I get the question a lot, how to get into pentesting. I think the shortest way to do that is through web pentesting and in this post I will explain why do I think that.
I have three main reasons why I think learning web assessment is the fastest way to get into the pentesting business:
1) Web is everywhere.
I don’t know whether you noticed but more or less everything has a web interface. And I am not talking about the normal web applications on the Internet, which by the way would still provide enough work for all current pentesters for their lifetime. I also mean IoT and embedded devices. Have you noticed for instance that when you withdraw money from an ATM it gives you the same clicking sound as old Internet Explorers. They do that because they run old Internet Explorers :). So they are basically web applications running in an ATM looking box. Also basically 99 % of embedded devices have a web interface. Like trains, cars, home control systems, your fridge, etc…
2) Market demand
The most trivial attack surface of a product or company is their website and there were quite a few hyped attacks in the past couple of years. So when you ask somebody what they would protect first, they would say that their website. All these built up an acceptable level of security aweraness in the web world. This is still lacking for instance in the embedded or control system world. These led to a very high market demand for web assessments. I think right now it is very difficult to find a pentesting job where you wouldn’t do web assessments. Even if you do a network assessment, you will find web application in the network that you will need to test. Most of the consulting companies have around 80% web assessments.
3) The “easiest” to learn
Compared to the other fields of security assessments, web is a very pentester friendly topic. Starting with the fact that HTTP is a plain text protocol. It is much easier and faster to manipulate general web application traffic then some weird proprietary protocol. Also easier then reversing a binary and exploiting a buffer overflow. Although these are also super interesting topics, I only say that web is the easiest to learn.
Probably there are hundreds of other reasons why to learn web pentesting, but I think these are the most significant. And with that let me elegantly change the topic to promote my own course. Ohh, did I just say that out loud. Damn. Anyways, you knew already that I was working on it. So I created a full blown web hacking course cleverly called Web Hacking – Become a Web Pentester. Check it out, there is a Promo video where I explain everything and there are quite a few preview lecture that anybody can watch. The normal price is $180, but for my readers I created a coupon code the give you the course for $20. So use the following link:
or the use the coupon code:
Otherwise let me know what you think about web pentesting.