Overview

Overview

There isn't a single agreed-upon process - organizations have their own standards. This process is formulated based on experience and various resources.

---

The 4-Step Process

Order	Step	Description
1	Code Review	General review to understand functionality and shortlist potentially vulnerable functions
2	Local Testing	Testing/Debugging code locally to test findings and identify vulnerabilities
3	Proof of Concept	Writing exploit to prove exploitability automatically
4	Patching & Remediation	Patching vulnerability and all its sources/causes

---

Process Flow

┌─────────────────────────────────────────────────────────────────┐
│                        CODE REVIEW                              │
│  Planning → Scope Selection → Prioritization → Reverse Eng →   │
│                    Target Prioritization                        │
└──────────────────────────┬──────────────────────────────────────┘
                           ↓
┌─────────────────────────────────────────────────────────────────┐
│                       LOCAL TESTING                             │
│     Backend Replication → Testing → Exploitation                │
└──────────────────────────┬──────────────────────────────────────┘
                           ↓
┌─────────────────────────────────────────────────────────────────┐
│                     PROOF OF CONCEPT                            │
│  Full Chain Exploitation → Exploit Development → Test on Real   │
└──────────────────────────┬──────────────────────────────────────┘
                           ↓
┌─────────────────────────────────────────────────────────────────┐
│                   PATCHING & REMEDIATION                        │
│              Patching → Reporting → Verification                │
└─────────────────────────────────────────────────────────────────┘

---

Step 1: Code Review

Goal: Static analysis of code to identify potential vulnerabilities

Key Activities

• Read and understand application design

• Identify interesting/sensitive functions

• Shortlist and prioritize findings

Requirements

• Programming language knowledge

• Understanding of application design

• Knowledge of potential code flaws

Challenge

Large codebases make attack surface huge → must learn to quickly identify and prioritize

---

Step 2: Local Testing

Goal: Dynamic analysis to confirm/deny vulnerabilities

Key Activities

• Set up test environment matching production

• Test prioritized functions

• Determine if exploitable

Requirements

• Test environment setup

• Debugging skills

• Understanding of exploitation

Advantage

Greater visibility into request handling → identify hard-to-find vulnerabilities

---

Step 3: Proof of Concept

Goal: Create working exploit that automatically proves vulnerability

Key Activities

• Write exploit script

• Test on test environment first

• Modify for production target

Requirements

• Scripting knowledge (Python, Bash, JavaScript)

• May reuse application code for complex operations

Safety

Tests on production must be safe - no downtime or data loss

Note: In secure coding modules, full exploit may not be needed - just exploitation request as PoC.

---

Step 4: Patching & Remediation

Goal: Provide actionable fixes for identified vulnerabilities

Key Activities

• Detailed patch descriptions

• Specific code changes

• Secure coding recommendations

Verification

1. Test patch fixes vulnerability

2. Test patch retains functionality

3. Re-run PoC to confirm fix

4. Re-do local testing to ensure complete remediation

---

Comparison: Whitebox vs Secure Coding

Aspect	Whitebox Pentest	Secure Coding
Scope	Interesting functions only	Entire codebase
Depth	Deep on priority items	Rolling coverage
Goal	Find exploitable vulns	Ensure secure code
Exploit	Full PoC required	Request/process enough

---

Quick Reference

1. CODE REVIEW
   └→ Understand design
   └→ Shortlist functions
   └→ Prioritize by risk

2. LOCAL TESTING
   └→ Setup test environment
   └→ Test shortlisted functions
   └→ Confirm exploitability

3. PROOF OF CONCEPT
   └→ Document exploitation steps
   └→ Write automated exploit
   └→ Test on production

4. PATCHING
   └→ Provide specific fixes
   └→ Verify remediation
   └→ Secure coding tips