So I decided to try and get into infosec as a hobby a couple of months ago. After dusting off my programming skills and going through some of my old networking notes as a refresher, I did some courses for beginners in bug bounty and familiarized myself with some core tools. Then I noticed that a lot of people were suggesting PentesterLab Pro as a way for newbies to get into the infosec/bug bounty field so I decided to give it a go. Did the introductory and unix badges no problem, but since I've gotten into the essentials badge, I feel like I don't understand what I'm doing. Sure, I get the gist of what I'm supposed to do and I can solve most labs by playing around a bit with burp, but I don't actually understand what I'm doing. Most of the time I'm just doing random stuff like adding some parameter or changing some values etc. until something works, but I don't get why that worked and something else didn't. For example I don't get why adding a parameter = True in the request text works but adding it from the params tab in burp doesn't, or why setting a parameter = True doesn't work but setting the same parameter = 1 does. Or why tweaking the URL grants you access. I get how to do it but I don't understand the concept behind it or how I would know what to do if the lab didn't have clear instructions and hints. Sure I could google that stuff, but if I just google everything, isn't actually using PentesterLab kind of useless? I know there are videos that go with every lab as an explanation but they are more like quick solutions without much explanation and I guess they are more geared towards people with a bit more knowledge than me. Any advice on how I should approach this? Is there something I'm missing or should I just use some other resources until I'm ready for PentesterLab?
Thank you in advance!
Edit: Sorry if I make it look like I'm bashing on PentesterLab, the platform actually seems great. I'm just wondering if it's right for me atm.
Sure I could google that stuff but if I just google everything, isn't actually using PentesterLab kind of useless?
I think you should definitely be googling this stuff - but specifically googling the "Why". PentesterLab will show you the "what" and the "how", and give you hints on the "why", but fundamentally hacking is about reading and understanding the original intent of a thing versus the actual implementation, and how you've managed to make something do a thing it wasn't intended to do.
If you're not understanding the why, try to figure out what it was that you were affecting, and read up on it. Was it something in the HTTP request? Maybe you need to go read up on HTTP requests - the RFCs can be pretty authoritative sources of information.
Not sure why that parameter = True worked? Maybe you're affecting application logic. How was the web server built? Is it a Python app, written using the Django framework? Understanding what "True" means in that context will help - maybe have a go at making a very simple Django website with an auth system, and figure out how you can circumvent the thing you just built.
Hacking sure isn't easy.
If you have specific questions, you can hit me up on our Discord (I'm @arcwhite) and I'd be happy to help either explain, or point you to materials that might explain it!
I'd recommend that you consider starting with the Web Security Academy that PortSwigger (the makers of Burp) offer.
What's nice about it is that they offer tutorials to explain the vuln type and offer live labs you can practice on that incrementally build on your experience from other labs so you can piece together how it works.
Like other places you have tried, it offers a bit of gamification so you can keep track of which labs you have completed. So you can tackle the novice labs and come back to the more expert labs later as you build up your skills and confidence.
HTH. And if you need more help as you progress reach out here or on Discord.
I think you ask a very good question here... trying to understand the "why" and not just the "what." That's a core element of the hacker mindset and I encourage you to keep asking, "why?"
Regarding your questions about why some things work in some contexts but not in others, and vice versa: this likely comes down to what's happening on the server side. For instance, depending on the web server platform, programming language, and web app code, "1" might be considered equivalent to "true" or it might not. Much of web application hacking is a matter of trying to deduce what's happening on the server side. In any event, note your observations and keep trying other inputs to see what you can deduce based upon the results. It will probably feel like you're floundering around at first... and that's okay. Just keep at it and remember that every "failure" has something to offer.
I would also highly recommend setting up a home lab; even if it's just VirtualBox on your laptop. Then go through the process of building your own web server, integrating different programming languages (e.g. PHP, Python, perl, etc.), and see if you can imitate some of the web application behavior that you're curious about. It's time consuming, for sure, but ultimately will pay dividends many times over.
Good luck and feel free to ping me on discord if you get stuck.
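The replies above (the Django suggestion and the point that "1" may or may not equal "true" depending on server-side code) can be seen concretely in a few lines of Python. This is an added example, not code from the thread or from PentesterLab: three hypothetical handlers read the same `admin` query-string parameter and convert it to a boolean in different ways, which is exactly why `admin=True` can pass one app's check while `admin=1` passes another's.

```python
from urllib.parse import parse_qs
from typing import Optional

# Hypothetical server-side parsing. Real frameworks (Django's request.GET,
# Flask's request.args) do the same first step: the raw value is a string.


def parse_param(query_string: str, name: str) -> Optional[str]:
    """Return the first value of `name` from a raw query string, or None."""
    values = parse_qs(query_string, keep_blank_values=True).get(name)
    return values[0] if values else None


def flag_by_truthiness(value: Optional[str]) -> bool:
    # Bug-prone style: bool() on a non-empty string is always True, so
    # "True", "1", "0" and even "False" all grant the flag; only "" does not.
    return bool(value) if value is not None else False


def flag_by_literal_one(value: Optional[str]) -> bool:
    # Strict style: only the exact string "1" counts.
    return value == "1"


def flag_by_word(value: Optional[str]) -> bool:
    # Word style: case-insensitive "true"; "1" is rejected here.
    return value is not None and value.lower() == "true"


def evaluate(query_string: str, name: str = "admin") -> dict:
    """Run all three interpretations over one raw query string."""
    value = parse_param(query_string, name)
    return {
        "truthiness": flag_by_truthiness(value),
        "literal_one": flag_by_literal_one(value),
        "word": flag_by_word(value),
    }


if __name__ == "__main__":
    # Constructed sample inputs mirroring the original question.
    for qs in ("admin=True", "admin=1", "admin=0", "admin=", "user=bob"):
        print(f"{qs:12} -> {evaluate(qs)}")
```

The third handler is the one worth recognising on the defensive side: any input that is non-empty is accepted, so a check written that way never actually validates the value.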
You might be wondering why you got so much great advice from some skilled individuals so quickly. I would venture to guess it's because it's so refreshing to see someone who cares about the "why" as much (or more) than the "how"! While so many others are all about having the phattest word lists and how many requests they can send per second, you're saying, "Wait a sec... why did this work?" This tells me you very likely may "have what it takes" to do this stuff.
I can only echo what's already been said: get a lab going and build out some stuff that emulates some of what you're working on. The ability to visualize what might be going on on the back end is huge, so if you wrote it - no more mystery.
Thank you all for your input. Unfortunately I can only code in python and have never built an actual web application, so I guess I have some reading to do! Will definitely keep going at it and finally make the decision to actually read Web Application Hacker's Handbook (I thought I might be able to pull it off without having to go through a 900 page book) since it seems to also explain a lot of concepts fairly in depth.
While practicing labs and googling the "why"s is definitely the way to go, I would say reading up on the basics from books is understated.
There are two books that did a great deal of help to me:
Web Application Architecture: Principles, Protocols and Practices
Web application hackers handbook.
While this may seem to be obvious, not many take the time to actually give these books time for a detailed read.
It would definitely up your game. In fact doing the reverse, now that you have done some labs and messed with burp, try going through these books. There would be so many things that would make a lot of sense when reading. Web app hackers handbook might be a little dated, but core concepts are solid!
Thank you for the reply! I have not heard of Web Application Architecture, will definitely add it to my list. I have been slowly going through Web application hackers handbook, I figured reading it in one go will not make a lot of sense so I have been following this pattern:
Learn about a new vuln type using PortSwigger's Web Security Academy (I find that it is better suited for beginners than PentesterLab) and do the first few labs there
Start reading the corresponding chapter in Web Hackers Handbook and stop when I'm feeling out of depth
Start doing the labs at PentesterLab
Read the reports in Web Hacking 101
Finish the chapter in Web Hackers Handbook
So far I've done this process for XSS, CSRF and I'm just starting on SQL Injection!
Unrelated question: Any advice on which vulns to learn about next? Or are XSS, CSRF and SQL Injection enough to start hunting and slowly get into other vulns in the near future?
The learning pattern you have outlined here makes a lot of sense. It's a nice way of going about learning. Honestly my learning wasn't this structured. I think your learning pattern is solid!
On which vulns to learn about, I'll be honest, till date I have just touched upon XSS and don't know crap about SQL injection. I don't know why, but I have been procrastinating on those two vulns.
Tell you what, here's my two cents. When it comes to starting to learn vulns, most beginners start with learning XSS or CSRF or SQL inj. There's nothing wrong with this.
I am a beginner too (doing real world bug hunting only for the last 11 months). But I took another route:
I rather concentrated on learning how to recon well. The aim here is to increase my attack surface.
Content discovery, directory and file brute forcing
Learning how to map an application for end points
Fuzzing end points with payloads - open redirect, path traversal and possibly SSRF (still need some practice with these vulns though, not very successful yet). But I'll catch up.
Logic bugs - I'll go on for hours trying to know the flow of a particular pattern in the app. Do crap with the parameters.
Authentication bugs
CSRF
This has been my route.
In fact, now I am thinking I have to start learning some technical vulns, like XSS or SQL inj.