The Bug Hunter

I thought I should start with something I find kind of cool. This tale will be one of bugs. I start by building a general understanding of the types of technologies, processes and services that I expect to encounter. I like to create project directories where I store all compiled data in easily digestible formats that I can later parse for unique endpoints and data. Ultimately, I intend to leverage a variety of data processing techniques to identify potential attack vectors, discover subdomains, and assess security vulnerabilities in a proactive manner.

  • 1. Subdomain Enumeration
    I use a variety of tools to perform automated and manual scans in search of unique endpoints. These endpoints can often seem unimportant, but when sorted and analyzed one can piece together relationships between data. This can open up further understanding of the logic behind an application. It's also important to clean up any duplicates (case differences, trailing dots, schemes and ports, wildcard prefixes) prior to moving on to validation; otherwise the processing time will seem unending and you'll fall asleep, which means you might miss breakfast.
  • 2. Subdomain Validation and Content Discovery
    The endpoints and subdomains, even once deduplicated, will probably still run to a few hundred lines. To validate which ones are live and what they serve, I first collect the HTTP response codes and headers for each and pipe them into a list. Then I run that list through a Python script that reaches out and takes a screenshot of each web page, so that I can sort through and digest that information quickly instead of manually looking through all that junk and aimlessly hurting my eyes.
  • 3. Fingerprinting and Technology Identification
    I'll fingerprint each active server or endpoint to identify the unique technologies in use. I usually compile this into a spreadsheet that I can use to visualize the system's architecture. This makes it easy to cross-reference software and hardware versions against known CVEs, keeping in mind that banners can be stripped or faked and distro packages often backport fixes, so a version match is a lead to verify, not a confirmed finding.
  • 4. Testing and Bug Identification
    This is where most of the fun and frustration takes place. Once an acceptable amount of information has been gathered and compiled, I begin moving into active testing. Not all organizations are the same, so what can be done for one might not transfer well to others. Different company, different house, different rules. It's important to fully understand an organization's policies regarding security tests. That being said, everything between the lines an organization decides to draw is fair game. So, while staying within the boundaries that were set, one must think and live outside of them. I like the challenge that this can bring and have had great opportunities to leverage my skills in testing for SQL Injection, Directory Traversal, Leaked Credentials, Information Disclosure, Broken Access Control, etc.
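
As an added example (not the author's own scripts), the following Python sketches steps 1 through 3 as one offline pipeline: it normalizes and deduplicates raw enumeration-tool output, drops anything outside an assumed scope of `example.com`, and fingerprints constructed HTTP responses by their headers so the results can be dumped into a spreadsheet. The host list, the probe results in `PROBES` and the fingerprint rules are all made up for illustration; a real run would replace `PROBES` with live requests against the deduplicated, in-scope list.

```python
"""Added example, not the page author's tooling: dedupe + scope-check
subdomain output, then fingerprint (constructed) HTTP responses by header."""
import re
from collections import Counter

# Constructed sample output, as several enumeration tools might emit it:
# mixed case, schemes, ports, paths, trailing dots, wildcards, out-of-scope junk.
RAW_SUBDOMAINS = """
www.example.com
WWW.EXAMPLE.COM
https://api.example.com/
api.example.com.
dev.api.example.com
*.staging.example.com
example.com
evil.example.com.attacker.net
notexample.com
https://legacy.example.com:8443/login
"""

SCOPE = ("example.com",)  # hypothetical program scope (assumption)

# One or more DNS labels of letters, digits and inner hyphens.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def normalize_host(line):
    """Reduce one raw line to a bare lowercase hostname, or None if it is not one."""
    s = line.strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)  # strip scheme
    s = s.split("/", 1)[0]                         # strip path
    s = s.split(":", 1)[0]                         # strip port
    s = s.lstrip("*.").rstrip(".")                 # strip wildcard prefix, trailing dot
    return s if HOST_RE.match(s) else None


def in_scope(host, scope=SCOPE):
    """True only for the scope apex or a real subdomain of it (not look-alikes)."""
    return any(host == d or host.endswith("." + d) for d in scope)


def dedupe_subdomains(raw, scope=SCOPE):
    """Step 1 output: sorted, unique, in-scope hostnames."""
    seen = set()
    for line in raw.splitlines():
        h = normalize_host(line)
        if h and in_scope(h, scope):
            seen.add(h)
    return sorted(seen)


# Constructed probe results standing in for real HTTP responses: host -> (status, headers).
# None status means no response at all.
PROBES = {
    "www.example.com":     (200, {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
                                  "Set-Cookie": "PHPSESSID=abc; path=/"}),
    "api.example.com":     (401, {"Server": "Apache/2.4.41 (Ubuntu)", "WWW-Authenticate": "Bearer"}),
    "dev.api.example.com": (200, {"Server": "Werkzeug/2.0.1 Python/3.8.10"}),
    "legacy.example.com":  (302, {"Server": "Microsoft-IIS/8.5", "X-AspNet-Version": "4.0.30319",
                                  "Location": "/login"}),
    "staging.example.com": (404, {"Server": "cloudflare"}),
    "example.com":         (None, {}),
}

# Illustrative fingerprint rules: (header, pattern with optional version group, label).
FINGERPRINTS = [
    ("server",           r"nginx/?([\d.]*)",         "nginx"),
    ("server",           r"apache/?([\d.]*)",        "Apache httpd"),
    ("server",           r"microsoft-iis/?([\d.]*)", "Microsoft IIS"),
    ("server",           r"werkzeug/?([\d.]*)",      "Werkzeug (Flask dev server)"),
    ("server",           r"cloudflare",              "Cloudflare (CDN front)"),
    ("x-powered-by",     r"php/?([\d.]*)",           "PHP"),
    ("x-aspnet-version", r"([\d.]+)",                "ASP.NET"),
    ("set-cookie",       r"phpsessid=",              "PHP session"),
]


def fingerprint(headers):
    """Step 3: {technology: version-or-''} from response headers (case-insensitive names)."""
    low = {k.lower(): v for k, v in headers.items()}
    found = {}
    for hname, pat, label in FINGERPRINTS:
        val = low.get(hname)
        if val is None:
            continue
        m = re.search(pat, val, re.I)
        if m:
            found[label] = m.group(1) if m.groups() else ""
    return found


def triage(hosts, probes):
    """Step 2: one spreadsheet row per host with status, liveness and fingerprint."""
    rows = []
    for h in hosts:
        status, headers = probes.get(h, (None, {}))
        rows.append({"host": h, "status": status, "alive": status is not None,
                     "tech": fingerprint(headers)})
    return rows


def tech_inventory(rows):
    """Count technologies across hosts: the seed for a CVE cross-reference sheet."""
    return Counter(t for r in rows for t in r["tech"])


if __name__ == "__main__":
    hosts = dedupe_subdomains(RAW_SUBDOMAINS)
    for r in triage(hosts, PROBES):
        print(r["host"], r["status"], r["tech"])
    print(tech_inventory(triage(hosts, PROBES)))
```

The order matters: scope filtering happens before anything is probed, so look-alike hosts such as `evil.example.com.attacker.net` never receive a request, and the header-based fingerprint is only a first pass that a screenshot and manual review would then confirm or overturn.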

I'll be adding some extra projects and other cool things I've been working on shortly!