Since I got into Infosec a couple of years ago, I've come across some key learning points which would have been really valuable for me, had I had them when I was starting out.
For everyone getting started with web application security, I believe the learning points shared below will help you kickstart your career and become a web application security practitioner.
Obviously, it requires a commitment of both time and effort, but if you have a plan laid out of what you are going to learn and how you are going to learn it, you are already a step ahead of the rest.
As the famous quote says, 'It’s not only about the hard work you put in, it’s the smart hard work that matters.'
With that, here are the 10 Steps to kickstart your web application security career:
1. Get Familiar and Comfortable With Linux:
I can’t emphasize this enough. If you are starting out in web application security, it’s highly recommended that you make yourself comfortable with Linux. This might mean ditching your Windows instance (if you want) and moving completely to Linux.
This is because, during penetration tests, you will often encounter environments built on top of Linux. Yes, there are a number of Windows servers out there, but the popularity of Linux cannot be ignored.
I made the switch from Windows to Linux as my full-time environment 2 years back, and it has helped me both when using various tools and scripts and when I have compromised a web application and need some additional exploitation to gain more control of the target.
You could use Kali Linux, but you might also consider starting with Ubuntu as your full-time OS, learning the nitty-gritty of Linux and getting familiar with basic tasks such as installing packages, configuring tools, writing automation scripts and cron jobs, and more.
2. Find Mentors, Ask Questions, and Use the Online Resources:
I can absolutely understand the enthusiasm and the rush that comes when you jump into security - you want to learn everything, and there are hundreds and thousands of blog posts describing how a particular “security researcher” compromised a given target.
Yes, you will need to learn all of that, but it needs to be in a plan and not all at once, especially when starting out.
Start from the basics of web application security: learn to look for common security issues, apply that knowledge on vulnerable targets, and then move on to real-world web applications as your target.
It also helps to find a mentor who has been through the entire journey themselves and can guide you on what to focus on.
There are a number of YouTube channels, blog posts and articles, and online educational resources to help you with this. You should also engage in online discussions and forums to get comfortable with the community, share what you’ve learned, and learn from other people's experiences firsthand.
Remember, if you ask someone for help every time you get stuck, it will slow you down. Take things into your own hands and look things up yourself first.
3. OWASP Top 10 and PTES:
As someone interested in learning about web application security, you might have come across the term OWASP Top 10 a number of times.
Based on my experience while starting out, I would highly recommend you go through both the OWASP Top 10 and the Penetration Testing Execution Standard (PTES) to get a much clearer and more in-depth picture of the what and how of web application security: the Top 10 catalogs the most critical classes of web application risk, while PTES describes how a penetration test is structured, from pre-engagement and scoping through exploitation and reporting.
I’d also recommend joining a local OWASP chapter or a similar security community and SHOWING UP for the meetups. Once you feel you have an interesting topic and experience to share, ask the organizers for a speaking slot at the next event. You will receive tons of honest feedback, criticism and learning points, which will push you toward becoming a better web application security researcher.
Remember - Taking Action is the first, second, and third step to succeed.
4. Learn Programming Languages:
In order to be a good web application security researcher, you need good proficiency in programming. Even if you're not writing full-blown applications, you need to know the languages these apps are built in well enough to at least figure out what a particular code block is intended to do.
In pen testing, you might have the application's source code (a white-box pen test), or you might need to bypass an input whitelist (allowlist) or break a regular-expression filter. All of this needs hands-on experience with the relevant programming languages and a decent familiarity with them.
Most of the time you won’t find a direct answer online to the problem in front of you, and you need to come up with your own solution to break the application’s security.
Programming experience can also come in handy later on once you want to write your own tools or scripts.
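To make the "break regex" point concrete, here is an added example (not code from the original post) of three whitelist mistakes that show up constantly in web application code, each beside a hardened version. The validators, the `example.com` redirect allowlist and the test inputs are all constructed for illustration; they are not taken from any real application.

```python
import re
from urllib.parse import urlsplit

# --- Mistake 1: '^...$' is not a full-string match ----------------------------
# In Python (and PCRE), '$' also matches just before a trailing newline, so
# "admin\n" passes a check that was meant to allow only [a-z0-9_].
WEAK_USER_RE = re.compile(r"^[a-z0-9_]+$")
# \A and \Z are true string boundaries; fullmatch() also bounds the length.
STRICT_USER_RE = re.compile(r"\A[a-z0-9_]{1,32}\Z")


def weak_username_ok(username: str) -> bool:
    return WEAK_USER_RE.match(username) is not None


def strict_username_ok(username: str) -> bool:
    return STRICT_USER_RE.fullmatch(username) is not None


# --- Mistake 2: search() without anchors ---------------------------------------
# "Is there a digit somewhere?" is not "is this a number?".
WEAK_ID_RE = re.compile(r"[0-9]+")
STRICT_ID_RE = re.compile(r"\A[0-9]{1,10}\Z")


def weak_id_ok(value: str) -> bool:
    return WEAK_ID_RE.search(value) is not None


def strict_id_ok(value: str) -> bool:
    return STRICT_ID_RE.fullmatch(value) is not None


# --- Mistake 3: allowlisting a host with a regex -------------------------------
# Three bugs at once: the unescaped '.' matches any character, '.*' lets the
# allowed domain appear anywhere (e.g. in the query string), and there is no
# end anchor, so "example.com.evil.net" passes.
WEAK_REDIRECT_RE = re.compile(r"^https://.*\.example.com")


def weak_redirect_ok(url: str) -> bool:
    return WEAK_REDIRECT_RE.search(url) is not None


def strict_redirect_ok(url: str) -> bool:
    """Parse the URL and compare the host exactly instead of pattern-matching.

    Rejecting userinfo blocks the 'https://example.com@evil.net' trick, where
    the allowed name is really a username, not the host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host == "example.com" or host.endswith(".example.com")


def bypasses(weak, strict, candidates):
    """Return the inputs the weak check accepts but the strict one rejects."""
    return [c for c in candidates if weak(c) and not strict(c)]


if __name__ == "__main__":
    # Constructed attacker inputs for each validator.
    print(bypasses(weak_username_ok, strict_username_ok, ["admin", "admin\n"]))
    print(bypasses(weak_id_ok, strict_id_ok, ["42", "1 OR 1=1"]))
    print(bypasses(weak_redirect_ok, strict_redirect_ok, [
        "https://www.example.com/login",
        "https://evil.net/?next=.example.com",
        "https://api.example.com.evil.net/",
        "https://www.exampleXcom/",
    ]))
```

The lesson generalizes beyond these three patterns: a regex decides whether a string *contains* a shape, so for security decisions prefer a real parser (here `urlsplit`) plus an exact comparison, and when a regex is unavoidable, anchor it with `\A`/`\Z`, escape literals, and bound lengths.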
5. Learn Security Tools but Don't Be Tool-Reliant:
As you might recall, I mentioned, in my very first point, that you could start your journey in web application security using Ubuntu and not necessarily Kali Linux.
The reason is that on Ubuntu you install and configure the tools yourself, which gives you a better understanding of how they work and how to fix things when something doesn’t run on the first go.
You might later make a switch to Kali Linux once you feel you’re confident enough, but always keep in mind that it’s not about the tools, rather how you use the tools.
In the numerous pen tests I have conducted over the past couple of years, I have never relied solely on tools. I use an approach where tools are just an aid to what I am working on.
6. Vulnerable Targets:
As someone who is just starting out in web application security, practise web application security and exploitation techniques on deliberately vulnerable targets.
These days there are a number of vulnerable web applications you can exploit to get familiar with web application security concepts. DVWA and bWAPP are good examples of what I would recommend for your early days as a web application security researcher. Run them inside an isolated VM or lab network, never on a host exposed to the internet, since they are insecure by design.
Move from one vulnerable target to the next, taking on tougher exercises each time.
Read, Practice and Repeat.
7. 1 VM per Day:
In order to build a successful career and expertise in web application security, setting goals is vital.
I set a goal for myself to exploit one Virtual Machine every day for 30 days to get good exposure to various techniques I could use in order to exploit web applications.
If you get stuck, refer to a walkthrough and keep going from there. Once you have completed the exercise, read several walkthroughs to learn the different methods you could have used to reach the goal.
If you do it for a 30 day period, trust me, you will realize how far you've come in your web application security journey.
8. Bug Bounty:
Moving from VMs, it’s time to go to the real world.
One of the approaches I have found useful for myself is to go for less famous websites in order to increase your chances of finding bugs.
It also helps to start hunting on a program as soon as it launches, rather than on one that has been running for a couple of years and has already been picked over. Whatever the program, read its scope and rules first and stay within them.
9. Read, Read, Read:
Make sure you read a new piece of content every single day.
Subscribe to newsletters from security websites, follow relevant blogs and Twitter accounts that cover web application security, read recently disclosed bugs and, most importantly, try to understand the thought process that went into finding them.
10. Build Something of Your Own:
By the time you get to this step, you should have decent exposure to performing web application security assessments and penetration tests.
Next, based on your experience, build something you think would be useful to you. Focus on what you can build in the next 10 or 20 days that would help you in the bug discovery or exploitation process.
Once you're done, you could release your project as an open-source tool, or use it internally within your organization - it’s up to you.
The key thing is to build something that lets you apply your newly gained knowledge.
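As an illustration of the kind of small tool this step has in mind, here is an added example (not from the original post or any project it mentions): a checker that parses a raw HTTP response and reports missing or weak security headers, version-disclosing headers, and cookies without protective attributes. The sample response is constructed for the example; the header list and value checks are this example's own choices, not a standard.

```python
from typing import Dict, List

# Security headers to expect, each with a predicate for an acceptable value
# (the policy below is this example's own; tune it to your engagements).
EXPECTED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower() and "unsafe-inline" not in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip() != "",
}
# Headers that leak implementation details worth noting during recon.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Cookie attributes every session-type cookie should carry.
COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.x response into a dict of lowercase header name ->
    list of values. Values are kept as a list because Set-Cookie may repeat
    and its values contain commas, so joining them would corrupt them."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_cookie(set_cookie: str) -> str:
    """Return a finding string for a Set-Cookie value, or '' if it is fine."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in COOKIE_ATTRS if a.lower() not in present]
    return f"cookie {name}: missing {', '.join(missing)}" if missing else ""


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Produce a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    for name, is_good in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing: {name}")
        elif not is_good(headers[name][0]):
            findings.append(f"weak: {name}: {headers[name][0]}")
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            findings.append(f"disclosure: {name}: {headers[name][0]}")
    for cookie in headers.get("set-cookie", []):
        finding = audit_cookie(cookie)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit_headers(parse_response(SAMPLE_RESPONSE)):
        print(line)
```

Pointing the parser at real traffic (a saved proxy response, or `curl -i` output) is the natural next step; keeping the parsing, the policy and the reporting in separate functions is what makes a 20-day tool like this easy to extend when you learn about the next header or cookie attribute.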