In 2023, there are more resources to learn new skills and progress than ever. However, this industry is also moving and growing rapidly, and more isn’t necessarily better. The phrase “drinking from a fire hose” comes to mind. Today we’re going to be looking at a path you can take that will help you on your journey to becoming a web application penetration tester or application security engineer.
It’s likely that you already have some skills and knowledge, so there’s no need to follow this blindly from start to finish. Make sure to apply it to your situation and your needs.
Prefer to watch instead of read? You can find the corresponding video here.
Fundamentals of Web Applications
Before we dive into what you need to know, let’s take a moment to consider that our knowledge will never be complete. Furthermore, you don’t need to let these sections get in the way of doing the things you want to do. For example, if you want to learn about SQL injection and do some CTFs or bug bounty, go for it. Nothing should stand in your way, but make time to learn the fundamentals too. Not all in one sitting, and certainly don’t think that you need to “complete” this before you can start getting more hands-on with the fun stuff, but over a period of time, some of your studies should be dedicated to this.
What are the Fundamentals?
You should have a good grasp of:
- How web applications work
- Differences between client-side and server-side
- Common architectures
- Common databases
Develop Some Basic Programming Skills
Not everyone wants to hear this, but if you’re working in a technical role in cybersecurity, learning some programming skills will likely be a huge advantage to you. Realistically, it’s not that hard either; it just takes some consistency. Here is a video dedicated to this topic.
What Languages Should We Learn?
For web application penetration testers and application security engineers:
- JavaScript
- Python and/or a server-side language
JavaScript is used in almost every single web application; you’ll see it on 99% of your engagements. The only time we usually don’t see JS is when we’re testing APIs, and even then the backend might be Node.
Python is an excellent language for automating tasks and writing exploits or PoCs. It can also help you test unusual scenarios or edge cases that your usual set of tools doesn’t cover.
What are the Best Resources to Learn Programming?
- FreeCodeCamp
- The Odin Project
- Javascript.info
- Free Programming 100: Fundamentals course from TCM Academy
Security & Network Concepts
Our next step is really in the direction of security. We need to start to understand what it means to secure our applications and the surrounding infrastructure. Whilst we might specialize in a specific layer, having a good overview of the full stack and how we can apply security measures to different parts of it to achieve defense in depth is really important. Working in silos and focussing too much on one piece of the puzzle means we lose oversight of security as a whole.
Some of the key things we want to start to read up on are:
- Web application security
- Basic networking
- Containers and container security
- Server and database security
A great resource to get started on many of these topics is the OWASP Cheatsheet Series. Once you have the basic grasp of a topic, you can decide if you want to dive deeper.
Common Vulnerabilities and Tools
So now we need to really start honing our craft. Whilst it’s widely quoted and referenced, there’s actually a lot more to web application security than the OWASP Top 10. That’s not to say it isn’t useful: the OWASP Top 10 list is a great starting point, and any web application penetration tester or application security engineer should know and understand these categories in detail. But really, they are the fundamentals.
The best resource for starting out here is undoubtedly PortSwigger’s Web Security Academy, and if you prefer video content over text, check out Rana Khalil’s YouTube channel here.
Certifications and Further Practice
I recommend trying to gain at least one security-related certification. This will set you apart from a lot of candidates when applying for roles. There isn’t really an industry leader for web application pentesting certifications so choose something that you feel demonstrates your level of skill. Personally, for web application security, I’d recommend taking PortSwigger’s Burp Suite Certified Practitioner.
Once you’ve built some confidence, sign up to TryHackMe and start to go through some of the easier web CTFs. They will showcase common vulnerabilities and also help you develop your methodology and enumeration skills. If you’re stuck, don’t be afraid to check the writeups, just be sure to give it a good attempt before you do. Generally when I work on CTF machines like this, if I don’t make progress within an hour, I’ll look at a writeup for hints or see if I’ve missed something. This is a great opportunity to update your notes and continue learning.
TCM Security also offers some excellent resources on web application hacking and penetration testing. TCM Security Academy has several courses that will help you on your web app journey including the Practical Bug Bounty, Practical API Hacking, and Practical Web Hacking courses. We also offer two certifications, the associate-level Practical Web Pentest Associate and the professional-level Practical Web Pentest Professional certification to help prove you have a solid foundation in web app pentesting.
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.