These notes are not comprehensive. I only jotted down what was useful for me and I may include other research I've done while going through the video.
- “Pushing a button is the fastest way to discover what it does”
- Seek to understand first - in order to break things, or get them to behave in a way they were not intended to, you need to understand them
- What does each “button” do?
- How do these “buttons” interact with each other?
- For each piece of functionality, if I were an attacker:
- What would I want?
- What would my goal be?
The unbalanced game
- Burden lies with the defender - “security is a negative goal”
- Defenders need to find every bug, while the attacker just needs to find one
- Defenders are inherently at a disadvantage
- Attack areas of higher risk first
- Rank applications (and the features within them) by how valuable the compromised information would be to an attacker
- Ask the developers: what keeps you up at night?
- The answer is likely a high-risk area
Key components of a report
- Severity - rate the finding by its impact:
- Informative - No impact currently, but could have one in the future
- Medium - Potential to cause harm to users, but no data leak
- High - Potential to expose user data, or can be chained with more severe exploits
- Critical - System compromise, risk of confidential/user data exposure
- Description - What is the vulnerability?
- Steps to reproduce - Ideally with a PoC
- Impact - What can an attacker do with this vulnerability?
- Mitigation - How can it be fixed?
- List of assets affected
Browse the target with Burp set up as an intercepting proxy. Watch the flow of data: which requests carry user input, and where does that input get reflected in responses?
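A small script to answer the "where does input get reflected?" question systematically, added here as an example and not taken from the video. It probes each request parameter on its own with a unique canary and reports whether the canary comes back raw, HTML-encoded, or with its angle brackets stripped, which is exactly the distinction that matters before trying an injection. The `fake_server` function is a constructed stand-in for a real page so the script runs offline; in real use the `fetch` callable would wrap a `requests.get()` routed through Burp.

```python
"""Find which request parameters are reflected in a response, and how.

Added example, not part of the original notes. `fetch` is any callable that
takes a dict of parameters and returns the response body; `fake_server` below
is a constructed stand-in so this runs without a network or a target.
"""
import html
import secrets
from typing import Callable, Dict


def make_token() -> str:
    # Random token that will not appear in a page by accident.
    return "zz" + secrets.token_hex(4) + "zz"


def find_reflected_params(params: Dict[str, str],
                          fetch: Callable[[Dict[str, str]], str]) -> Dict[str, str]:
    """Return {param: context} for every parameter whose value is echoed back.

    Each parameter is probed separately with a fresh canary so a reflection can
    be attributed to exactly one parameter. Context values:
      'raw'      canary appears verbatim, angle brackets intact (injection candidate)
      'encoded'  only the HTML-escaped form appears (output encoding is in place)
      'stripped' the token appears but the brackets were removed (filtering in place)
    """
    reflected: Dict[str, str] = {}
    for name in params:
        token = make_token()
        canary = "<" + token + ">"   # brackets reveal whether output is encoded
        probe = dict(params)         # keep the other parameters at their real values
        probe[name] = canary
        body = fetch(probe)
        if canary in body:
            reflected[name] = "raw"
        elif html.escape(canary) in body:
            reflected[name] = "encoded"
        elif token in body:
            reflected[name] = "stripped"
    return reflected


def fake_server(params: Dict[str, str]) -> str:
    """Constructed stand-in for a real page (assumption, not a real target).

    Echoes the search term unescaped, the display name HTML-escaped, the
    comment with angle brackets removed, and never echoes the id.
    """
    comment = params.get("comment", "").replace("<", "").replace(">", "")
    return (
        "<h1>Results for " + params.get("q", "") + "</h1>"
        "<p>Hello, " + html.escape(params.get("name", "")) + "</p>"
        "<p>" + comment + "</p>"
        "<!-- id lookup is done server-side and not displayed -->"
    )


if __name__ == "__main__":
    sample = {"q": "test", "name": "alice", "id": "42", "comment": "hi"}
    for param, context in sorted(find_reflected_params(sample, fake_server).items()):
        print(f"{param}: reflected ({context})")
```

To point this at a real application, replace `fake_server` with something like `lambda p: requests.get(url, params=p, proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}).text` so every probe also shows up in Burp's HTTP history; POST bodies, headers and cookies can be probed the same way by changing what the callable does with the dict.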