✍️ 1/ Want to learn how to bug hunt in hard targets and find high impact issues? Here’s a short Sunday 🧵for those starting out and some general thoughts from over the years on software security: 
✍️ 2/ Developer mindset vs Adversarial mindset - Code review as a bug hunter is often different from code reviewing as part of feature change. As a bug hunter you are only focusing on how to circumvent a control or use in a way it was not intended. Learning this mindset is key
✍️ 3/ Going Deep vs Going Wide - Researching a target there is a trade off between going deep and going wide. If you have no knowledge then going wide helps to discover potential weak areas and build up a mental model. At some point it becomes important to focus down and refine
✍️ 4/ Target Biases - Its common to think because something is well established then there will be less bugs lurking there. However, most software is evolving and new features are constant being added. This new code is often a really good source of bugs.
✍️ 5/ Fuzzing Enhancements - As code moves on over time, developers need to create test code. This means that often this new code misses test coverage or has no tests at all. Binary diffing, API change logs and software update analysis are a great way to extend fuzzer coverage.
✍️ 6/ Code/binary review lead fuzzing - It can be very challenging to spot certain bugs using only code review or binary analysis. Combing the approach allows to identify complexity and focus fuzzing to weak areas which may lead to vulns you would have not spotted
✍️ 7/ Variant Analysis - As a researcher most of the bugs you find will not be particularly novel and are generally abstractions of a common vulnerability pattern. Knowing how to recognise these patterns and integrating into your toolset to allow faster identification is a must
✍️ 8/ Research Tracking - In the area you are researching it is important to keep up-to date on published material. As new attack surfaces are unearthed or new vulnerability classes are identified then taking this knowledge and integrating it into your tooling is important.
✍️ 9/ Collaboration - You can get quite far solo in bug hunting, however being able to work in a team allows effective use of the team members specialisation and allows for distribution of work. It helps with motivation on the VR emotional rollercoaster when failure is common.
✍️ 10/ Bug Tracking - Whilst going for the most impact as possible is the goal, reaching that goal may require many other lesser impact vulnerabilities chained together. As you are performing your research it is important to make notes of literally anything of potential value.
✍️ 11/ Target Knowledge Base - Whilst you are doing this research and afterwards it is important to maintain a target knowledge based. Building on existing knowledge is much easier than coming from zero knowledge of the target. Really helps if you switch between targets lots.
This was a bit of a brain dump, stay tuned for more on this in future with practice examples :)
• • •
Missing some Tweet in this thread? You can try to
force a refresh
