Hands-On Bug Hunting for Penetration Testers is now available. The book covers how to detect, validate, and write submission reports for XSS, SQLi and NoSQLi, XXE, CSRF, and other vulnerabilities, with sections on detecting hidden content, crowdsourcing code injection snippets and other malicious inputs, writing quality submission reports, and more. It uses Burp Suite as its principal tool and proxy, with Python (3.6.5) and Bash scripts added to augment, extend, and automate different testing functions. All the tools used are free. You can find the work in both ebook and print versions:
You can read more about the book’s scope and subjects on the work’s dedicated website, handsonbughunting.com.
I hope the book can provide readers with the foothold they need to dive further into security. I wrote it to give anyone with a basic background in web application development everything they need to bootstrap a nascent freelance security practice and begin participating in (and productively contributing to) bug bounty programs.