What do you think?
Rate this book
A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
"This is one of the most interesting infosec books to come out in the last several years."
–Dino Dai Zovi, Information Security Professional
"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner
Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.
A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.
Along the way you'll learn how to:
A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.
–Dino Dai Zovi, Information Security Professional
"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner
Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.
A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.
Along the way you'll learn how to:
A Bug Hunter's Diary is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.
200 pages, Paperback
First published October 22, 2011
51 people are currently reading
834 people want to read
Ratings & Reviews
Friends & Following
Create a free account to discover what your friends think of this book!
Community Reviews
Displaying 1 - 13 of 13 reviews
April 26, 2012
This book is a good read as far as technical books go, however it has something lacking. It feels as though more time could be spent analyzing closed source programs rather than the examples chosen: VLC, Solaris, etc.
Thy said, the presentation is great. Each example has a very clear approach and methodology.
If you are new to bug hunting, or want to get a taste of what bug hunting is about, this book is for you. If you are a seasoned veteran of bugs, your time is probably better spent developing solutions for automating bug discovery, writing up a clear guide to heap exploitation, or similar.
Overall, this was an enjoyable read, it just wasn't quite what I was hoping for.
Thy said, the presentation is great. Each example has a very clear approach and methodology.
If you are new to bug hunting, or want to get a taste of what bug hunting is about, this book is for you. If you are a seasoned veteran of bugs, your time is probably better spent developing solutions for automating bug discovery, writing up a clear guide to heap exploitation, or similar.
Overall, this was an enjoyable read, it just wasn't quite what I was hoping for.
October 13, 2018
A good trip over common and uncommon techniques to find bugs, and the way to think around them. It's a book for people interested into finding vulnerabilities in software. It might not teach you anything new in terms of technical concepts but a great down to earth explanation of the process, the challenges and how to train your own ideas for bug hunting.
I would recommend this book to anyone interested in Security and specially to those who are willing to learn more on how to grow as bug hunters.
The only thing to consider is that examples are old, and no direct exploits are provided. Tobias will teach or show how to get control, but no PoCs are provided.
I would recommend this book to anyone interested in Security and specially to those who are willing to learn more on how to grow as bug hunters.
The only thing to consider is that examples are old, and no direct exploits are provided. Tobias will teach or show how to get control, but no PoCs are provided.
August 9, 2018
Presented in the form of case studies, complete with motivations for why the author started exploring these and some trial programs to explore the parameter space, this was a nice collection to pick up and get motivated in finding exploits. Compare and contrast with the Shellcoder's Handbook..
Not the end all and be all, but a useful book to communicate an *approach*, rather than specific exploits.
Not the end all and be all, but a useful book to communicate an *approach*, rather than specific exploits.
December 23, 2019
The book content is already basically 10 years old, but the insights into the art of bug hunting are still incredible. Klein presents clearly initial thoughts, exploration, testing, and bug exploitation examples. He does not present actual code for legal reasons, but great information for anyone who wishes to hunt for bugs. What I loved were the summaries of lessons at the end of each entry which present lessons for all the relevant parties (e.g. users and programmers).
October 24, 2019
Fabulous
This books offers an excellent introduction to the process of discovering and initiating fileless attacks on computer operating systems. It is a concise and well written book - highly recommended.
This books offers an excellent introduction to the process of discovering and initiating fileless attacks on computer operating systems. It is a concise and well written book - highly recommended.
May 8, 2019
I don't actually remember much of it, more than it was easy to read, and straight to the point.
January 9, 2021
great overview of (legacy/classic) software vulnerabilities (multiple types/multiple platforms/multiple techniques)
September 14, 2016
"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
–Felix 'FX' Lindner
A Bug Hunter's Diary follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software.
"This is one of the most interesting infosec books to come out in the last several years."
**–Dino Dai Zovi, Information Security Professional**
"Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime."
**–Felix 'FX' Lindner**
Seemingly simple bugs can have drastic consequences, allowing attackers to compromise systems, escalate local privileges, and otherwise wreak havoc on a system.
*A Bug Hunter's Diary* follows security expert Tobias Klein as he tracks down and exploits bugs in some of the world's most popular software, like Apple's iOS, the VLC media player, web browsers, and even the Mac OS X kernel. In this one-of-a-kind account, you'll see how the developers responsible for these flaws patched the bugs—or failed to respond at all. As you follow Klein on his journey, you'll gain deep technical knowledge and insight into how hackers approach difficult problems and experience the true joys (and frustrations) of bug hunting.
Along the way you'll learn how to:
Use field-tested techniques to find bugs, like identifying and tracing user input data and reverse engineering Exploit vulnerabilities like NULL pointer dereferences, buffer overflows, and type conversion flaws Develop proof of concept code that verifies the security flaw Report bugs to vendors or third party brokers
*A Bug Hunter's Diary* is packed with real-world examples of vulnerable code and the custom programs used to find and test bugs. Whether you're hunting bugs for fun, for profit, or to make the world a safer place, you'll learn valuable new skills by looking over the shoulder of a professional bug hunter in action.
October 15, 2016
For a long time you keep hearing things like "don't use this 'cause it can be exploited", but you really never saw something like that being exploited. And then comes this book and shows how someone can use everything you know you can't use to actually call something it wasn't expected to be called.
Confusing? Well, it's a very complex issue that involves the call stack and assembly and registers and all that. But the book goes into length explaining and showing those things (so, yeah, some knowledge of assembly is required).
In the end, it's a good book about those "things" you know your shouldn't use, and what happens when you actually use them.
Confusing? Well, it's a very complex issue that involves the call stack and assembly and registers and all that. But the book goes into length explaining and showing those things (so, yeah, some knowledge of assembly is required).
In the end, it's a good book about those "things" you know your shouldn't use, and what happens when you actually use them.
May 29, 2016
gives you an insight into how the finest of reverse engineering think and process those bugs, most importantly coding the exploit. Brief but not concise, Tobias claims that the reason is due to the cyber law in germany.
November 5, 2014
I absolutely loved this book!
It clears much of the magic behind those elite hackers and how they discover high profile vulns
It clears much of the magic behind those elite hackers and how they discover high profile vulns
August 10, 2016
Giving two stars purely based on my own experience with this. I'm clearly not target audience for this. An interesting read but way past my level of technical competence to fully understand it.
August 20, 2016
Not for everyone... very interesting
Displaying 1 - 13 of 13 reviews