Learning Web App-Sec at PentesterLab

10 learning hacks on how to gain more from the PentesterLab Pro account.

After sharing my PentesterLab progress on Twitter, I got a couple of DMs and replies with questions regarding my personal experience. Most of the questions were about the time it takes to finish a challenge, whether the price of the labs matches the content, and a general rating of the labs.

This blog post tries to answer all these questions and further account for my learning experience at PentesterLab Pro. The suggestions provided here are totally personal and might even contradict another Pro user's. I welcome feedback, more questions and conversations around the same :)

1. Don’t Rush to Finish the Challenges

When I started the Pro Labs, I stumbled upon challenges that were way too easy. Earning the first badge felt good and I wanted to earn the second, third... you get it. However, if you find yourself rushing to finish the challenges rather than learning something new, slow down.

The labs are fairly cheap compared to other existing online labs; I can't find better web-hacking labs for such a price! We all learn and consume content differently: it might take me about 6 hours to fully understand the basics of serialization in Java, while someone else might spend about 3 or maybe 20 hours to learn the same thing. So when you subscribe to a Pro account at PentesterLab, don't fight to finish all the challenges in one month. Keep calm and learn something new in each lab challenge you solve.

2. Follow the Labs in the Order Provided

This second piece of advice continues the thought from the first. I have been using Linux for a good number of years now, and I was shocked to learn new tips and tricks in the first introductory lab, the Unix badge. The author of the labs has tried his best to make the labs friendly to anyone willing to dive into Web Application Security (Web App-Sec). It doesn't matter whether you are a pro or a newbie; the challenges are well structured from introduction and basics through medium to advanced topics.

Some tasks require skills you will learn from other challenges, so following the labs in order is an advantage. OCD got me stuck on one of the challenges: I could not move on until I solved it. When I got stuck for the first time (on the last CTF badge challenge), I realised the labs were meticulously and strategically structured in order of their complexity.

3. Try Solving the Challenges Before using the Guide

Most of the Introductory and Basic challenges have a simple-to-follow guide, and some have videos that show you how to solve them. I noticed the guides and videos are mostly available for challenges that introduce new concepts. To get into a problem-solving mindset, first try to hack the challenge without going through the guide or video. This will help you identify gaps in your attacking procedure and learn to probe an application independently, from your own perspective. This matters when looking for bugs in an application that other security analysts have already analysed, or when bug hunting.

4. RTFM

When I first encountered the word 'RTFM', I was in the Python IRC channel, trying hard to fix a trivial problem I was encountering with my setup. Someone offered some help and even gave me a few commands to run on my Linux box to get things in order. He finished with, "Next time if it doesn't work just RTFM", and my quick response was, "zsh: command not found: RTFM".

Working through the PentesterLab Pro labs and seeing how the author writes the guides brought home to me how important Reading The Frickin Manual is. A practical example: say you are learning how to fiddle with JSON Web Tokens (JWT); it makes more sense and saves you time to have the official JWT developer documentation beside you. The labs teach you how to hack rather than spending time detailing the fundamentals of a particular web technology.

5. Write Short Notes

One important skill we (techies) don't take seriously is documentation. I am sure you have encountered a well-written application or library that you could not fully utilise because it lacked proper documentation (you couldn't RTFM). Writing can be boring, especially if you lack the right tools and rarely practise.

When solving the Pro challenges at PentesterLab you will of course learn something new and, as said, you will find challenges that build on previously solved ones. Documenting your solutions will save you time on later challenges and also reinforce your knowledge of the problem solved, since you have to explain it in your own words.

Your organised personal notes of the new things you have learned will arm you with a good repository of attacking methods, payloads, exploits, PoCs and report templates that you can reuse in future related engagements. I personally use Ghostwriter (https://wereturtle.github.io/ghostwriter/), a distraction-free Markdown editor for Windows and Linux that can export to other formats including Microsoft's Docx, and organise my notes (and other resources) as shown below.

[Screenshot: high-level view of the badges]
[Screenshot: overview structure of a single badge]

6. Learn to Script

I can't stress this enough! Not only is this an important skill for the challenges, it is essential for your survival in the practice of application security testing. Whenever I find a step that I have to repeat more than 3 times now and then, it qualifies to be scripted :)

Personally, I love Python. It has wide library support, nice documentation and an easy-to-follow syntax. However, I still spend time writing Bash, Perl and Ruby scripts. Once you learn and master one high-level programming language you'll find the rest easy to comprehend, and you'll even notice some similarities. For web application automation, start by teaching yourself the basics: write a script that connects to a website, makes web requests and checks things like session handling (authentication, cookies, etc.).
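As an added example (not from the original post), here is the kind of small Python script the paragraph recommends as a starting point: it makes a request with the standard library, collects the Set-Cookie headers and reports which session-cookie hardening attributes (Secure, HttpOnly, SameSite) each cookie is missing. The URL and sample headers are constructed for illustration; nothing here is specific to PentesterLab.

```python
"""Fetch a page and audit its Set-Cookie headers (Python 3.8+, stdlib only)."""
import urllib.request
from http.cookies import SimpleCookie

# Boolean flags a session cookie should carry; their absence is worth reporting.
REQUIRED_FLAGS = ("secure", "httponly")


def audit_set_cookie(header_values):
    """Map each cookie name to the list of hardening attributes it lacks.

    header_values: raw Set-Cookie header values as sent by the server.
    Returns e.g. {"sessionid": ["secure", "samesite"]}; an empty list means OK.
    """
    findings = {}
    for raw in header_values:
        jar = SimpleCookie()
        jar.load(raw)  # parses "name=value; Path=/; Secure; HttpOnly; SameSite=Lax"
        for name, morsel in jar.items():
            # Flags parse to True when present and to "" when absent.
            missing = [flag for flag in REQUIRED_FLAGS if not morsel[flag]]
            # SameSite carries a value (Lax/Strict/None) rather than a flag.
            if not morsel["samesite"]:
                missing.append("samesite")
            findings[name] = missing
    return findings


def fetch_set_cookie_headers(url, timeout=10):
    """GET the URL and return every Set-Cookie header value from the final response."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    # Constructed sample headers so the script runs offline; swap in
    # fetch_set_cookie_headers("https://example.invalid/login") against a lab host.
    sample = [
        "sessionid=abc123; Path=/; HttpOnly",
        "csrftoken=deadbeef; Path=/; Secure; HttpOnly; SameSite=Strict",
    ]
    for cookie, missing in audit_set_cookie(sample).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie}: {status}")
```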

7. Read CVEs and Bug Bounty Reports

What I like most about the PentesterLab Pro challenges is that the examples are drawn from real-life cases. You don't learn hypothetical stuff or break into unrealistic vulnerable web apps that you will not easily find in your application security testing engagements. Therefore, make a habit of digging up the details of a CVE entry, getting the affected application version and testing out any PoC provided. Learn the thought process of the security researcher and understand what to look out for in your own security testing engagements.

Another great resource for real-life examples of how other security researchers analyse and probe web applications is public bug bounty reports. You'll find interesting perspectives on how others organise and run their manual tests. I personally enjoy reading Bugcrowd and HackerOne (H1) reports; you can check H1 reports and write-ups here: http://h1.nobbd.de/

When tackling a challenge on PentesterLab Pro, also make sure to use Google to find published write-ups for similar vulnerabilities identified in bug bounty or CTF programs. I usually search for something like "jwt bug bounty write up" when I'm working on JWT challenges; this gives me a chance to relate the process to finding similar bugs in real-life cases.

8. Enroll in a Bug Bounty or CTF program

This continues the point made in 7. You want to practise what you are learning on PentesterLab Pro and strengthen your skills, and there are no better places to do that than bug bounty and CTF programs. Bug bounty programs especially, since you get paid for each valid submission, based on the quality of your report and the program's guidelines.

I like playing CTF challenges; they stretch my imagination when it comes to problem solving. They also keep you humble after you have tried every method you can think of to break into an application. You will expand your network of people with similar interests and different skills, and get more creative when practising application security testing.

Check out https://ctftime.org/ for upcoming CTF challenges and try out the following:

9. Read All the PentesterLab Blog Posts

PentesterLab has a blog where new updates on the labs, testimonials and related application security testing tips are published. Keep an eye on the blog (https://blog.pentesterlab.com/) and follow them on Twitter as well (you'll connect with other PentesterLab Pro subscribers). If you are just getting started and need a clear path into web application security testing and general information security, please follow the Bootcamp guide provided on PentesterLab: https://pentesterlab.com/bootcamp

10. Share your Experience

If you are a Pro user of PentesterLab and you are having fun learning new stuff, find time to share with your friends. Spread the word and organise web security meetups, talks and brown bag sessions. PentesterLab provides light ISO images and some pretty slides to run hands-on sessions during your meetups.

Have fun and share your winnings. When PentesterLab helps you get a bug bounty, blog about it. And just in case you happen to be reading this blog post and you are not yet a Pro member of PentesterLab, please use this link to register: https://pentesterlab.com/referral/ia7klDWLzMEtCg ; there are options for students, individuals and a special option for corporates to track their employees' growth.

Bonus

PentesterLab assumes you know how to use a web proxy like ZAP or Burp Suite. Make sure to spend some time learning how to use a proxy. Get comfortable with Linux and practise with your favourite text editor (the author likes Vim). Personally, I love Burp Suite and Vim as well; you can find a free starter guide on YouTube on how to use Burp Suite, or check out the full training (available for free) at http://hackademy.aetherlab.net . For a text editor, just roll with whatever you feel comfortable with.

I also recommend the following books for starters:

Happy Web AppSec testing with PentesterLab Pro.