
Where did that come from?


The scene above is one every person new to InfoSec should get used to: a vast empty road that rolls on for miles and miles with what looks like no end.

I feel I’ve reached a pivotal point in my journey. I haven’t written anything in my blog for a few weeks, because I’ve been so immersed in learning. Attacking the VulnHub VMs was a great step in the ladder on my road to OSCP; however, I feel I was neglecting my real passion for Web Application Pen Testing, so I switched up the format a little in the last few weeks.

The Journey is long

This industry will take you to your limit and beyond. It will test you until you break. Unfortunately, I feel I’ve stalled a little in the last few days. When that happens, I tend to write about it to iron out the creases.

In the next few days I start the OSCP journey. I would like to have entered into it with more confidence and ability; however, lately things haven’t been going to plan. I felt I was walking the road no problem until I stalled for no reason.

Web Application Pen Testing (WAPT)

On every CTF I gravitated to the Web App challenges. Excitement filled the air. The reality of WAPT is very different to CTFs, and I guess it was something I wasn’t really prepared for. Websites aren’t designed to be vulnerable. Sometimes they just are, sometimes they aren’t. The key is to find the vulnerabilities by way of utilising every skill you have at your disposal.

There lies the problem. A true test of what you think you know comes from entering the world of Bug Hunting on Bug Bounty websites. There is no introductory medium.

Vulnerable beginner Apps -----> Live site testing

There’s no medium. One minute you’re pushing the same XSS payloads to different Vuln Web Apps, and likewise with SQLi. One day you just have to jump into the real world.

Sucking it up

You get down about failing. It’s human nature. You feel embarrassed. You want to crawl into a cupboard and let the storm blow over; however, get over it.

There are teenagers who know more than I do about WAPT. It’s depressing to read disclosure reports and not know one thing about what’s in them. Your silly little XSS payloads that worked so well in your vulnerable web app won’t work here. You’re going to need to come up with something more special to fool decades of experience in web development.

I’ve been told I need a solid grounding in WAPT experience to get by in OSCP. Of course that was a kick in the groin. I had a difficult last few days trying out Bug Hunting, getting my rear end handed to me on a plate. I’ve learned a lot in two days, and that’s important.

Moving On…

I expect a lot from myself. Sometimes it causes greater crashes; however, I don’t walk the road. I run it. I just need to train harder, give myself a slap and use my time more effectively.

Soon new roads won’t seem so daunting. You won’t fear the journey. You’ll get excited about what you’ll learn on the way. Writing about how you feel can make a massive difference. Even if no one reads it, it can help you clear the cobwebs and confusion.

Seize the Day!!

P.S. – This was me trying to kick my own ass today. I sat with my head in my hands wondering where the hell I was going and what I was doing. That won’t happen again.
