How do you go about researching and discovering zero days? Breakdown the process. What positions can I expect to see that offers a more offensive and research oriented approach to security?
I see "How are zero days found?" but I need more.
Everyone has their own method.
Bugs come in various species.
Be curious and ask yourself questions. Start with the "Five Ws" (https://en.wikipedia.org/wiki/Five_Ws). Rinse and repeat, and soon you will be able to recognize them, then to classify them. Then you will be able to spot them. Then you will be able to see the trace they leave. Then, for example, you will understand that by following the trace they leave, you can get to their nest.
On your own path to wisdom you will need some specific tools to see and follow, but they will come to you naturally when you answer your own questions.
Soon you will have found lots of nests of various bug species just about anywhere.
Only then, when you have seen the fundamental nature of bugs, will you be able to decide where you want to go, and develop your own code of conduct and ethic by asking yourself "Should I" questions, or "Why wouldn't I" questions.
Should I eliminate some? Should I eliminate them once and for all? Should I profit from them? Why wouldn't I cultivate them so that there are more of them? Why wouldn't I design new bug species?
Computer security is a collaborative art. Be curious, and have fun guiding it along the way you wish it to go.
Edit 1:
(Doing the exercise together to help convince you)
I now point explicitly to the 5Ws Wikipedia article, which is a rather good generic strategy. The question is rather open, so I was providing a rather open answer giving some methodology.
I could have oriented you to any CVE vulnerability list and told you to analyse. But imho vulnerabilities are less fundamental than bugs (vulnerabilities are bugs with security consequences).
So by speaking of bugs, if you were to ask yourself "Where could I find example bugs" as I suggested you should, soon you would have answered your own question and gone to github.com/trending, picked a random project and gone to its issues page. And then, for example, ask yourself 'What is this project', 'Who is doing this', 'Why is he doing this'...
Have an open mindset set on attack mode (you can train like you would train in chess).
As of today, at the top of the trending list we have https://github.com/neutraltone/awesome-stock-resources.
What is it? A list of websites which offer free reusable pics and resources.
Who made the project? "a Front-End Designer" -> good, he probably isn't a security expert -> he will make errors that we will be able to exploit.
Who uses such a site? Webmasters who need pictures or resources but don't have the time and money to make them themselves. (In a sense this is already a vulnerability, and it's already a red flag for easy prey.)
Why? It seems to be a common problem to find free, legally usable resources. (Does this project solve this problem with security in mind? -> No -> good for us.)
Where will those free resources be used? On various random websites somewhere.
When? The project is trending now, so the security doors may not yet be closed, or not fully opened yet.
How would someone exploit it? Just "give" some free resources to the websites pointed to by those lists, or make one such website (some of the websites he points to are in Beta, so the curator is not very regarding). Sooner or later your resources will end up in the browser of a client while being served by a third party.
For now this project doesn't point to free JavaScript resources, which would have been easy XSS; maybe we should ask the author a random question: go to the issues page and suggest "add other media assets?" (so bad, I've already been beaten to it, but it's revealing that the author is open to suggestions).
But it points to sites which offer to load CSS (for the moment too simple to hide a hack without risks, but it shows it's already on a dangerous path :) ). And in CSS it seems (I'm no CSS expert) you can "import" other CSS from absolute URLs. So you could easily have a CSS that looks good now, but later, by updating what's pointed to by the link (once it has found its way to a website), you will be able at will to deface a target website by serving a custom-made CSS.
In today's effective offensive security, which was OP's question, you plant bugs, you create backdoors, you give people the rope they need to hang themselves, you reward bad behavior (like copy/pasting, like giving economic advantage for not caring about security, like hyping false security...). You just have to sow the seeds and harvest the bugs.
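As an added example that is not part of the original answer: a small Python check a site owner could run over a stylesheet copied from such a "free resources" list, flagging every `@import` or `url()` that pulls from another origin, since that is exactly what lets whoever controls the other origin change the page later. The hostnames in the sample CSS are constructed placeholders.

```python
"""Flag stylesheet references that fetch from another origin."""
import re
from urllib.parse import urlparse

# Matches: @import "x.css";  @import 'x.css';  @import url(x.css) screen;
_IMPORT_RE = re.compile(r'@import\s+(?:url\(\s*)?["\']?([^"\')\s;]+)', re.I)
# Matches url(...) values anywhere (fonts, background images, cursors, ...)
_URL_RE = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I)
_COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)


def external_refs(css_text, site_origin):
    """Return (kind, url) pairs whose origin differs from site_origin.

    kind is "import" for @import rules and "url" for url() values.
    Relative paths and data: URIs are ignored; protocol-relative "//host"
    references are treated as https and still count as another origin.
    """
    own = urlparse(site_origin)
    found = []
    text = _COMMENT_RE.sub("", css_text)  # comments cannot load anything
    # Remove @import statements after scanning them so the url() pass
    # does not report the same reference twice.
    for kind, pattern in (("import", _IMPORT_RE), ("url", _URL_RE)):
        for ref in pattern.findall(text):
            parsed = urlparse("https:" + ref if ref.startswith("//") else ref)
            if not parsed.netloc:
                continue  # relative path or data: URI stays with the site
            if (parsed.scheme, parsed.netloc) != (own.scheme, own.netloc):
                found.append((kind, ref))
        text = pattern.sub("", text) if kind == "import" else text
    return found


# Constructed sample: a "free" theme as it might be copied from such a list.
SAMPLE_CSS = """
/* theme v1 - free to use! */
@import url("https://cdn.example-free-css.test/theme.css");
@import 'reset.css';
body { background: url(/img/bg.png); }
h1 { background: url(//fonts.example-free-css.test/icon.svg); }
a { color: #08c; }
"""

if __name__ == "__main__":
    for kind, ref in external_refs(SAMPLE_CSS, "https://my-site.test"):
        print(f"{kind}: {ref}")
```

Self-hosting a copy of every flagged resource removes the third party's ability to change what your visitors load later.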