Overview
There isn't a single agreed-upon process; organizations have their own standards. The process below is formulated from experience and various resources.
The 4-Step Process
1. Code Review - General review to understand functionality and shortlist potentially vulnerable functions
2. Local Testing - Testing/debugging the code locally to confirm findings and identify vulnerabilities
3. Proof of Concept - Writing an exploit that proves exploitability automatically
4. Patching & Remediation - Patching the vulnerability and all of its sources/causes
Process Flow
CODE REVIEW
  Planning -> Scope Selection -> Prioritization -> Reverse Eng -> Target Prioritization
        |
        v
LOCAL TESTING
  Backend Replication -> Testing -> Exploitation
        |
        v
PROOF OF CONCEPT
  Full Chain Exploitation -> Exploit Development -> Test on Real
        |
        v
PATCHING & REMEDIATION
  Patching -> Reporting -> Verification

Step 1: Code Review
Goal: Static analysis of code to identify potential vulnerabilities
Key Activities
Read and understand application design
Identify interesting/sensitive functions
Shortlist and prioritize findings
Requirements
Programming language knowledge
Understanding of application design
Knowledge of potential code flaws
Challenge
Large codebases make the attack surface huge, so you must learn to quickly identify and prioritize the functions worth deeper review (e.g. dangerous sinks such as command execution, deserialization, dynamic SQL and file access that are reachable from user input).
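As an added example (not part of the original notes), the following script performs the shortlisting step described above: it greps source files for a small table of dangerous sinks, skips comments, and returns the hits ordered by a review priority. The sink table and the sample source embedded below are constructed for illustration; extend SINKS for the language and frameworks of the target you are reviewing.

```python
"""Shortlist potentially dangerous sinks in a codebase for manual review.

Added example for these notes. SINKS and SAMPLE are constructed; the
patterns are deliberately coarse, the point is to prioritize, not to
decide exploitability (that is what Step 2 is for).
"""
import re
from pathlib import Path

# Map of regex -> (priority, reason). Lower number = review first.
SINKS = {
    r"\beval\s*\(": (1, "arbitrary code evaluation"),
    r"\bexec\s*\(": (1, "arbitrary code execution"),
    r"\bos\.system\s*\(": (1, "shell command execution"),
    r"subprocess\.\w+\([^)]*shell\s*=\s*True": (1, "subprocess with shell=True"),
    r"\bpickle\.loads?\s*\(": (1, "unsafe deserialization"),
    r"\byaml\.load\s*\((?![^)]*Loader)": (2, "yaml.load without an explicit Loader"),
    r"\.execute\s*\(\s*(f['\"]|['\"].*?['\"]\s*(%|\+))": (2, "SQL built by string formatting/concatenation"),
    r"\bopen\s*\(": (3, "file access, check for path traversal"),
}


def shortlist(source: str, path: str = "<input>") -> list[dict]:
    """Return sink hits in `source`, sorted by priority then line number."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # a sink mentioned in a comment is not a sink
            continue
        for pattern, (prio, reason) in SINKS.items():
            if re.search(pattern, line):
                hits.append({"path": path, "line": lineno, "priority": prio,
                             "reason": reason, "code": stripped})
    return sorted(hits, key=lambda h: (h["priority"], h["line"]))


def shortlist_tree(root: str, suffix: str = ".py") -> list[dict]:
    """Walk a directory and shortlist every file with the given suffix."""
    hits = []
    for file in Path(root).rglob(f"*{suffix}"):
        hits.extend(shortlist(file.read_text(errors="replace"), str(file)))
    return sorted(hits, key=lambda h: (h["priority"], h["path"], h["line"]))


# Constructed sample module standing in for a file from the target codebase.
SAMPLE = '''\
import os, pickle, subprocess

def export(report_name):
    # admin-only report export
    os.system("zip reports.zip " + report_name)

def load_session(blob):
    return pickle.loads(blob)

def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)

def run(cmd):
    # os.system(cmd) was removed here
    return subprocess.run(cmd, shell=True, capture_output=True)
'''


if __name__ == "__main__":
    for h in shortlist(SAMPLE, "sample.py"):
        print(f"P{h['priority']} {h['path']}:{h['line']}  {h['reason']}\n    {h['code']}")
```

On the sample this yields four hits: the three priority-1 sinks (os.system, pickle.loads, shell=True) first, then the string-built SQL; the commented-out os.system on line 14 is ignored. Each hit is a starting point for the local testing in Step 2, not a finding in itself.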
Step 2: Local Testing
Goal: Dynamic analysis to confirm/deny vulnerabilities
Key Activities
Set up test environment matching production
Test prioritized functions
Determine if exploitable
Requirements
Test environment setup
Debugging skills
Understanding of exploitation
Advantage
Greater visibility into request handling (debugger, logs, database queries) than in a blackbox test, which makes it possible to identify hard-to-find vulnerabilities
Step 3: Proof of Concept
Goal: Create working exploit that automatically proves vulnerability
Key Activities
Write exploit script
Test on test environment first
Modify for production target
Requirements
Scripting knowledge (Python, Bash, JavaScript)
May reuse application code for complex operations
Safety
Tests on production must be safe - no downtime or data loss
Note: In secure coding modules a full exploit may not be needed; a single request that triggers the vulnerability is enough as a PoC.
Step 4: Patching & Remediation
Goal: Provide actionable fixes for identified vulnerabilities
Key Activities
Detailed patch descriptions
Specific code changes
Secure coding recommendations
Verification
Test patch fixes vulnerability
Test patch retains functionality
Re-run PoC to confirm fix
Re-do local testing to ensure complete remediation
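The following block is an added example, not code from the original notes or from any real target. It ties Steps 2 to 4 together on a hypothetical string-built SQL query: an in-memory SQLite table stands in for the local backend replica, `lookup_user_vulnerable` is the flawed function, `POC_PAYLOAD` is the one read-only request that proves the flaw (the safe kind of PoC the notes ask for), `lookup_user_patched` is the fix, and `verify_patch` performs the verification step by re-running the PoC against the patch and checking that legitimate lookups still work.

```python
"""PoC, patch and verification for a hypothetical string-built SQL query.

Added example for these notes. The functions, table and payload are
constructed for illustration; the structure (PoC -> patch -> re-run PoC
-> regression check) is the point.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Step 2 stand-in: a local replica of the backend with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn


def lookup_user_vulnerable(conn, name: str) -> list[tuple]:
    """Before the patch: the query is built with string formatting."""
    query = "SELECT id, name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_user_patched(conn, name: str) -> list[tuple]:
    """After the patch: the value travels as a bound parameter."""
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Step 3: one request that proves the flaw. A read-only tautology is used so
# the same payload is safe to replay against the real target: it never
# modifies or deletes data, which is the safety requirement above.
POC_PAYLOAD = "x' OR '1'='1"


def poc(lookup) -> bool:
    """Return True if the injection returns rows it should not."""
    rows = lookup(make_db(), POC_PAYLOAD)
    return len(rows) > 0


def functionality_check(lookup) -> bool:
    """Regression check: legitimate lookups still behave after the patch."""
    conn = make_db()
    return (lookup(conn, "alice") == [(1, "alice", "admin")]
            and lookup(conn, "nobody") == [])


def verify_patch(before, after) -> dict:
    """Step 4 verification: PoC worked before, fails after, features kept."""
    return {
        "poc_before": poc(before),
        "poc_after": poc(after),
        "functionality_after": functionality_check(after),
    }


if __name__ == "__main__":
    result = verify_patch(lookup_user_vulnerable, lookup_user_patched)
    print(result)
    assert result == {"poc_before": True, "poc_after": False,
                      "functionality_after": True}
```

`verify_patch` is the check worth keeping in the project's test suite: a patch that makes `poc_after` false but also breaks `functionality_after` is not a remediation, and a PoC that never returned true against the unpatched build proves nothing about the fix.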
Comparison: Whitebox vs Secure Coding

Aspect   | Whitebox pentest            | Secure coding review
---------|-----------------------------|------------------------
Scope    | Interesting functions only  | Entire codebase
Depth    | Deep on priority items      | Rolling coverage
Goal     | Find exploitable vulns      | Ensure secure code
Exploit  | Full PoC required           | Request/process enough