
Getting Started in Web Application Penetration Testing

As the complexity and diversity of our connected systems expand, the need for specialized offensive security skills is increasing. In particular, specialization in application security has been forecast to drive the growth in penetration testing services. Combined with the allure that comes with breaking into systems as a career, it’s no surprise there are many interested in breaking into the field itself.

That there is no formal route into such a career is both a challenge and blessing. On the one hand, it can be difficult to put yourself on the right course to maximize your success in landing a position. There is no professional program or designation that will guarantee your success. On the other hand, this absence also means there are few strict requirements for landing a job. Because of this, most firms have developed processes to assess technical skills and knowledge rather than relying on education or credentials. This is good news for motivated candidates who test and interview well.

These days, there is no shortage of freely available online material for self-directed learners to become capable application penetration testers. Absent still is what I would consider a fully fledged curriculum or program that provides all the foundational knowledge and skills while instilling a proper understanding of and intuition for methodology and exploration. After all, application testing is at its core an act of exploration and discovery. Skilled penetration testers do not strictly follow a predetermined set of tests, but deeply engage the complexity and novelty that comes with each unique application. The importance of this aptitude is best exemplified by the state of dynamic application vulnerability scanners; these are automated tools that have a place in application security programs, but are unable to detect and exploit the majority of security issues and vulnerabilities that a skilled tester can.

This post is not an indictment against vulnerability scanners (I will save this for another post), but a collection of resources and recommendations for those aspiring to become application penetration specialists. The content is drawn from my own expertise and experiences as a trainer, teacher, manager, and application penetration tester. While many application security specialists come from a development background, this is not a strict requirement. Though coding abilities are expected to advance in this field, my team has hired testers from a range of backgrounds and they have all found success. No assumptions will be made other than the following: you must be a technically competent computer user. That said, web security is not generally considered an entry-level field and you will have a long learning journey ahead if you are entirely new to software and technology.

The material provided will focus on web security and web application penetration testing. Even if your interests are outside the web (for example, in mobile applications), I would nevertheless recommend beginning here. Assessing mobile applications, for example, requires building on web knowledge. I have interviewed candidates for mobile positions who did not know fundamental web security issues. Considering how reliant mobile applications are on web services, this is a major issue.

Tracking Your Learning

Before you dive into the technical material, I would like to recommend that you adopt a very powerful habit: robust note taking. Taking good notes as you learn is valuable for a number of reasons. Firstly, it can help solidify your learning by forcing you to summarize the material you consume and pick out the important elements. Secondly, you can use it to track what you have learned and what you need to work on or follow up with. Finally, the notes may provide great utility as a quick reference in the future. This is my primary intent with my own notes and is something I wish I had developed good habits with earlier on.

An important note about application penetration testers is that we are more generalists than specialists. In many other professional domains of technology (in particular, development), practitioners spend a great deal of time honing their skills with specific languages, frameworks, and toolsets. While still true to some degree in security (we are specialists in security, of course), one of the challenges we face is the requirement to assess applications constructed and deployed across the entire available range of technologies. As such, it is extremely valuable to be proficient at getting up to speed with any given target technology. Having detailed notes from past efforts can greatly improve your success and versatility here. You can find many “cheat sheets” for pentesting different technologies, but I find I am most efficient consolidating the information into my own notes.

In terms of note taking software, I will recommend two possible platforms, but there are many that will accomplish this task and you may already use some alternative that is just fine. Personally, I use Notable, which I like for its simplicity and for the fact that it uses markdown rather than some proprietary format that your notes will be stuck in. A much more popular but similar alternative is Obsidian. Either of these two programs will serve you well. I could suggest a strategy for taking notes with these, but I think it best that you experiment and iterate on this as you learn. You will inevitably have to refactor some notes, but this is all part of the process.

Learning The Fundamentals

Before you zip up your hacker hoodie and let loose on some vulnerabilities, it is worth learning some fundamentals. You may find this section to be a long and sometimes dry journey, but I highly recommend building a foundation of knowledge in these areas. If you get bored, save some links, skip ahead, and return to this material later. Keep in mind, this is only a small sample of a wide base of knowledge from different disciplines that intersect with application security. There will always be more to learn.

In no particular order, here is some recommended learning material:

  • Learning Linux will serve you well. A great resource is Linux Journey. At the time of posting, there appears to be an issue with the live site. You can try the archived site as an alternative if there are issues for you.
  • Networking is another core skill, though you don’t need to be a networking guru for application security. This YouTube video by TomNomNom covers the fundamentals.
  • If you do not have any programming experience, Python is a good language to approach as it is commonly used in the field. Automate the Boring Stuff with Python is a popular book/resource that teaches you Python as an absolute beginner. You do not have to be an expert, but you must understand the general logic and flow of software programs.
  • Now, let’s learn “The Web”. This video provides a short and simple introduction. Here is a similar playlist (still short, but more depth). This course (with content available freely online) provides an intro to web technology/communication. You can read a brief explanation of HTTP here and further reading from MDN here. As web app traffic is predominantly HTTP, you ought to be quite familiar with it. Why web tech is like this (another YouTube video) may be interesting to you.
  • It will be essential to become familiar with HTML and JavaScript. MDN provides fairly comprehensive learning resources. For additional JavaScript learning, try this site.
  • This article covers a few forms of data often encountered on the web. It also references the tool CyberChef, which we use quite often to manipulate data.
  • You certainly do not have to be a cryptography expert, but it helps to have a grasp of the basics. I quite like this free web-based book.
  • Finally, you should develop an understanding of basic web architecture. Here is an intro to databases and the web. This reading will teach you a number of additional common components used in large scale systems. As an exercise, I would recommend constructing a simple LAMP server. DigitalOcean has some tutorials on this. Cloud architecture considerations are increasingly important, but you can save this learning for later in your journey.

Setting Up Your Testing Environment

Application security testing is an area where you must learn by doing. The best way to approach this is to set yourself up with a dedicated environment. There are many ways you can do this and much has been written on this topic. My recommendation is to set up a local virtual machine on your system that you use to follow tutorials and complete labs. If you are on a Windows system, you can use VMware Workstation Player. The most popular approach would be to set up an instance of Kali Linux. This is a distribution of Linux designed for security testing. You do not need Kali and could use your preferred distro, but I do recommend some variant of Linux for getting started.

To get your environment set up for the basics, you really only need one tool: Burp Suite. Burp, as it’s often simply referred to, is the primary testing tool used by professional application penetration testers. While it is a professional tool, a free community version is offered that is more than sufficient for learning. You can get started here (note that Burp is preinstalled in Kali Linux, saving a download/install). Zed Attack Proxy (ZAP) is a completely free alternative to Burp that is used by many bug bounty hunters, but it is less commonly used by professional penetration testers.

Learning Web Security the Old(ish) Way

Before the proliferation of modern application penetration testing platforms and resources, many of us learned on what is best described as the seminal tome of offensive application security: The Web Application Hacker’s Handbook. The second edition of this book was published in 2011, which is rather ancient in the context of web security. That said, the book is perhaps the most comprehensive collection of material on this topic. So, to this day, I still recommend that the book be considered a primary learning resource. Naturally, some of the content is no longer relevant, but it won’t hurt your success; you will instead have some additional knowledge of historical technologies and approaches.

Your mileage may vary depending on how well you consume large texts, but if reading is not your thing, I will issue this warning right now: ongoing reading and learning is essential to this field. For example, I would not recommend RFCs to novice learners, but reading this type of technical documentation may be a common task depending on the direction of your career. You can skip the Handbook, but I nevertheless still recommend it if you can stomach it. I recommend approaching it by setting a target number of pages a day at whatever pace suits you. It is best to approach this book in combination with the practical material outlined below.

Modern Web Security Material

When it comes to contemporary platforms, there are numerous contenders, but some that stand out to me. Primarily, there is PortSwigger’s Web Security Academy. The best way to approach this is with their Learning path. PortSwigger is behind the development of Burp and is also increasingly responsible for good quality web security research and learning material. Though there is much web security content still absent from their developing training library, if you study most of their material, you will be in a good position. They also provide accompanying labs that are essential for you to practice what you have learned. Make sure to augment their material by learning about the techniques and technologies you encounter elsewhere as well, especially if anything is unclear to you. Rana Khalil makes YouTube companion videos for the material that may help you.

Another popular lab-based option is PentesterLab, but not all of the exercises are free (you can also find their intro to the web here). Beyond this, there are many platforms that offer a range of challenges for you to practice and improve your application penetration skills. Most of them I would not recommend for beginners. In particular, those styled as CTFs (Capture the Flags) rather than guided learning paths can be both frustrating and an inefficient use of your time. These can be valuable exercises, and there may be an argument for approaching them to develop your creativity, problem solving, and persistence, but for beginners it can feel like trying to learn a language by solving riddles. Save the riddles for when you understand the language.

Where else can you read about web security topics? OWASP can be a great resource. As an example, simply search “OWASP SQL Injection”. Their material is not always perfectly organized or up-to-date, but their community-driven efforts effectively place it as the Wikipedia for web security. A particular project you may find valuable is the Web Security Testing Guide. Additionally, the Application Security Verification Standard is often used by organizations as a standard to assess applications and may provide you with some insight into best practices in web security that go beyond protecting an application from common vulnerabilities you will learn about in training labs. I wouldn’t say that these OWASP resources are necessary to land a job.

During your learning, you may come across references to the OWASP Top 10. This is a project that simply tries to identify and classify the top risks posed to web applications based on community consensus. There are Top 10 lists for domains other than web security, but the web Top 10 is their flagship list. I don’t consider this crucial information for a novice and I would never ask you to recite the list in an interview, but based on job postings I have seen, this may be something you will need to brush up on to prepare. In my opinion, there is far too much emphasis placed on this project, which provides limited value in practice.

Avoiding the Noise

For every high quality resource available for learning web and application security, there are numerous low quality resources designed to farm clicks, sell a product/service, or boost a reputation. Performing a Google search for “learning web application penetration testing” yields mixed results for me. The first result honestly appears to be an AI-generated page, as if intended as an example of a poor resource for this blog post. Unfortunately, there are many sites like this. My search did yield some good resources, but it mostly returned uninformative results or sites selling a course or product.

In general, I would recommend avoiding this approach to finding general “getting started” content. As you are learning, it can be challenging to assess the quality of a learning resource, especially without sinking substantial time into it. If you stick to the resources outlined in the above sections, you will be just fine. The exceptions to this recommendation are when you are looking for information on specific technical topics. Consider searches like “how to modify the DOM with JavaScript” or “cheat sheet for mysql injection”. These are totally fine, and you will begin to recognize reliable resources and be able to build references in your notes for quick access in the future.

I used to recommend Twitter for application security (and I still do in some cases), but I have been seeing an increasing number of “content mill” type tweets that can be both distracting and misleading, especially for beginners. I find accounts like this one quite frustrating for various reasons. You may want to start curating a social media network in the security space, but this will be easier to navigate as you gain experience.

Certifications

If you have explored the various threads and discussions addressing how to break into this field, you will have likely encountered substantial discussion on certifications. This seems to be a strong focus of those trying to secure their first job in application security. My guess is that this focus has arisen from firms that require (or at least state that they require on their job posting) certain certifications for entry level positions. I hire for my own firm (not others, obviously), so I can’t speak to what are true requirements at every firm, but I can speak to my own experience, approach, and opinions.

The certification landscape for application security is generally bad. I have obtained certifications and reviewed content for others that I have not obtained. I am not going to name any specific organization or certifications. The issues I have with certifications in this space are as follows:

  1. Certifications are expensive for what they provide and do not provide enough unique or valuable content to make them competitive with freely available resources, which continue to improve in quantity and quality.
  2. Certifications demonstrate a candidate’s commitment to the craft and ability to learn the material, but do not adequately demonstrate their ability to perform actual tasks that would be expected on the job. While there are an increasing number of certifications with “practical” components, the ones I have seen are often quite contrived and do not replicate realistic scenarios.
  3. Even limited job experience typically provides enough of a learning opportunity to render the material covered in introductory (and sometimes intermediate level) certificates merely review.
  4. Certification material does not keep up with the field. This is less relevant for novices, but when I am interviewing senior candidates, I make sure to evaluate their grasp of recent developments and research where appropriate.
  5. As a manager, I am less interested in your ability to obtain certs and more interested in your ability to learn independently and think critically about web security and testing processes. I am not claiming that the certification process does not touch on these skills, but I do not think it is particularly focused on them.

With all that said, there is some value in pursuing industry certifications. First, as mentioned, a firm that you wish to work for or a client of a firm that you work for may require a cert. This is silly, in my opinion, but it’s the reality. If you encounter a company that requires a specific certification for an application penetration testing role, I would be skeptical of their ability to assess that landscape unless they themselves are bound by some industry requirement. I can get a better read of someone’s technical skills and experience from a brief interview than I can from reviewing their certification history.

The second benefit of pursuing a certificate is that you may learn a great deal in the process of studying for it. In my experience, candidates over-study for application security certs. This isn’t necessarily a bad thing. Further, you may find it helpful to have the deadline of a certification date, but if you need deadlines to motivate you to learn this material, the field may not be for you; ongoing learning is a necessity.

Final Notes

If you covered a majority of the material from the resources provided, you would be in a strong position to enter this field. In addition, you would have demonstrated your motivation and capacity for self-directed learning, which is perhaps the most essential attribute and certainly one that we try to gauge during an interview. That said, because of the breadth of material, I would caution you against setting unrealistic goals. Pace yourself and, if you are consistent, you will eventually master this material. You may have trouble self-assessing to identify when you are ready to start applying for positions. I don’t have a perfect rule or standard for you, but this is best thought about in relation to the hiring process, which will likely involve some form of practical assessment. Are you comfortable opening up Burp and finding vulnerabilities in an application you haven’t seen before? Can you document issues that you identify, explaining their impact and suggesting how to fix them? Then you are probably ready.

If you encounter other resources that you found valuable in your journey, I would love to hear about them to update this guide. Please let me know.
