Page 25 - Hands-On Bug Hunting for Penetration Testers
P. 25

Joining the Hunt                                                            Chapter 1

            What You Should Already

            Know ` Pentesting Background


            This book assumes a familiarity with both web application engineering and the basics of
            web application security. Any experience with the frontend technologies that will provide
            the interface and context for many of your discoveries is an asset, including a basic
            understanding of HTML/CSS/JS, and the DOM; the client-server relationship, session
            management (cookies, TTL, and so on); and the browser environment. In addition, a
            general acquaintance with the RESTful API architecture, popular application frameworks
            and languages (Django/Python, RoR/Ruby, and so on), common application security
            techniques, and common vulnerabilities, will all be handy. You might be a full-time
            security researcher, a moonlighting web application engineer, or even just a programming
            enthusiast with a light background and a historical interest in security d you'll all find
            something useful within these pages. If you're just beginning, that's OK too d working
            through the step-by-step walk-through in later chapters will help you develop as a security
            researcher; you just might need to fill in the gaps with outside context.

            In addition to these topics, it's assumed you'll also have experience using the command
            line. While many great graphic tools exist for conducting and visualizing penetration
            testing engagements, and we'll use many of them, the CLI is an invaluable tool for
            everything from package management, to real-time pentesting execution, to automation.
            And while many of the tools used will have a compatible Windows counterpart, the actual
            engagements will be conducted (for the most part) on a 2015-generation MacBook Pro
            loaded with High Sierra (10.13.2), if you are working on a Windows PC, you can still
            participate by using a virtual machine or emulation software.



            Setting Up Your Environment ` Tools To

            Know


            All of the tools we'll use in this book will be free d you shouldn't need to purchase anything
            outside of this work to recreate the walk-throughs. In the survey of other security software
            not used directly in our engagements in $IBQUFS   , Other Tools, there will be a discussion
            of other technologies (paid and free) you can leverage for extra functionality.









                                                    [ 10 ]
   20   21   22   23   24   25   26   27   28   29   30