2023 Hacker's Guide: How to Break into Pentesting and AppSec.
(thread)
1. Hands down, one of the best practical resources is @RealTryHackMe. I would take the "Complete Beginner" learning path, then the "Jr. Penetration Tester" path. It will get you off the ground in no time.
4. Participate in VDPs and rank on their leaderboards. Don't do paid bounty programs!
The goal is to become a pentester, who gets paid good money on a frequent basis, unlike a bounty hunter.
5. As you rank on HOFs/leaderboards and become experienced in finding security issues, apply to pentesting and appsec-related jobs.
PRO tip: Link your HOFs and ranks in your resume. It's the best showcase of skills. Nobody really cares about your certs.
6. Contribute to open-source security projects and publish your scripts (yes, learn coding!) to your GitHub profile. That goes perfectly well into your resume, as well.
You also give back to the community this way. You're a giver, not a taker.
7. If you enjoyed this thread, there's much more to come! So, stay tuned.
Motivate me to continue posting by liking, retweeting, and following me @cristivlad25.
A fully automated workflow that you've never seen before.
(thread)
1. This script scrapes the disallowed paths from the robots.txt files of a list of domains and saves them to a single file. It also removes any unwanted entries and sorts the file in a particular way.
Can you write it yourself? Here's how the script should look.
2. Create a directory called "massrobots" in the pwd. This is where you'll save all the robots.txt files for later processing.
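The script itself is not reproduced on the page, so the following is an added example (not the thread author's code) of the processing stage: parsing saved robots.txt bodies for their Disallow paths, dropping entries that carry no path information, and merging them into one sorted list. The `massrobots` directory layout (`<host>.txt`), the filter set and the sort order (by path, then host) are assumptions; the sample robots.txt bodies are constructed so the block runs offline, and the same routine works for auditing what your own domains disclose.

```python
"""Merge the Disallow paths from many saved robots.txt files into one sorted list."""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample bodies standing in for files saved as massrobots/<host>.txt.
SAMPLE_ROBOTS = {
    "example.com": "User-agent: *\nDisallow: /admin/\nDisallow: /backup.zip\nDisallow: /\nAllow: /public/\n",
    "example.org": "User-agent: Googlebot\nDisallow: /staging/\n# comment\nDisallow:\n"
                   "Disallow: /admin/\nSitemap: https://example.org/sitemap.xml\n",
}

# Assumed "unwanted" entries: the root alone, empty values, and bare wildcards say nothing useful.
UNWANTED = {"/", "", "*"}
DISALLOW_RE = re.compile(r"^disallow\s*:\s*(.*)$", re.IGNORECASE)


def parse_disallows(robots_txt: str) -> list[str]:
    """Return every Disallow value in one robots.txt body (comments stripped, directive case-insensitive)."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        match = DISALLOW_RE.match(line)
        if match:
            paths.append(match.group(1).strip())
    return paths


def merge_disallows(robots_by_host: dict[str, str]) -> list[tuple[str, str]]:
    """Combine all hosts' Disallow entries, skip unwanted/wildcard patterns, dedupe, sort by path then host."""
    entries = set()
    for host, body in robots_by_host.items():
        for path in parse_disallows(body):
            if path in UNWANTED or "*" in path or "$" in path:
                continue                      # patterns are not concrete paths; leave them out
            entries.add((path, host))
    return sorted(entries)


def load_directory(directory: str = "massrobots") -> dict[str, str]:
    """Read massrobots/<host>.txt files into the same {host: body} shape as SAMPLE_ROBOTS."""
    return {p.stem: p.read_text(errors="replace") for p in Path(directory).glob("*.txt")}


def write_merged(entries: list[tuple[str, str]], out_path: str = "disallowed_paths.txt") -> int:
    """Write 'host<TAB>path' lines to a single output file; return the number of lines written."""
    Path(out_path).write_text("".join(f"{host}\t{path}\n" for path, host in entries))
    return len(entries)


if __name__ == "__main__":
    for path, host in merge_disallows(SAMPLE_ROBOTS):
        print(f"{host}\t{path}")
```

Replace `SAMPLE_ROBOTS` with `load_directory()` once the robots.txt files have been saved under `massrobots/`.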
The most frequent vulns I found in 80+ pentests in 2022.
(thread)
1. Rate Limit Bypass
In more than half of the pentests I conducted, I found that there were no rate limits imposed on login functions or authentication mechanisms. This lack of rate limiting, combined with weak password policies, can lead to accounts being easily compromised.
2. Session Token not Invalidated upon Logout
This vuln arises when the session token is not invalidated at user logout. If the validity of the token or the time to expiry is long, this can lead to the token being leaked, potentially resulting in a data breach or other vulns.