📋
A Journey From IT to IT Security
  • IT Training Resources
  • IT Security Roles
    • Web Application Security Specialist
      • Training Guide
      • Self-hosted Training Lab
        • Vulnerable Web Apps
      • Web Security testing Methodology
        • 1 Footprinting
        • 2 Scanning
        • 3 Enumeration
        • 4 Gaining Access
        • 5 Maintain Access
        • 6 Covering Tracks
        • 7 Vulnerability assessment
    • DevSecOps Engineer
      • Training Guide
      • Building a DevSecOps CD/CI Pipeline
        • Self-hosted DevOps CD/CI platforms
        • Software Component Analysis (SCA)
        • Static Application Security Testing (SAST)
        • Dynamic Application Security Testing (DAST)
        • System Hardening
        • System Compliance Analysis
        • Vulnerability Analysis
      • Ready-to-use and train DevSecOps CD/CI Pipeline
    • Chief Information Security Officer (CISO)
    • Digital Forensics Investigator
      • Forensics Methodology
    • Cloud Security Engineer
      • Getting started with kubernetes
  • Resources
    • IT Basics
      • Networking Basics Study Guide
      • RBAC / ABAC
      • Anonymous Surfing
      • Python Programming
      • Infrastructure as code
      • Containers
        • Docker
        • Docker security
      • The Security Development Lifecycle (SDL)
    • Literature
    • Useful Tool Tutorials
    • Useful Online Tools
    • Exploits
  • Unsorted
    • Gitlab-ci with docker-compose
Powered by GitBook
On this page
  • For whom?
  • What is Web Application Security Testing?
  • Most popular tools of the trade
  • Programming languages in demand
  • Keywords
  • Get the tools - Pentesting OS compairison
  • More methodologies
  • Automated Web Application Security Testing
  1. IT Security Roles

Web Application Security Specialist

A penetration tester with a focus on web applications

For whom?

  • Test Engineers who want to add security testing to their skillset.

  • Web Application Developers who want to secure their web applications.

  • Engineers who want to become a penetration tester.

What is Web Application Security Testing?

Web Application Security Testing is actually penetration testing web sites and its methodology consists always of the following steps Web Security testing Methodology

A lot of the mentioned tools have integrated automated testing such as automated checks against vulnerability databases, predefined attack payloads and predefined attacks that one can use out-of-the-box.

It's a good starting point for anyone who wants to begin with penetration testing.

Important terms in Job offers.

Most popular tools of the trade

  • nmap

  • wireshark

  • owasp zap

  • Metasploit

  • burbsuite

  • nessus

Programming languages in demand

  • Python

  • Java

  • Shellscript

Keywords

  • vulnerability scanner

  • network scanning

  • networking

  • reverse engineering

Get the tools - Pentesting OS compairison

How to get to the tools? By using an especially for the purpose of penetration testing designed OS. The most popular pentesting OS on the market as of today are listed here. As a pentester, you should have seen an instance of each. Install all of them in virtual machines and play with it. If you plan to certify in pentesting, I recommend to use the OS of the school. EC-Council uses parrot, Offensive-Security kali for instance. BlackArch is the most difficult to manage.

criteria

kali

parrot

blackarch

RAM usage

450MB

550MB

170MB

Based on OS family

Debian

Debian

Arch Linux

Recommended user interface

Gnome&xfce

KDE&Mate

XFCE or

none (light version)

Anonymous mode

no

anonsurf

tor

Space on disc

1GB

320Mb

N/A

Tools preinstalled

400

600

2676

Updates

frequent,stable

frequent,stable

very quickly,instable

Configuration

easy

easy

hard

Used by school

offensive-security

EC-council

N/A

So, to be good at web application security testing, you should know in that exact order: common vulnerabilities and attacks, where to find them, choose a penetration testing OS, know the tools and apply them according to your methodology.

More methodologies

Automated Web Application Security Testing

Different types of testing:

SCA, Software Component Analysis

SAST, Static Application Security Testing

DAST, Dynamic Application Security Testing

OAST, Out-of-Band Application Security Testing

System Hardening

System Compliance Testing

PreviousIT Security RolesNextTraining Guide

Last updated 3 years ago

OWASP has also defined a Web Testing Framework that you can use to conduct a guided pentest. Follow instructions on

https://github.com/owtf/owtf
LogoBasic Hacker Methodology – Steps to the Hacking ProcessHackmethod