Stepping into Industry: Week Two

The Second Week

Going into the week extremely optimistic, after reflecting on my first week I'd realised rapidly that I had been extremely hard on myself. Anyone in my position would have performed in exactly the same manner. The main thing was taking the positives! I did find a number of things worth reporting and that is what matters!

I logged on at the beginning of the day, and received my brief for the week. One project for the next week, a large web-app test with a number of different domains. Starting off with the usual as expected; basic scans and enumeration before testing the platform.

If the first week taught me anything, it was that developing a firm methodology to stick to is 100% needed, so during my time off I decided to start making notes to stick to and check for every time.

Due to the scale of the web-app being tested I decided it would be best to walk through the entire application during the first day and gain an understanding of how it worked. I firmly believe in order to exploit something and find vulnerabilities you need to first understand how it works. It became apparent within the first few hours that this wasn't going to be a small task as it had many intricate details to it. Taking notes as I went as to how pieces of information were used and reflected. Combing through the linked JavaScript files.

This wasn't by any means glamorous but it certainly helped going into day two, going into it I had a fairly decent understanding as to how the application worked and had a list of different things to filter through in order to identify what vulnerabilities exist.

Day two and three were very similar in this regard, there were some interesting interactions that were noted down and combing through the JavaScript files the day before proved extremely useful in understanding how the application was processing data and how you could potential manipulate this. However, there weren't any big vulnerabilities found. It certainly proved useful having a methodology and an understanding of the application from of the engagement.

I wish I had more information to drop into this weeks blog post however it hasn't been all that eventful other than a massive growth to confidence so I'll drop some takeaways below for this week.

Takeaway for the week

  • Don't be so hard on yourself. If you're like myself and this is your first time in industry, it won't be easy and you won't understand everything. That's fine, use it as a learning experience in the long run!
  • Implement a methodology and stick to it, you won't regret it!
  • Take your time to understand the application and identify potential vectors for exploitation! (This I can't emphasis enough!)
  • Take plenty of notes on how things are working! You can fall back on these as you progress with testing.
  • Research outside of your working hours. This is one I'd usually have a problem with but it helps so much with your daily work, especially as a penetration tester. After all, it is your job to identify potential attack vectors! Keeping up to date with new vulnerabilities will help. I can't emphasis how useful platforms such as HackerOne and their Hacktivity feed can be, alongside following bug bounty hunters on Twitter!

Thanks for reading and I hope this series continues to develop as I progress within this role. The learning for this week was to ensure you develop a methodology early on and take plenty of notes. That's something I never really had in place when completing rooms on HackTheBox however, as I've been doing rooms lately I've been using it as a chance to improve my note taking so I don't have to return after and update them. It's better to refine what you have already done instead of repeating it!

Show Comments