Real-World Bug Hunting

A Field Guide to Web Hacking
by Peter Yaworski
July 2019, 264 pp.

Download Chapter 2: Open Redirect

Learn how people break websites and how you can, too. Real-World Bug Hunting is the premier field guide to finding software bugs. Whether you’re a cyber-security beginner who wants to make the internet safer or a seasoned developer who wants to write secure code, ethical hacker Peter Yaworski will show you how it's done.

You’ll learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery. Using real-life case studies of rewarded vulnerabilities from applications like Twitter, Facebook, Google, and Uber, you’ll see how hackers manage to invoke race conditions while transferring money, use URL parameters to cause users to like unintended tweets, and more.

Each chapter introduces a vulnerability type accompanied by a series of actual reported bug bounties. The book’s collection of tales from the field will teach you how attackers trick users into giving away their sensitive information and how sites may reveal their vulnerabilities to savvy users. You'll even learn how you could turn your challenging new hobby into a successful career.

You’ll learn:

  • How the internet works and basic web hacking concepts
  • How attackers compromise websites
  • How to identify functionality commonly associated with vulnerabilities
  • Where to start when hunting bugs
  • How to find bug bounty programs and submit effective vulnerability reports

Real-World Bug Hunting is a fascinating soup-to-nuts primer on web security vulnerabilities, filled with stories from the trenches and practical wisdom. With your new understanding of site security and weaknesses, you can help make the web a safer place—and profit while you're at it.

Author Bio 

Peter Yaworski is a successful bug bounty hunter with thanks from Salesforce, Twitter, Airbnb, and the United States Department of Defense, among others. He currently works at Shopify as an Application Security Engineer, helping to make commerce more secure.

Table of contents 


Chapter 1: Bug Bounty Basics
Chapter 2: Open Redirect
Chapter 3: HTTP Parameter Pollution
Chapter 4: Cross-Site Request Forgery
Chapter 5: HTML Injection and Content Spoofing
Chapter 6: Carriage Return Line Feed Injection
Chapter 7: Cross-Site Scripting
Chapter 8: Template Injections
Chapter 9: SQL Injection
Chapter 10: Server-Side Request Forgery
Chapter 11: XML External Entity
Chapter 12: Remote Code Execution
Chapter 13: Memory Vulnerabilities
Chapter 14: Subdomain Takeover
Chapter 15: Race Conditions
Chapter 16: Insecure Direct Object References
Chapter 17: OAuth Vulnerabilities
Chapter 18: Application Logic and Configuration Vulnerabilities
Chapter 19: Finding Your Own Bug Bounties
Chapter 20: Vulnerability Reports

Appendix A: Tools
Appendix B: Resources

"I am quite sure that [this book is] going to be one of the most recommended books for web app pen-testing. If it is not already."
—Sudo Realm

"A brilliant resource for anyone who aspires to be a professional bug hunter."
—Dana Epp, Security Boulevard