Key Points

Release Date: 2019

Date Reviewed: 2020

Author/Creator: Peter Yaworski

Subject(s): Quick HTTP overview, 16 vulnerabilities explained with real examples, methodology, report writing.

Prerequisite(s): Basic knowledge of networking, HTML, JavaScript.

Medium: Book

Length: 264 Pages

Price: 26.20 on Amazon

Link: Real-World Bug Hunting: A Field Guide to Web Hacking: Yaworski, Peter: 9781593278618: Amazon.com: Books (Not Affiliated)

Review Disclaimer

My goal is to provide honest and consistent reviews that can help others decide if an educational resource is right for them. Because of this, reviews are not influenced by discounts given, affiliate marketing, or whether a product is given for free. However, it is admitted that these benefits influence whether a resource will be reviewed, and that I only engage in partnerships with companies who provide quality products. If you decide a resource is right for you, using any noted affiliate links is very appreciated, as this will help Cybersec.Reviews produce more content to further help students make informed decisions on their education.

Review

Overview

Peter Yaworski wrote Web Hacking 101, which was released in 2018. I'm not sure if it is Peter's intent, but PDF versions of Web Hacking 101 are widely available online (https://www.hackerone.com/ethical-hacker/hack-learn-earn-free-e-book). This isn't really a bad thing if you're like me and actually like physical books. But if you purchased Web Hacking 101 and then purchased Real-World Bug Hunting thinking you're getting something new, different, or highly expanded, then you'll be disappointed. A lot of the content is very similar, if not identical, to Web Hacking 101. This wasn't so much the case for me; I had "read" Web Hacking 101, but that was before I got into the world of Information Technology, so I didn't have a [redacted] clue what I was reading at the time. There are conceptual explanations of each vulnerability, but they aren't too practical. Anyway, the book starts off going over the basics of bug bounties, how websites work, and HTTP. These starting sections are written very well and are new compared to the Web Hacking 101 book. The overview of how websites work is good, and I think it would give anybody a decent idea whether they have previous knowledge or not. To fully understand the vulnerabilities, I still think one needs to know the basics of what HTML and JavaScript are prior to reading.

Real World Bug Examples

The real content of the book is the 16 vulnerabilities that are explained. Each overview includes an explanation of what the vulnerability is, how it arises, and then breakdowns of real reports. The vulnerability explanations can be hit or miss if you are a beginner, because most don't include how to actually exploit an application. For example, the section about SSRF explains what the concept of SSRF is, but then the next paragraph begins with "Suppose you find an SSRF…". I was left with questions like: how do I actually find one? What kind of requests or parameters should I look for? What does an actual SSRF payload look like? These kinds of questions can sometimes be answered in the explanations of real disclosed reports, but the technique still isn't clearly explained.

Mentioned But Not Explained

The book concludes with methodology, report writing, and an index of tools. The methodology section is a high-level overview that includes ideas to keep in mind when testing a web application. These ideas are along the lines of "do port scanning", "look at previous bugs", and "look at the technology stack". There are some good tips and tricks, but no actual beginner techniques are explained. The report writing chapter is similarly a high-level overview. Lastly, the book ends with an index of tools grouped into general categories, each with a few sentences on what it does. For example, Knockpy is under the category of subdomain enumeration and has a paragraph stating "Knockpy is a Python tool designed to iterate over a word list to identify a company's subdomains…". This section is nice for getting an idea of what tools are out there, but it might not be the most useful for a beginner.

Conclusion

It is hard to tell who this book is written for. It begins by stating that anyone can pick it up and understand it, which is true if you're just learning about what website vulnerabilities are. But it is titled Real-World Bug Hunting and includes sections about report writing and methodology. I believe it is meant for a beginner bug bounty hunter, but it only explains what each vulnerability type is, not the technique for exploiting it. So, a beginner won't find this very useful, and a more experienced hunter probably won't either. If you want to read explanations of disclosed bug bounty reports, this book is for you, but if you're looking to learn how to exploit web applications, there are better alternatives out there.

CSR Score

Quality: 3/5 Not many spelling errors, but the writing style is hard to follow.

Education: 2/5 The book mentions subjects that would be useful for someone who already has some understanding, but it will leave a beginner student not fully informed.

Value for price: 1/5 Because this print book is nearly identical to the free PDF version of Web Hacking 101, the value for price is very low.

Value for time: 1/5 The value for time is very low, as much of what is contained in this book can be learned from the free PDF version and self-research.

Verdict

Total Score: 7/20 “Not worth your time or money”

(See scoring guide here http://cybersec.reviews/aboutme/#scoring)