Moving Away From…

Preface: I’m not saying Web Security is not important. I’m saying I’ve learnt enough, I’m less inclined toward Web Security Research, Bug Bounties and CVE hunting in that space, and I would like to grow in Windows Security.
… Web security research
The space is extremely crowded with “freelance bug bounty hunters” who celebrate finding an SQL injection in an application that has been archived on GitHub with no code updates for 5 years, or who create a vulnerable application with a stupidly simple vulnerability but mask the details so it seems like they found an actual vulnerability in the wild.
After getting 6 CVEs, I found them to be very meaningless, and I’m even ashamed of publishing some of them because of the lack of technical depth and impact. To me, it used to be this mythical thing to achieve, but now I see CVE hunting as a waste of time. The number of published CVEs for vulnerabilities found in low quality sites like https://phpgurukul.com/ or https://www.sourcecodester.com/ is astounding. I got 2 CVEs this way just to get my feet wet with the process of getting a CVE, but I would never acknowledge or showcase them.
I do respect people who go deep into the Web space like James Kettle, and there were times I aspired to do research at that level, but maybe I’m just bored of web research. Web security is still important and needed, but I think I’ve grown and learnt enough in this space and won’t be taking CWEE from HTB.
Instead, I’m moving my research focus to the Windows environment which covers quite a few areas:
  1. APT techniques
  2. Malware creation
  3. EDR evasion
  4. Active Directory
I feel more drawn towards this space, mainly because it’s not that crowded: you don’t have random people contributing to the Windows environment. It’s a closed system managed by Microsoft where most of the time you’re finding vulnerable configurations as opposed to vulnerable code, and abusing these configurations to achieve certain objectives. If you do find a piece of vulnerable code in the Windows space, you’ve essentially found a Zero Day, which is a big achievement.
Researching techniques to bypass enterprise level EDR and Windows Defender feels much more complex and satisfying to look into rather than trying to bypass:
if session["admin"] == True: ...
I don’t find myself embracing my “tech” side enough in Web research, but Windows research requires me to write code, compile binaries, and play around with user/kernel space, and that makes me feel good when I do find something (like an undocumented DCOM method to LFI, or Phantom DLL hunting).
Also, Happy New Year! This shift would probably be my New Year’s resolution. A few certs I have in mind already:
  1. Active Directory
     1. All the stuff from Altered Security: CRTP, CRTE and CRTM
  2. EDR Evasion
     1. Their new EDR evasion course https://www.alteredsecurity.com/evasionlab
  3. Wrap up on Malware Dev, compile binaries for each of the techniques, and possibly do an EDR bakeoff