Usefull add-ons for Webapp Pentesting and Bug Bounty

So here is just a very short one. Always when I have to set up a new pentest machine, I have to look it up again, so here is a small list of browser addons that are usefull for webapp pentesting (using Firefox):

  • wappalyzer
  • Temp Mail
  • Hackbar Quantum
  • retire.js
  • Foxy Proxy Basic
  • shodan.io
  • Export Cookies

Book review: Real-World Bug Hunting

One of the good things about Defcon is that there is a No Starch Press store at the vendors area. 

So I bought it for the flight, but it took a bit longer until I was through the book.

The book has 20 chapters, starting with Bug Bounty Basics. The next 17 chapters go through different classes of vulnerabitlites like XSS, SQLi, memory corruption, CSRF and so on.

After an explanation of the vulnerabilty itself, real reports are also included with further hints. At the end of each chapter the reader can find useful takeaways.

The last two chapters are not about bugs, one is about finding bugs in general, including some descriptions for tactics and tools. The last chapter is about writing a good report, communication to the companies and how to deal with the different programmes, which seems very useful to me.

Real-World Bug Hunting is helping to maximaize payouts and finding more bugs. It shows up lots of attack vectors and creative way for exploing them.

The book is not for beginners. I recommend to have a look at the recommendations list, the bug bounty beginners and the penetration tester basics articles for more resources.

Real-World Bug Hunting: A Field Guide to Web Hacking
Author: Peter Yaworski
Content: A very practical guide to bug hunting and bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner, Intermediate
Buy at Amazon U.S.
Buy at Amazon Germany

Career Path Security Researcher & Bug Bounty

Security Researchers work in the field of bug bounties and exploitation, often they are independent but sometimes they also work as employees. I think that both paths are not easy, but of course it can be done. On both paths you can earn lots of $$$ but I also heard of people who came out disappointed. Some people starting this as a side job and then go independent. If you don’t know some basics look here and here.

The reason why I put both paths in one post is that for me you need a similar mindset. You have to be highly motivated, need to learn a lot before you gain some success (well, at least for most people) and if you go independent you work on your own. For both you need a plan or tactics, you can’t just start hacking and hope to find something.

When you want to participate in bug bounties normally you are using platforms like hackerone or bugcrowd, but lot’s of companies have their own bounty programs. Since most of these programs are public this makes starting easy.

On the other hand, when you want to start as a researcher and do exploit development, you also have some public resources like ZDI or zerodium. But what is more important than in bug bounty, is networking with other researchers and companies. One way is to go at conferences and trainings, have a look at the links section of this article.

Both paths might take months or even years until you get into it, so this article can only be a starting point that I hope is helpful.

Links

Bug Bounty

Blog Articles, programs

LevelUp 0x02 – Bug Bounty Hunter Methodology v3

Advanced Web Attacks and Exploitation (AWAE)

Probably interesting for both paths, but web hacking is more bug bounty for me…
https://www.offensive-security.com/information-security-training/advanced-web-attack-and-exploitation/

Exploiting

35C3 – From Zero to Zero Day

The Exploit tutorials from corelan

https://www.corelan.be/index.php/articles/
That said, I can highly recommend the trainings that you can book at several conferences:
https://www.corelan-training.com/

OSCE- Cracking the Perimeter (CTP)

Also mentioned here before, the Offensive Security course and certification:
https://www.offensive-security.com/information-security-training/cracking-the-perimeter/

OSEE – Advanced Windows Exploitation (AWE)

I also heard great things about the AWE (OSEE) for more in depth exploitation, but I don’t have personal experience here.

Even more links:
https://www.zerodayinitiative.com/
https://zerodium.com/
https://googleprojectzero.blogspot.com/
and especially this article from project zero:
https://googleprojectzero.blogspot.com/p/working-at-project-zero.html

Conferences

As said before, learning new things and networking is really important, so here are some conferences that seem good, you should also consider to take some trainings:

Books

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

The Shellcoder’s Handbook
Authors: Chris Anley, John Heasman, Felix “FX” Lindner, Gerardo Richarte
Content: Exploiting security holes for Windows, Solaris, MacOSX, Cisco. Although from 2007 still worth reading.
Career: Penetration Tester, Exploiter
Level: Intermediate, Experts
Buy at Amazon U.S.
Buy at Amazon Germany

Hacking: The Art of Exploitation
Author: Jon Erickson
Content: Goes from the first steps in Bash and C to in depth exploitation and debugging on Linux.
Career: Penetration Tester, Exploit Developer
Level: Beginner, Intermediate, Expert
Buy at Amazon U.S.
Buy at Amazon Germany

And here is a great free book:
Modern Windows Exploit Development
http://docs.alexomar.com/biblioteca/Modern%20Windows%20Exploit%20Development.pdf

Book Review Hands-on Bug Hunting for Penetration Testers

Hands-On Bug Hunting for Penetration Testers
Author: Joseph Marshall
Content: Go through common bugs in Webapps and introduction to bug bounties
Career: Penetration Tester, Bug Bounty
Level: Beginner
Buy at Amazon U.S.
Buy at Amazon Germany

The main audience of Bug Hunting for Penetration Testers are coders and penetration testers interested in bug bounties. The book goes through bug bounty programs, penetration testing and the usual web security vulnerabilites like XSS, SQL injections, XEE and so on.

As the title sais, the book was written for people with prior knowledge in penetration testing. So the vulnerabtilies are not explained in depth, but nevertheless it is suitable also for beginners if they are willing to go deeper later and using other sources, after each chapter there are some recommendations for it.

For me the perspective as a bug hunter is pretty interesting, and the book is going into automatisation of some tasks and which vulnerabilites are usually interesting for bug bounty programs and how to report them. For getting an impression about the coding have a look here, unfortunatelly the code base is for python 2.7 and not python 3. The books is also informing about information gathering and bug bounty strategies. What I also like are the end-to-end examples, from finding and exploiting a vulnerability to a short example report. Later reporting is explained into more detail.

If you are interested in Bug Bounty programs you should have a look into this book.