Web Application Security Specialist

A penetration tester with a focus on web applications

For whom?

  • Test Engineers who want to add security testing to their skillset.

  • Web Application Developers who want to secure their web applications.

  • Engineers who want to become a penetration tester.

What is Web Application Security Testing?

Web Application Security Testing is actually penetration testing web sites and its methodology consists always of the following steps Web Security testing Methodology

A lot of the mentioned tools have integrated automated testing such as automated checks against vulnerability databases, predefined attack payloads and predefined attacks that one can use out-of-the-box.

It's a good starting point for anyone who wants to begin with penetration testing.

Important terms in Job offers.

Most popular tools of the trade

  • nmap

  • wireshark

  • owasp zap

  • Metasploit

  • burbsuite

  • nessus

Programming languages in demand

  • Python

  • Java

  • Shellscript

Keywords

  • vulnerability scanner

  • network scanning

  • networking

  • reverse engineering

Get the tools - Pentesting OS compairison

How to get to the tools? By using an especially for the purpose of penetration testing designed OS. The most popular pentesting OS on the market as of today are listed here. As a pentester, you should have seen an instance of each. Install all of them in virtual machines and play with it. If you plan to certify in pentesting, I recommend to use the OS of the school. EC-Council uses parrot, Offensive-Security kali for instance. BlackArch is the most difficult to manage.

criteria

kali

parrot

blackarch

RAM usage

450MB

550MB

170MB

Based on OS family

Debian

Debian

Arch Linux

Recommended user interface

Gnome&xfce

KDE&Mate

XFCE or

none (light version)

Anonymous mode

no

anonsurf

tor

Space on disc

1GB

320Mb

N/A

Tools preinstalled

400

600

2676

Updates

frequent,stable

frequent,stable

very quickly,instable

Configuration

easy

easy

hard

Used by school

offensive-security

EC-council

N/A

So, to be good at web application security testing, you should know in that exact order: common vulnerabilities and attacks, where to find them, choose a penetration testing OS, know the tools and apply them according to your methodology.

More methodologies

OWASP has also defined a Web Testing Framework that you can use to conduct a guided pentest. Follow instructions on https://github.com/owtf/owtf

LogoBasic Hacker Methodology – Steps to the Hacking ProcessHackmethod

Automated Web Application Security Testing

Different types of testing:

SCA, Software Component Analysis

SAST, Static Application Security Testing

DAST, Dynamic Application Security Testing

OAST, Out-of-Band Application Security Testing

System Hardening

System Compliance Testing

PreviousIT Security RolesNextTraining Guide

Last updated