How to Become a Web Application Penetration Tester


Discover how to embark on a career as a web application penetration tester with our comprehensive guide. Learn essential skills, tools, and certifications needed to excel in this dynamic field and safeguard digital assets against cyber threats.

Are you interested in cybersecurity and want to get into the technical world of web application penetration testing? This detailed guide will lay out a step-by-step strategy, with subjects to address and suggested resources to help you along the way. Although the article is about ‘how to become a web pentester’, first I wanted to start with an overview of the approach that I find most helpful:

  1. Establish a security mindset
  2. Acquire technical knowledge
  3. Learn attack techniques
  4. Acquire social skills
  5. Create proof-of-knowledge

Let’s explore these points one by one.

1. Security Mindset

An aspect that is probably more significant than technical expertise is what is known as the ‘security mentality’ (disclaimer: I saw this term somewhere but can’t remember where). This represents a point of view or way of thinking.

Most IT security professionals lack technical understanding but possess a security mindset. This means they can look critically at systems, and at the world as a whole, allowing them to discover things that may go wrong or be maliciously exploited.

If you read a book about testing, there will be a chapter titled “Psychology of Testing”. This chapter will explain that, while a developer’s purpose is to create good code, the tester’s goal should not be to establish that the code is bug-free.

It is exactly the opposite: the tester’s purpose must be to discover bugs. Because if he attempts to prove that the code is bug-free, he will never succeed. The tester must teach himself to be joyful and satisfied when he discovers a bug. Otherwise, he would automatically avoid testing items that may possibly fail.

This is also related to security; however, instead of focusing just on functionality issues, security must be considered. How could this system be cheated? How may a protection be bypassed? What information is confidential, and how can I obtain it? etc. You must cultivate a continual analyzing attitude in which you are always looking for potential problems.

2. Technology

Technical abilities are undoubtedly an important aspect of pentesting. However, this is something you will never stop learning. There will always be new tools and frameworks. I believe the idea here is to learn the basics and then continue to grow yourself while working. Here’s what I believe are the basic concepts:

HTTP: You need to understand the HTTP protocol, including how requests are routed to the server and how responses are returned. Fortunately, HTTP is quite straightforward, so this should not be difficult.

SSL: because it is used in HTTPS, it is useful to understand how it works. On average, a pentest does not require much work with SSL, but it is essential to understand what it is.

Web applications: You should have a general grasp of how they function. I recommend looking into PHP, which is a fairly traditional way of developing web applications, as well as MVC frameworks like Django or Ruby on Rails, which are more modern. I don’t believe you have to be a web developer to be a skilled pentester, but you should be able to visualize what may happen on the server when testing the application.

Browsers: You should have an understanding of how browsers function because they constitute nearly half of the attack surface. Here I’m talking about how websites are rendered, how cookies operate, how the Same Origin Policy works, and so on.

JavaScript (JS): it is used in 99% of online apps. As a result, understanding how it works in the browser (e.g., XMLHttpRequest) is required, as well as the ability to view and debug JS code in the browser.

Networking: While a thorough grasp of the underlying network stack (TCP/IP) is not required for pure web testing, it is undoubtedly beneficial.

HTML: Understanding HTML is fairly important because it still serves as the basis for all web sites.

This is a summary of the essential information that you should be aware of. The greater your IT knowledge, the better. And as a pentester, you must be prepared to learn about any unusual aspect of IT.

3. Attack Techniques

Of course, you’ll need to be familiar with basic attack tactics. Mainly because they are the first thing you should check in any app, but also because they help you learn how attacks operate, which will be useful when you start developing your own attacks. I believe the OWASP Testing Guide, or at least the OWASP Top 10, is an excellent starting place. Here’s a must-know list:

This list may appear short, but it is necessary, as I previously stated. When you initially start testing an application, you should examine the technology in use and see whether there are any revealed attack strategies against it. This way, you’ll be able to grow your arsenal quickly.

The best way to gain knowledge is to push yourself, and these challenges will compel you to study. This means that no matter your skill level, you should always practice. It’s similar to learning a human language; you shouldn’t wait until you feel great before speaking to others (mainly because that never happens), but rather start talking and practicing right away.

Fortunately, there are several methods to practice hacking nowadays (without legal consequences):

4. Social Skills

Whether you are a diehard nerd or not (I am an introvert), you have to acknowledge that a pentester is a consultant. In most cases, your business card will say ‘Consultant’ rather than ‘Pentester’. This implies that you will need to be able to interact successfully with your clients.

There are two major things you should concentrate on:

Report: This is important. The pentest report is the only result of your hard work. You might be the world’s most l33t hacker, but if your report is poor, your customer will assume your job is poor as well. As a result, your report must be extremely clear, objective, and easy to understand. Don’t get me wrong, everyone hates report writing, but it’s a necessary aspect of the work.

Communication with the customer and your team: You will need to communicate verbally and in writing with the customer before, during, and after the pentest. But you’ll usually communicate with management because they’re the ones who pay you, so you should be able to explain everything to them. Remember, they are not necessarily technical people. You’ll also need to communicate with the developers and explain your results without disparaging them.

5. Proof-of-Knowledge

When looking for a job, I believe the most crucial thing is to be able to demonstrate that you know what you say you know. Yes, your work experience and employment appear fantastic on your CV, and they may attract the attention of a recruiter. But hear me out on this: whether or not you are picked is determined by how well you demonstrate your knowledge. Documenting your activities is an excellent way to do this. So, if you perform any of the things I suggested in the ‘Practice, practice, practice’ section, find a way to document it. Here are some ideas:

  • Write a blog on what you found fascinating.
  • Create YouTube videos about your hacks.
  • If you code something, publish it on GitHub.

You may include all of this information on your CV; it will demonstrate your expertise as well as the high school you attended.


Let me just list here a couple of resources that could be useful:

