Hands-On Bug Hunting for Penetration Testers: A practical guide to help ethical hackers discover web application security flaws
暫譯: 滲透測試者的實戰漏洞狩獵:幫助道德駭客發現網路應用程式安全漏洞的實用指南

Joseph Marshall

Hands-On Bug Hunting for Penetration Testers: A practical guide to help ethical hackers discover web application security flaws

買這商品的人也買了...

商品描述

Detailed walkthroughs of how to discover, test, and document common web application vulnerabilities.

Key Features

  • Learn how to test for common bugs
  • Discover tools and methods for hacking ethically
  • Practice working through pentesting engagements step-by-step

Book Description

Bug bounties have quickly become a critical part of the security economy. This book shows you how technical professionals with an interest in security can begin productively―and profitably―participating in bug bounty programs.

You will learn about SQli, NoSQLi, XSS, XXE, and other forms of code injection. You'll see how to create CSRF PoC HTML snippets, how to discover hidden content (and what to do with it once it's found), and how to create the tools for automated pentesting workflows.

Then, you'll format all of this information within the context of a bug report that will have the greatest chance of earning you cash.

With detailed walkthroughs that cover discovering, testing, and reporting vulnerabilities, this book is ideal for aspiring security professionals. You should come away from this work with the skills you need to not only find the bugs you're looking for, but also the best bug bounty programs to participate in, and how to grow your skills moving forward in freelance security research.

What you will learn

  • Choose what bug bounty programs to engage in
  • Understand how to minimize your legal liability and hunt for bugs ethically
  • See how to take notes that will make compiling your submission report easier
  • Know how to take an XSS vulnerability from discovery to verification, and report submission
  • Automate CSRF PoC generation with Python
  • Leverage Burp Suite for CSRF detection
  • Use WP Scan and other tools to find vulnerabilities in WordPress, Django, and Ruby on Rails applications
  • Write your report in a way that will earn you the maximum amount of money

Who this book is for

This book is written for developers, hobbyists, pentesters, and anyone with an interest (and a little experience) in web application security.

Table of Contents

  1. Joining the Hunt
  2. Choosing Your Hunting Ground
  3. Preparing for an Engagement
  4. Unsanitized Data; An XSS Case Study
  5. SQL, Code Injection, and Scanners
  6. CSRF and Insecure Session Authentication
  7. Detecting XML External Entities
  8. Access Control and Security Through Obscurity
  9. Framework and Application-Specific Vulnerabilities
  10. Formatting Your Report
  11. Other Tools
  12. Other (Out of Scope) Vulnerabilities
  13. Going Further
  14. Assessment

商品描述(中文翻譯)

詳細步驟說明如何發現、測試和記錄常見的網頁應用程式漏洞。

主要特點



  • 學習如何測試常見的錯誤

  • 發現道德駭客的工具和方法

  • 逐步練習滲透測試的參與過程

書籍描述


漏洞獎勵計畫迅速成為安全經濟的重要組成部分。本書展示了對安全感興趣的技術專業人員如何開始有效且有利可圖地參與漏洞獎勵計畫。


您將學習到 SQLi、NoSQLi、XSS、XXE 及其他形式的代碼注入。您將看到如何創建 CSRF PoC HTML 片段,如何發現隱藏內容(以及發現後該如何處理),以及如何創建自動化滲透測試工作流程的工具。


然後,您將在漏洞報告的上下文中格式化所有這些信息,以便最大程度地提高獲得現金的機會。


本書提供詳細的步驟說明,涵蓋發現、測試和報告漏洞,對於有志於成為安全專業人士的人來說非常理想。您應該能夠從這本書中獲得所需的技能,不僅能找到您正在尋找的漏洞,還能找到最佳的漏洞獎勵計畫參與,並了解如何在自由職業的安全研究中提升您的技能。

您將學到什麼



  • 選擇參與哪些漏洞獎勵計畫

  • 了解如何最小化法律責任並道德地尋找漏洞

  • 了解如何做筆記,以便更輕鬆地編寫提交報告

  • 知道如何將 XSS 漏洞從發現到驗證,再到報告提交

  • 使用 Python 自動生成 CSRF PoC

  • 利用 Burp Suite 進行 CSRF 偵測

  • 使用 WP Scan 和其他工具查找 WordPress、Django 和 Ruby on Rails 應用程式中的漏洞

  • 以能為您帶來最大金額的方式撰寫報告

本書適合誰


本書是為開發人員、愛好者、滲透測試人員以及任何對網頁應用程式安全感興趣(並有一些經驗)的人士撰寫的。

目錄



  1. 加入獵捕

  2. 選擇您的獵捕場地

  3. 準備參與

  4. 未經清理的數據;一個 XSS 案例研究

  5. SQL、代碼注入和掃描器

  6. CSRF 和不安全的會話身份驗證

  7. 檢測 XML 外部實體

  8. 訪問控制和通過模糊性實現安全

  9. 框架和應用程式特定的漏洞

  10. 格式化您的報告

  11. 其他工具

  12. 其他(超出範圍)漏洞

  13. 進一步深入

  14. 評估

類似商品

最後瀏覽商品 (6)