My 3 reasons why you should learn web pentesting

I get this question a lot: how to get into pentesting?

I think the shortest way to do that is through web pentesting and in this post I will explain why I do think that. I have three main reasons why I assume that learning web assessment is the fastest way to get into the pentesting business.

1) Web is everywhere.

I don’t know whether you noticed but more or less everything has a web interface. And I am not talking about the normal web applications on the Internet, which by the way would still provide enough work for all current pentesters for their lifetime. I also mean IoT and embedded devices. Fun-fact: have you noticed for instance that when you withdraw cash from an ATM it gives you the same clicking sound as old Internet Explorers. They do that because they run old Internet Explorers :). So they are basically web applications running in an ATM looking box. Also, basically 99 % of embedded devices have a web interface. Think about trains, cars, home control systems, even your fridge, etc…

2) Market demand

The most trivial attack surface of a product or company is their website and there were quite a few hyped attacks in the past couple of years. So when you ask somebody what they would protect first, they would answer right away : their website. All these built up an acceptable level of security awareness in the web world. This is still lacking for instance in the embedded or control system world, thus led to a very high market demand for web assessments. I think right now it is very difficult to find a pentesting job where you wouldn’t do web assessments. Even if you do a network assessment, you will find web application in the network that you will need to test. Most of the consulting companies have around 80% web assessments.

3) The “easiest” to learn

Compared to the other fields of security assessments, web is a very pentester friendly topic. Starting with the fact that HTTP is a plain text protocol. It is much easier and faster to manipulate general web application traffic than some weird proprietary protocol. Also easier then reversing a binary and exploiting a buffer overflow. Although these are also super interesting topics, I only say that web is the easiest to learn.

Probably there are hundreds of other reasons why to learn web pentesting, but I think these are the most significant. And with that let me elegantly change the topic to promote my own course. Ohh, did I just say that out loud. Damn. So I created a full blown web hacking course cleverly called Web Hacking — Become a Web Pentester. Check it out, there is a Promo video where I explain everything and there are quite a few preview lecture that anybody can watch.

Otherwise let me know what you think about web pentesting.