So you want to become an analyst in the field of network security ...

This translation of the article was prepared especially for students of the course "Pentest. Penetration Testing Practice".

Are you interested in developing hacking techniques and want to share your discoveries with the information security community? In this article I will give some recommendations to those who want to become an analyst in the field of web security, and talk about the opportunities and pitfalls I have met along the way.

Who is a network security analyst?

Network security analysts are people who go beyond the use of well-known hacking techniques such as SQLi and XSS and find new threats to websites. These may be innovative twists that extend existing methods, such as this approach to exploiting local and blind XXE vulnerabilities, or entirely new threat classes such as Web Cache Deception.

It is very hard to protect websites against unknown attack methods, so such methods can often be used to exploit a large number of otherwise secure websites. This means that publishing your discoveries in this area can help websites eliminate vulnerabilities, raising the overall level of security of the entire ecosystem.

Hacking for a living

Most research consists of existing methods pushed a little further, so to begin with it is worth getting acquainted with the current state of the art. The quickest way to do this is to find a job where you spend most of your time hacking. Many good people have already given advice on how to get into the information security industry, so here I will be brief.

I recommend a practice-oriented approach: start with our Web Security Academy, move on to more open-ended challenges such as those on my hackxor.net, then work through simple, modestly rewarded tasks on HackerOne and BugCrowd, and finally switch to the well-established, generously paying general vulnerability programs. After you have found and analysed several vulnerabilities, becoming an information security consultant who hacks new sites and web applications every day should be easy.

There are many free online resources that will serve you well along the way, including our Burp methodology, HackerOne's Hacker101 and the OWASP Testing Guide. For books, I would recommend The Web Application Hacker's Handbook and The Tangled Web. The Web Security Academy mentioned above is intended to be an interactive replacement for The Web Application Hacker's Handbook, but it will take us some time to cover all the necessary topics, so for now I would recommend using both.

Going beyond known methods

Once you are working and hacking for your whole working day, you will notice how quickly you learn at first; after some time your experience will be extensive and new knowledge will be harder to come by. At this stage the most important thing is not to rest on your laurels but to keep learning and practising. Only this way will you become a real specialist.

The hunt for forgotten knowledge

Everyone understands that you need to keep up with new developments: follow industry experts and news aggregators and attend security conferences. However, following only new developments means missing the precious knowledge and research that was done long ago and forgotten.

Every time you find a good blog, do not skimp on time: read the entire archive. Priceless, forgotten pieces of information are often hidden there. For example, take this RSnake article on DNS rebinding, written in 2009. DNS rebinding bypasses IP- and firewall-based access controls on websites, and the only effective way to prevent it is to have your application whitelist the values it accepts in the HTTP Host header. People quickly decided that browsers would handle it, and nine years later it resurfaced with a new wave of exploits.
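
The Host header whitelist mentioned above, as an added example that is not code from the article or from any project it names: a WSGI middleware that compares the request's Host header against the deployment's own hostnames and rejects anything else with a 400, which is what stops a rebound attacker domain from reaching the application even though the TCP connection arrives at the right IP address. The allowlist, hostnames and requests are constructed; the approach is the same one Django's ALLOWED_HOSTS setting implements.

```python
"""Host header allowlist as a defence against DNS rebinding.

Added example, not code from the original article. With DNS rebinding the
browser connects to the application's IP address but still sends the
attacker-controlled hostname in the Host header, so comparing Host against
the hostnames the application is actually served under rejects the request
before any IP- or firewall-based trust is applied. The hostnames and
requests below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames this deployment legitimately answers for.
ALLOWED_HOSTS = {"app.example.com", "app-internal.example.com"}


def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names one of our own hostnames.

    The value is parsed as a URL authority so "host:port" and bracketed IPv6
    forms are handled; comparison is case-insensitive on the hostname only.
    Anything empty, carrying userinfo, a path, query or fragment, or not on
    the allowlist (including bare IP addresses) is rejected.
    """
    if not host_header:
        return False
    try:
        parsed = urlsplit("//" + host_header)
    except ValueError:
        # e.g. a malformed IPv6 literal
        return False
    hostname = parsed.hostname  # already lowercased, port stripped
    if hostname is None or parsed.username is not None:
        return False
    if parsed.path or parsed.query or parsed.fragment:
        return False
    return hostname in {h.lower() for h in allowed}


def reject_unknown_host(app):
    """WSGI middleware: answer 400 before the wrapped app sees the request."""
    def wrapper(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", "")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Unrecognised Host header\n"]
        return app(environ, start_response)
    return wrapper


def _protected_app(environ, start_response):
    """Stand-in for the real application, constructed for the example."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def status_for_host(host_header):
    """Run one constructed request through the middleware; return the status line."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    wrapped = reject_unknown_host(_protected_app)
    wrapped({"HTTP_HOST": host_header, "REQUEST_METHOD": "GET"}, start_response)
    return captured["status"]


if __name__ == "__main__":
    # Constructed Host values: a legitimate name, the same name with a port and
    # odd casing, a rebound attacker domain, a bare IP address and two
    # malformed values that must not slip through.
    for value in ["app.example.com", "App.Example.COM:8443", "attacker.example",
                  "192.0.2.10", "app.example.com/", "evil.example@app.example.com"]:
        print(f"{value!r:40} -> {status_for_host(value)}")
```

The check deliberately matches on the parsed hostname rather than on the raw header string, so a port suffix or different letter case still matches a legitimate name while userinfo, path or query characters in the header cause a rejection instead of a partial match.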



Browsing archives will also keep you from reinventing a wheel someone else has already invented, as happened with the reinvention of CSS attacks ten years later. However, some research is genuinely hard to find, so accidental duplication is inevitable. I once published a piece of research and then discovered that kuza55 had done the same thing five years earlier. So do everything you can to avoid duplicating research, but if it happens, do not panic; it happens to everyone.

Collect rarities

To connect topics and spot opportunities that other people miss, it is very important to gather information from diverse sources. For a start, do not limit yourself to reading information security content; you will quickly find that plain documentation can walk you through an exploit. The next tip may also be fairly obvious, but before you search Google or try to formulate a question for Twitter, Reddit or StackOverflow, be sure to ask your colleagues. The knowledge you need is often close by, held by people who simply do not share it publicly.

In addition, try to keep your experience varied.

Doing black-box penetration testing as a security consultant should expose you to a wide range of external and internal web applications that you might never meet in a bug bounty program. However, the time limits will keep you from reaching the depth of understanding of an application that comes from months of bug bounty work on a single target. Although it is a slow and limited process, white-box source code review offers an alternative attack perspective that a black-box pentester would not have thought of. To develop as an analyst you need to combine all three ways of working. Extras such as CTF games and writing your own web applications will also widen your perspective.

No idea is too stupid

One of the worst pitfalls you can fall into is to drop a great idea without trying it because you assume it definitely will not work, because "someone else would have noticed it" or "it is too stupid to work". I have suffered from this myself, to the extent that one piece of research appeared two years later than it should have. Whether it is bypassing authentication by re-entering the same password or hacking a Google administration page from your phone instead of a laptop, the next significant exploit can come from a genuinely stupid idea.

Give up comfort

If a technology is considered complex, inconvenient or dangerous, that is clearly a topic that needs investigating. After repeatedly experiencing real breakthroughs from studying topics far outside my comfort zone, I decided that the fastest route to new discoveries is to actively seek out topics that make me uncomfortable. Most likely other hackers avoid these topics too, which gives them serious research potential. For me, this is the only plausible explanation for how I was able to take a technique first documented in 2005 and presented again at DEF CON in 2016, and use it to earn $70,000 in bug bounties in 2019.

Repeat, invent, share

Repeat

The easiest way to start is to find someone else's promising research, build something of your own on top of it by mixing in a few methods, and then try your new approach in the field and see whether anything interesting happens.

For example, this article on CORS misconfiguration pointed out interesting behaviour and said that such behaviour is extremely common, but the author stopped there and did not study its effect on individual websites.

I took the proposed concept as a basis and applied it to bug bounty sites, where I could legally experiment and try my hand at bypassing every protection they had in place. Along the way I improved the approach using well-known open redirect exploitation techniques, finally discovered the "null" origin by reading the CORS documentation, and explored the possibilities of cache poisoning.

Nothing in this process required incredible intuition or outstanding technical knowledge, yet the end result came easily: exploiting CORS misconfigurations for bitcoins and bounties.
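
The CORS misconfigurations described above (reflecting the request's Origin, and accepting the "null" origin) shown beside an exact-match allowlist, as an added example that is not code from the article or from any site it examined. The suffix-matching function goes beyond the text to another weak check commonly found in the wild; the allowlist and origins are constructed.

```python
"""Validating the Origin header for CORS: two common misconfigurations beside a
strict allowlist.

Added example, not code from the article or any project it mentions. The
allowlist and the origins used in the demonstration are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist of exact origins (scheme + host + optional port).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_reflecting(origin):
    """Misconfiguration 1: echo whatever Origin arrives, with credentials.

    Any site, including a page running in a "null"-origin sandboxed iframe,
    can then read authenticated responses.
    """
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_check(origin):
    """Misconfiguration 2: accept any origin whose string ends in our domain.

    A plain suffix test does not distinguish "https://app.example.com" from
    a lookalike such as "https://evil-example.com".
    """
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_strict(origin, allowed=ALLOWED_ORIGINS):
    """Exact-match allowlist: never reflect, never accept "null".

    The Origin value is parsed and rebuilt as scheme://host[:port], so a value
    carrying userinfo, a path, a query or a fragment fails the comparison, and
    the response carries Vary: Origin so shared caches keep answers apart.
    """
    if not origin or origin == "null":
        return {}
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return {}
    if (parts.scheme != "https" or not parts.hostname or parts.username is not None
            or parts.path or parts.query or parts.fragment):
        return {}
    canonical = f"https://{parts.hostname}" + (f":{port}" if port is not None else "")
    if canonical not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": canonical,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed Origin values: a legitimate origin, the "null" origin, a
    # lookalike that defeats suffix matching and a subdomain-prefix lookalike.
    for value in ["https://app.example.com", "null", "https://evil-example.com",
                  "https://app.example.com.evil.test"]:
        print(f"{value!r:40} reflect={bool(cors_reflecting(value))} "
              f"suffix={bool(cors_suffix_check(value))} strict={bool(cors_strict(value))}")
```

Allow-Credentials is only ever emitted next to an origin that was rebuilt from the allowlist entry, never from the raw header, so a request that should not be trusted gets no CORS headers at all rather than a partially permissive response.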



Invent

Repeating other people's work is cool, but the coolest research comes out of nowhere, whether relative path overwrite or web cache poisoning. I believe such discoveries are caused by personal experiences that add up to clues. I call them "leading experiences" or "breadcrumbs", because they are sometimes mysterious and it can take many of them to lead you to a useful discovery.

For example, in 2011 I tried to break the CSRF protection used by addons.mozilla.org. I got around the token check, but they also checked that the host in the Referer header matched the current site. I asked the sla.ckers forum for help, and 'barbarianbob' said that Django determines the host of the current site by looking at the Host field in the HTTP headers, and that it can be overridden by the X-Forwarded-Host header. This idea could be combined with a Flash header injection vulnerability to bypass the CSRF check, but more importantly it was the first breadcrumb. It planted the idea that applications could rely on the Host header to determine their current location.

Some time later, I looked at the source code of the Piwik password reset function and found a line that looked something like this:

$passwordResetLink = getCurrentUrlWithoutQueryString() + $secretToken

Aha, I thought. Piwik uses PHP, which handles paths in a lot of entertaining ways, so I can request a password reset at piwik.com/reset.php/foo;http://evil.com and receive an email containing two links, with the secret token sent to evil.com. This idea worked, brought me benefits and laid the foundation for the later discoveries.

The third and final crumb was how Piwik tried to fix this vulnerability. They replaced getCurrentUrlWithoutQueryString() with getCurrentUrlWithoutFileName(), which meant I could no longer use my method for the exploit. Since I was already familiar with Django, I decided to dig into the code and find out how Piwik determined the current host name. I found that, like Django, it used the Host header, which meant I could easily generate poisoned password reset emails. As it turned out, this trick worked on addons.mozilla.org, Gallery, Symfony, Drupal and a number of other sites. In the end, this led to the practice of HTTP Host header attacks.
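
The password reset pattern from the Piwik story above, recreated in Python as an added example (not Piwik's, Django's or the article's code): a helper that rebuilds the current URL from the request, where both the host (X-Forwarded-Host or Host) and the path (including PATH_INFO) are attacker-influenced, next to a link builder that takes its base URL from deployment configuration, plus a check that can be run on any generated link before it is emailed. CANONICAL_BASE_URL, RESET_PATH, the piwik.example hostname and the request environments are constructed for the example.

```python
"""Generating password reset links without trusting request headers.

Added example, not Piwik's or Django's code. It contrasts a helper that
rebuilds the current URL from the request, as the article describes, with one
that takes the base URL from configuration. CANONICAL_BASE_URL, the hostnames
and the WSGI environments below are constructed for the example.
"""
import secrets
from urllib.parse import urlsplit

# Constructed deployment setting: the only place reset links may point at.
CANONICAL_BASE_URL = "https://piwik.example"  # hypothetical hostname
RESET_PATH = "/reset.php"


def current_url_without_query_string(environ):
    """Rebuild the request URL the naive way: host and path both come from the
    request, so both are attacker-influenced (X-Forwarded-Host wins if set)."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ.get("HTTP_HOST", "")
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")
    return f"{environ.get('wsgi.url_scheme', 'https')}://{host}{path}"


def reset_link_vulnerable(environ, token):
    """Mirror of the pattern the article quotes: current URL + secret token."""
    return current_url_without_query_string(environ) + "?token=" + token


def reset_link_hardened(token):
    """Base URL and path are fixed by configuration; nothing from the request
    influences where the token is sent."""
    return f"{CANONICAL_BASE_URL}{RESET_PATH}?token={token}"


def link_points_at_us(link):
    """Defensive check for any generated link: scheme, host and path must all
    equal the configured values, so a poisoned host or a path carrying an
    injected second URL is caught before the email goes out."""
    expected = urlsplit(CANONICAL_BASE_URL)
    actual = urlsplit(link)
    return (actual.scheme == expected.scheme
            and actual.hostname == expected.hostname
            and actual.path == RESET_PATH)


def new_token():
    """Unguessable reset token; the link is only as safe as its destination."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    token = new_token()
    # Constructed requests: one with a poisoned path, one with a poisoned host.
    poisoned_path = {"wsgi.url_scheme": "https", "HTTP_HOST": "piwik.example",
                     "SCRIPT_NAME": "/reset.php", "PATH_INFO": "/foo;http://evil.com"}
    poisoned_host = {"wsgi.url_scheme": "https", "HTTP_HOST": "piwik.example",
                     "HTTP_X_FORWARDED_HOST": "evil.com",
                     "SCRIPT_NAME": "/reset.php", "PATH_INFO": ""}
    for env in (poisoned_path, poisoned_host):
        link = reset_link_vulnerable(env, token)
        print(link, "->", "ok" if link_points_at_us(link) else "REJECT")
    link = reset_link_hardened(token)
    print(link, "->", "ok" if link_points_at_us(link) else "REJECT")
```

The fix Piwik first tried (dropping the file name from the current URL) only removed the path-based variant; the host-based one survived because the host still came from the request, which is why the hardened builder above takes both the host and the path from configuration.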



By describing the emergence of these discoveries at such length, I hope I have dispelled some of the mystery around the research process and shown that it is not a spontaneous idea from nowhere. From this point of view, the main skill (besides existing knowledge and experience) seems to be recognising such breadcrumbs and following the path they indicate. I cannot formulate how to do that in an accessible way, but I know it helps to look closely at the things that make you say "this makes no sense" again and again.

Share

It is important to share your research with the community. This will build your portfolio and may encourage your employer to give you more working time for research. It also helps you avoid wasting time and stimulates further research. Criticism of and comments on your work can help you see what you had not noticed before. And there is nothing more rewarding than watching another analyst build their methodology on yours.

Please do not think that a technique or idea should not be shared just because it is not innovative. Logo and presentation or not, publish everything you have (ideally on a blog, not on a poorly indexed closed platform like Twitter).

When you share your research, it is always useful to show an example of applying your method to a real web application. Without it, people will inevitably struggle to understand it and may doubt its practical value.

Finally, presentations are great for reaching a wider audience, but do not fall into a vicious circle of endlessly repeating past presentations.

Conclusion

I still have a lot to learn about network security myself, so I may return to this topic in a few years with a fresh look and new ideas. I also know that other analysts may have different points of view, and I look forward to the ideas they can share.

A summary of my tips on becoming a network security analyst:

So, if you are looking to get started, I can point you to our annual selection of the ten best web hacking techniques. In addition, I have put together a list of the blogs that have inspired me over the years. Good luck with your research and have fun!