Advice for new pentesters

PentesterLab
Mar 23, 2017 (5 min read)

We put together some advice for new pentesters; we hope you find it useful!

Be precise

One of the key issues new pentesters have is a lack of precision. It’s especially annoying when communicating by email or instant messaging.

One of the most common examples is:

“I can’t access the web application.”

“Can’t access” on its own means nothing…

  • Do you have DNS resolution for the host?
  • Is the TCP port accessible (hping is your friend)?
  • Is the web server available but you have the wrong virtual-host?
  • Is the web server available but the application throws an error?

In the same way:

“I can’t log in.”

It’s not precise enough…

  • Can you access the application (see above)?
  • Can you access the application and can’t log in because the credentials are wrong?
  • Can you access the application and can’t log in because the application crashes?
  • Do you have a message saying why?

Accuracy in the information you provide is an essential skill when working (remotely) with others on the same pentest. As a new pentester, being accurate is easy and will make working with you easier…
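As an added illustration (this code is not from the original post), here is a small Python script that walks the layers listed above in order and stops at the first one that fails, so the answer to "can you access the app?" comes out as "DNS fails", "port closed", "wrong virtual host" or "application error" instead of "I can't access it". The hostnames, addresses and the fake step functions are constructed for offline use; the status-code mapping (404/421 as a likely wrong vhost, 5xx as an application error) is a reasonable heuristic, not a rule.

```python
"""Layered connectivity check: turns "I can't access the web application"
into a precise statement of which layer failed (DNS, TCP, vhost, app)."""
import http.client
import socket
import ssl


def default_resolve(host):
    """DNS layer: first IPv4 address for host; raises OSError if none."""
    return socket.gethostbyname(host)


def default_tcp_connect(ip, port, timeout=5):
    """TCP layer: open and close one connection; raises OSError on failure."""
    with socket.create_connection((ip, port), timeout=timeout):
        pass


def default_http_get(host, port, vhost, path, use_tls, timeout=5):
    """HTTP layer: one GET with an explicit Host header -> (status, reason)."""
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, resp.reason
    finally:
        conn.close()


def diagnose(host, port=443, path="/", vhost=None, use_tls=True,
             resolve=default_resolve, tcp_connect=default_tcp_connect,
             http_get=default_http_get):
    """Check each layer in order; the step functions are injectable so the
    logic can be exercised without network access."""
    vhost = vhost or host
    try:
        ip = resolve(host)
    except OSError as exc:
        return {"layer": "dns", "ok": False,
                "detail": f"no DNS resolution for {host}: {exc}"}
    try:
        tcp_connect(ip, port)
    except OSError as exc:
        return {"layer": "tcp", "ok": False, "ip": ip,
                "detail": f"TCP port {port} on {ip} not reachable: {exc}"}
    try:
        status, reason = http_get(host, port, vhost, path, use_tls)
    except (OSError, http.client.HTTPException) as exc:
        return {"layer": "http", "ok": False, "ip": ip,
                "detail": f"port open but no HTTP response for Host {vhost}: {exc}"}
    report = {"layer": "http", "ok": True, "ip": ip, "status": status}
    if status in (404, 421):  # 421 Misdirected Request; 404 on "/" often = wrong vhost
        report.update(ok=False, layer="vhost",
                      detail=f"server answered {status} {reason} for Host {vhost}: "
                             "likely wrong virtual host (or wrong path)")
    elif status >= 500:
        report.update(ok=False, layer="application",
                      detail=f"server reachable but application returned {status} {reason}")
    elif status in (401, 403):
        report["detail"] = f"application reachable, access denied ({status} {reason})"
    else:
        report["detail"] = f"application reachable: {status} {reason}"
    return report


def precise_message(report):
    """The one line to paste in chat instead of "I can't access it"."""
    return f"[{report['layer']}] {report['detail']}"


# Constructed fakes (no real hosts) so the decision logic runs offline.
def fake_resolve_nxdomain(host):
    raise socket.gaierror("Name or service not known")


def fake_resolve_ok(host):
    return "192.0.2.10"  # TEST-NET address, constructed


def fake_tcp_refused(ip, port, timeout=5):
    raise ConnectionRefusedError("Connection refused")


def fake_tcp_ok(ip, port, timeout=5):
    return None


def fake_http_status(status, reason):
    return lambda host, port, vhost, path, use_tls, timeout=5: (status, reason)


if __name__ == "__main__":
    # Real run against a host of your choosing; default TLS on 443.
    print(precise_message(diagnose("app.example", vhost="app.example")))
```

Run the script as-is against a target in scope and paste the printed line into the ticket or chat; when a step fails, the report already names the layer and the observed error text.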

Don’t only focus on security

To stay up to date, you should read about security. But you should also read about what developers and system administrators do: which software is trendy, which tools (Docker, Ansible) and libraries (JWT for example) are now used everywhere… If people are using something more and more, it’s likely that you will need to look into it in the near future.

You also need to learn about work methodology. If you have never heard of Agile development, DevOps and so on, things are going to get awkward really quickly if you work with startups, for example.

It’s also a really good way to get a talk at a local conference. Find the latest subject people are talking about in the development community and add the word “security” in front of it. If you are one of the first people working on this subject, you are likely to be accepted at a conference. Most attendees are after new content; this is why most conference organisers readily go for this kind of presentation.

Don’t work on your own

Especially when you start in security, avoid working on your own: you are likely to miss something. You need more than one brain to perform a pentest, and every tester has their own knowledge and methods. Mixing testers on a pentest is a good way to ensure that the test is performed correctly. For example, some testers will be looking at finding all the bugs while others will focus on finding the hard-core stuff. It also depends a lot on how well each tester knows a technology; working with someone will show you new tricks, things you didn’t think about, or new ways to test something.

Internet is not forever

A common mistake that most people make is to think that information or websites will always be there. Unfortunately, you will quickly learn (at your own expense) that websites disappear and information gets removed. That’s why you probably want to save important information such as:

  • Exploits, exploitation write-ups, bug reports;
  • Scripts and tools;
  • Documentation and write-ups.

Nothing is more frustrating than realising that the blog post with a working exploit for CVE-XXXX-XXXX you read 2 days ago has disappeared and no one mirrored its content.
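Saving a copy is only half of it: six months later you also want to know where it came from, when you saved it, and that the local copy has not been altered. As an added example (not from the original post), this Python script keeps each saved document under its SHA-256 in a local store and appends one JSON line per save to a manifest, so a reference can later be cited as URL + hash + date and re-verified. The store layout, the manifest format, the sample URL and the sample content are constructed for illustration.

```python
"""Local, integrity-checked archive of references (write-ups, exploits, docs)
so they survive the original source going offline."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST = "manifest.jsonl"  # one JSON record per saved copy


def archive(store_dir, url, content, note=""):
    """Store content under its SHA-256 and append an index record.
    Returns the record so the caller can cite url + hash + date later."""
    os.makedirs(store_dir, exist_ok=True)
    digest = hashlib.sha256(content).hexdigest()
    blob_path = os.path.join(store_dir, digest)
    if not os.path.exists(blob_path):  # identical bytes from two URLs: stored once
        with open(blob_path, "wb") as f:
            f.write(content)
    record = {
        "url": url,
        "sha256": digest,
        "bytes": len(content),
        "saved_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }
    with open(os.path.join(store_dir, MANIFEST), "a", encoding="utf-8") as f:
        f.write(json.dumps(record) + "\n")
    return record


def lookup(store_dir, url):
    """All saved copies of a URL, oldest first."""
    path = os.path.join(store_dir, MANIFEST)
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as f:
        return [r for r in map(json.loads, f) if r["url"] == url]


def verify(store_dir, record):
    """Re-hash the stored blob; False means the local copy is altered or gone."""
    blob_path = os.path.join(store_dir, record["sha256"])
    if not os.path.exists(blob_path):
        return False
    with open(blob_path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == record["sha256"]


def self_check():
    """Exercise the workflow in a throwaway directory with constructed content."""
    sample_url = "https://blog.example/poc-for-CVE-XXXX-XXXX"  # constructed
    sample = b"# Write-up (constructed sample)\nanalysis goes here\n"
    with tempfile.TemporaryDirectory() as store:
        rec = archive(store, sample_url, sample, note="saved before it vanishes")
        found = lookup(store, sample_url)
        intact = verify(store, rec)
        # Simulate the local copy being corrupted after the save
        with open(os.path.join(store, rec["sha256"]), "ab") as f:
            f.write(b"tampered")
        return {"records": len(found), "intact": intact,
                "after_tamper": verify(store, rec), "sha256": rec["sha256"]}


if __name__ == "__main__":
    print(self_check())
```

In day-to-day use, point `archive()` at a directory you back up and feed it the bytes you downloaded (an HTML page, a PDF, a tarball); the manifest is plain JSON lines, so grepping it for a URL or a CVE id is enough to find what you saved.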

Spend some time doing some code review

When you are doing penetration testing, you don’t necessarily have the time to look at the code behind a bug. However, reading vulnerable code is a really good way to get a better understanding of an issue (and of how to fix it).

If you don’t have access to source code as part of your daily testing, a good way to read some interesting code is to check the source code behind security advisories. You will find information on the vulnerable code (what you need to look for in your next test) and the patch (what you need to recommend if you find this type of issue). If you do that for well-known projects, you will probably learn about issues you have not seen before.

A good way to speed up penetration testing is to have both the application and the source code available. Some vulnerabilities are indeed easier to spot in a live application and others are easier to spot in the source code. It also allows you to find a vulnerability pattern in the application and check whether or not that pattern is repeated in the source code.

Don’t work on too many projects

Penetration testing requires a lot of focus, and it’s really hard to stay focused and provide a good test if you spend your time juggling projects. Ideally, you should only work on one project at a time and have at least one non-billable day between two projects. This day can be used for the following tasks: updating your system, keeping notes on your previous test, working on a specific issue/bug, researching your next test…

The same applies to your research: don’t work on too many things. You want to go deep on a few subjects rather than be average at a lot of things (read more: T-Shape Skills).

Read security news

But… instead of spending your time reading all the security news you can find, pick one bug/vulnerability and work on it!

Dig deeper, maybe write a small detailed explanation of it, share it or publish it on a blog. You will get far more value from inspecting one issue deeply to understand its cause and consequences than from reading hundreds of security bugs without paying attention to the details.

Furthermore, it helps you stand out from the crowd. When a vulnerability is found in a product, hundreds of people will tweet about it or comment on social media. Only a few people will do a deeper analysis and provide exploits or additional information. Be one of them!

To conclude

Thanks for reading; we will probably add more advice in the future. In the meantime, you should probably check out our free bootcamp if you’re looking to improve your skills!

PentesterLab

PentesterLab provides online exercises to learn web penetration testing. You can learn more about PentesterLab by visiting https://pentesterlab.com/