A good friend of mine and successful bug bounty hunter, Corben Leo, discussed in a blog post how he spotted an Express app from an error message alone1. He used his understanding of Express application code to uncover a critical flaw.
I often use the expression, "Learn to build it, then break it". The philosophy is simple: learn security by building projects, reading official documentation and codebases, and then attempting to find security flaws in your work.
For me, this approach has led to more application-specific findings. I focus on the technology stack and application functionality; rather than rely on general-purpose checklists.
Don’t get me wrong: there is nothing wrong with the OWASP Top 10. I have just found that, when it comes to auditing web applications, my most impactful—and arguably interesting—findings are specific to the application itself. In the bug bounty context, for instance, generic and well-documented attack vectors can produce critical flaws but are uncovered reasonably quickly upon programme launch. This will often result in numerous duplicate reports and frustrated reporters.
“We applaud the researcher [Ed] for thinking about our product specifically, not just applying a generic checklist.”
— Max Krohn, Co-founder of Keybase, OkCupid, SparkNotes, TheSpark on a series of security flaws I uncovered in Keybase
Why did I feel the need to share this? Something I have been trying to
encourage others to try out—especially if they are facing an onslaught
of duplicate reports—is taking time to build systems and understanding
how things are designed. In a black-box setting with this know-how, I
start to recognise patterns.
ng-* attribute on some random HTML tag?
Oh, this application is using Angular on the frontend! Angular has a
very opinionated way of structuring front-end code2. This is a great
opportunity to exploit this knowledge and uncover further components.
As evidenced by my reference to Corben’s blog, I am not alone in this approach. Jack Whitton talked about how working as a Security Engineer at Meta after having been an active member in the bug bounty community gave them this pattern recognition too3.
So, why not give it a try? Pick a random framework or technology you have regularly encountered.
Learn to build it, then break it.