Web Application Penetration Testing: How Do You Get Started? - Part 1
Beginner's guide to Web Application Penetration Testing
Websites play a significant role in the internet as we know it. If the internet-facing websites are not routinely patched, they are extremely vulnerable to cyberattacks and a lucrative target for hackers.
The demand for skilled web application penetration testers is on the rise, as per the report here:
“The US Bureau of Labor Statistics (BLS) projects 35 percent job growth for information security analysts, including penetration testers, between 2021 and 2031.” - Coursera
The good news is that most of the information you need to learn and become a web application pentester is available for free, thanks to the awesome people who make this content.
I’ve put together a list of free courses that anyone can follow to learn and practice the necessary skills.
Broadly speaking, there are four main categories of foundational skills.
Linux and using the command line
Understanding some of the fundamental ideas, such as "What is the Internet?" and how it functions, is very valuable.
Understanding of the OSI model and how we can visualize the traffic through Wireshark
Linux and using the command line:
It is helpful to learn how to use a Linux operating system, especially one like Kali Linux which is custom-made for penetration testing. This video from The Cyber Mentor is well-designed and also goes over the basics of shell scripting.
Understanding some of the industry's core concepts, such as the CIA Triad (Confidentiality, Integrity, and Availability), threat modeling, cryptography, and reverse engineering, is essential for developing a comprehensive understanding of this field.
Professor Messer’s updated course on security+ is very useful.
Python is currently the most versatile programming language, and it is quickly becoming one of the most valuable skills in IT security. The ability to automate tasks increases an individual's productivity level and significantly increases their chances of landing a job. Companies such as Google already require security engineers to go through rounds of coding interviews.
There are numerous Python coding tutorials available, but I also recommend learning Python in the context of networking and cybersecurity.
In Part 2, I will go over more tailored courses to learn about topics such as OWASP Top 10 and hacking vulnerable servers such as DVWA and OWASP Juice Shop.