Today I saw an interesting post by Keatron Evans on the "Ideal Skill Set For the Penetration Testing". You can find his blog here.
While I think it is a good summary about the skill-set for pentesters, I think it is not the correct skill-set for web application security testers. So I have made a slightly modified version of it for (what I think to be) the basic skill-set of a web application security tester.
I tried to maintain the original list as much as possible and provide the webappsec analogies of the items. I also copy/pasted the good bits and the things I thought to be applicable in both lists.
1. Mastery of web and application servers. Each and every web and application server has its own configuration options, behaviour, quirks and file locations. Learn them and learn how to abuse or break them.
2 Good knowledge of the HTTP protocol. Understand and learn the header fields, how cookies work and the different request methods. Understand how HTTPS works. Get the basics of AJAX, JSON, serialized streams, etc.
3. If you don’t understand the things in item 2, then you can’t possibly understand how session management, CSRF or a (layer 7) MiTM attack actually works.
4. Learn the ins and outs of HTML, javascript, CSS. Learn the different encoding mechanisms, their uses and limitations. Also learn how each browser handles exceptions and strange input (see 6)
5. Learn the ins and outs of the mechanisms behind IDS and IPS. Learn how to pass data past them using basic encoding and other simple techniques. There’s no better way to understand these concepts than to apply them. Once you’re mastered this, you can move to a WAF and start the process over again. Start experimenting with different encodings and obfuscation techniques and other attacks.
6. Know your browsers. Despite all the standards browsers tend to handle HTML, javascript and encodings in a (slightly) different way. Next to that, each browser has its own configuration options, behaviour, quirks and file locations.
7. Eventually learn a programming language. Focus on Java, Python and Ruby. Figure out something you want to automate, or think of something simple you’d like to create. For example, a simple fuzzer or request/response interceptor.
8, 9 and 10. Same as Keatron Evans' list.
No comments:
Post a Comment