Page 228 - Hands-On Bug Hunting for Penetration Testers
Assessment
5. Testing for XXE using simple entity substitution is an easy, lightweight way of
validating XXE bugs.
6. The "Billion Laughs" attack is not unique to XML; it is the use of nested entities to
consume exponential memory and DoS the parsing service.
7. Even though some services explicitly use JSON for passing data, their underlying
servers often have the capacity to use different data formats. Sometimes, doing
something as simple as using a different Content-Type header can allow you
to unlock these formats.
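As an added defender-side illustration of point 6 (not code from the book), the following Python guard refuses any document that declares a DTD or entities before the parser gets a chance to expand them, which is what a nested-entity (Billion Laughs) payload or an XXE reference relies on. The sample documents are constructed for the example; the tiny nested-entity document only has three levels and a few references per level, enough to show the shape without stressing a parser.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD or entities (XXE / nested-entity vectors)."""


def reject_dtd_and_entities(data: bytes) -> None:
    """Pre-scan with expat and abort on the first DOCTYPE or entity declaration.

    Both handlers fire before any entity is expanded in element content, so the
    exponential blow-up of nested entities never happens and no external entity
    is ever resolved. Raises UnsafeXMLError or ExpatError (malformed input)."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration for <{name}> refused")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration {name!r} refused")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_safely(data: bytes) -> ET.Element:
    """Return the parsed root element, or raise if the document is refused."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True when the guard accepts the document; malformed input also counts as unsafe."""
    try:
        reject_dtd_and_entities(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False


# Constructed sample inputs (not taken from the book).
SAFE_DOC = b"<order><item sku='A1'>2</item></order>"
# Each level references the previous one four times: 4 * 4 * 4 characters here,
# but the same shape with more levels is what exhausts a parser's memory.
NESTED_ENTITY_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY a 'aaaa'>"
    b"<!ENTITY b '&a;&a;&a;&a;'><!ENTITY c '&b;&b;&b;&b;'>]>"
    b"<order>&c;</order>"
)
```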
Chapter 8
1. Security through/by obscurity is a valid way of discouraging opportunistic
attacks, but it cannot be the foundation of a sound security strategy.
2. API keys, access tokens, passwords, and account and application data are all
commonly reported for bounties.
3. The Burp Proxy contains settings for passively uncovering hidden fields, a
simple hack.
4. An API key grants blanket access to an API or service. An access token is
typically associated with more individual/role-based authentication systems,
though this is not a hard and fast distinction.
5. Generic error codes and descriptions, browser "autocomplete" functionality, and
information that generally doesn't provide an associated attack scenario do not
typically merit a reward.
6. It is always a mistake to trust user input.
7. Web applications are leaky, but error messages, hidden fields, and client-source
code are all areas where sensitive information lurks.
Chapter 9
1. CVE stands for Common Vulnerabilities and Exposures. It is a system for
allowing different tools and organizations to share data about known
vulnerabilities.
2. WordPress is used by such a gigantic portion of the web that it makes a rich
target for hackers. Also, PHP, as a dynamically typed language, has its own
weaknesses.
[ 213 ]