Introduction
Introduction
Part I: The Industry
Chapter 1: Picking a Bug Bounty Program
Chapter 2: Sustaining Your Success
Part II: Getting Started
Chapter 3: How the Internet Works
Chapter 4: Environmental Setup and Traffic
Interception
Chapter 5: Web Hacking Reconnaissance
Part III: Web Vulnerabilities
Chapter 6: Cross-Site Scripting
Chapter 7: Open Redirects
Chapter 8: Clickjacking
Chapter 9: Cross-Site Request Forgery
Chapter 10: Insecure Direct Object Reference
Chapter 11: SQL Injection
Chapter 12: Race Conditions
Chapter 13: Server-Side Request Forgery
Chapter 14: Insecure Deserialization
Chapter 15: XML External Entity Vulnerabilities
Chapter 16: Template Injection
Chapter 17: Application Logic Errors and Broken Access
Control
Chapter 18: Remote Code Execution
Chapter 19: Same Origin Policy Issues
Chapter 20: Single Sign-on Issues
Chapter 21: Information Disclosure
Part IV: Expert Techniques
Chapter 22: Conducting Code Reviews
Chapter 23: Hacking Android Apps
Chapter 24: API Hacking
Chapter 25: Automatic Vulnerability Discovery Using
Fuzzers
Index
Vickie Li is a developer and security researcher experienced in finding and exploiting vulnerabilities in web applications. She has reported vulnerabilities to firms such as Facebook, Yelp and Starbucks and contributes to a number of online training programs and technical blogs.
"A really good book for getting started in Bug Bounty, out at a
time when something like this was really needed. You can take as
many ethical hacking courses as you want, but when it comes to bug
bounty, there is so much information and tools it can be imitating
to start . . . This really should be the first book read by ANYONE
looking to start in the bug bounty game."
—Alex/Muldwych, The Security Noob
"Bug Bounty Bootcamp should be on every hacker's shelf. Vickie Li
answers an important question: 'So you found your first flaw,
what's next?' By explaining how to write a bug report and interact
with clients, she presents a wonderful guide on starting your
security career."
—Andrew Orr, Associate Editor, The Mac Observer
"I have enjoyed Bug Bounty Bootcamp over the past few weeks and
this is great for bug bounty beginners like myself. Anyone who is
interested in learning more about different web vulnerabilities,
bug bounty platforms, how the internet works, and how to make money
making the web safer this is the book for you. Thanks to Vickie for
writing such a great book!"
—The Digital Empress, YouTuber and Blogger
"Bug Bounty Bootcamp by Vickie Li is a thorough and masterful
explanation for how to find bugs and responsibly report them. It is
written so clearly, and provides such useful step-by-step
instructions that as I was reading it, I was tempted to start
hunting for bugs myself."
—Cynthia Brumfield, President, DCT-Associates
"Bug Bounty Bootcamp is a great resource for those who want to
participate in Bug Bounties because it not only teaches you about
the technical aspects, but helps you develop a methodology and
sustain your testing. Some technology knowledge is assumed, but it
does a solid job of describing the relevant vulnerability types
from first principles, so it can be a strong resource for those new
to the security space. The writing style is clear and to the
point."
—David Tomaschik, Security Engineer at Google, Blogger at System
Overlord
"I highly suggest reading Bug Bounty Bootcamp."
—@HolyBugx
"Pure GEM. Learned a lot of things from her book."
—Aakash Choudhary, @LearnerHunter
"Loved the book. Well written, clear, concise, and easy to follow.
Everyone from the beginner bug hunter to the seasoned pro will find
a nugget, some nuggets or just pure nuggets of amazing information,
tips and advice."
—Douglas Campbell, Advanced Reviewer
"The only book you need to get started in bug bounty is
@vickieli7's book coming out from @nostarch, Bug Bounty Bootcamp.
It's a detailed how-to with lots of technical how-to steps."
—Metacurity, Top Infosec News Destination, @Metacurity
"The new go-to resource for a beginner in web app hacking . . . I
recommend this book before anything else for a beginner trying to
learn web security. Vickie provides an excellent delivery of
breaking down complex concepts that makes it easy to comprehend.
Also, the step by step guidance of exploiting a vulnerability is
fantastic to refer back to . . . If you are a complete beginner and
feel confused or lost in all of the information out there then
stop, grab this book, read through it once, then use it as your
guide."
—AntiRuse, @AntiRuse, Blogger
"Definitely recommend it!"
—Michael, @DoAbarrel_Troll
"Bug Bounty Bootcamp is *the* book for everyone in Information
Technology, not just those interested in bug bounties . . . This
easy-to-read guide breaks down complicated topics into a simple
progression through technical concepts. From a foundational
overview of the industry and how to get started, the reader
progresses from Cross Site Scripting all the way through to API
hacking and use of Fuzzers. Vickie Li has done a tremendous service
to information security by sharing her expert understanding of bug
hunting in a highly accessible way. Recommended reading for all IT
professionals, new or veteran."
—Jess Vachon, Advanced Reviewer
"Vicki Li’s book took me from knowing nothing about bug bounties,
to finding my first bug. Li goes over the process of bug bounties,
writing reports, and how to make relationships with companies. Li
also has expert techniques that will help your automate your
hacking experience and even hacking android apps."
—Anthony Ware, Advanced Reviewer
"For anyone interested in bug detection of web services, this book
is for you. It takes an approach that is enjoyable for all levels.
It covers the essentials for understanding web servers and why the
assortment of vulnerabilities exists with steps in what to look for
in approaching those security risks. It’s not going to make you an
expert overnight, but it will set you on the path towards success,
bypassing the common mistakes where others have fallen."
—Riley A., Advanced Reviewer
"Step-by-step instructions to achieve your first bug bounty and a
great book to reference as a security professional. This book will
give insight to how bug bounty programs operate and provide
resources to learn programming, security tools, and breakdown OWASP
top 10 vulnerabilities."
—Jessica W., Advanced Reviewer
"Since reading The Web Application Hacker's Handbook a few years
ago, I haven't seen that much web security knowledge organized in
one place as in Bug Bounty Bootcamp. Vickie did a fantastic job of
covering many different vulnerability classes that are important
for offensively testing web applications. Explanations are made so
that beginners would understand them but I was also able to find
some inspirations each time I looked at the book when testing a
specific vulnerability class. I highly recommend Bug Bounty
Bootcamp for everyone who wants to learn about web security."
—Bug Bounty Reports Explained, YouTuber and Advanced Reviewer
"A great companion to @yaworsk's earlier book, Real-World Bounty
Hunting (also by
@nostarch), and deserves a place on your bookshelf."
—@jub0bs
"An informative and well-written guide that should be of interest
to anyone considering a career in API hacking through bug bounty
hunting."
—Dana Epp, Security Boulevard
Ask a Question About this Product More... |