Hello and welcome!
In this post, we will cover the following topics to help you prepare and practise on the way to becoming a good web-app pentester:
- What is Web-app Pentesting?
- Books to Read
- Where to Practice?
- Tools to Use
- Value of Web-app Pentesting
What is Web-app Pentesting?
Web-app pentesting is the practice of testing a web application to find the security vulnerabilities it contains. Web apps have become extremely popular in recent years, partly because of the convenience cloud infrastructure offers. Before that, when building a desktop application, developers had to decide which operating systems it would run on and build for each one: Linux, Windows, Solaris, etc.
Now, companies can deliver their applications through the browser and sidestep that problem, since anyone with a browser can reach the site. But with the introduction of new technologies comes the introduction of new vulnerabilities, and this is where we pentesters come to the rescue.
Books to Read
There is a lot to learn when it comes to website pentesting. There are many services and protocols to understand, as well as how websites, web servers and databases fit together. This can be extremely overwhelming to a newcomer, but staying organised with your learning process and having a true passion for the subject will get you up to speed in no time.
I was watching a YouTube video on how to learn web-app pentesting and it recommended the book:
The Web Application Hacker’s Handbook 2nd Edition
I will admit, I am still reading this book as I write this post, but it teaches you from the ground up how all the different protocols, services, etc. work and communicate with each other. Currently, I am on the 4th chapter and I understand the HTTP protocol, proxies, cookies, response headers, encoding, and much more. It is definitely a heavy read, totaling about 850 pages; but hey, the more information you take in, the more you understand about web apps, which is a must. This book is great for anyone who wants to learn how web apps work and how to exploit their vulnerabilities. I picked up this book because it teaches you these concepts about the inner workings of websites from a hacker's perspective, which is perfect for the OSCP.
Where to Practice Your Pentesting Skills
There are many free resources I have found to practise cross-site scripting, DNS cache poisoning, etc. I will give my honest opinion on each resource and what my experience with it was like:
OverTheWire: Natas
OverTheWire is my choice for practising my pentesting skills in general, as I have had a great experience and learned a lot from them. In my other post, I talked about Bandit, which is geared towards beginners (which I finished, yes I am bragging, leave it at that) and what an amazing resource it is to take advantage of. In Natas, you have to log into each level's website and find the password for the next level. To find the password, you have to go through the source code of the page, modify HTTP requests, and much, much more. It definitely helps you develop a process for attacking a website, which is important to becoming a great hacker. I recommend working on Natas while reading the book, so you have a healthy balance of learning new concepts and doing hands-on work.
PortSwigger Academy
PortSwigger, the maker of Burp Suite (one of the most important tools to learn for web-app pentesting), has made a free academy for you to go through and practise your pentesting skills. When I started this academy, in my honest opinion, it did not seem organised at all. They have a nice balance of readings and labs to go through, but there was no guidance on where to start. They offer many different subjects within web-app pentesting, and each subject has its own labs, which is actually amazing, but I was confused about which one I should start on.
Another thing I did not like is that their readings did not hold enough information for you to complete their labs. Granted, I am not asking for any hand-holding whatsoever (go look at Natas, there is zero hand-holding and you are all on your own), but I would look at the solution to a lab and think "Dude, how the hell am I supposed to know how to do that?" The academy is like that one professor who teaches a super interesting class but has crappy lectures that do not hold enough context or information. I say use this academy to practise your pentesting skills, as the labs are awesome, but do not rely on the readings as your source of learning.
Other free resources I have not checked out yet, but have heard great things about:
Tools to Use
With web-app pentesting, there are various tools out there that help you get your pentesting skills going!
Intercepting Proxy
An intercepting proxy (software that sits between your browser and the internet) is crucial when pentesting. What is a proxy? you may ask. A network proxy is a gateway between you (the client) and the internet; it sees all the traffic between you and every website you visit. With an intercepting proxy, you can capture the HTTP requests travelling between you and the server and modify, drop or resend them, or alter them in any way that helps you gain information (sometimes extremely important information, like user logins and session tokens) about the website you are attacking. One thing to set up first: to intercept HTTPS traffic, you have to install the proxy's own CA certificate in your browser, otherwise every site will show a certificate error. The intercepting proxy I have been using to practise my web-app pentesting is Burp Suite; the free Community Edition includes the proxy, Repeater and Decoder tools, which is enough to get started (the active scanner is Pro-only).
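To make the "capture, modify, resend" step concrete, here is an added example (not part of the original post and not Burp Suite's code) that does by hand what you would do in Burp's Proxy tab: parse a captured POST request, change a cookie value and a form field, and re-serialise the request with a corrected Content-Length. The request, hostname, path, session cookie and form fields are all constructed for the example.

```python
import urllib.parse
from typing import Dict, Tuple

# Constructed sample: a captured form POST as it would appear in an
# intercepting proxy. The host, path, session token and form fields are
# invented for this example.
CAPTURED_REQUEST = (
    b"POST /account/transfer HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123; role=user\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"amount=10&to=alice%40x"
)

Request = Tuple[str, str, str, Dict[str, str], bytes]


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into method, target, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return method, target, version, headers, body


def parse_cookies(cookie_header: str) -> Dict[str, str]:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'} (order preserved)."""
    cookies: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def build_request(method, target, version, headers, body) -> bytes:
    """Re-serialise the request. Content-Length is recomputed because a
    stale value after editing the body is the classic reason a hand-edited
    request gets rejected or truncated by the server."""
    headers = dict(headers)
    if body or "Content-Length" in headers:
        headers["Content-Length"] = str(len(body))
    lines = [f"{method} {target} {version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


def tamper(raw: bytes, cookies: Dict[str, str], fields: Dict[str, str]) -> bytes:
    """The 'modify and forward' step: override cookie values and form fields
    in a captured request and return the bytes you would send on."""
    method, target, version, headers, body = parse_request(raw)
    jar = parse_cookies(headers.get("Cookie", ""))
    jar.update(cookies)
    headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
    form = dict(urllib.parse.parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True))
    form.update(fields)
    new_body = urllib.parse.urlencode(form).encode("iso-8859-1")
    return build_request(method, target, version, headers, new_body)


if __name__ == "__main__":
    # Change the role cookie and the form fields, then show what would be forwarded.
    print(tamper(CAPTURED_REQUEST, {"role": "admin"}, {"amount": "999", "to": "mallory"}).decode())
```

The point of the example is the two things a proxy has to get right that are easy to miss when editing by hand: cookie and form values have to be re-encoded the same way the browser encodes them, and Content-Length has to match the new body (Burp does this for you when its "update Content-Length" option is on, which it is by default).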
Reconnaissance Tools
Kali Linux ships with a bunch of tools that help us understand exactly what we are attacking. One thing you will learn in pentesting in general is that you need to confirm, to the best of your ability, what software the target is running, what operating system it uses, which ports are open, which protocols it speaks, etc. That is why you do reconnaissance on the target before performing any attacks at all. The following tools help gather information about a website:
- nmap – a port scanner that identifies which ports are open on the server and which services are listening on them
- BuiltWith.com – type in the website you are attacking and it shows the frameworks, plugins, analytics, web hosting provider and more
- wpscan – a scanner specifically for WordPress sites. It enumerates the WordPress version, plugins, themes and usernames, checks them against known vulnerabilities, and can brute-force passwords from a wordlist
- whatweb – fingerprints the technologies behind a site: server software and version, CMS and plugins, JavaScript libraries such as jQuery, and security-related response headers such as X-XSS-Protection
- Other common information-gathering tools are listed in Top 25 Kali Linux Penetration Testing Tools
Remember, practice makes perfect: learn how to use these tools, and if you own a website you can test it for vulnerabilities and see what you can exploit to gain access. Only scan and attack systems you own or have explicit written permission to test; port scanning and probing someone else's site without authorisation is illegal in most places.
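As an added example (not whatweb's code and not from the original post), here is the passive half of what a fingerprinting tool like whatweb does, run on a single constructed HTTP response: read the Server and X-Powered-By headers, pull the CMS generator tag and jQuery version out of the HTML, check which cookies lack the HttpOnly and Secure flags, and list which common security headers are missing. The response, hostname, cookie names and version strings are all invented for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample response; the host, cookies and version strings are
# invented for this example and do not describe any real site.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.29 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.2.24\r\n"
    b"Set-Cookie: PHPSESSID=d41d8cd9; path=/\r\n"
    b"Set-Cookie: wordpress_logged_in_1=x; path=/; HttpOnly\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b'<html><head><meta name="generator" content="WordPress 5.2.4">'
    b'<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>'
    b"</head><body>hi</body></html>"
)

# Headers whose absence is worth noting during recon, in report order.
SECURITY_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
)


def parse_response(raw: bytes) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP response into status line, header list and body.
    Headers are kept as a list because Set-Cookie legitimately repeats."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body.decode("utf-8", "replace")


def cookie_flags(set_cookie: str) -> Tuple[str, Dict[str, bool]]:
    """Return the cookie name and whether HttpOnly / Secure were set on it."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.lower() for p in parts[1:]}
    return name, {"httponly": "httponly" in attrs, "secure": "secure" in attrs}


def fingerprint(raw: bytes) -> Dict[str, object]:
    """Passive fingerprint of one response: server stack, CMS, JS library,
    cookie hardening and missing security headers."""
    _, headers, body = parse_response(raw)
    first: Dict[str, str] = {}
    for name, value in headers:
        first.setdefault(name.lower(), value)  # first value wins, case-insensitive
    cookies: Dict[str, Dict[str, bool]] = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cname, flags = cookie_flags(value)
            cookies[cname] = flags
    gen = re.search(r'<meta\s+name="generator"\s+content="([^"]+)"', body, re.I)
    jq = re.search(r'jquery[^"\']*\.js\?ver=([\d.]+)', body, re.I)
    return {
        "server": first.get("server"),
        "powered_by": first.get("x-powered-by"),
        "generator": gen.group(1) if gen else None,
        "jquery": jq.group(1) if jq else None,
        "cookies": cookies,
        "missing_security_headers": [h for h in SECURITY_HEADERS if h.lower() not in first],
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Everything here comes out of one response the site sent you anyway, which is why this kind of fingerprinting is quiet compared with a port scan or a wpscan run. Record the versions and the missing-header list in your notes before you start attacking; they tell you which software to look up and which classes of bug (clickjacking, MIME sniffing, session theft via a non-HttpOnly cookie) the site has not defended against.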
Value of Web-app Pentesting
In my situation, studying for the OSCP, it is a MUST to get a very good understanding of web-app penetration testing. But there is more value in learning web-app pentesting: bug bounties, where companies open up their websites or open-source projects for people to test, and pay whoever finds a bug. Depending on the severity of the bug, the payout can range from $0 to $10,000+. This is definitely one of the most valuable skills to learn as a pentester, and it will serve you well in the near future if you enjoy doing it.
Conclusion
Web-app pentesting is becoming a more popular niche in the cybersecurity field (and a more lucrative one). As more technology infrastructure moves to the cloud, the need for security testing rises. As a beginner trying to get into this field, I highly, highly, highly recommend you read the book I mentioned above. It is a heavy read for a reason: there is a lot you need to know as a web-app pentester, and if you get really good at it you can make a side hustle out of bug bounty programs.
As a learner, I get the most out of my time when I balance reading and note-taking with applying what I have learned to the hands-on challenges that are littered all over the internet.
Get started on your journey, and if you have any questions just bang our line at: [email protected].
I’ll catch you all next week and thanks for reading!
Peter