Reconnaissance
Before attacking, they gather intel:
| Technique | Reveals |
|---|---|
| Page source, JS files | API endpoints, framework version |
/robots.txt, /sitemap.xml | Hidden pages, admin panels |
| Error messages | Stack traces, database type |
| HTTP headers | Server software, missing security headers |
| GitHub search | Leaked creds, internal docs |
Assume attackers know your stack and your API surface.
Parameter manipulation
GET /api/orders/12345 # Your order
GET /api/orders/12346 # Someone else's?
GET /api/admin/orders # Admin endpoint with user token?
GET /api/orders?userId=admin&status=all
Check permissions on every request based on who's asking, not just whether they have a valid token.
Privilege escalation
| Type | Example |
|---|---|
| Vertical | User gains admin |
| Horizontal | User A accesses User B's data |
| Context | Free tier gets premium features |
Vectors: role field in request body, unsigned JWT payload, admin endpoints hidden only by UI, race conditions during permission checks.
Bug chaining
Low: Username enumeration
+
Low: No rate limiting on password reset
+
Medium: Predictable reset token
=
Critical: Account takeover
A "low" severity bug is only low in isolation.
Attack surface
Network: Web endpoints, APIs, admin panels, health checks, webhooks, file uploads.
Data: Forms, URL params, headers, cookies, file uploads, request bodies.
Indirect: Email processing, third-party integrations, queue messages, CI/CD inputs.
Prioritise: unauthenticated endpoints, file uploads, sensitive data, elevated privileges, forgotten endpoints.
Broken assumptions
| Assumption | Reality |
|---|---|
| "Client-side validation prevents bad input" | Trivially bypassed |
| "Only admins can access /admin routes" | Unless the server checks |
| "Nobody will guess that URL" | Predictable IDs, directory brute-forcing |
| "File upload only accepts images" | MIME type checks are easily faked |
STRIDE
| Threat | Question |
|---|---|
| Spoofing | Can I pretend to be someone else? |
| Tampering | Can I modify data I shouldn't? |
| Repudiation | Can I deny it happened? |
| Information disclosure | Can I see data I shouldn't? |
| Denial of service | Can I make it unavailable? |
| Elevation of privilege | Can I gain higher access? |
Walk through each letter for every endpoint.
Practical testing
Browser DevTools:
- Network tab: Watch every request, note endpoints and params
- Application tab: Check cookies/localStorage for tokens
- Sources: Read client-side JS for hardcoded secrets
Intercept and modify (Burp Suite, OWASP ZAP):
- Capture a normal request
- Change the user ID to another user's
- Change the role from "user" to "admin"
- Remove the auth header entirely
- Add unexpected fields to the JSON body
The takeaway
The best time to think like an attacker is while you're still writing the code.