How to Research & Reverse Web Vulnerabilities 101

src/pentesting-web/web-vulnerabilities-methodology.md

@@ -131,5 +131,64 @@ These vulnerabilities might help to exploit other vulnerabilities.
 - [ ] [**Parameter Pollution**](parameter-pollution.md)
 - [ ] [**Unicode Normalization vulnerability**](unicode-injection/index.html)
 
+## Reversing & Researching Web CVEs: Patch Diffing and Runtime Debugging
+
+When advisories are vague, reproducible research starts by cloning the affected stack, watching requests reach the insecure sink, and validating the vulnerable primitive through the patch diff. A repeatable workflow greatly accelerates PoC and detection authoring.
+
+### Reconstructing the target stack
+
+- Mirror the exact vulnerable release (version, build ID, feature flags, optional modules). For closed products harvest vendor changelogs, support docs, forum exports, or MSP mirrors to recover installers and default deployments (edge-facing vs internal).
+- Replicate production topology: same app server (Tomcat, IIS, node CLI, PHP-FPM), SSL offloading, reverse proxies, tenant modes, and external dependencies. Minor differences (e.g. extra module, hotfix rollup) often eliminate the vulnerable code path.
+- Document bootstrap steps, credentials, and dataset so the environment is easily rebuilt when you later diff, debug, or validate mitigation.
+
+### Runtime debugging playbooks
+
+- **Java / JVM**: start Tomcat or standalone launch scripts with `-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005` and restart. In IntelliJ IDEA, import every product JAR via *Project Structure → Libraries*, create a *Remote JVM Debug* profile (host/port matching the JDWP listener), and set breakpoints in controllers, filters, deserializers, and template renderers. Use *Evaluate Expression* on suspended requests to inspect headers, cookies, and body parsers as payloads traverse toward dangerous sinks.
+- **.NET (Framework/Core)**: load assemblies into ILSpy, dotPeek, or dnSpyEx to recover readable C#, search namespaces referenced in release notes, and attach their inbuilt debuggers to the IIS Express/Kestrel worker. Break on controllers, middleware, or helper classes referenced by the patch and watch how unsanitized input reaches file, process, or auth routines.
+- **Node.js**: instrument the service with `node --inspect` (or `--inspect-brk` to halt on entry) and attach VS Code’s Node debugger. Break on Express/Koa route handlers, middleware, or templating hooks to confirm which query/header/body fields reach sinks such as `child_process.exec`, `fs.readFile`, or ORM helpers.
+- **PHP**: enable Xdebug, point VS Code or PHPStorm to the listener, and break at the front controller, router, parameter normalizers, and file/system call sites. Stepping through legacy superglobal handling exposes traversal, include, or SQL injection primitives hidden behind convoluted glue code.
+
+### Patch diff workflow
+
+- When vendor patches are not published, decompile both vulnerable and fixed builds (e.g. `jadx` for JARs, `ilspycmd` for .NET, `unzip` + diff for PHP) and compare them with Git to spotlight the security fix:
+
+```bash
+mkdir -p /tmp/cve-reverse && cd /tmp/cve-reverse
+jadx -d vulnerable-src /path/to/vulnerable.jar
+jadx -d patched-src /path/to/patched.jar
+cp -r vulnerable-src repo && cd repo && git init
+git add . && git commit -m "vulnerable version"
+rsync -a --delete ../patched-src/ .
+git add -A && git commit -m "patched version"
+git --no-pager diff HEAD~1 HEAD > ../patch.diff
+```
+
+- Focus review on freshly added guards (auth checks, header normalizers, path canonicalizers), new helper functions, or altered call arguments. Each change usually reveals the missing precondition that an attacker can violate.
+
+### CVE triage & primitive extraction
+
+- Prioritize advisories exposing pre-auth network surfaces, default configurations, or low-complexity triggers—especially where vendor notes mention header trust, serialization, templating, or path normalization mistakes.
+- Small, surgical diffs (single conditional, newly wrapped sink, swapped validator) normally indicate a stable exploit primitive and are ideal hunting grounds for variants across the same product family.
+- Use debugger traces plus diff context to express the primitive precisely: *“unvalidated `X-Proxy` header is parsed before auth and later passed into YAML deserialization.”*
+
+### Safe PoCs & detection templates
+
+- Derive the smallest reproducible HTTP interaction that reaches the vulnerable branch (distinct body field, crafted header, traversal path). Keep it side-effect free: target read-only endpoints, reversible writes, or time-based markers.
+- Version-pin PoCs and always replay them against at least one fixed build as a negative control to prove the indicator disappears post-patch.
+- Convert the trigger into a [Nuclei](https://github.com/projectdiscovery/nuclei) template with raw HTTP requests, explicit status/body matchers, optional `dsl` duration checks for timing primitives, `stop-at-first-match: true`, bounded redirects, and method-specific timeouts. Split templates when OS-specific normalization (Windows vs Linux paths) or tenancy modes require separate payloads.
+
+### Knowledge management for repeatability
+
+- Maintain a per-CVE folder structure under VCS (Git + Git LFS for large artifacts):
+  - `lab-notes.md` for chronological hypotheses, payloads, dead ends, and environment quirks.
+  - `lab/` for Docker/compose manifests and debugger configs.
+  - `requests/` for Burp exports or raw HTTP reproductions.
+  - `diffs/` for decompiled source trees and `patch.diff` files.
+  - `detections/` for PoCs, Nuclei templates, and validation logs.
+- Log even partial primitives (odd normalization, limited info leaks, timing anomalies). Revisiting these “quirks” later often enables chaining into full pre-auth RCE once a compatible sink or gadget is found.
+
+## References
+
+- [ProjectDiscovery - How to Research & Reverse Web Vulnerabilities 101](https://projectdiscovery.io/blog/how-to-research-web-vulnerabilities)
 
 {{#include ../banners/hacktricks-training.md}}