
In 2023, there are more resources to learn new skills and progress than ever. However, this industry is also moving and growing rapidly, and more isn’t necessarily better. The phrase “drinking from a fire hose” comes to mind. Today we’re going to be looking at a path you can take that will help you on your journey to becoming a web application penetration tester or application security engineer.

It’s likely that you already have some skills and knowledge, so there is no need to follow this blindly from start to finish. Make sure to apply it to your situation and your needs.

Prefer to watch instead of read? You can find the corresponding video here.

Web Application Pentest Path

Fundamentals of Web Applications

Before we dive into what you need to know, let’s take a moment to consider that our knowledge will never be complete. Furthermore, you don’t need to let these sections get in the way of doing the things you want to do. For example, if you want to learn about SQL injection and do some CTFs or bug bounty, go for it. Nothing should stand in your way, but make time to learn the fundamentals too. Not all in one sitting, and certainly don’t think that you need to “complete” this before you can start getting more hands-on with the fun stuff, but over a period of time, some of your studies should be dedicated to this.

What are the fundamentals?

You should have a good grasp of:

  • How web applications work
  • Differences between client-side and server-side
  • Common architectures
  • Common databases

Develop some basic programming skills

Not everyone wants to hear this, but if you’re working in technical roles in Cybersecurity, it’s likely that learning some programming skills will be a huge advantage to you. Realistically, it’s not that hard either; it just takes some consistency. Here is a video dedicated to this topic.

What languages should we learn?

For web application penetration testers and application security engineers:

  • JavaScript
  • Python and/or a server-side language

JavaScript is used in almost every single web application; you’ll see it on 99% of your engagements. The only time we usually don’t see JS is when we’re testing APIs, and even then the backend might be Node.js.

Python is an excellent language for automating tasks and writing exploits or PoCs. It can also help you test scenarios that are unusual or some edge cases that your usual set of tools doesn’t cover.

What are the best resources to learn programming?

Security & network concepts

Our next step is really in the direction of security. We need to start to understand what it means to secure our applications and the surrounding infrastructure. Whilst we might specialise in a specific layer, having a good overview of the full stack, and of how we can apply security measures to different parts of it to achieve defence in depth, is really important. Working in silos and focusing too much on one piece of the puzzle means we lose oversight of security as a whole.

Some of the key things we want to start to read up on are:

  • Web application security
  • Basic networking
  • Containers and container security
  • Server and database security

A great resource to get started on many of these topics is the OWASP Cheatsheet Series. Once you have the basic grasp of a topic, you can decide if you want to dive deeper.


Common vulnerabilities and tools

So now we need to really start honing our craft. Whilst it’s widely quoted and referenced, there’s actually a lot more to web application security than the OWASP Top 10. That’s not to say it isn’t useful: the OWASP Top 10 list is a great starting point, and any web application penetration tester or application security engineer should know and understand these categories in detail. But really, they are the fundamentals.

The best resource for starting out here is undoubtedly PortSwigger’s Web Security Academy, and if you prefer video content over text, check out Rana Khalil’s YouTube channel here.

Certifications and further practice

I recommend trying to gain at least one security-related certification. This will set you apart from a lot of candidates when applying for roles. There isn’t really an industry leader for web application pentesting certifications, so choose something that you feel demonstrates your level of skill. Personally, for web application security, I’d recommend taking PortSwigger’s Burp Suite Certified Practitioner.

Once you’ve built some confidence, sign up to TryHackMe and start to go through some of the easier web CTFs. They will showcase common vulnerabilities and also help you develop your methodology and enumeration skills. If you’re stuck, don’t be afraid to check the writeups; just be sure to give it a good attempt before you do. Generally, when I work on CTF machines like this, if I don’t make progress within an hour, I’ll look at a writeup for hints or to see if I’ve missed something. This is a great opportunity to update your notes and continue learning.