Real-World Bug Hunting: A Field Guide to Web Hacking

Learn how people break websites and how you can, too.

Real-World Bug Hunting is the premier field guide to finding software bugs. Whether you're a cyber-security beginner who wants to make the internet safer or a seasoned developer who wants to write secure code, ethical hacker Peter Yaworski will show you how it's done.

You'll learn about the most common types of bugs, like cross-site scripting, insecure direct object references, and server-side request forgery. Using real-life case studies of rewarded vulnerabilities from applications like Twitter, Facebook, Google, and Uber, you'll see how hackers manage to invoke race conditions while transferring money, use URL parameters to cause users to like unintended tweets, and more.

Each chapter introduces a vulnerability type accompanied by a series of actual reported bug bounties. The book's collection of tales from the field will teach you how attackers trick users into giving away their sensitive information and how sites may reveal their vulnerabilities to savvy users. You'll even learn how you could turn your challenging new hobby into a successful career. You'll


Real-World Bug Hunting is a fascinating soup-to-nuts primer on web security vulnerabilities, filled with stories from the trenches and practical wisdom. With your new understanding of site security and weaknesses, you can help make the web a safer place, and profit while you're at it.

264 pages, Paperback

Published July 9, 2019


About the author

Peter Yaworski

6 books, 25 followers

Community Reviews

5 stars: 61 (43%)
4 stars: 54 (38%)
3 stars: 19 (13%)
2 stars: 5 (3%)
1 star: 1 (<1%)

Ray
267 reviews
February 21, 2020
Disregard the messages giving this book a terrible review.
Honestly, this book is a great intro to web hacking. It's not going to impress any seasoned hackers but anyone with a bit of web dev experience would learn a lot from this book.

That being said, it's basically just a collection of publicly available bug bounties with a bit of commentary. The bounties are all quite old (the most recent being from 2016) but the general ideas behind them are still valid.

My favorite part of the book was rather early on where he explains what the Myspace Samy Worm is. I grew up on MySpace so I was kinda surprised I never heard of this, but it's a clever trick that had pretty big repercussions for the creator.

I was also pretty intrigued by learning about XSS Auditors built into browsers.

If anyone would like to watch videos about this I'd recommend this free MIT Course: https://ocw.mit.edu/courses/electrica...
27 reviews
July 14, 2021
A lot of fun to read and quite informative for newbies like me. It goes over the most common vulnerabilities, explains their concepts in a basic manner, and details examples of bug reports that were posted on HackerOne, and whether they got paid for it or not. The last chapter also includes useful guidelines for getting started.

Beware that you might need to be familiar with web concepts before attempting to read this book. Although it tries its best to explain everything, it's often attempted in one or two lines and that's not enough unless you have first-hand experience with the technologies mentioned. Knowing HTTP, HTML, and basic JavaScript would be the minimum requirement for getting anything out of this book, I'd say.
Michal
323 reviews, 3 followers
December 14, 2020
I didn't read this book to become a hacker but to remind myself of all types of bugs I can do in web apps as a developer so that I can, ideally, avoid them. Every vulnerability is described in exquisite detail that even a non-technical person can read the book and grasp ideas about security issues. That was not an issue even for me, for someone with already good knowledge, as every chapter and paragraph was well structured, so I could see right away which parts I can skip. I would recommend this book to anyone working on web applications.
Jeno
243 reviews, 73 followers
May 19, 2021
It is somewhat dated;
plus, I have read the first edition, the approach didn't really change by a bit;
you take the vuln, describe the idea and present your reader with a report on HackerOne;
I mean, it is probably what you are paying for, but it is way too oversimplified + it is depicting some rare and useless vulns which are hard to spot in the wild.
Still, as a basic intro to bug bounties this might be a good reference.
Ajam
164 reviews, 14 followers
May 1, 2022
3.5★
The selected reports are what make this such a good resource for beginners, though the space has changed drastically and not everything may apply. Maybe pair this one with something like Vickie's Bug Bounty Bootcamp, and you can read the theory there and see the real world examples here, way more rewarding.
Ben
2,738 reviews, 233 followers
November 15, 2022
Bug Hunting and Web Hacking

This was an excellent book on vulnerability detection and other basic web hacking techniques.

As someone into cybersecurity, I found this an important book to get the basics.

Of course, it was a little introductory, but a great book to get into the realm of hacking and infosec.

Would recommend.

4.8/5
Jon Kartago Lamida
34 reviews, 4 followers
March 26, 2020
The book gives a pretty detailed intro to common web app vulnerabilities and bug bounty processes. There are many highlights of bounty reports from recent cases too. Must read for anyone interested in app security.
Sebastian
2 reviews, 1 follower
January 10, 2020
Very informative and quite comprehensive. My only complaint is that the bugs presented were all up to 2016 and might not be representative of what the bug bounty scene looks like at the moment.
1 review
November 12, 2020
want to read this book
Sergey Kochergan
247 reviews, 48 followers
January 3, 2022
Great book on all aspects of bug hunting, platforms and tools.
Real examples of bug reports and a good number of tips and tricks.
11 reviews, 1 follower
February 2, 2022
Quite good, slightly different to its ancestor (Web Hacking 101), would certainly recommend.
13 reviews
November 2, 2023
In depth book about web hacking with plenty of real world examples and relevant vulnerabilities
2 reviews
October 29, 2024
Well structured, clear, good for beginners but also for experienced people who want to learn new techniques and ideas.