Key Points

Release Date: September 2021

Date Reviewed: November 2021

Author/Creator: Vickie Li (@vickieli7)

Subject(s): Bug bounty hunting, recon, report writing, web application hacking.

Prerequisite(s): Some knowledge of HTML, JavaScript, HTTP, cryptography, and encoding would help, but I would even recommend this book to a complete beginner and suggest researching things as you go along.

Medium: Book and/or E-book

Length: 416 Pages

Price: $49.99 Print (comes with E-book), $39.99 E-book.

Link: https://nostarch.com/bug-bounty-bootcamp (Not affiliated)

Review Disclaimer

My goal is to provide honest and consistent reviews that can help others decide if an educational resource is right for them. Due to this, reviews are not influenced by discounts given, affiliate marketing, or whether a product is given for free. However, it is admitted that these benefits influence whether a resource will be reviewed and that I only engage in partnerships with companies who provide quality products. If you decide a resource is right for you, it is very much appreciated if you use any noted affiliate links, as this will help Cybersec.Reviews produce more content to further help students make informed decisions on their education.

Review

My First Bugs

For those who don't know, I have been trying to break into the cybersecurity field from scratch for two years now. I have no previous experience other than just being a gamer and interested in technology. I will fully credit this book for giving me the confidence I needed to start hunting and finding my first bugs. I have attempted to start many times before, but it has always felt like taking an exam for me. I find a program, open my notes, navigate to the target web page, and then freeze. "Where do I start?", "What am I even looking for?", "I don't understand all this gibberish in my Burp proxy" are some things that would go through my head. Now, with these clear explanations and step-by-step guides, it is a lot easier to focus as a beginner. So, after reading this book I found a more suitable program to poke around on and tried again. I used the recon techniques provided and found my very first bug, an information disclosure that was marked as informative. Continuing my recon, I found another endpoint that had a bug that was not even covered in the book, but I did my own research to exploit it. This report was marked as a duplicate, and I couldn't be happier: I had finally found a bug! Hopefully this has piqued your interest in learning more about this book; please read on to see if it is right for you.

Overview

When I am reading a book or doing an online course, I like to take comprehensive notes. If I am reading a print book, I usually take notes on my phone, or if I am on my computer, I'll take notes in a Word document. To put in perspective how much I gained from this book, let me give you some numbers. While reading the Real-World Bug Hunting book I took 1 page of notes at 249 words. For Nahamsec's Bug Bounty Course I took 13 pages of notes at 3,311 words. For XSS Rat's Bug Bounty Bootcamp course I took 15 pages of notes at 6,364 words. For Vickie Li's Bug Bounty Bootcamp book, I took a massive 64 pages of notes at 21,402 words. Albeit, I was reading it in the early release PDF version, so I was able to copy and paste some excerpts, but I rarely did. This is how much I took away from this book. It is hands down the best book I have read so far on the subject of web application hacking for a beginner. The Web Application Hacker's Handbook may still be known as the bible, but I would argue that this book may be the next go-to for those learning web application hacking and bug bounty.

Intro

It's hard to figure out where to start for breaking down the content of this book. There's so much useful content packed into a concise package that I think it would be best to manually walk through it. The start of the book includes a section called "The Industry" which describes how to pick a bug bounty program and how to sustain success. This gives a great overview and includes topics such as asset type descriptions (social sites, mobile apps, etc.) and how different bug bounty programs operate. The next section is called "Sustaining your success" which goes into report writing, working with triage teams, and having a productive mindset. Topics like this haven't been explained in depth in previous resources, and they are good to keep in mind for hunting. One example is the topic called "Understand why you're failing" which provides advice for when you're not finding bugs or your reports are closed as N/A. I loved how this intro was done and the information it includes; it's almost like mentoring more so than just a book.

Next, Vickie gives a great breakdown of how the internet works, covering things like HTTP and security controls. The explanation of security controls I found to be very helpful, as it was more "dumbed down" (for lack of a better term) than things I have read prior but didn't understand. Some of the described security controls include session management and JSON Web Tokens. The next section is about environment setup. This goes into how to set up Burp Suite, the different tools, and what they do. I think these initial primers are written so well and clearly that someone with minimal knowledge can easily follow.

Recon

The next topic is recon, and while reading through I thought to myself, "I would have paid just for this as a recon guide". The recon section is very extensive and goes over writing bash scripts for automating recon, walking an application, fingerprinting a tech stack, OSINT, and much more. It is also written to build on itself, so one can pretty much follow along when hacking. For example, it starts by going over subdomain enumeration, then discovering directories, then finding third-party hosting such as S3 buckets. The explanation of bash scripting for recon is almost like a small book itself, and I will be referring back to it often when I begin learning bash.

The Vulnerabilities

Now starts the real meat of this book: with 19 chapters devoted to web hacking techniques, there is a massive amount of content covered. The familiar vulnerabilities like cross-site scripting and SQL injection are present, but there are some that are rarely covered as well. These include clickjacking, race conditions, template injection, and SSO exploits. Some topics, like insecure deserialization, include code you can run to follow along with examples in the book. The beginning of each chapter has a great "explain like I'm 5" section that gives an introduction that helped me really understand the mechanics of a vulnerability before the steps of exploitation are given. Next, the topic is expanded upon with further explanations in subtopics. Example subtopics are different XSS types, second-order SQL injection, and finding exposed admin panels in relation to information disclosure. After the vulnerability is completely explained, a section about preventing it is included. This is very useful not only for rounding out an even more complete understanding, but also when writing reports with recommended mitigations.

Lastly, a step-by-step guide for finding the vulnerability, escalation, and a summary end each section. For me, these A-to-Z, step-by-step guides are exactly what I need to hunt for a new vulnerability type. To give you a better understanding, check out this link to a sample chapter about open redirects: https://nostarch.com/download/samples/BugBountyBootcampSampleC7h.pdf. Do you see how much one vulnerability is expanded upon and how clear the steps given are? This is the format used for every vulnerability type, and I think it works perfectly. The explanation of the vulnerability types is the most clear and easy to digest compared to anything else I've read or watched. I really love the depth of the explanations of why and how things work under the hood, as opposed to other books or video courses that suggest blindly throwing random payloads everywhere. To sum up, Vickie does a great job teaching the inner workings of what leads to a vulnerability, as opposed to solely providing hacking steps or payloads for exploitation. The explanations were fantastic, but the only thing missing would be included exercises, or recommendations of exercises for the reader to participate in. This lack of hands-on practice, which is common in other books published by No Starch Press, was the only thing I can see that was missing from this area.

Expert Techniques

The last four chapters of the book, titled "Expert Techniques", cover things like API hacking and conducting code review. As a beginner, I really appreciated these topics being covered, and they will be useful to refer back to. Being a beginner, I think it is still useful to be aware of these techniques and understand the methodology, even if I don't feel ready to hack APIs yet. As another example, on Twitter I've seen posts of how someone has found a bug from code review, but I never understood how to get started looking for vulnerabilities like this and had always thought it was a type of exploit development through reverse engineering. Now that I have read this section in Bug Bounty Bootcamp, I understand some of the techniques and have the confidence to do my own research when I get to a situation where I am hacking an API or doing code review.

Conclusion

I recommend this book before anything else for a beginner trying to learn web security. Vickie provides an excellent delivery, breaking down complex concepts in a way that makes them easy to comprehend. Also, the step-by-step guidance on exploiting a vulnerability is fantastic to refer back to. I'm not affiliated with No Starch Press or the author in any way, but I hope I have sold you on purchasing this book. If you are a complete beginner and feel confused or lost in all of the information out there, then stop, grab this book, read through it once, then use it as your guide. Due to the lack of hands-on exercises, I recommend supplementing this with other online CTF challenges to practice the theory of what the student is learning.

CSR Score

Quality: 5/5 The contents of the book are very well organized and contain minimal spelling errors.

Education: 5/5 A student of any skill level can gain insight from this book as it covers a range of topics relating to bug bounty.

Value for price: 4/5 The value for price is okay, but it is a little high and the book is missing hands-on exercises that are common in other books or courses.

Value for time: 4/5 The value for time of reading through this book is good, but again the student will need to supplement it with hands-on practice as they follow along.

Verdict

Total Score: 18/20 “A highly recommended resource that is worth the time and/or monetary investment”.

(See scoring guide here http://cybersec.reviews/aboutme/#scoring)