Real-World Bug Hunting
A Field Guide to Web Hacking
Peter Yaworski breaks down real disclosed reports across major bug bounty programs, organized by vulnerability class, so readers can pattern-match real findings rather than learn classes from textbook examples.
- Authors: Peter Yaworski
- Published: 2019
- Publisher: No Starch Press
- Pages: 264
- Language: English
Read this if
Aspiring bug bounty hunters who want to close the gap between knowing a bug class and actually finding an instance of it. Yaworski's annotated case studies are the closest thing to a textbook for what real disclosures look like.
Skip this if
Readers wanting a methodology playbook. The book is case-studies-organized-by-class, not workflow-organized; for the workflow side, read Bug Bounty Bootcamp.
Key takeaways
- Reading 30 annotated reports compresses what would otherwise take three months of HackerOne reading; the book is high-leverage for getting started.
- The "what to do when you find something" chapter is the most underrated part; reporting is half the bounty, and most beginners write bad reports.
- The classes covered (XSS, IDOR, SSRF, OAuth, race conditions, business logic) map directly to what's currently paying on public programs.
Notes
Pair with Bug Bounty Bootcamp (Li) for the workflow side and with Hacking APIs (Ball) for the modern attack surface. The HackerOne disclosed reports that supplement the book are now searchable through Hacktivity; treat the book as your annotated curriculum and the live reports as the homework.
What to read before
Beginner · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Beginner · 2020
Web Security for Developers
Malcolm McDonald's developer-side primer on the OWASP-class issues, framed around real attacks and defended with code patterns rather than vendor products.
What to read next
Beginner · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.
Explore similar books
Beginner · 2021
Bug Bounty Bootcamp
Vickie Li's pragmatic walk through the bug-bounty workflow, from picking a program and recon to reporting findings that actually pay out.
Intermediate · 2023
Black Hat GraphQL
Aleks and Farhi on attacking GraphQL specifically: introspection abuse, batching, depth and complexity attacks, auth flaws, and the differences from REST that make GraphQL pentests their own discipline.
Intermediate · 2022
Hacking APIs
Corey Ball's structured approach to attacking REST and GraphQL APIs: enumeration, auth flaws, business logic, mass assignment, and the testing harness around them.