Web Application Penetration Testing Study Plan

This study plan is organised around milestones: work through it, tick off the checkboxes you can cover, and the more you close, the stronger a candidate you are for the role. It also assumes you have already gone through, and are comfortable with, the Common Security Skills study plan.

First, to be clear about what you need to learn to be a pentester: pentesting is a different role from bug bounty hunting, Red Teaming and so on, but to excel in any of those roles you need to be good at pentesting. Knowing pentesting does not automatically make you a Red Teamer or bug bounty hunter, but a Red Teamer is certainly a very good pentester. Likewise, vulnerability assessment is not pentesting, although VAPT (Vulnerability Assessment and Penetration Testing) is a common skill required for pentester jobs.

In short:

  1. Pentesters are offensive security folks who try to find as many security vulnerabilities as possible, assess the risk and exploit as much as possible. They can act as internal or external attackers against the organization.
  2. Red Teamers are not concerned with finding every security gap; their goal is to find one way in, exploit it and then move laterally through the environment to reach the most valuable data they can.
  3. Whether you join a bug bounty platform is entirely a matter of your preference and available time.

Read more here about Pentesters vs Red Team

Usually it takes about 6 months to become good enough at the fundamentals to land an entry-level job.

ToC:

  1. Pentesting Concepts - 6 weeks
  2. Tools of Trade - 2 weeks
  3. Lab Practices - 8 weeks
  4. Books (Read 1-2 books) - 2-3 months
  5. Videos
  6. Courses - Try to complete at least one course (1-2 months)
  7. Certifications - on your bandwidth and wish

Pentesting Concepts

Go at your own pace, but make sure you understand the basic security concepts very well: HTTP security response headers, brute force, DoS, XSS, CSRF, injection, IDOR, JWT, etc.

Basics

  1. Understand the various HTTP methods (PUT vs POST, UPDATE vs PATCH) and how to leverage the OPTIONS method.
  2. Ability to interpret response status codes.
    1. What does it mean if you get a 200 when you tried something malicious?
    2. What can you do when you get a 403?
    3. Try to trigger a 500 status code: why does it happen, and what does it reveal?
    4. Learn which status codes a pentester is glad to see, and why.
  3. Understand HTTP headers very well, especially response headers; you will need them constantly during a pentest.
  4. TCP 3-way handshake
  5. How SSL works
  6. Basics of security terminology
  7. Essential security concepts

Security Concepts

You can find the majority of these security concepts in the OWASP Cheat Sheet Series.

For each concept, understand what it is, how it can be vulnerable, and how you can either exploit or mitigate it.

  1. Understand how proper implementation of authentication (AuthN) and authorization (AuthZ) contributes to robust security, and what an attacker can do when it is missing.
  2. How sessions and cookies can be vulnerable, bypassed or exploited
  3. In-depth understanding of XSS
  4. Some REST concepts like CRUD
  5. Different types of injection, especially SQLi, RFI and LFI
  6. Mass Assignment
  7. CSP concepts
  8. SSRF
  9. Automated Bruteforce
  10. Credential Stuffing
  11. JWT Tokens
  12. Basics of encoding, decoding and hashing
  13. Session Fixation, Session Hijacking
  14. 3rd Party Vulnerability checks and exploitations
  15. Understand the scope of work in black-box and white-box testing
  16. SAST vs DAST
  17. CORS

Advanced security skill sets

  1. Hands-on proficiency with the OWASP Testing Guide
  2. How to leverage a vulnerability to achieve RCE
  3. Learn how to test for OS Command Injection
  4. Understand what causes BOLA and BFLA and try to be good at testing these vulnerabilities
  5. Various weak cipher suites
  6. Advanced SQL Injection
  7. XML Injection, JSON Injection
  8. Understand SAML and LDAP Injection
  9. NoSQL Injection
  10. GraphQL Injection
  11. XXE Attacks
  12. Template Injection
  13. Deserialization

Tools of Trade

They say tools are not everything, but they play an important role in making you a better and more efficient penetration tester. Don't just be a tool junkie, though: understand each tool in depth, what it does, when to use it and how it works. I am not listing the many commercial DAST and SAST tools such as Acunetix, AppScan or Checkmarx. Kali Linux ships with almost every tool you need for a pentest, but I will explicitly mention a few of them here as well.

  1. Kali Linux (I am sure the majority of us use this)
  2. Burp Suite Pro or OWASP ZAP (really the bread-and-butter tool ;) )
  3. Metasploit
  4. nmap (you will use it every time you start a pentest)
  5. dirb
  6. nikto
  7. fierce
  8. dnsenum
  9. sqlmap
  10. Shodan
  11. BeEF
  12. Arachni
  13. wireshark
  14. hydra
  15. Cain and Abel
  16. w3af

Lab Practices

  1. Kontra for OWASP Top 10 for Web
  2. hackthebox
  3. tryhackme
  4. OWASP WebGoat
  5. OWASP JuiceShop
  6. PentesterLab
  7. AttackDefense Lab - recommended (you will need a paid subscription)
  8. DVWA

Books

  1. The Web Application Hacker's Handbook (read this first, or learn from Web Security Academy instead)
  2. OWASP Top 10 2021 Testing Guide (read this as the 2nd book)
  3. The Hacker Playbook 3: Practical Guide To Penetration Testing
  4. Real World Bug Hunting
  5. Web Hacking 101 by Peter Yaworski - pdf

Videos

  1. Penetration Testing for Beginners - Youtube
  2. Web Security Course - Playlist

Blogs / Other References

  1. exploit-db
  2. cve
  3. schneier on security
  4. KrebsonSecurity

Courses

It's up to you to pick paid or free courses to consolidate what you have learned so far and test how much you understand of web pentesting. Choose lab-based courses, though.

  1. Cybrary
  2. Pentester Academy - I liked a few of its courses:
    1. Python for Pentesters
    2. JavaScript for Pentesters
    3. Pentesting with Metasploit
    4. WAP Challenges
    5. Web Application Pentesting
  3. Introduction to Web Security from Stanford
  4. Pentesting for beginners
  5. Pentesting from EdX
  6. Web Security Academy (you can skip The Web Application Hacker's Handbook if you are learning from here!)
  7. Computer Systems Security from MIT

Certifications

Certifications get you past HR screening, but remember that real hands-on experience beats anything.

  1. CEH: not highly recommended, but good to start with if you don't know anything about security.
  2. eJPT
  3. eWPTXv2
  4. OSCP
  5. OSWE
  6. GPEN
  7. GWAPT

A list of other well-known cybersecurity certifications is given here.

Networking matters

Once you are on track and have got a feel for the field, it's time to:

  1. Make some good LinkedIn contacts in the security domain
  2. Find a mentor
  3. Make connections at security conferences, online and offline
  4. Publish some good hacking articles; they may cover basic concepts, but you must publish. Medium is a good choice.
  5. Join webinars and conferences
  6. Help someone who is still a beginner

By the time you have covered all these checklists, you will be well on your way to a good start in a web security role. All the best!

Whom to follow on Twitter

Why Twitter? Because many security professionals are very active there and often share cool stuff.

  1. Dave Kennedy
  2. Kevin Mitnick
  3. The Hacker News(THN)
  4. PortSwigger
  5. Dark Reading
  6. Defcon
  7. Nullcon
  8. NahamSec
  9. TryHackMe
  10. HackerOne
  11. BugCrowd
  12. OWASP
  13. Troy Hunt
  14. Jason Haddix
  15. Security Princess - Parisa Tabriz
  16. Binni Shah
  17. Random Robbie
  18. TomNomNom
  19. Aditya Shende
  20. Infosec Community
  21. Hacking Articles
  22. Harsh Bothra

Interview Questions

Possible web security interview questions are shared in a separate GitHub repo, to keep them aligned with the career roadmap guide.