by guessmyname 2951 days ago
Disclaimer: I have been working as a security researcher for +5 years (web and mobile apps).

I personally use tools that report all the activity that a piece of software produces; most of that is TCP or UDP connections. Among the tools that I use are Wireshark, Burp Suite and mitmproxy. I also keep myself updated with techniques used by other researchers in other areas by collaborating on different forums and at networking events. I also have several hundred honeypots distributed around the planet, powered by OSSEC, to collect and analyze bad traffic.

Less than 3 years ago I switched to doing vulnerability research on mobile and desktop software, and a whole new world opened in front of me. Debugging HTTP connections is one of the most common tasks, and there are plenty of tools available out there; I have a small set of tools for network sniffing and analysis. Going deeper into the software, I frequently do black-box penetration testing (which basically means I don't have access to the source code), and so tools like IDA, Hopper Disassembler, Binary Ninja and Cutter are first-hand in my toolset.

> How do people there [Google Zero] decide upon a course of research?

• Someone tips you some information about suspicious activity,

• You are using the software as a regular user and notice something weird,

• You are interested to know how a piece of software works and diving into it reveals secrets,

• One of your honeypots and/or network sniffers alerts you about unwanted connections,

• The author of that software requests you to do some penetration testing for an audit,

• Someone found a small problem in the software and you dive in to try to find more,

• And more commonly, you are bored and want to pass the time doing something more boring :D


I feel like black box assessment is highly inferior to white box or whatever it is called, when you have access to source code. Huge waste of time for both company and security specialist. It is only acceptable for ongoing bug bounties.

Am I wrong? I'm not in the field, so I don't really know. I have lots of questions. Is it common for security consultancies to do only white box reviews, or would this not be a good decision business-wise? Is it common to charge for fixes to vulnerabilities found during an audit? What if the flaw is in an open source library?

Security consultancies will usually do whatever the client asks for, or try and cater exactly for their needs. This may result in either a white box attack or black box.

Usually the test will be done at a fixed price, with a fixed scope (what they are/aren't allowed to test). The result of this will usually be a report detailing the vulns, along with recommended fixes/remediations, and sometimes a 'post-fix test' to check whether the company has successfully remediated the issues.

White box testing tends to look at the system/application from an inside-looking-out perspective, whereas black box is an outside-in view. The benefit of white box is a very thorough assessment of the system, but this will be time-consuming and expensive. Black box, on the other hand, can simulate the likely attacks from an adversary and can sometimes be relatively quick, depending on the system's attack surface.

Hope this helps.

You're not wrong at all. Having access to code is far more efficient. My favorite type of assessment to get is when I get a test env and code access. It is uncommon though; a lot of companies are protective of their source code and don't want to hand it out to machines they don't totally control. In most cases when I get code access I either get a laptop from the client or a VPN and RDP onto a machine they control.

As for charging, I've never been paid based on findings, but based on time. If they fix while I'm testing that is great work by their team, but I'd prefer a stable test env so it's a bit annoying.

Libraries can be an interesting area. I focus my testing on code the client controls and only note known vulns in libraries they use. I have found issues in libraries before, and we report them to the client and work with them to disclose to the vendor if they want.

This is a great post. Wireshark, Burp Suite and mitm tools are all that I use. You'd be surprised how far you can get with Kali/Fiddler with most apps.

OWASP also is a great baseline to start recon.

But to add one more: most of the time it's because of misapplication or something not following good practice, and knowing this is only possible by being in the field for a while.

Would those three tools be enough to get started/find some bug bounties?