A good friend of mine and successful bug bounty hunter, Corben Leo,
discussed in a blog post how he spotted an Express app from an error
message alone. He used his understanding of Express application code
to uncover a critical flaw.
I often use the expression, “Learn to build it, then break it”.
The philosophy is simple: learn security by building projects, reading
official documentation and codebases, and then attempting to find
security flaws in your work.
For me, this approach has led to more application-specific findings. I
focus on the technology stack and application functionality rather than
relying on general-purpose checklists.
Don’t get me wrong: there is nothing wrong with the OWASP Top 10. I have
just found that, when it comes to auditing web applications, my most
impactful—and arguably interesting—findings are specific to the
application itself. In the bug bounty context, for instance, generic and
well-documented attack vectors can produce critical flaws but are
uncovered reasonably quickly upon programme launch. This will often
result in numerous duplicate reports and frustrated reporters.
“We applaud the researcher [Ed] for thinking about our product specifically,
not just applying a generic checklist.”
— Max Krohn, Co-founder of Keybase, OkCupid, SparkNotes and TheSpark, on a
series of security flaws I uncovered in Keybase
Why did I feel the need to share this? Something I have been trying to
encourage others to try out—especially if they are facing an onslaught
of duplicate reports—is taking time to build systems and understanding
how things are designed. In a black-box setting with this know-how, I
start to recognise patterns. An ng-* attribute on some random HTML tag?
Oh, this application is using Angular on the frontend! Angular has a
very opinionated way of structuring front-end code. This is a great
opportunity to exploit this knowledge and uncover further components.
As evidenced by my reference to Corben’s blog, I am not alone in this
approach. Jack Whitton talked about how working as a Security Engineer
at Meta after having been an active member in the bug bounty community
gave them this pattern recognition too.
So, why not give it a try? Pick a random framework or technology you
have regularly encountered.
Learn to build it, then break it.