Learn WebApp Pentesting: 2023 edition

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
if you want to become a web application penetration tester or security engineer in 2023 this is how you do it I'm going to show you a path but not just tell you and have you blindly follow but explain why each part is there and give you practical tips on getting the most out of your study time this isn't just a one two three do this set then that formula it's all about building the foundations and the right mindset and habits so that you have a long successful and exciting career in the world of application security if you enjoy this video don't forget to like And subscribe let's dive in the Knowledge and Skills to be a successful web application penetration tester are actually quite different to that of network penetration testing our path is going to look something like this the fundamentals of web apps some basic programming Network and security Concepts tools and common techniques and then we'll talk about certifications and experience at the end here's my advice though on following this path stay flexible if you don't feel like doing some Dev work today and you just want to do a CTF then do that instead don't punish yourself for missing a day or doing something a little bit different than what you had planned Perfection is a myth but consistency is going to lead you to some amazing things so with that let's dive into the fundamentals there are some key things here that we really need to get under our belts to be successful this includes however applications work what technologies exist HTTP https HTML CSS javascripts now there are a lot of web related Technologies and you don't necessarily need to know them all but understanding things like how templating engines work and the difference between the front end and the back end Technologies is really really important later on you might decide to specialize in a specific technology or technology stack but you still need to know generally what's out there to have a high level understanding of the strengths and weaknesses of different systems and architect and where can we go to learn all of this well my advice is to start with YouTube there's a great crash course on HTTP on the traversing media channel and web dev simplified has a whole series with introductions to HTML SQL modern development and a lot more in terms of learning resources in 2023 there's really no shortage of free and paid resources available let's move on to some basic programming learning how to read and write code is a skill that will pay dividends throughout your entire career and in 2023 there's no excuse for lacking in this area there are more courses on programming than you can shake as stick outs but why is it important learning some basic developments and building some applications will help you tune into how web applications work and also enable you to go much deeper in the future with things like code review now a lot of the time people also say do I need to be a developer no the goal of learning Sim development is to understand how applications work not just memorize syntax so to get started here are two great resources that are free the first is free code camp and the second is the Odin project definitely worth checking out and putting some time into developing your skills let's talk about some other fundamental knowledge that we're going to need basic web app security knowing about input validation the differences between block lists and LL lists and why things like hard-coded secrets are bad is really really important and since we want to make sure that we have relevant and up-to-date knowledge understanding the basics of how servers and networks work as well as containers should also be considered fundamental knowledge the best way to learn these things in my opinion is to wrap your application in Docker build a web server deploy your app and do all of the necessary configuration to get things working experiences like this really shape you as a security professional they can turn your theory into practical skills that you can apply another resource I'd like to share is the wasp cheat sheet Series this gives you concise information on a huge range of topics for example take a look at the docker security cheat sheet after you've deployed your app and see what you missed from a security perspective it's also handy if you need to check some minor points or get familiar with the best practices on a certain topic quickly so with common vulnerabilities and tools let's talk about tools first you need to know your way around burp suite and also a directory Buster or buzzer of your choice you need to understand how enumeration tools work and of course you need excellent notes taking skills your best bet is to learn the basics of all of these tools and then improve your knowledge and understanding of them as you're doing practical things like Capture the Flag or actual pen tests most of the tools within web application security are designed to be fairly easy to use so no need to go nuts here common vulnerabilities need to be your bread and butter you need to spend a lot of time studying these vulnerabilities how they work and how to exploit them not just because it'll make up a large proportion of your testing but knowing common vulnerabilities inside and out will help you find these vulnerabilities more quickly it will help you pass job interviews it will help you your understanding so that you can chain vulnerabilities together and finally if you're reporting or presenting your findings you'll be able to better explain what the issue is and the impact the number of people I've interviewed who have years of experience but couldn't explain cross-site request forgery to me is frankly embarrassing the OAS top 10 is a really common topic to be tested on in interviews so you'd be doing yourself a disservice if you couldn't clearly explain every category on the list and give some examples or scenarios aside from the O wasp top 10 check out the learning path on portsmiga's web Security Academy everything here is common vulnerabilities or fundamentals that you really need to know and this actually kind of links us nicely to our next topic hands-on experience if you're just starting out try and get at least one security related certification under your belt it will really pay dividends when you're applying for your first security role you also want to start honing your skills on platforms like try hack me or pen tester lab and if you have time try to improve your methodology a bit by going over things like the owasp testing guidelines and learning a bit about the phases of a penetration test so with our path out of the way there are a number of things that we can do to increase our chances of Landing a job in the appsec industry now these things are building some kind of online presence to Showcase your projects and skills you could contribute to open source projects or start to get Hands-On with tools like semgrap and other vulnerability scanners and it's definitely worth refining your interview skills by practicing answering questions and really make sure that you can explain any common vulnerability as though you are talking to a five-year-old a quick bonus tip for those who are interested in CTF competitions and these can be a little bit like Marmite some people love them and some people hate them but for web application security specifically ctfs are actually a great way to build your skills even when the challenges are unrealistic and why is that well it forces you to try and understand what's going on do research and think outside the box and in an industry where every application we come up against is essentially bespoke following only the rules and guidelines that the developer or the team that built it chose it's a skill that we really need to develop now getting started with ctfs can be tough so the best way to do it is join a team and read lots of write-ups if you want to find upcoming events and teams check out ctftime.org that's a great place to get started so that's all I have for you today and I hope that was helpful it's likely that most of you already have some skills or knowledge in some areas so if that's the case don't start from scratch build on what you know nothing is really set in stone good luck on your journey and I'll see you next time
Info
Channel: The Cyber Mentor
Views: 23,482
Rating: undefined out of 5
Keywords:
Id: wiK1o3b783U
Channel Id: undefined
Length: 8min 9sec (489 seconds)
Published: Mon Apr 17 2023
Related Videos
Top 3 Programming Languages for Cybersecurity in 2023
The Cyber Mentor
29K
Web App Penetration Testing - Introduction To HTTP
HackerSploit
48K
Oil Shock | Bloomberg Surveillance 12/07/2023
Bloomberg Television
36K
Ethical Hacking 101: Web App Penetration Testing - a full course for beginners
freeCodeCamp.org
1.7M
Hacking APIs: Fuzzing 101
The Cyber Mentor
32K
Top Hacking Books for 2023
David Bombal
320K
Application Security 101 - What you need to know in 8 minutes
Snyk
21K
Beginner Web Application Hacking (Full Course)
The Cyber Mentor
244K
Beginner Bug Bounty Course | Web Application Hacking
Ryan John
168K
Hacking Web Applications (2+ hours of content)
The Cyber Mentor
71K
Simple Penetration Testing Tutorial for Beginners!
Loi Liang Yang
479K
The best Hacking Courses & Certs (not all these)? Your roadmap to Pentester success.
David Bombal
247K
Appsec Careers in 2023 (is bug bounty right for you?)
The Cyber Mentor
8.6K
2023 WebApp Pentesting/Hacking Roadmap // How To Bug Bounty
NahamSec
51K
How to Be An Ethical Hacker: 2023 Edition
The Cyber Mentor
77K
What is the BEST Hacking Platform?
The Cyber Mentor
27K
Googles GEMINI Just SHOCKED The ENTIRE INDUSTRY! (GPT-4 Beaten) Full Breakdown + Technical Report
TheAIGRID
1.7M
3 Things I Wish I Knew. DO NOT Go Into Cyber Security Without Knowing!
Cyber Tom
287K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.