How to become a web pentester

I spent quite some time trying to figure out the answer to this question when I created my online training with the clever title “Web Hacking: Become a Web Pentester“. In this post I will try to summarize what I learnt when I looked at my own career and what we look at when we hire new people to my team.

Process

Since this post is about ‘how to become a web pentester‘ first I wanted to give an overview of the process that I find most efficient:

1. Establish a security mindset
2. Acquire technical knowledge
3. Learn attack techniques
4. Acquire social skills
5. Create proof-of-knowledge

Let’s go through these points one by one.

Security Mindset

One thing that is probably more important then the technical knowledge is what I call here ‘security mindset’. This is a point of view or way of thinking. Most of the people that work in IT security don’t necessarily have technical knowledge, but they have a security mindset. This means that they can look at systems, and more broadly the world, in a critical way that helps identify things that can go wrong or can be maliciously exploited.

I originally worked as a normal software tester, and if you read any book about testing, it will have a chapter called the “Psychology of Testing”. This chapter will tell you that while a developer’s goal is to write good code, the tester’s goal must not be to prove that the code is bug free. The tester’s goal must be to find bugs. Because if he tries to prove that the code does not have bugs, then he will never have success. The tester must train himself to be happy when he finds a bug. Because otherwise he will unconsciously not test things that might actually fail. This is, for instance, why developers shouldn’t test their own code, because they want it to work. But the tester wants it to break, so they will test the code with the meanest tests.

This is the same with security but instead of just focusing on functionality problems one needs to keep security in mind. How could this system be cheated? How can be a protection bypassed? What data is confidential and how can I access it? Etc. You need to develop this constant assessing mindset where you always look for things that could go wrong.

How to learn it:

You can consciously train your mind for this. Wherever you go in the world try to look for security weaknesses. It doesn’t have to be computer systems, it could be anything, for instance:

• You fly somewhere and pay attention whether your identity is checked at all while you get to the plane. Sometimes they check you many times but only your boarding pass and never your ID.
• You go to concert and you notice that there is a door where nobody checks the ticket.
• When you go to a cinema your ticket is checked but not invalidated, so with 2 tickets you could bring in as many people as you want.

Technology

Obviously big part of pentesting is technical skills. However this is something that you will never stop learning. There will be always new tools, new frameworks. I think the goal here is to get the basics and keep developing yourself as you work. Here is what I think is the basics:

• HTTP: You need to understand the HTTP protocol, how requests are sent to the server and how responses are sent back. Fortunately HTTP is fairly simple so this shouldn’t be difficult.
• SSL: since it is used in HTTPS, it is good if you understand how it works. On an average pentest you don’t have to do too much with SSL but it is necessary to know what that is.
• Web applications: you need to have a general understanding about how web applications work. I recommend to look into PHP, because that is a pretty traditional way of programming web applications, and look into MVC frameworks such as django or Ruby on Rails, which are rather the more modern way. I don’t think you need to be a web developer to be a good pentester, but you need to be able to imagine what could be happening on the server when you test the application.
• Browsers: you need to have a basic understanding how browsers work, because that is one half of the attack surface. Here I mean things like, how pages are rendered, how cookies work, how the Same Origin Policy works, etc..
• JavaScript: 99% of web applications use JS to some degree. So it is necessary to understand how it is used in the browser (i.e., XMLHttpRequest) and at least be able to read JS code and debug it in the browser.
• Networking: for pure web testing you don’t necessary need a deep understanding of the underlying network stack (TCP/IP), but it is a plus for sure.
• HTML: since it is still the base of all web pages HTML is pretty essential to understand.

What I listed here is the minimum, or the core of what you need to know. The stronger your IT knowledge is the better. And as pentester you need to be ready to learn about any exotic corner of IT.

Attack Techniques

Of course you will have to know the basic attack techniques. Partly because they are the first you need to check in every app, and also because they help you understand how attacks work which will be good when you start building your own attacks. I think the OWASP Testing Guide or at least the OWASP Top 10 is a really good starting point. Here is a must know list:

• Cross-site scripting
• Cross -site request forgery
• Direct URL access
• Session hijacking
• SQL injection

This list might seem short but as I said this is the must. Also the first thing you do when you start testing an application should be to research the technology in use whether there are documented attack techniques against it. This way you will build up your arsenal pretty fast.

Practice, practice, practice

The best way to acquire knowledge is to challenge yourself, and the challenges will force you to learn. This means that independently from your skill level you should always practice. It is like learning a language, you shouldn’t wait with speaking to people until you feel that you are perfect (mostly because that never happens), but you should rather start talking and practicing from the very beginning.

Fortunately there are a lots of ways nowadays to practice hacking (without legal problems):

• Download open source software and start to test that.
• Do capture-the-flags (ctftime.org)
• Test websites which have a bug bounty program (a good list of bug bounties: https://www.bugcrowd.com/bug-bounty-list/)
• Test educational websites, such as
  • Hackthissite.org
  • Webgoat
  • Damn Vulnerable Web Application

Social Skills

Whether you are a hard core nerd or not (I am pretty introvert myself), you need to understand that a pentester is a consultant. Usually you will have ‘Consultant’ on your business card instead of ‘Pentester’ anyway. What this means is that you will need to be able to effectively communicate with your customers. There are two main things you need to focus on:

1. Report: this is really important. The single output of your work is the pentest report. You could be the most l33t hacker on the world, if your report is crap then your customer will think that your work is crap. So your report needs to be very clear, objective, and easy to understand. Don’t misunderstand me, everybody hates report writing, but it is a very important part of the job.
2. Communication with the customer: you will have to do some verbal and written communication with the costumer before, during, and after the pentest. You will mostly talk with management, because they are the people who pay you, so you need to be able to explain everything to people who are not necessarily technical people. You will also need to talk to the developers and explain them your findings, without offending them.

Proof-of-Knowledge

In my point of view the most important thing when you are looking for a job is to be able to prove that you actually know what you say you know. Yes the work experience and jobs look great on your CV and that might pique the attention of the recruiter, but whether you are chosen or not depends on how well you can show what you know. A great way to do this is to document whatever you do. So when you do any of the things I recommended in the ‘Practice, practice, practice‘ section find a way to document it. Here are some ideas:

• Write a blog about the things that were interesting
• Create youtube videos about your hacks
• If you code anything upload it to github

You can put all these on your CV, it will show more about your knowledge as the highschool where you went.

Resources

Let me just list here a couple of resources that could be useful.

• [Book] The Web Application Hacker’s Handbook https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470
• [Book] OWASP Testing Guide https://www.owasp.org/images/1/19/OTGv4.pdf
• [Checklist] Web Application Assessment Checklist http://aetherlab.net/waac
• [Checklist] OWASP Top 10 Vulnerabilities https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• [Online Training] AETHER Lab: Web Hacking: Become a Web Pentester http://aetherlab.net/y/ho
• [Online Training] AETHER Lab: Learn Burp Suite, the Nr. 1 Web Hacking Tool https://hackademy.aetherlab.net/p/burp-suite
• [Live Training] SANS SEC542: Web App Penetration Testing and Ethical Hacking https://www.sans.org/course/web-app-penetration-testing-ethical-hacking

Tools

There is only one tool, which I find absolutely essential for web testing, and that is the Burp Suite. For the rest I don’t think it makes sense that I write my own list here when there is already awesome tool lists out there. Check this out and scroll to the web part (you will also find other great resources here):

https://github.com/enaqx/awesome-pentest

Summary

I think web pentesting is not rocket science and it is a great way to get into hacking. I wrote another post about why to get into web pentesting there I explain the details. But the point is to start learning and practicing. The learning will never be over but you can start working pretty fast.

It is great if you read the whole article, let me know what you think. What was or what is your experience in becoming a web pentester? Let me know in the comments.