I really enjoy finding and exploiting critical findings. Following the below process helps me finding bugs consistently.
📚 Study Vulnerability Classes
Familiarize yourself with different attacks, know when they apply, and understand their mitigations. This is key for three reasons:
- You increase your probabilities of finding good bugs. If you’re not aware of XXE, you would likely miss it.
- If a bug class is mitigated well, try focusing on a different bug class before going too deep.
- Keep up to date on new bugs, they are often exploitable. The industry as a whole responds slow to trends.
🔠Perform a Breadth-First Search of Functionality
Interact with the system and understand what functionality it provides. Take note of ways you can supply input to it. Perform quick tests (XSS, SQLI, AFL for fuzzing) to see if you can shake some bugs out of the system early.
Bugs often lurk in the corners of applications that are not paid much attention to. Same for new or complex features, and features not using battle-tested secure libraries. Did the software roll their own authentication process (Login & Forgot Password Flows, MFA, Credential Checking, etc.)? These are often breakable if developed in house (same goes for OAuth integrations).
Is an application using mitigations/security checks inconsistently? If you find an authorization bug for a low-risk feature, see if the same vulnerability pattern exists in high-risk features.
Use static and dynamic testing tools to help find bugs. Automatically replaying requests in Burp, while substituting credentials with another user or guest is a quick way to find Authorization bugs. If reversing a binary, see if there are references to known vulnerable functions (strcpy, sprintf, etc.). Auto-testing payloads for common vuln classes can help too.
Keep track of lower-risk findings. These may be handy later on in an exploit chain.
🤿 Deep Dive into Interesting Areas
This step is the more time consuming process. The goal is to test in-depth functionality to uncover security bugs.
Developing application-specific tooling falls under this category (grammars for fuzzing, protocol-aware tooling to tamper with communications, etc.).
Bugs in 3rd party libraries may also exist. Doing an audit (especially on crypto related functionality) can reveal bugs.
Re-visit bug classes that seem well mitigated. Often it takes just one good bug in order to get into the system.