کتاب باگ بانتی بوت کمپ  به شما می آموزد که چگونه برنامه های وب را هک کنید. شما یاد خواهید گرفت که چگونه روی یک هدف شناسایی انجام دهید، چگونه آسیب پذیری ها را شناسایی کنید و چگونه از آنها سوء استفاده کنید. شما همچنین یاد خواهید گرفت که چگونه برنامه‌های باگ بانتی را که توسط شرکت‌ها برای پاداش دادن به متخصصان امنیتی برای یافتن باگ‌ها در برنامه‌های وب خود راه‌اندازی شده‌اند، راه‌اندازی کنید.

برنامه‌های باگ بانتی برنامه‌هایی هستند که توسط شرکت حمایت می‌شوند و از محققان دعوت می‌کنند تا آسیب‌پذیری‌ها را در برنامه‌های خود جستجو کنند و به آنها برای یافته‌هایشان پاداش دهند. این کتاب برای کمک به مبتدیان با تجربه کم یا بدون هیچ تجربه امنیتی طراحی شده است که هک وب را بیاموزند، اشکالات را پیدا کنند و در این صنعت پررونق و پرسود رقابتی باقی بمانند.

شما با یادگیری نحوه انتخاب یک برنامه، نوشتن گزارش های باگ با کیفیت و حفظ روابط حرفه ای در صنعت شروع خواهید کرد. سپس یاد خواهید گرفت که چگونه یک آزمایشگاه هک وب راه اندازی کنید و از یک پروکسی برای ضبط ترافیک استفاده کنید. در قسمت 3 کتاب، مکانیسم‌های آسیب‌پذیری‌های رایج وب، مانند XSS، SQL injection، و template injection را بررسی می‌کنید و توصیه‌های مفصلی در مورد نحوه یافتن آنها و دور زدن حفاظت‌های رایج دریافت خواهید کرد. همچنین یاد خواهید گرفت که چگونه چندین باگ را زنجیره‌ای کنید تا تأثیر آسیب‌پذیری‌های خود را به حداکثر برسانید.

در نهایت، این کتاب به تکنیک‌های پیشرفته‌ای می‌پردازد که به ندرت در کتاب‌های مقدماتی هک پوشش داده می‌شوند، اما درک آن‌ها برای هک برنامه‌های وب بسیار مهم است. شما یاد خواهید گرفت که چگونه برنامه های تلفن همراه را هک کنید، کد منبع برنامه را برای مسائل امنیتی بررسی کنید، آسیب پذیری ها را در API ها پیدا کنید و فرآیند هک خود را خودکار کنید. در پایان کتاب، ابزارها و تکنیک‌های لازم برای اینکه یک هکر وب ماهر باشید و باگ‌ها را در برنامه باگ بانتی پیدا کنید، یاد خواهید گرفت.

درباره نویسنده

ویکی لی یک توسعه دهنده و محقق امنیتی با تجربه در یافتن و بهره برداری از آسیب پذیری ها در برنامه های کاربردی وب است. او آسیب‌پذیری‌هایی را به شرکت‌هایی مانند Facebook، Yelp و Starbucks گزارش کرده است و در تعدادی از برنامه‌های آموزشی آنلاین و وبلاگ‌های فنی مشارکت دارد.

نظر خوانندگان کتاب

"کتاب باگ بانتی بوت کمپ باید در کتابخانه هر هکری باشد. ویکی لی به یک سوال مهم پاسخ می دهد: "پس شما اولین نقص خود را پیدا کردید، بعدی چیست؟" او با توضیح نحوه نوشتن گزارش اشکال و تعامل با مشتریان، راهنمای فوق العاده ای را برای شروع حرفه امنیتی شما ارائه می دهد."

-اندرو اور، معاون ویرایشگر، مک آبزرور

"من در چند هفته گذشته از باگ بانتی بوت کمپ لذت بردم و این برای مبتدیان باگ بانتی مانند خودم عالی است. هر کسی که علاقه مند است در مورد آسیب پذیری های مختلف وب، پلت فرم های باگ بانتی، نحوه کار اینترنت و نحوه کسب درآمد بیشتر و وب امن تر بیاموزد، این کتاب برای شماست. از ویکی برای نوشتن چنین کتاب عالی تشکر می کنم!"

- ملکه دیجیتال، یوتیوبر و بلاگر

"باگ بانتی بوت کمپ توسط ویکی لی یک توضیح کامل و استادانه برای نحوه یافتن باگ ها و گزارش مسئولانه آنها است. به قدری واضح نوشته شده است و چنان دستورالعمل های گام به گام مفیدی را ارائه می دهد که وقتی داشتم آن را می خواندم وسوسه شدم. خودم شروع به هانت کنم."

- سینتیا برامفیلد، رئیس DCT-Associates

Bug Bounty Bootcampteaches you how to hack web applications. You will learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them. You'll also learn how to navigate bug bounty programs set up by companies to reward security professionals for finding bugs in their web applications.

Bug bounty programs are company-sponsored programs that invite researchers to search for vulnerabilities on their applications and reward them for their findings. This book is designed to help beginners with little to no security experience learn web hacking, find bugs, and stay competitive in this booming and lucrative industry. 

You'll start by learning how to choose a program, write quality bug reports, and maintain professional relationships in the industry. Then you'll learn how to set up a web hacking lab and use a proxy to capture traffic. In Part 3 of the book, you'll explore the mechanisms of common web vulnerabilities, like XSS, SQL injection, and template injection, and receive detailed advice on how to find them and bypass common protections. You'll also learn how to chain multiple bugs to maximize the impact of your vulnerabilities.

Finally, the book touches on advanced techniques rarely covered in introductory hacking books but that are crucial to understand to hack web applications. You'll learn how to hack mobile apps, review an application's source code for security issues, find vulnerabilities in APIs, and automate your hacking process. By the end of the book, you'll have learned the tools and techniques necessary to be a competent web hacker and find bugs on a bug bounty program.

Contents

PART I: THE INDUSTRY

Chapter 1: Picking a Bug Bounty Program

Chapter 2: Sustaining Your Success

PART II: GETTING STARTED

Chapter 3: How the Internet Works

Chapter 4: Environmental Setup and Traffic Interception

Chapter 5: Web Hacking Reconnaissance

PART III: WEB VULNERABILITIES

Chapter 6: Cross-Site Scripting

Chapter 7: Open Redirects

Chapter 8: Clickjacking

Chapter 9: Cross-Site Request Forgery

Chapter 10: Insecure Direct Object References

Chapter 11: SQL Injection

Chapter 12: Race Conditions

Chapter 13: Server-Side Request Forgery

Chapter 14: Insecure Deserialization

Chapter 15: XML External Entity

Chapter 16: Template Injection

Chapter 17: Application Logic Errors and Broken Access Control

Chapter 18: Remote Code Execution

Chapter 19: Same-Origin Policy Vulnerabilities

Chapter 20: Single-Sign-On Security Issues

Chapter 21: Information Disclosure

PART IV: EXPERT TECHNIQUES

Chapter 22: Conducting Code Reviews

Chapter 23: Hacking Android Apps

Chapter 24: API Hacking

Chapter 25: Automatic Vulnerability Discovery Using Fuzzers

Review

"A really good book for getting started in Bug Bounty, out at a time when something like this was really needed. You can take as many ethical hacking courses as you want, but when it comes to bug bounty, there is so much information and tools it can be imitating to start . . . This really should be the first book read by ANYONE looking to start in the bug bounty game."

—Alex/Muldwych, The Security Noob

"Bug Bounty Bootcamp should be on every hacker's shelf. Vickie Li answers an important question: 'So you found your first flaw, what's next?' By explaining how to write a bug report and interact with clients, she presents a wonderful guide on starting your security career."

—Andrew Orr, Associate Editor, The Mac Observer

"I have enjoyed Bug Bounty Bootcamp over the past few weeks and this is great for bug bounty beginners like myself. Anyone who is interested in learning more about different web vulnerabilities, bug bounty platforms, how the internet works, and how to make money making the web safer this is the book for you. Thanks to Vickie for writing such a great book!"

—The Digital Empress, YouTuber and Blogger

"Bug Bounty Bootcamp by Vickie Li is a thorough and masterful explanation for how to find bugs and responsibly report them. It is written so clearly, and provides such useful step-by-step instructions that as I was reading it, I was tempted to start hunting for bugs myself."

—Cynthia Brumfield, President, DCT-Associates

"Bug Bounty Bootcamp is a great resource for those who want to participate in Bug Bounties because it not only teaches you about the technical aspects, but helps you develop a methodology and sustain your testing. Some technology knowledge is assumed, but it does a solid job of describing the relevant vulnerability types from first principles, so it can be a strong resource for those new to the security space. The writing style is clear and to the point."

—David Tomaschik, Security Engineer at Google, Blogger at System Overlord

"I highly suggest reading Bug Bounty Bootcamp."

—@HolyBugx

"Pure GEM. Learned a lot of things from her book."

—Aakash Choudhary, @LearnerHunter

"Loved the book. Well written, clear, concise, and easy to follow. Everyone from the beginner bug hunter to the seasoned pro will find a nugget, some nuggets or just pure nuggets of amazing information, tips and advice."

—Douglas Campbell, Advanced Reviewer

"The only book you need to get started in bug bounty is @vickieli7's book coming out from @nostarch, Bug Bounty Bootcamp. It's a detailed how-to with lots of technical how-to steps."

—Metacurity, Top Infosec News Destination, @Metacurity

"The new go-to resource for a beginner in web app hacking . . . I recommend this book before anything else for a beginner trying to learn web security. Vickie provides an excellent delivery of breaking down complex concepts that makes it easy to comprehend. Also, the step by step guidance of exploiting a vulnerability is fantastic to refer back to . . . If you are a complete beginner and feel confused or lost in all of the information out there then stop, grab this book, read through it once, then use it as your guide."

—AntiRuse, @AntiRuse, Blogger

"Definitely recommend it!"

—Michael, @DoAbarrel_Troll

"Bug Bounty Bootcamp is *the* book for everyone in Information Technology, not just those interested in bug bounties . . . This easy-to-read guide breaks down complicated topics into a simple progression through technical concepts. From a foundational overview of the industry and how to get started, the reader progresses from Cross Site Scripting all the way through to API hacking and use of Fuzzers. Vickie Li has done a tremendous service to information security by sharing her expert understanding of bug hunting in a highly accessible way. Recommended reading for all IT professionals, new or veteran."

—Jess Vachon, Advanced Reviewer

"Vicki Li’s book took me from knowing nothing about bug bounties, to finding my first bug. Li goes over the process of bug bounties, writing reports, and how to make relationships with companies. Li also has expert techniques that will help your automate your hacking experience and even hacking android apps."

—Anthony Ware, Advanced Reviewer

"For anyone interested in bug detection of web services, this book is for you. It takes an approach that is enjoyable for all levels. It covers the essentials for understanding web servers and why the assortment of vulnerabilities exists with steps in what to look for in approaching those security risks. It’s not going to make you an expert overnight, but it will set you on the path towards success, bypassing the common mistakes where others have fallen."

—Riley A., Advanced Reviewer

"Step-by-step instructions to achieve your first bug bounty and a great book to reference as a security professional. This book will give insight to how bug bounty programs operate and provide resources to learn programming, security tools, and breakdown OWASP top 10 vulnerabilities."

—Jessica W., Advanced Reviewer

"Since reading The Web Application Hacker's Handbook a few years ago, I haven't seen that much web security knowledge organized in one place as in Bug Bounty Bootcamp. Vickie did a fantastic job of covering many different vulnerability classes that are important for offensively testing web applications. Explanations are made so that beginners would understand them but I was also able to find some inspirations each time I looked at the book when testing a specific vulnerability class. I highly recommend Bug Bounty Bootcamp for everyone who wants to learn about web security."

—Bug Bounty Reports Explained, YouTuber and Advanced Reviewer

"A great companion to @yaworsk's earlier book, Real-World Bounty Hunting (also by

@nostarch), and deserves a place on your bookshelf."

—@jub0bs

"An informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting."

—Dana Epp, Security Boulevard

About the Author

Vickie Li is a developer and security researcher experienced in finding and exploiting vulnerabilities in web applications. She has reported vulnerabilities to firms such as Facebook, Yelp and Starbucks and contributes to a number of online training programs and technical blogs.