Bug Bounty Bootcamp

Bug Bounty Bootcamp

The Guide to Finding and Reporting Web Vulnerabilities
by Vickie Li
November 2021, 416 pp.

Look Inside!

Bug Bounty Bootcamp backcoverBug Bounty Bootcamp spreadBug Bounty Bootcamp spreadBug Bounty Bootcamp spreadBug Bounty Bootcamp spreadBug Bounty Bootcamp spread

Download Chapter 7: OPEN REDIRECTS

Read our exclusive interview with the author HERE.

A comprehensive guide for any web application hacker, Bug Bounty Bootcamp is a detailed exploration of the many vulnerabilities present in modern websites and the hands-on techniques you can use to most successfully exploit them.

Bug Bounty Bootcamp prepares you for participation in bug bounty programs, which companies set up to reward hackers for finding and reporting vulnerabilities in their applications. The Bootcamp begins with guidance on writing high-quality bug reports and building lasting relationships with client organizations. You’ll then set up a hacking lab and dive into the mechanisms of common web vulnerabilities, like XSS and SQL injection, aided by thorough explanations of what causes them, how you can exploit them, where to find them, and how to bypass protections. You’ll also explore recon strategies for gathering intel on a target and automate recon with bash scripting. Finally, you’ll wade into advanced techniques, like hacking mobile apps, testing APIs, and reviewing source code for vulnerabilities.

Along the way, you’ll learn how to:

  • Identify and successfully exploit a wide array of common web vulnerabilities
  • Set up a hacking environment, configure Burp Suite, and use its modules to intercept traffic and hunt for bugs
  • Chain together multiple bugs for maximum impact and higher payouts
  • Bypass protection mechanisms like input sanitization and blocklists to make your attacks succeed
  • Automate tedious bug-hunting tasks with fuzzing and bash scripting
  • Set up an Android app testing environment

Thousands of data breaches happen every year. By understanding vulnerabilities and how they happen, you can help prevent malicious attacks, protect apps and users, and make the internet a safer place. Happy bug hunting!

Author Bio 

Vickie Li is a developer and security researcher experienced in finding and exploiting vulnerabilities in web applications. She has reported vulnerabilities to firms such as Facebook, Yelp and Starbucks and contributes to a number of online training programs and technical blogs.

Table of contents 


Part I: The Industry
Chapter 1: Picking a Bug Bounty Program
Chapter 2: Sustaining Your Success

Part II: Getting Started
Chapter 3: How the Internet Works
Chapter 4: Environmental Setup and Traffic Interception
Chapter 5: Web Hacking Reconnaissance

Part III: Web Vulnerabilities
Chapter 6: Cross-Site Scripting
Chapter 7: Open Redirects
Chapter 8: Clickjacking
Chapter 9: Cross-Site Request Forgery
Chapter 10: Insecure Direct Object References
Chapter 11: SQL Injection
Chapter 12: Race Conditions
Chapter 13: Server-Side Request Forgery
Chapter 14: Insecure Deserialization
Chapter 15: XML External Entity Vulnerabilities
Chapter 16: Template Injection
Chapter 17: Application Logic Errors and Broken Access Control
Chapter 18: Remote Code Execution
Chapter 19: Same Origin Policy Vulnerabilities
Chapter 20: Single-Sign-On Issues
Chapter 21: Information Disclosure

Part IV: Expert Techniques
Chapter 22: Conducting Code Reviews
Chapter 23: Hacking Android Apps
Chapter 24: API Hacking
Chapter 25: Automatic Vulnerability Discovery Using Fuzzers

View the Copyright page
View the detailed Table of Contents
View the Index


"A really good book for getting started in Bug Bounty, out at a time when something like this was really needed. You can take as many ethical hacking courses as you want, but when it comes to bug bounty, there is so much information and tools it can be imitating to start . . . This really should be the first book read by ANYONE looking to start in the bug bounty game."
—Alex/Muldwych, The Security Noob

"Bug Bounty Bootcamp should be on every hacker's shelf. Vickie Li answers an important question: 'So you found your first flaw, what's next?' By explaining how to write a bug report and interact with clients, she presents a wonderful guide on starting your security career."
—Andrew Orr, Associate Editor, The Mac Observer

"I have enjoyed Bug Bounty Bootcamp over the past few weeks and this is great for bug bounty beginners like myself. Anyone who is interested in learning more about different web vulnerabilities, bug bounty platforms, how the internet works, and how to make money making the web safer this is the book for you. Thanks to Vickie for writing such a great book!"
—The Digital Empress, YouTuber and Blogger

"Bug Bounty Bootcamp by Vickie Li is a thorough and masterful explanation for how to find bugs and responsibly report them. It is written so clearly, and provides such useful step-by-step instructions that as I was reading it, I was tempted to start hunting for bugs myself."
—Cynthia Brumfield, President, DCT-Associates

"Bug Bounty Bootcamp is a great resource for those who want to participate in Bug Bounties because it not only teaches you about the technical aspects, but helps you develop a methodology and sustain your testing. Some technology knowledge is assumed, but it does a solid job of describing the relevant vulnerability types from first principles, so it can be a strong resource for those new to the security space. The writing style is clear and to the point."
—David Tomaschik, Security Engineer at Google, Blogger at System Overlord

"I highly suggest reading Bug Bounty Bootcamp."

"Pure GEM. Learned a lot of things from her book."
—Aakash Choudhary, @LearnerHunter

"Loved the book. Well written, clear, concise, and easy to follow. Everyone from the beginner bug hunter to the seasoned pro will find a nugget, some nuggets or just pure nuggets of amazing information, tips and advice."
—Douglas Campbell, Advanced Reviewer

"The only book you need to get started in bug bounty is @vickieli7's book coming out from @nostarch, Bug Bounty Bootcamp. It's a detailed how-to with lots of technical how-to steps."
—Metacurity, Top Infosec News Destination, @Metacurity

"The new go-to resource for a beginner in web app hacking . . . I recommend this book before anything else for a beginner trying to learn web security. Vickie provides an excellent delivery of breaking down complex concepts that makes it easy to comprehend. Also, the step by step guidance of exploiting a vulnerability is fantastic to refer back to . . . If you are a complete beginner and feel confused or lost in all of the information out there then stop, grab this book, read through it once, then use it as your guide."
—AntiRuse, @AntiRuse, Blogger

"Definitely recommend it!"
—Michael, @DoAbarrel_Troll

"A thoughtful guide to understand not only how, but *where* to engage in bug bounty programs . . . I recommend this book not only for aspiring and experienced web security researchers, but also for people who are responsible for the development and deployment of web-based technology."
— Dave Batz, Advanced Reviewer

"Bug Bounty Bootcamp is *the* book for everyone in Information Technology, not just for those interested in bug bounties . . . This easy-to-read guide breaks down complicated topics into a simple progression through technical concepts. From a foundational overview of the industry and how to get started, the reader progresses from Cross Site Scripting all the way through to API hacking and use of Fuzzers. Vickie Li has done a tremendous service to information security by sharing her expert understanding of bug hunting in a highly accessible way. Recommended reading for all IT professionals, new or veteran."
—Jess Vachon, Advanced Reviewer

"Vicki Li’s book took me from knowing nothing about bug bounties, to finding my first bug. Li goes over the process of bug bounties, writing reports, and how to make relationships with companies. Li also has expert techniques that will help your automate your hacking experience and even hacking android apps."
—Anthony Ware, Advanced Reviewer

"For anyone interested in bug detection of web services, this book is for you. It takes an approach that is enjoyable for all levels. It covers the essentials for understanding web servers and why the assortment of vulnerabilities exists with steps in what to look for in approaching those security risks. It’s not going to make you an expert overnight, but it will set you on the path towards success, bypassing the common mistakes where others have fallen."
—Riley A., Advanced Reviewer

"Step-by-step instructions to achieve your first bug bounty and a great book to reference as a security professional. This book will give insight to how bug bounty programs operate and provide resources to learn programming, security tools, and breakdown OWASP top 10 vulnerabilities."
—Jessica W., Advanced Reviewer

"Since reading The Web Application Hacker's Handbook a few years ago, I haven't seen that much web security knowledge organized in one place as in Bug Bounty Bootcamp. Vickie did a fantastic job of covering many different vulnerability classes that are important for offensively testing web applications. Explanations are made so that beginners would understand them but I was also able to find some inspirations each time I looked at the book when testing a specific vulnerability class. I highly recommend Bug Bounty Bootcamp for everyone who wants to learn about web security."
—Bug Bounty Reports Explained, YouTuber and Advanced Reviewer

"A great companion to @yaworsk's earlier book, Real-World Bounty Hunting (also by
@nostarch), and deserves a place on your bookshelf."

"An informative and well-written guide that should be of interest to anyone considering a career in API hacking through bug bounty hunting."
—Dana Epp, Security Boulevard

Extra Stuff 

Read a Q&A with the author on TechTarget.


View the latest errata.