

encryption, 312, 338–339, 353entropy, 77, 159, 182, 339ERB. See Embedded Ruby template

(ERB)escaping, 119

escape character, 101, 119, 293output escaping, 119

eval, 284–285, 336–338event listener, 298–300, 302–303, 305

onclick, 122onerror, 122onload, 122

executable, 7Extensible Markup Language (XML),

247–260, 309, 357–358external entities, 248parameter entities, 256XML entities, 248XML parsers, 247

EyeWitness, 71, 316

Ffile inclusion, 286–287

local file inclusions, 287remote file inclusion, 286

File Transfer Protocol (FTP), 260filter bypass, 128, 293fingerprinting, 78Firefox, 46–52, 124, 160–161Flash, 111Frida, 350, 353

Objection, 350Universal Android SSL Pinning

Bypass, 350FTP. See File Transfer Protocol (FTP)fuzzing, 125, 195, 363, 370–379

FuzzDB, 372fuzzers, 369–379web application fuzzing, 370

Ggadgets, 238, 243–245

gadget chains, 243–245getopts, 92–98Git, 328

Blame, 76git diff, 103History, 76Issues, 76

GitHub, 75, 316GitHub gists, 327GitHub Pages, 308–309, 317repositories, 75

Gitleaks, 328Gitrob, 77Global Regular Expression Print

(grep), 88–89GoDaddy, 219Google Cloud, 226–227, 316Google dorking, 62, 65, 74, 134, 278Google Hacking Database, 65Graphical User Interface (GUI), 373GraphQL, 179, 358–365

Clairvoyance, 362introspection, 360-361

__schema, 360__type, 361

mutations, 359queries, 359Playground, 362

gray-box testing, 336. See also black-box testing, white-box testing

grep. See Global Regular Expression Print (grep)

GUI. See Graphical User Interface (GUI)

Hhacker blogs, 28HackerOne, 4, 8, 11, 17, 111, 233

Hacktivity, 209hacking, 61

hacking environment, 45HackTricks, 273hardcoded secrets, 76, 338–339, 354hardware, 7hashing, 177Haverbeke, Marijn, 44HMAC, 42Hostinger, 219hostname, 67, 296. See also domain

nameHTML. See Hypertext Markup

Language (HTML)HTTP. See HyperText Transfer Protocol

(HTTP)HttpOnly, 115, 120

Index   385

Hypertext Markup Language (HTML), 34

HTML tag, 123HyperText Transfer Protocol (HTTP),

36–39cookies, 39

cookie sharing, 308double-submit cookie, 167

request headers, 36Authorization, 36, 376Cookie, 36Host, 36Origin, 297Referer, 36User-Agent, 36, 377

request methods, 183response bodies, 37, 324response headers, 37, 151, 324

Access-Control-Allow-Origin, 37, 297–298, 302–305

Content-Security-Policy, 37, 120, 149, 151

Content-Type, 37, 242, 251frame-ancestors, 149Location, 37Set-Cookie, 37, 150, 156X-Frame-Options, 37, 149, 151,

153–154response times, 9status code, 36, 219

Iidentity assertion, 309–312identity provider, 309–314, 316, 319IDE. See integrated development

environment (IDE)IDORs. See insecure direct object

references (IDORs)IETF. See Internet Engineering Task

Force (IETF)iframe, 144–154, 158, 160, 163–164,

298–299, 304double iframe, 152frame-busting, 151–152

information leaks, 170, 226, 229, 295, 312, 324, 331–332, 354, 363–365

inline scripts, 113–114

input redirection, 83input validation, 119–120, 250, 288,

291, 293, 366insecure deserialization, 231–246,

337–338, 366–367insecure direct object references

(IDORs), 175–186, 353–354blind IDORs, 183read-based IDORs, 184write-based IDORs, 184

instance metadata, 226–229, 255integrated development environment

(IDE), 59internal network, 214. See also private

networkinternal domains, 66

internet, 33internet security controls, 38

Internet Engineering Task Force (IETF), 222

Internet of Things (IoT), 5, 7, 122, 347, 358

Internet Protocol (IP), 34IPv4, 34IPv6, 34, 222IP addresses, 65–66

IP range, 66reserved IP addresses, 218

Intigriti, 4, 8iOS, 348, 350, 353IoT. See Internet of Things (IoT)IP. See Internet Protocol (IP)

Jjava.io.Serializable, 241

readObject(), 241–242, 244writeObject(), 241

javascript:, 122–126JavaScript (JS), 34, 44, 111, 353

Angular, 120fromCharCode(), 126

Jenkins, 69jq, 90–91jQuery, 118

js.do, 127React, 120Retire.js, 180Vue.js, 120

386   Index

JS. See JavaScript (JS)JSON, 68, 184, 234, 357JSONP. See JSON with Padding

(JSONP)JSON Web Tokens (JWT), 41–43

alg field, 42header, 41

JSON with Padding (JSONP), 300–302, 305–306. See also JSON

JWT. See JSON Web Tokens (JWT). See also JSON

KKali Linux, 46KeyHacks, 76Kibana, 64Kubernetes, 227

LLearn Python the Hard Way, 44LinkFinder, 331Linux, 62localhost, 218low-hanging fruit, 25

MmacOS, 62man, 96man-in-the-middle attacks, 349Markdown, 59Masscan, 69MD4, 339MD5, 339memory leaks, 370methodology, 25, 27MFA. See multifactor authentication

(MFA)Miessler, Daniel, 372mind-mapping, 59mitigation process, 19–21mkdir, 83mobile applications, 6mobile hacking, 347–354Mobile Security Framework, 353MongoDB, 199monitoring system, 318

multifactor authentication (MFA), 276–277, 280

multithreading, 206MySQL, 188, 196, 198, 201

NNamecheap, 223Netcat, 219NetRange, 66network perimeter, 214network scanning, 215, 224–228NoSQL, 188, 199–201

NoSQL injections, 199–201NoSQLMap, 200

nslookup, 66, 222NULL origin, 297–298, 303–305

OOAuth, 141, 312–316, 320–321

redirect_uri, 313–316object-oriented programming

languages, 234Obsidian, 59Offensive Security, 120open redirect, 131–141, 221, 314–316,

338, 342–343open redirect chain, 315parameter-based open redirects, 135referer-based open redirects, 132,

135operating system, 46, 62OSINT, 77outbound requests, 228, 249, 252out-of-band interaction, 289out-of-band techniques, 219output redirection, 83–84OWASP, 28, 72

Code Review Guide, 336Dependency-Check tool, 340Deserialization Cheat Sheet, 244IoTGoat, 122Mobile Security Testing Guide, 348SQL injection prevention cheat

sheet, 195Web Security Testing Guide, 367XSS filter evasion cheat sheet, 128XSS prevention cheat sheet, 120

Index   387

Pparameterized queries, 192. See also

prepared statementsparent directory, 279, 325passive scanning, 69–70. See also active

scanningpassword-cracking, 269Pastebin, 77–78, 324, 327–328

pastebin-scraper, 328PasteHunter, 78, 328

paste dump sites, 327path enumeration, 374–375path traversal, 177, 279, 325, 366–367.

See also directory traversalPATH variable, 81pattern matching, 89payload, 41, 54, 154payouts, 9–11Periscope, 153permissions, 178permutations, 69, 74–75phishing, 129, 132, 140, 309PHP, 61, 70–71, 232–241

ExtendsClass, 232instantiation, 235, 239magic methods, 235–238object injection vulnerabilities,

233, 238unserialize(), 235

wrappers, 259phpmyadmin, 70, 79PHPSESSID, 79POC. See proof of conceptPOP chain. See property-oriented

programming chainpop-up, 154port, 35

port number, 35, 296port scanning, 62, 69

Postman, 362postMessage(), 298–306prepared statements, 192–194principle of least privilege, 201, 210, 288private network, 218. See also internal

networkProgrammer Help, 273

programming, 44expression, 262for loop, 93function library, 96functions, 87if-else statements, 86interactive programs, 97statement, 262while loop, 98

Project Sonar, 70proof of concept (POC), 18

POC generation, 174property-oriented programming chain,

238–239protocol, 43, 120, 296, 325proxy, 46, 52, 72, 348

proxy services, 216web proxy, 45

publicly disclosed reports, 25. See also write-up

publicly disclosed vulnerabilities, 324Python, 44, 244–245, 262–273, 289–292

dictionary, 272object, 270

QQuora, 77

Rrace conditions, 205–212, 366, 370randomization, 178rate-limiting, 365–366, 378RCE. See remote code execution (RCE)reachable machines, 224recon. See reconnaissancereconnaissance, 25, 61–107, 243, 360, 369

recon APIs, 104referer, 132–135, 141–163, 168–169, 315regex. See regular expressionregular expression, 77, 88–90, 221, 298,

338–339constants, 89operators, 89RexEgg, 90

remote code execution (RCE), 236–237, 283–293, 337

blind RCEs, 288classic RCEs, 288

388   Index

report states, 21duplicate, 22informative, 22invalid reports, 26low-severity bug, 26mediation, 23N/A, 22need more information, 22resolved, 23triaged, 22

Representational State Transfer (REST), 357

resource locks, 210REST. See Representational State

Transfer (REST)return-oriented programming, 241reverse engineering, 6reverse shell, 285rooted device, 6RSA, 42

SS3. See Amazon S3safe concurrency, 206same-origin policy (SOP), 43, 295–306SameSite, 149–152, 159–160SAML. See Security Assertion Markup

Language (SAML)sandbox

sandbox environment, 265–166sandbox escape, 269–273

sanitizing, 114SAST. See static analysis security

testing (SAST)SCA. See software composition

analysis (SCA)scanner, 72scheduling, 206scope, 9–13, 26

scope discovery, 65search engine, 63SecLists, 68, 372secret-bridge, 325secret key, 40secret storage system, 325Secure Shell Protocol (SSH), 218, 225,

227

Secure Sockets Layer (SSL), 67, 349Security Assertion Markup Language

(SAML), 309SAML Raider, 320SAML signature, 311

security context, 302security patches, 340security program, 4sensitive data leaks, 312sensitive information, 324serialization, 232. See also deserialization

serialized string, 233server, 34, 79. See also client

server logs, 64server status, 64

server-side request forgery (SSRF), 213–229, 278

blind SSRF, 214server-side template injections (SSTIs),

261–274server-side vulnerabilities, 6service banner, 218service enumeration, 69service provider, 309session, 39–40

session cookie, 115, 156–160, 162–172, 308–309, 318–321. See also session ID

session ID, 39. See also session cookie

session management, 39Shaw, Zed, 44shebang, 80shell

commands, 285interpreter, 62

Shopify, 359signature, 40–43, 311–312, 319–321, 351single sign-on (SSO), 307–321

shared-session SSO, 308–309SlideShare, 77Snapper, 71, 316SOAP, 358social engineering, 119, 132

Social-Engineer Toolkit, 154software composition analysis (SCA), 340software supply chain attack, 288

Index   389

SOP. See same-origin policy (SOP)source code review, 76, 328,

335–346, 351, 378. See also static analysis security testing (SAST), static code analysis

source command, 96spidering, 62, 71Spring Framework, 243SQL. See Structured Query Language

(SQL)SQL injections, 187–203

blind, 188, 195Boolean based, 196classic, 188, 195error based, 195first-order, 191inferential, 196out-of-band, 188, 195second-order, 191time based, 197UNION based, 195

sqlmap, 202Squarespace, 316SSH. See Secure Shell Protocol (SSH)SSL. See Secure Sockets Layer (SSL)SSL pinning. See certificate pinningSSO. See single sign-on (SSO)SSRF. See server-side request

forgery (SSRF)SSRFmap, 220SSTIs. See server-side template

injections (SSTIs)Stack Overflow, 77state-changing action, 149, 161static analysis security testing (SAST),

346. See also source code review, static code analysis

static code analysis, 378. See also source code review, static analysis security testing (SAST)

Structured Query Language (SQL), 187–188

SubBrute, 68subdomain, 64–65

sibling subdomains, 296subdomain enumeration, 68–69, 379subdomain takeovers, 308–309,

316–318

Subject Alternative Name, 67–68Sublime Text, 59superdomain, 296SVG, 253Swagger, 363Synack, 4, 8synchronization, 210syntax error, 123system root, 279

Ttechnology stack, 6, 69, 78–79, 104template engines, 261–266

Embedded Ruby template (ERB), 266

FreeMarker, 266Jinja, 262Smarty, 266Thymeleaf, 266Twig, 266

template injections. See server-side template injections (SSTIs)

test command, 95testing guides, 28third-party service, 308threads, 206time-of-check/time-of-use vulnerabilities.

See race conditionstime throttling, 366, 373–374token-based authentication, 40token forgery, 40Tomnomnom, 78tplmap, 273triage, 8–9truffleHog, 77, 328, 339tuple, 270Tutorials Point, 232Twitter, 356

UUnarchiver, 253unexpected behavior, 370Unicode, 140Unix, 46, 81, 100–102, 177, 249, 279,

290, 292, 325, 372Unrouted addresses, 228URLs, 63

absolute URL, 133–134, 325

390   Index

components of, 136internal URLs, 218mangled URLs, 136relative URLs, 133, 325

URL fragments, 118, 121, 266URL validation, 133, 136USB debugging, 351user input, 342user-interface redressing, 143. See also

clickjacking

Vvalidating, 114Vault, 325VBScript, 111VDPs. See vulnerability disclosure

programs (VDPs)ViewDNS.info, 66View Source Code, 79virtual environment, 352vulnerabilities, 61vulnerability disclosure programs

(VDPs), 10vulnerability report, 16. See also write-up

severity, 16steps to reproduce, 18

vulnerability scanners, 25

WW3Schools, 188WAF. See web application firewall

(WAF)Wappalyzer, 79Wayback Machine, 326

Waybackurls, 78web application firewall (WAF), 288

WAF bypass, 293web applications, 5web browser, 46web crawling, 71, 326web frameworks, 187Webhooks, 216web-hosting service, 223web page, 34Web Services Description Language

(WSDL), 358, 362web shell, 202web spidering, 62, 71Wfuzz, 370–371, 374–379

wget, 285, 329white-box testing, 336. See also black-

box testing, gray-box testingwhoami, 289whois, 65

reverse whois, 65whois.cymru.com, 67

Wikipedia, 63wildcard, 63, 101, 292, 297–299Windows 353WordPress, 7, 79, 280write-up, 28WSDL. See Web Services Description

Language (WSDL)

XXInclude Attacks, 251, 254XMind, 59XML. See Extensible Markup Language

(XML)XML bomb, 258. See also billion laughs

attackXML external entity (XXE), 247–260

blind XXE, 252classic XXE, 251

XMLHttpRequest, 128, 170XmlLint, 259X-Powered-By, 79, 324XSS, 111–129

blind XSS, 116, 125reflected XSS, 117, 343self-XSS, 119, 171stored XSS, 115

XSS filter, 126XSS Hunter, 125XSS polyglot, 124XSS protection, 126XXE. See XML external entity (XXE)

YYAML, 234, 338Ysoserial, 243

ZZAP. See Zed Attack Proxy (ZAP)Zed Attack Proxy (ZAP), 47, 72–73, 174,

362, 374zip command, 254zlib, 331