web_application_pentester.md

Not The Hidden Wiki - Learning Paths

👋 Web Application Pentester - Intro

A web app penetration tester is a specific type of penetration tester who focuses on internet-facing web applications. Many of these apps handle personally identifiable information (PII) like credit card data or health records. It’s in a company’s best interest to hire a web app penetration tester to perform pen testing and vulnerability assessments that meet regulatory compliance.

In general, the role of penetration tester is not an entry-level job – you must gain IT and cybersecurity experience first. This is especially true for a web app penetration tester. Employers will expect candidates to understand how to identify scripts in various software deployments and explain how they used various tools during the phases of a penetration test.

Web application penetration testing is the practice of simulating attacks on a system in an attempt to gain access to sensitive data, with the purpose of determining whether a system is secure. These attacks are performed either internally or externally on a system, and they help provide information about the target system, identify vulnerabilities within them, and uncover exploits that could actually compromise the system. It is an essential health check of a system that informs testers whether remediation and security measures are needed.

Junior Level

💪 Web Application Pentester - Basic Skills (What you need to know before you start this path)

• Basic programming knowledge: SQL, PHP, JavaScript, python
• Understanding of networking concepts
• Experience with Windows, Linux systems

🔧 Web Application Pentester - Tools

• BurpSuite
• nmap
• gobuster
• FFuF
• SQLMap
• metasploit
• Katana
• Feroxbuster
• WAFW00F
• jwt_tool
• PHPGGC
• Aquatone
• ysoserial
• ysoserial.net
• WhatWeb
• droopescan
• CMSeeK
• graphw00f
• tplmap
• smuggler

📰 Web Application Pentester - Articles

In progress...

💥 Web Application Pentester - Platforms

• TryHackMe especially:
  • Junior Penetration Tester Path
  • Web Fundamentals Path
  • CompTIA Pentest+ Path
• Web Security Academy - important platform
• HackTheBox Academy especially:
  • Introduction to Web Applications
  • Web Requests
  • Using Web Proxies
  • Bug Bounty Hunting Process
  • Injection Attacks
  • Information Gathering - Web Edition
  • Attacking Web Applications with FFuF
  • SQL Injection Fundamentals
  • Blind SQL Injection
  • SQLMap Essentials
  • Advanced SQL Injections
  • Introduction to NoSQL Injection
  • File Inclusion
  • Command Injections
  • Broken Authentication
  • Web Attacks
  • File Upload Attacks
  • Server-side Attacks
  • HTTP Attacks
  • Abusing HTTP Misconfigurations
  • Introduction to Deserialization Attacks
  • Advanced Deserialization Attacks
  • Web Service & API Attacks
  • Parameter Logic Bugs
  • Modern Web Exploitation Techniques
  • Cross-Site Scripting (XSS)
  • Advanced XSS and CSRF Exploitation
  • Login Brute Forcing

🎓 Web Application Pentester - Courses / Certification

• eJPT
• CompTIA Security+
• CompTIA PenTest+
• HTB CWEE
• BurpSuite Certified Practitioner

🔓 Web Application Pentester - For a job interview you need to know:

In progress...

Regular Level

In progress...

Senior Level

In progress...