My Authors
Read all threads
how to find vulnerabilities in code:
- search for dangerous functionality
- find a path from input you control to that dangerous functionality
- test your exploit by isolating and running critical parts of the code locally
how to find dangerous functionality:
pay special attention to:
- high concentration of security "bad words" (eval, exec, raw, privileged, YAML, merge, reflect, etc)
- string parsing (dynamic langs, SQL, URLs, file paths, etc)
- code handling security stuff (authN, authZ, crypto)
how to find dangerous functionality:
- rules enforced by difficult to read code (likely some edge cases)
- calls that have "unsafe", "insecure", etc in the name
- counter-intuitive language features (perl array expansion, PHP implicit conversions, overwriting JS prototypes, etc.)
how to find paths:
- walk the call stack and trace data you control
- use static analysis tools to do this
- use "find usages" in an IDE to find calls; repeat until you're at the top
- focus on less obvious input (auto set headers, input from other software, metadata, etc)
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Will Butler

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!