Real-world Bug Hunting: A Field Guide to Web Hacking
YOU SAVE £11.78
- Condition: Brand new
- UK Delivery times: Usually arrives within 2 - 3 working days
- UK Shipping: Fee starts at £2.39. Subject to product weight & dimension
Real-World Bug Hunting is a field guide to finding software bugs, with ethical hacker Peter Yaworski breaking down common types of bugs and contextualising them with real bug bounty reports released by hackers on companies like Twitter, Facebook, Google, Uber, and Starbucks.
Format: Paperback / softback
Length: 300 pages
Publication date: 09 July 2019
Publisher: No Starch Press, US
Real-World Bug Hunting is a comprehensive guide to discovering software bugs. Ethical hacker Peter Yaworski examines various types of bugs, providing context by showcasing real bug bounty reports released by hackers on prominent companies such as Twitter, Facebook, Google, Uber, and Starbucks. As you work through these reports, you will gain a deeper understanding of how these vulnerabilities function and of strategies for identifying similar ones in your own codebase.
The first bug type discussed by Yaworski is SQL injection, a common vulnerability that allows attackers to manipulate database queries and extract sensitive information. He explains how hackers exploit this vulnerability by injecting malicious SQL code into web forms or URLs, which can then be executed by the server and result in unauthorized access to data.
Next, Yaworski explores cross-site scripting (XSS) bugs, which allow attackers to inject malicious JavaScript code into web pages visited by users. This code is executed by the browser, granting the attacker access to sensitive user information or allowing them to take control of the user's session. Yaworski provides examples of XSS attacks and explains how they can be prevented by implementing proper input validation and output encoding techniques.
Moving on, Yaworski discusses buffer overflows, a type of bug that occurs when a program stores more data in a memory buffer than it is designed to hold. This can lead to memory corruption, causing the program to crash or execute arbitrary code. Yaworski explains how buffer overflows work and provides strategies for preventing them, such as using proper memory management techniques and checking for buffer overflow conditions.
Another bug type discussed by Yaworski is insecure cryptography, which involves the use of weak or outdated encryption algorithms. This can leave sensitive data vulnerable to attack, as hackers can easily break the encryption and access the underlying information. Yaworski explains how insecure cryptography works and provides recommendations for using stronger encryption algorithms, such as AES or RSA.
Yaworski also touches on privilege escalation, a common bug that occurs when an attacker gains unauthorized access to a system or application. This can be achieved through vulnerabilities in the operating system, application software, or user credentials. Yaworski explains how privilege escalation works and provides strategies for preventing it, such as implementing proper access control mechanisms and regular security audits.
In addition to these bug types, Yaworski discusses web application security, a critical aspect of modern software development. He explains how web applications are vulnerable to attacks and provides strategies for securing them, such as using proper authentication and authorization mechanisms, implementing input validation and encoding techniques, and using web application firewalls.
Finally, Yaworski emphasizes the importance of ethical hacking and bug bounty programs in identifying and reporting software bugs. He explains how these programs encourage developers to improve the security of their code and how they can benefit from participating in them.
In conclusion, Real-World Bug Hunting is a valuable resource for software developers and security professionals looking to improve their understanding of software bugs and their mitigation strategies. By exploring real-world bug bounty reports and gaining insights from expert hacker Peter Yaworski, you will be well-equipped to identify and address vulnerabilities in your own codebase.
Weight: 516g
Dimension: 178 x 233 x 17 (mm)
ISBN-13: 9781593278618
UK and International shipping information
UK Delivery and returns information:
- Delivery within 2 - 3 days when ordering in the UK.
- Shipping fee for UK customers from £2.39. Fully tracked shipping service available.
- Returns policy: Return within 30 days of receipt for full refund.
International deliveries:
Shulph Ink now ships to Australia, Belgium, Canada, France, Germany, Ireland, Italy, India, Luxembourg, Saudi Arabia, Singapore, Spain, Netherlands, New Zealand, United Arab Emirates, United States of America.
- Delivery times: within 5 - 10 days for international orders.
- Shipping fee: charges vary for overseas orders. Only tracked services are available for most international orders. Some countries have untracked shipping options.
- Customs charges: If ordering to addresses outside the United Kingdom, you may or may not incur additional customs and duties fees during local delivery.