Page 27 - Hands-On Bug Hunting for Penetration Testers

Joining the Hunt                                                            Chapter 1

            What You Will Learn – Next Steps


            In addition to becoming familiar with these tools (and more) by the end of this book, you
            will also learn how to look for, successfully detect, and write a bug submission report for
            vulnerabilities associated with XSS, SQLi and NoSQLi, CSRF, XXE, data leakage, insecure
            session management, and unvalidated redirects, as well as framework- and language-specific
            vulnerabilities, including those found in sites powered by WordPress, Django, and Ruby on
            Rails. You'll also learn how to write a report that maximizes your payout, where to direct
            your attention to maximize your chances of finding a vulnerability, which vulnerabilities
            don't lead to payouts, how to prepare for your pentesting sessions, how to stay within the
            rules of engagement for a session, and other general tips for being productive, and
            profitable, as an independent security researcher participating in bug bounty programs.
            Getting actual experience with penetration testing for the purpose of participating in a bug
            bounty program is key. You'll ultimately learn the most from taking the tools explored here
            and applying them to your own targets, so as you work through the book, you're
            encouraged to sign up with a third-party community and start your first forays into
            security research. As long as you adhere to the rules of engagement and are respectful of
            the app and its users, you can start trying out the techniques explored in these pages.
            Participating in forum discussions, reading about other users' experiences, following blogs,
            and generally being a part of the security community can also help you get a sense of
            effective strategies. Reading bug report submissions from other researchers who have
            gotten the OK to disclose their findings is a fantastic way to start understanding what
            makes a submission report effective and what vulnerabilities are typically discovered
            where.


            How (Not) To Use This Book – A Warning


            A final word before moving on:

                 Do not misuse this book.
            The techniques and technologies described in this book are solely for the purpose of
            participating in approved, ethical, White Hat penetration testing engagements, so that you
            can find bugs, report them to be patched, and be paid for doing so.








                                                    [ 12 ]