- The Guide to Finding and Reporting Web Vulnerabilities
- About the Author
- About the Tech Reviewer
- Foreword
- Introduction
- Who This Book Is For
- What Is In This Book
- Happy Hacking!
- 1 Picking a Bug Bounty Program
- 2 Sustaining Your Success
- 3 How the Internet Works
- 4 Environmental Setup and Traffic Interception
- 5 Web Hacking Reconnaissance
- 6 Cross-Site Scripting
- 7 Open Redirects
- 8 Clickjacking
- 9 Cross-Site Request Forgery
- 10 Insecure Direct Object References
- 11 SQL Injection
- 12 Race Conditions
- 13 Server-Side Request Forgery
- 14 Insecure Deserialization
- 15 XML External Entity
- 16 Template Injection
- 17 Application Logic Errors and Broken Access Control
- 18 Remote Code Execution
- 19 Same-Origin Policy Vulnerabilities
- 20 Single-Sign-On Security Issues
- 21 Information Disclosure
- 22 Conducting Code Reviews
- 23 Hacking Android Apps
- 24 API Hacking
- 25 Automatic Vulnerability Discovery Using Fuzzers
What Is In This Book
Bug Bounty Bootcamp covers everything you need to start hacking web applications and participating in bug bounty programs. This book is broken into four parts: The Industry, Getting Started, Web Vulnerabilities, and Expert Techniques.
Part I: The Industry
The first part of the book focuses on the bug bounty industry. Chapter 1: Picking a Bug Bounty Program explains the various types of bug bounty programs and how to choose one that suits your interests and experience level. Chapter 2: Sustaining Your Success teaches you the nontechnical skills you need to succeed in the bug bounty industry, like writing a good report, building professional relationships, and dealing with conflict and frustration.
Part II: Getting Started
The second part of the book prepares you for web hacking and introduces you to the basic technologies and tools you’ll need to successfully hunt for bugs.
Chapter 3: How the Internet Works explains the basics of internet technologies. It also introduces the internet security mechanisms you will encounter, such as session management, token-based authentication, and the same-origin policy.
Chapter 4: Environmental Setup and Traffic Interception shows you how to set up your hacking environment, configure Burp Suite, and effectively utilize Burp Suite’s various modules to intercept traffic and hunt for bugs.
Chapter 5: Web Hacking Reconnaissance details the recon strategies you can take to gather information about a target. It also includes an introduction to bash scripting and shows you how to create an automated recon tool from scratch.
Part III: Web Vulnerabilities
Then we start hacking! This part, the core of the book, dives into the details of specific vulnerabilities. Each chapter is dedicated to a vulnerability and explains what causes that vulnerability, how to prevent it, and how to find, exploit, and escalate it for maximum impact.
Chapters 6 through 18 discuss common vulnerabilities you are likely to encounter in real-life applications, including cross-site scripting (XSS), open redirects, clickjacking, cross-site request forgery (CSRF), insecure direct object references (IDOR), SQL injection, race conditions, server-side request forgery (SSRF), insecure deserialization, XML external entity vulnerabilities (XXE), template injection, application logic errors and broken access control, and remote code execution (RCE).
Chapter 19: Same-Origin Policy Vulnerabilities dives into a fundamental defense of the modern internet: the same-origin policy. You’ll learn about the mistakes developers make when building applications to work around the same-origin policy and how hackers can exploit these mistakes.
Chapter 20: Single-Sign-On Security Issues discusses the most common ways applications implement single-sign-on features, the potential weaknesses of each method, and how you can exploit these weaknesses.
Finally, Chapter 21: Information Disclosure discusses several ways of extracting sensitive information from a web application.
Part IV: Expert Techniques
The final part of the book introduces in-depth techniques for the experienced hacker. This section will help you advance your skills once you understand the basics covered in Part III.
Chapter 22: Conducting Code Reviews teaches you how to identify vulnerabilities in source code. You will also get the chance to practice reviewing a few pieces of code.
Chapter 23: Hacking Android Apps teaches you how to set up your mobile hacking environment and find vulnerabilities in Android applications.
Chapter 24: API Hacking discusses application programming interfaces (APIs), an essential part of many modern applications. I discuss types of APIs and how to hunt for vulnerabilities that manifest in them.
Chapter 25: Automatic Vulnerability Discovery Using Fuzzers wraps up the book by showing you how to automatically hunt for vulnerabilities by using a method called fuzzing. You’ll practice fuzzing a web application with an open source fuzzer.