Last Updated on July 11, 2018 by Dave Farquhar
IT jobs aren’t as easy to come by as they were 20 years ago, but web app pentesting is one subset of the field that I don’t see slowing down any time soon. Unfortunately it’s a poorly understood one.
But if you spent any significant time in the 1980s or early 1990s abusing commercial software, especially Commodore and Apple and Atari and Radio Shack software, I’m looking at you. Even if you don’t know it, you’re uniquely qualified to be a web app pentester.
The statute of limitations is up, so I can say I knew or knew of a number of people 20 years ago who may have scanned disks for the answers to questions from code wheels and manuals and then changed all of the answers to be the same. Or they may have gone a level deeper, found the code that looked for defects on disks, and no-op’ed out that code, solely because that copy-prevention scheme prevented the software from working with third-party disk drives, of course.
That’s my story and I’m sticking to it.
Many web app pentesters and their managers are too young to remember this era, so they don’t realize there’s a generation of people who would make great web app pentesters even if they don’t know it.
Here’s what 1980s copy prevention schemes have to do with modern web app pentesting.
In both cases, you’re changing the behavior of software in unexpected ways, and in both cases, you’re manipulating the software without the benefit of access to the source code.
It’s a popular misconception that you have to be a software developer, or have a developer’s mindset, to perform web app pentesting. That’s not true at all. What you need to be able to do is follow a methodology and anticipate things that the developer didn’t anticipate. For example, if a web form expects numeric input, a pentester defeats the checks on the form and sends alphabetic input to see if the application fails gracefully. If it doesn’t, that’s a finding.
The tools are similar to those of yore as well. A web app pentester uses a web browser configured to use a proxy server that sits on the same computer and allows you to intercept requests and change them before passing them on to the web application. Using one of these proxy servers isn’t much different from using a disk sector editor or a machine language monitor: it intercepts the data and allows you to view and manipulate it in various ways.
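To make the “fails gracefully” test concrete, here is an added example (not from the original post) of the server side of the numeric-form case described above: a constructed `quantity` field whose only validation is in the browser, handled first by a naive handler that trusts that check and then by a hardened one that re-validates the request the proxy may have altered.

```python
from urllib.parse import parse_qs

# Constructed scenario: the HTML form only accepts digits in "quantity",
# but an intercepting proxy lets the tester edit the request after the
# browser's check has already passed, so the server sees "quantity=abc".


def naive_handler(query_string):
    """Trusts the browser's validation. int() raises ValueError on
    non-numeric input, which surfaces as an unhandled exception
    (typically a 500 page with a stack trace)."""
    params = parse_qs(query_string)
    quantity = int(params.get("quantity", [""])[0])  # ValueError on "abc"
    return 200, f"ordered {quantity} units"


def hardened_handler(query_string):
    """Re-validates server-side and fails gracefully with a 400.
    str.isdigit() also rejects signs and empty strings, and the range
    check keeps business logic from seeing 0 or absurd values."""
    params = parse_qs(query_string)
    raw = params.get("quantity", [""])[0]
    if not raw.isdigit() or not 1 <= int(raw) <= 1000:
        return 400, "quantity must be a whole number between 1 and 1000"
    return 200, f"ordered {int(raw)} units"


def probe(handler, query_string):
    """Runs a handler the way a tester reads the result: an unhandled
    exception is recorded as a 500, i.e. an ungraceful failure (a finding)."""
    try:
        return handler(query_string)
    except Exception as exc:  # noqa: BLE001 - we want every crash recorded
        return 500, f"{type(exc).__name__}: {exc}"


if __name__ == "__main__":
    normal = "quantity=3"      # what the browser sends after its own check
    tampered = "quantity=abc"  # the same request after editing it in the proxy
    for name, handler in (("naive", naive_handler),
                          ("hardened", hardened_handler)):
        for qs in (normal, tampered):
            print(f"{name:8} {qs:14} -> {probe(handler, qs)}")
```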
So, to be a competent if mediocre web app pentester, all you have to do is learn the tools and follow a methodology. A good web app pentester knows when to deviate from the methodology, but one must become competent before becoming good, and the field is empty enough that a mediocre pentester can make a good living.
The book The Web Application Hacker’s Handbook, Second Edition discusses the tools and concepts and presents a good methodology in its final chapter.
I don’t think the lack of web app pentesters is due to a lack of people with the necessary skills. I think we just don’t know where to look for those people, and I think finding a match will solve two problems.