This is my first article in an international arena. Drawing on my web application testing background, I will share a few lists of resources and tools that will help you in your day-to-day activities.
There are three basic types of pentesters:
Testers who just blindly follow the tools
Testers who follow the tools according to the requirements and concepts
Testers who write the tools and scripts
The resources in this article will mostly pertain to the second category of testers.
Let’s discuss a few important tools here and some tips related to them. Before starting, here are a few brief rules for beginners that need to be considered while testing:
Never trust an automated scanner’s output, as it might contain false positives
Test thoroughly for each and every endpoint
Always fuzz the application manually, not with automated fuzzers
Never brute-force or social engineer the webserver
Learn about the OWASP Top 10 vulnerabilities, which is the common standard for everything
If you are looking for a methodology that you can follow, you can look at the OSSTMM, which will guide you with a step-by-step approach
“I want to learn but I don’t know where to start.” If this is your first thought, follow these short tips:
Start with the Google bug bounty university guide, which provides you with an enormous number of ways to test
You can read the OWASP testing guide, https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents, for a basic list of tests and training
Look for some YouTube channels or security blogs that you can follow
Some books and valuable resources that a web application pentester shouldn’t miss are:
The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws, 1st Edition
The Tangled Web by Michal Zalewski
Ross Anderson’s Security Engineering
Writing Secure Code v2 from MS Press
Some Black Box Testing Tools:
If you need to know about some tools that exist in the market, OWASP has a list here: https://www.owasp.org/index.php/Appendix_A:_Testing_Tools
Bug Bounty Platforms:
Acunetix test sites
For future reference, you can download or import this bookmark list which will be helpful in following up issues:
During pentesting, you will come across a lot of things to test. In order to assist you, the following cheat sheets may help you during testing. These are the three most common types of cheat sheets:
2) SQL Injection
3) Command Injection
Although there are a lot of tools in the market for testing, I hereby present some of the tools that might help you in your day-to-day life:
I hope I covered some of the basic resources that will help my fellow testers in their day-to-day usage. In the future, if I get a chance, I will come back with another set of helpful links.
Google VRP, pentester by profession, bug bounty hunter who spends most of the time analysing web and malware.