These notes are not comprehensive. I only jotted down what was useful for me and I may include other research I've done while going through the video.

Attacker Mindset

  • “Pushing a button is the fastest way to discover what it does”
  • Seek to understand first - to break something, or make it behave in a way it was not intended to, you first need to understand it
    • What does each “button” do?
    • How do these “buttons” interact with each other?
  • For each piece of functionality, ask: if I were an attacker,
    • What would I want from it?
    • What would my goal be?

The unbalanced game

  • Burden lies with the defender - “security is a negative goal”
    • Defenders need to find every bug, while the attacker just needs to find one
    • Defenders are inherently at a disadvantage


  • Attack the areas of highest risk first
  • Rank applications by how valuable the compromised information would be to an attacker
  • Ask the developers: what keeps you up at night?
    • The answer is likely a high-risk area


Key components of a report

  1. Title
  2. Severity
    • Informative - issue has no impact currently, but might in the future
    • Low
    • Medium - Potential to cause harm to users, but no data leak
    • High - Potential to reveal user data or can be chained with more severe exploits
    • Critical - System compromise, risk of confidential/user data exposure
  3. Description - What is the vulnerability?
  4. Steps to reproduce - ideally with a POC
  5. Impact - What can an attacker do with this vulnerability?
  6. Mitigation - How can it be fixed?
  7. List of assets affected

Takeaway Exercise

Browse the web with Burp set up as your proxy. Watch the flow of data. Where does input get reflected?
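A way to make "where does input get reflected?" systematic is to send a unique canary value in every query parameter and then look for each canary in the response, noting whether it landed in HTML text, inside a tag attribute, or inside a script block (the context decides what an injected payload could do). The script below is an added example, not code from the video or from Burp; the site it probes (`fake_app`) is a constructed stand-in that echoes some parameters and ignores others, so the whole thing runs offline. To use it against a real target, pass a `send` function that performs the HTTP request and returns the response body.

```python
"""Reflection canary check: tag every query parameter with a unique marker
and report where (if anywhere) each marker shows up in the response."""
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def make_canary(prefix="zq"):
    # Random hex keeps the marker URL-safe and unlikely to appear in a page by chance.
    return prefix + secrets.token_hex(4)


def inject_canaries(url):
    """Return (probe_url, {param: canary}); each query parameter gets its own marker."""
    parts = urlsplit(url)
    canaries = {}
    probe_params = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        canary = make_canary()
        canaries[name] = canary
        probe_params.append((name, canary))
    return urlunsplit(parts._replace(query=urlencode(probe_params))), canaries


def classify_contexts(body, canary):
    """Sorted list of contexts the canary was reflected into:
    'script' (inside <script>...</script>), 'attribute' (inside a tag), 'html_text'.
    Empty list means the value was not reflected at all."""
    contexts = set()
    lowered = body.lower()
    for match in re.finditer(re.escape(canary), body):
        before = lowered[: match.start()]
        # Inside a script block if the last <script opens after the last </script closes.
        if before.rfind("<script") > before.rfind("</script"):
            contexts.add("script")
        # Inside a tag (i.e. an attribute value) if the last '<' is not yet closed by '>'.
        elif before.rfind("<") > before.rfind(">"):
            contexts.add("attribute")
        else:
            contexts.add("html_text")
    return sorted(contexts)


def find_reflections(url, send):
    """Probe every query parameter of url; send(url) -> response body (str)."""
    probe_url, canaries = inject_canaries(url)
    body = send(probe_url)
    return {param: classify_contexts(body, canary) for param, canary in canaries.items()}


def fake_app(url):
    """Constructed stand-in for a real site (assumption, not any real application):
    q is echoed into text, name into an attribute, cb into a script, id is dropped."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return (
        "<html><body>"
        f"<h1>Results for {params.get('q', '')}</h1>"
        f'<input type="text" name="search" value="{params.get("name", "")}">'
        f"<script>var callback = '{params.get('cb', '')}';</script>"
        "</body></html>"
    )


# Constructed target URL; the host and parameters are assumptions for the demo.
FAKE_URL = "https://example.test/search?q=apple&name=bob&cb=render&id=7"

if __name__ == "__main__":
    for param, contexts in find_reflections(FAKE_URL, fake_app).items():
        print(f"{param}: {', '.join(contexts) if contexts else 'not reflected'}")
```

Treat the output as a starting point for manual review in Burp rather than a verdict: a value reflected into an attribute or a script block is where encoding mistakes matter most, while a value that is not reflected in this response may still be stored and shown elsewhere.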