Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Hands-On Bug Hunting for Penetration Testers
Hands-On Bug Hunting for Penetration Testers

Hands-On Bug Hunting for Penetration Testers: A practical guide to help ethical hackers discover web application security flaws

Arrow left icon
Profile Icon Joe Marshall Profile Icon Himanshu Sharma
Arrow right icon
€32.99
Full star icon Full star icon Full star icon Full star icon Empty star icon 4 (2 Ratings)
Paperback Sep 2018 250 pages 1st Edition
eBook
€17.99 €26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m
Arrow left icon
Profile Icon Joe Marshall Profile Icon Himanshu Sharma
Arrow right icon
€32.99
Full star icon Full star icon Full star icon Full star icon Empty star icon 4 (2 Ratings)
Paperback Sep 2018 250 pages 1st Edition
eBook
€17.99 €26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m
eBook
€17.99 €26.99
Paperback
€32.99
Subscription
Free Trial
Renews at €18.99p/m

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Table of content icon View table of contents Preview book icon Preview Book

Hands-On Bug Hunting for Penetration Testers

Joining the Hunt

This book is designed to give you the practical experience necessary to take an interest in security and turn it into a fun, profitable pursuit.

The goal is that, by focusing on real submission reports, you'll get a better feel for where and how to discover vulnerabilities in the wild, and by following along at home, pentesting real sites (as well as deliberately-vulnerable web apps), you'll get invaluable hands-on experience. Sometimes the best way to learn is to get a smattering of theory and then just jump right in.

This chapter will focus on what you'll learn, how you'll learn it, and how to generally get the most out of this work. It will cover the following:

  • The benefits of bug bounty programs
  • What your pentesting background should be before coming into this book
  • Setting up your environment and the tools to know
  • Your next steps

Technical Requirements

The Benefits of Bug Bounty Programs

The web is exploding—more people are using it to do more, in more varied ways, than at any point in its short history.

The phone is a perfect example of the rise of digital life. Since its invention at the end of the 20th century, it's expanded from a minor technical elite to over sixty percent of the world's population – more than five billion people are slated to have phones by the end of 2019. Our tiny pocket computers have conquered the world in under 30 years. Like the Big Bang, phone usage hasn't exploded so much as expanded at a stupendous rate, inflating to encompass the majority of the world's population. From the landline void came the spark of a mobile, unbounded future, and almost as quickly as the idea was conceived, it was realized.

The following chart from the UN's 2015 study on its progress towards the Millennium Goals captures the extent to which phone ownership grew to encompass nearly everyone in the world just through the early 2010s:

As a result of that expansion in internet access and a parallel increase in the web's complexity, more people are able to get online easily and are capable of doing more once they're there. Shopping, banking, socializing an increasing part of our lives is lived online. And thanks to the data analysis of wunderkind artificial neural networks (algorithms designed to replicate the mathematical model of the human brain and its astounding success at pattern-recognition), trends point to more data collection. Neural nets are complicated to write but easy enough to use as long as you feed them enough information. Our devices know more about us than ever and they're learning more every day.

This graph shows how much data is being created (or is estimated to be created) every minute over the next couple of years. The y-x axis on the following graph is measured in zettabytes (ZB): 1 ZB = 1 billion terabytes (TB). The numbers are staggering:

More applications performing more complex services for more people and managing more data leads to things breaking. The demand for web developers has soared as companies try to realize their technical aspirations, but supply has not kept up with the almost unlimited appetite for development work. Coding bootcamps, online courses, and other alternatives to a four-year degree have become a popular entry point for a career in software engineering, but there's still a large gap between what the programming companies want done versus the programmers who are available and capable of doing it. As demands on developer time and attention have increased, security concerns once avoided as costly and nonessential have ballooned into crises for inattentive businesses, as vulnerabilities have led to data breaches, commercial exploitation, identity theft, and even espionage by state actors and criminal syndicates.

Bug bounties are the crowdsourced alternative to an expensive, in-house security apparatus. Technology companies (from mega corps to small, five-person start-ups) have embraced using public bug bounty programs to find the sort of faulty logic and mishandled data-processing in their applications that hackers typically use as footholds for larger campaigns. By finding vulnerabilities before they become exploits, companies can pay for work that directly reduces their exposure without having to cover the cost of a full security audit. Some companies choose to participate in third-party platforms, such as Bugcrowd or HackerOne, in order to standardize their payouts, submission report formatting, rules of engagement, and target lists, while others are large enough to run a program under their own umbrella.

Either way, by participating as a researcher, you get paid to apply your skills. And since many bug bounty marketplaces also track things such as the number of bugs you've found, their severity, and your general success rate, doing third-party research on public platforms can also be a great bridge to more work in security. If you're coming from a non-traditional background or don't have formal education in security, it could help make the case you've got the necessary skills to be productive in the field. You can do all of this while by responsibly following the discovery and disclosure process making the target application, and the general web, safer.

What You Should Already Know – Pentesting Background

This book assumes a familiarity with both web application engineering and the basics of web application security. Any experience with the frontend technologies that will provide the interface and context for many of your discoveries is an asset, including a basic understanding of HTML/CSS/JS, and the DOM; the client-server relationship, session management (cookies, TTL, and so on); and the browser environment. In addition, a general acquaintance with the RESTful API architecture, popular application frameworks and languages (Django/Python, RoR/Ruby, and so on), common application security techniques, and common vulnerabilities, will all be handy. You might be a full-time security researcher, a moonlighting web application engineer, or even just a programming enthusiast with a light background and a historical interest in security you'll all find something useful within these pages. If you're just beginning, that's OK too working through the step-by-step walk-through in later chapters will help you develop as a security researcher; you just might need to fill in the gaps with outside context.

In addition to these topics, it's assumed you'll also have experience using the command line. While many great graphic tools exist for conducting and visualizing penetration testing engagements, and we'll use many of them, the CLI is an invaluable tool for everything from package management, to real-time pentesting execution, to automation. And while many of the tools used will have a compatible Windows counterpart, the actual engagements will be conducted (for the most part) on a 2015-generation MacBook Pro loaded with High Sierra (10.13.2), if you are working on a Windows PC, you can still participate by using a virtual machine or emulation software.

Setting Up Your Environment – Tools To Know

All of the tools we'll use in this book will be free you shouldn't need to purchase anything outside of this work to recreate the walk-throughs. In the survey of other security software not used directly in our engagements in Chapter 12, Other Tools, there will be a discussion of other technologies (paid and free) you can leverage for extra functionality.

Here's a brief overview of some of the technologies we will be using:

  • Burp Suite is a versatile program that can intercept web traffic (Burp Proxy), trigger application information submission (Burp Intruder), scan input against malicious code snippets (Burp Scanner), and with the possibilities offered by extensions a multitude of other things. We'll go over both using the native Burp functionality as well as how to incorporate simple extensions. Some of the paid functionalities, such as Burp Scan, will only receive an overview, in favor of focusing on the features available in the free version.
  • Nmap, sqlmap, wfuzz, arachnid, and other CLI programs are great for their ability to be assembled into larger workflows, feeding information into adjacent tools (Burp and others), kicking off other automation, or consistently visualizing a target's attack surface.
  • Deliberately vulnerable web applications are a different category of tooling less for use in an actual pentesting engagement and designed more to either test out new ideas or calibrate an existing method or technology for those times when you need to return a positive result for a specific vulnerability. We'll be doing both with our use of deliberately vulnerable web apps, such as Google Gruyere, Target Range, DAMN vulnerable web app, and others. You can find a list of more DVWA in the sites section of Chapter 13, Going Further.

While we'll be going through the setup for these tools as we use them, it's still a good idea to poke around their installation and documentation pages. Because of their depth, many of these tools will have useful functionalities that we simply won't be able to completely cover in the course of our work. We'll also only skim the surface of tools not specific to security—the note—taking, logging, and other general productivity functionality represented by those apps can easily be replaced by whatever analogue you're most comfortable with.

What You Will Learn – Next Steps

In addition to becoming familiar with these tools (and more) by the end of this book, you will also learn how to look for, successfully detect, and write a bug submission report for vulnerabilities associated with XSS, SQLi and NoSQLi, CSRF, XEE, data leakage, insecure session management, and unvalidated redirects, as well as framework and language-specific vulnerabilities, including sites powered by WordPress, Django, and Ruby on Rails applications. You'll also learn how to write a report that maximizes your payout, where to direct your attention to maximize your chances of finding a vulnerability, what vulnerabilities don't lead to payouts, preparing for your pentesting sessions, how to stay within the rules of engagement for a session, and other general tips for being productive and profitable as an independent security researcher participating in bug bounty programs.

Getting actual experience with penetration testing for the purpose of participating in a bug bounty program is key. You'll ultimately learn the most from taking the tools explored here and applying them to your own targets, so as you work through the book, you're encouraged to sign up with a third-party community and start your first forays into security research. As long as you adhere to the rules of engagement and are respectful of the app and its users, you can start trying out the techniques explored in these pages. Participating in forum discussions, reading about other users' experiences, following blogs, and generally being a part of the security community can also help you get a sense of effective strategies. Reading bug report submissions from other researchers who have gotten the OK to disclose their findings is a fantastic way to start understanding what makes a submission report effective and what vulnerabilities are typically discovered where.

How (Not) To Use This Book – A Warning

A final word before moving on:

Do not misuse this book.

The techniques and technologies described in this book are solely for the purpose of participating in approved, ethical, White Hat penetration testing engagements so that you can find bugs and report them to be patched for a profit.

The lessons learned in this work should be used responsibly:

  • They should not be applied to a website against its owner's permission
  • They should not be applied to data or logic the website's owner considers out-of-scope
  • They should not in any way be weaponized taken beyond the vulnerability stage and made into proper exploits

Here's a quick example of what's meant by weaponized.

Let's say you find a stored XSS vulnerability, where improper data-sanitation is causing a comment thread to allow unescaped HTML to potentially store malicious code. You use the Burp Intruder tool and a manual follow-up to submit a code snippet demonstrating that you can store (and later execute) an arbitrary piece of JavaScript. The snippet in question is a pretty simple test it executes an alert() function within an improperly sanitized src attribute attached to an <img> HTML tag:


<IMG SRC=javascript:alert('XSS')>

There's nothing wrong with using an alert() or console.log() call to test whether JavaScript is being executed in a possible XSS instance although, when using alert() or logging, it's good to remember to output some info about where the XSS is happening (for example, alert(window.location.href)).

But there is something wrong with turning the vulnerability into an exploit. Once the XSS vulnerability is confirmed, it's easy to find malicious JavaScript to do more nefarious things. Running that malicious code even in a limited way risks corrupting application data or processes or other things that open you up to legal liability.

It's helpful to imagine how the vulnerability could be exploited many bug bounty programs want to hear a specific scenario regarding your vulnerability included in your submission report so they can know whether it's severe enough to trigger a payout. Sometimes even the form of that scenario how much damage you can make the case that an attacker could do can drastically affect your reward.

So it's good to put some thought into the exploit's general form with stored XSS, you could rewrite critical parts of the page where the script is being executed, or grab an authentication cookie and send it to a server listening for those credentials, or other attacks but assessing the impact of that exploit still falls short of writing code that damages people and processes.

Don't write exploit code. If you're in the United States, the legal penalties are severe as of this writing, the Computer Fraud and Abuse Act (CFAA) means that even a slight violation of a site's terms of service can result in a felony. Businesses are also quick to prosecute independent researchers not abiding by their rules of engagement, which is the condition researchers must follow when probing an application for vulnerabilities. Even if there's no threat of legal action, civil or criminal, hacking those sites defrauds innocent people, hurts small businesses, provokes a legislative overreaction, erodes privacy, and just generally makes the whole web worse.

It's not worth it.

With that out of the way, we can move on to the first step in any bug hunting adventure: choosing what program to use, what site to explore, along with where and how to find vulnerabilities.

Summary

This chapter has covered the origin and benefits of bug bounty programs, the background knowledge you need coming in, an overview of some of the tools we'll use in our engagements, how to get the most out of this book (practice on allowed sites), and finally, the moral and legal peril you risk by not abiding by a target site's rules of engagement or code of conduct.

In the next chapter, we'll cover different types of bug bounty programs, the key factors differentiating them, how you can evaluate where you should participate, as well as what applications make good targets, where you should focus your research, and finally, how you can use a program's rules of engagement to minimize your legal liability as a security researcher.

Questions

  1. Why do sites offer bug bounty programs?
  2. What's the value in participating in them?
  3. What do we need to know to get the most out of this book?
  4. What are some of the tools we'll be using? What are they for?
  5. How can we make XSS alert() calls more effective?
  6. Is it OK to think about how a vulnerability could be exploited? How about writing code to test that theory?
  7. What's the law governing much of the criminal theory surrounding penetration testing?

Further Reading

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Learn how to test for common bugs
  • Discover tools and methods for hacking ethically
  • Practice working through pentesting engagements step-by-step

Description

Bug bounties have quickly become a critical part of the security economy. This book shows you how technical professionals with an interest in security can begin productively—and profitably—participating in bug bounty programs. You will learn about SQli, NoSQLi, XSS, XXE, and other forms of code injection. You’ll see how to create CSRF PoC HTML snippets, how to discover hidden content (and what to do with it once it’s found), and how to create the tools for automated pentesting work?ows. Then, you’ll format all of this information within the context of a bug report that will have the greatest chance of earning you cash. With detailed walkthroughs that cover discovering, testing, and reporting vulnerabilities, this book is ideal for aspiring security professionals. You should come away from this work with the skills you need to not only find the bugs you're looking for, but also the best bug bounty programs to participate in, and how to grow your skills moving forward in freelance security research.

Who is this book for?

This book is written for developers, hobbyists, pentesters, and anyone with an interest (and a little experience) in web application security.

What you will learn

  • Choose what bug bounty programs to engage in
  • Understand how to minimize your legal liability and hunt for bugs ethically
  • See how to take notes that will make compiling your submission report easier
  • Know how to take an XSS vulnerability from discovery to verification, and report submission
  • Automate CSRF PoC generation with Python
  • Leverage Burp Suite for CSRF detection
  • Use WP Scan and other tools to find vulnerabilities in WordPress, Django, and Ruby on Rails applications
  • Write your report in a way that will earn you the maximum amount of money
Estimated delivery fee Deliver to Sweden

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Sep 12, 2018
Length: 250 pages
Edition : 1st
Language : English
ISBN-13 : 9781789344202
Vendor :
Offensive Security
Category :
Languages :
Tools :

What do you get with Print?

Product feature icon Instant access to your digital eBook copy whilst your Print order is Shipped
Product feature icon Paperback book shipped to your preferred address
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Shipping Address

Billing Address

Shipping Methods
Estimated delivery fee Deliver to Sweden

Premium delivery 7 - 10 business days

€17.95
(Includes tracking information)

Product Details

Publication date : Sep 12, 2018
Length: 250 pages
Edition : 1st
Language : English
ISBN-13 : 9781789344202
Vendor :
Offensive Security
Category :
Languages :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
€18.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
€189.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts
€264.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just €5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total 107.97
Bug Bounty Hunting Essentials
€32.99
Hands-On Bug Hunting for Penetration Testers
€32.99
Learning Malware Analysis
€41.99
Total 107.97 Stars icon
Banner background image

Table of Contents

15 Chapters
Joining the Hunt Chevron down icon Chevron up icon
Choosing Your Hunting Ground Chevron down icon Chevron up icon
Preparing for an Engagement Chevron down icon Chevron up icon
Unsanitized Data &#x2013; An XSS Case Study Chevron down icon Chevron up icon
SQL, Code Injection, and Scanners Chevron down icon Chevron up icon
CSRF and Insecure Session Authentication Chevron down icon Chevron up icon
Detecting XML External Entities Chevron down icon Chevron up icon
Access Control and Security Through Obscurity Chevron down icon Chevron up icon
Framework and Application-Specific Vulnerabilities Chevron down icon Chevron up icon
Formatting Your Report Chevron down icon Chevron up icon
Other Tools Chevron down icon Chevron up icon
Other (Out of Scope) Vulnerabilities Chevron down icon Chevron up icon
Going Further Chevron down icon Chevron up icon
Assessment Chevron down icon Chevron up icon
Other Books You May Enjoy Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
(2 Ratings)
5 star 50%
4 star 0%
3 star 50%
2 star 0%
1 star 0%
Ernesto Guevara Gonzaga Jul 08, 2019
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Excelente para comenzar
Amazon Verified review Amazon
andreaweb Nov 05, 2018
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
No special information, a lot of linked resources and common terms for people that have expirience in basic bug bounty system. I understand the book is a entry level but I saw the book as a list of information not a methodology.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is the delivery time and cost of print book? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela
What is custom duty/charge? Chevron down icon Chevron up icon

Customs duty are charges levied on goods when they cross international borders. It is a tax that is imposed on imported goods. These duties are charged by special authorities and bodies created by local governments and are meant to protect local industries, economies, and businesses.

Do I have to pay customs charges for the print book order? Chevron down icon Chevron up icon

The orders shipped to the countries that are listed under EU27 will not bear custom charges. They are paid by Packt as part of the order.

List of EU27 countries: www.gov.uk/eu-eea:

A custom duty or localized taxes may be applicable on the shipment and would be charged by the recipient country outside of the EU27 which should be paid by the customer and these duties are not included in the shipping charges been charged on the order.

How do I know my custom duty charges? Chevron down icon Chevron up icon

The amount of duty payable varies greatly depending on the imported goods, the country of origin and several other factors like the total invoice amount or dimensions like weight, and other such criteria applicable in your country.

For example:

  • If you live in Mexico, and the declared value of your ordered items is over $ 50, for you to receive a package, you will have to pay additional import tax of 19% which will be $ 9.50 to the courier service.
  • Whereas if you live in Turkey, and the declared value of your ordered items is over € 22, for you to receive a package, you will have to pay additional import tax of 18% which will be € 3.96 to the courier service.
How can I cancel my order? Chevron down icon Chevron up icon

Cancellation Policy for Published Printed Books:

You can cancel any order within 1 hour of placing the order. Simply contact [email protected] with your order details or payment transaction id. If your order has already started the shipment process, we will do our best to stop it. However, if it is already on the way to you then when you receive it, you can contact us at [email protected] using the returns and refund process.

Please understand that Packt Publishing cannot provide refunds or cancel any order except for the cases described in our Return Policy (i.e. Packt Publishing agrees to replace your printed book because it arrives damaged or material defect in book), Packt Publishing will not accept returns.

What is your returns and refunds policy? Chevron down icon Chevron up icon

Return Policy:

We want you to be happy with your purchase from Packtpub.com. We will not hassle you with returning print books to us. If the print book you receive from us is incorrect, damaged, doesn't work or is unacceptably late, please contact Customer Relations Team on [email protected] with the order number and issue details as explained below:

  1. If you ordered (eBook, Video or Print Book) incorrectly or accidentally, please contact Customer Relations Team on [email protected] within one hour of placing the order and we will replace/refund you the item cost.
  2. Sadly, if your eBook or Video file is faulty or a fault occurs during the eBook or Video being made available to you, i.e. during download then you should contact Customer Relations Team within 14 days of purchase on [email protected] who will be able to resolve this issue for you.
  3. You will have a choice of replacement or refund of the problem items.(damaged, defective or incorrect)
  4. Once Customer Care Team confirms that you will be refunded, you should receive the refund within 10 to 12 working days.
  5. If you are only requesting a refund of one book from a multiple order, then we will refund you the appropriate single item.
  6. Where the items were shipped under a free shipping offer, there will be no shipping costs to refund.

On the off chance your printed book arrives damaged, with book material defect, contact our Customer Relation Team on [email protected] within 14 days of receipt of the book with appropriate evidence of damage and we will work with you to secure a replacement copy, if necessary. Please note that each printed book you order from us is individually made by Packt's professional book-printing partner which is on a print-on-demand basis.

What tax is charged? Chevron down icon Chevron up icon

Currently, no tax is charged on the purchase of any print book (subject to change based on the laws and regulations). A localized VAT fee is charged only to our European and UK customers on eBooks, Video and subscriptions that they buy. GST is charged to Indian customers for eBooks and video purchases.

What payment methods can I use? Chevron down icon Chevron up icon

You can pay with the following card types:

  1. Visa Debit
  2. Visa Credit
  3. MasterCard
  4. PayPal
What is the delivery time and cost of print books? Chevron down icon Chevron up icon

Shipping Details

USA:

'

Economy: Delivery to most addresses in the US within 10-15 business days

Premium: Trackable Delivery to most addresses in the US within 3-8 business days

UK:

Economy: Delivery to most addresses in the U.K. within 7-9 business days.
Shipments are not trackable

Premium: Trackable delivery to most addresses in the U.K. within 3-4 business days!
Add one extra business day for deliveries to Northern Ireland and Scottish Highlands and islands

EU:

Premium: Trackable delivery to most EU destinations within 4-9 business days.

Australia:

Economy: Can deliver to P. O. Boxes and private residences.
Trackable service with delivery to addresses in Australia only.
Delivery time ranges from 7-9 business days for VIC and 8-10 business days for Interstate metro
Delivery time is up to 15 business days for remote areas of WA, NT & QLD.

Premium: Delivery to addresses in Australia only
Trackable delivery to most P. O. Boxes and private residences in Australia within 4-5 days based on the distance to a destination following dispatch.

India:

Premium: Delivery to most Indian addresses within 5-6 business days

Rest of the World:

Premium: Countries in the American continent: Trackable delivery to most countries within 4-7 business days

Asia:

Premium: Delivery to most Asian addresses within 5-9 business days

Disclaimer:
All orders received before 5 PM U.K time would start printing from the next business day. So the estimated delivery times start from the next day as well. Orders received after 5 PM U.K time (in our internal systems) on a business day or anytime on the weekend will begin printing the second to next business day. For example, an order placed at 11 AM today will begin printing tomorrow, whereas an order placed at 9 PM tonight will begin printing the day after tomorrow.


Unfortunately, due to several restrictions, we are unable to ship to the following countries:

  1. Afghanistan
  2. American Samoa
  3. Belarus
  4. Brunei Darussalam
  5. Central African Republic
  6. The Democratic Republic of Congo
  7. Eritrea
  8. Guinea-bissau
  9. Iran
  10. Lebanon
  11. Libiya Arab Jamahriya
  12. Somalia
  13. Sudan
  14. Russian Federation
  15. Syrian Arab Republic
  16. Ukraine
  17. Venezuela