
Real-World Bug Hunting: A Field Guide to Web Hacking

Learn how people break websites and how you can, too.

Real-World Bug Hunting is the premier field guide to finding software bugs. Whether you're a cyber-security beginner who wants to make the internet safer or a seasoned developer who wants to write secure code, ethical hacker Peter Yaworski will show you how it's done.

You'll learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery. Using real-life case studies of rewarded vulnerabilities from applications like Twitter, Facebook, Google, and Uber, you'll see how hackers manage to invoke race conditions while transferring money, use URL parameters to cause users to like unintended tweets, and more.

Each chapter introduces a vulnerability type accompanied by a series of actual reported bug bounties. The book's collection of tales from the field will teach you how attackers trick users into giving away their sensitive information and how sites may reveal their vulnerabilities to savvy users. You'll even learn how you could turn your challenging new hobby into a successful career. You'll


Real-World Bug Hunting is a fascinating soup-to-nuts primer on web security vulnerabilities, filled with stories from the trenches and practical wisdom. With your new understanding of site security and weaknesses, you can help make the web a safer place--and profit while you're at it.

264 pages, Paperback

Published July 9, 2019


About the author

Peter Yaworski

6 books, 25 followers

Ratings & Reviews


Community Reviews

5 stars: 59 (42%)
4 stars: 54 (39%)
3 stars: 19 (13%)
2 stars: 5 (3%)
1 star: 1 (<1%)
Displaying 1 - 17 of 17 reviews
Ray, 267 reviews
February 21, 2020
Disregard the messages giving this book a terrible review.
Honestly, this book is a great intro to web hacking. It's not going to impress any seasoned hackers but anyone with a bit of web dev experience would learn a lot from this book.

That being said, it's basically just a collection of publicly available bug bounties with a bit of commentary. The bounties are all quite old (the most recent being from 2016) but the general ideas behind them are still valid.

My favorite part of the book was rather early on where he explains what the Myspace Samy Worm is. I grew up on MySpace so I was kinda surprised I never heard of this but it's a clever trick that had pretty big repercussions for the creator.

I was also pretty intrigued by learning about XSS Auditors built into browsers.

If anyone would like to watch videos about this I'd recommend this free MIT Course: https://ocw.mit.edu/courses/electrica...
27 reviews
July 14, 2021
A lot of fun to read and quite informative for newbies like me. It goes over the most common vulnerabilities, explains their concepts in a basic manner, and details examples of bug reports that were posted on HackerOne, and whether they got paid for it or not. The last chapter also includes useful guidelines for getting started.

Beware that you might need to be familiar with web concepts before attempting to read this book. Although it tries its best to explain everything, it's often attempted in one or two lines and that's not enough unless you have first-hand experience with the technologies mentioned. Knowing HTTP, HTML, and basic JavaScript would be the minimum requirement for getting anything out of this book, I'd say.
Michal, 315 reviews, 2 followers
December 14, 2020
I didn't read this book to become a hacker but to remind myself of all types of bugs I can do in web apps as a developer so that I can, ideally, avoid them. Every vulnerability is described in exquisite detail that even a non-technical person can read the book and grasp ideas about security issues. That was not an issue even for me, for someone with already good knowledge, as every chapter and paragraph was well structured, so I could see right away which parts I can skip. I would recommend this book to anyone working on web applications.
Jeno, 242 reviews, 74 followers
May 19, 2021
it is somewhat dated;
plus, I have read the first edition, the approach didn't really change by a bit;
you take the vuln, describe the idea and present your reader with a report on hackerone;
I mean, it is probably what you are paying for but it is way too oversimplified + it is depicting some rare and useless vulns which are hard to spot in the wild.
Still, as a basic intro to bug bounties this might be a good reference.
Ajam, 164 reviews, 15 followers
May 1, 2022
3.5★
The selected reports are what make this such a good resource for beginners, though the space has changed drastically and not everything may apply. Maybe pair this one with something like Vickie's Bug Bounty Bootcamp, and you can read the theory there and see the real world examples here, way more rewarding.
Ben, 2,737 reviews, 232 followers
November 15, 2022
Bug Hunting and Web Hacking

This was an excellent book on vulnerability detection and other basic web hacking techniques.

As someone into cybersecurity, I found this an important book to get the basics.

Of course, it was a little introductory, but a great book to get into the realm of hacking and infosec.

Would recommend.

4.8/5
Jon Kartago Lamida, 34 reviews, 4 followers
March 26, 2020
The book gives a pretty detailed intro to common web app vulnerabilities and bug bounty processes. There are many highlights of bounty reports from recent cases too. Must read for anyone interested in app security.
Sebastian, 2 reviews, 1 follower
January 10, 2020
Very informative and quite comprehensive. My only complaint is that the bugs presented were all up to 2016 and might not be representative of what the bug bounty scene looks like at the moment.
1 review
November 12, 2020
want to read this book
Sergey Kochergan, 247 reviews, 46 followers
January 3, 2022
Great book on all aspects of bug hunting, platforms and tools.
Real examples of bug reports and a good number of tips and tricks.
11 reviews1 follower
February 2, 2022
Quite good, slightly different to its ancestor (Web Hacking 101), would certainly recommend.
13 reviews
November 2, 2023
In depth book about web hacking with plenty of real world examples and relevant vulnerabilities
2 reviews
October 29, 2024
Well structured, clear, good for beginners but also for experienced people who want to learn new techniques and ideas.