My First Month as a Pen Tester

Photo by Roman Bozhko on Unsplash

Hello Friends,
I am here to document my first month as a Pen Tester, to share my experience with others who are interested in this field as I am.

Getting to this position was not easy, I had to up my skills, even for a Junior penetration tester position. I did CTFs, I read write-ups on how to solve some of those CTFs because I knew almost nothing. I took lots of notes, and saw patterns, I will have other posts that detail my journey better if you are interested. Luckily it worked out because I landed in this Jr. Position. So here we are.

Week 1:
We work individually, but since we are a team, groups of us end up on same tests. I was placed with my hacker buddies in two tests. One was a Web App, and the other was an API test.

The Web App test:
I mainly used Burp Suite Pro for this to see what I can do, I had a limited role, so my account couldn’t do much. So I basically cracked open some of the books that I have on Web App testing, and tried a few things. I didn’t find a vulnerability per say, but I did notice a weird functionality. I dug deeper into it, but still no exploit. At our team meeting, I spoke about what I found, and our boss asked me to create a video of what I found, I think it may end up being for informational purpose.

The API test:
This one was harder, because I have not done a single API test before. So I ended up spending most of my time researching the topic, and researching a tool called Postman and how to use it. After many readings and articles, I was finally able to actually connect to the test. I still couldn’t do much, but I now have learned the basics of a new tool, and a new kind of testing that I very much need to learn more about.

Week 2:
On this week, I had only a single test. Again due to me being a Junior tester, the role to my account was very limited. This did give me the opportunity to do a couple of things.

First: I was able to focus a bit more on how to use Burp Suite a little better. One of my fellow white-hats showed me his trick on how he sets up his scope.

Second: I decided to be adventures and to also use ZAP, which is another tool that is used in similar fashion as Burp Suite. And that was a neat experience. Because it seems that ZAP finds some things that Burp didn’t.

The lesson is to use multiple tools that do the same thing, because it looks like they do find different things.
I have yet to find a vulnerability, but looking at what Burp Suite found in its scans, it gives you an educated guess of the “low, medium, high” of issues. So now, I got to look at them, and read up on what they are and how to exploit them.

Week 3:
I’m starting to develop a strategy, I would be placed on 2 tests per week, so in order to make sure I can focus, would for example work on one test Monday & Tuesday, and the 2nd test Wednesday & Thursday. This leaves me with Friday, which I can use to try different things on either test. There is fairly a lot of reading and researching that happens, so if I come across something that I think could be helpful to either test I can try it on Friday.

Taking what I’ve learned from the week before about Burp Suite & ZAP giving me slightly different results, I would incorporate that into my 2 day test plan. One day I would use Burp Suite, and the Other day I would use ZAP, that way I get to use both tools on both tests, and using one per day helps me learn more about the tool in a more focused manner for me.

Staying organized helps A LOT, the way I do that is I create a folder for each test, and the first thing I do is create a little text file, in the file I would have some basic info about that test, and of course anything I would like to try, and make note of what I have tried, that way I don’t try the same payload or same thing accidently.

Imposter syndrome is real.
The excitement has turned into a bit of overwhelm-ness, tools like Burp Suite & ZAP can give you hints or potential issues on the site that you have scanned, so I would try to research the issues, be it via google or some of the books that I have, but of course since the books don’t know the site your working on, it gives you general information on how things works, and its up to you to figure out how it would pertain to your particular test. Being new to the field, I do tend to get lost sometimes, because I would feel like I don’t know what I’m looking for, or if I see one of these hints, I don’t know how to use it to my advantage, then I would, freeze. Which is a terrible feeling.
At this point, I take a break, maybe go outside for some fresh air and I would come back and look at it with fresh eyes.

Sometimes I would find things that are beyond my ability to do, such as something related to API, at this point, I reach out to my senior testers and present them with the information, if its something they can exploit easily I would let them go a head and do so, we are all on the same team. If I find something that I think I can do but need help with, then I would ask my senior to help me with it so that I would get a better understanding.

Week 4:
I am on 2 tests this week, so far for the first test its been frustrating. Some of my co-workers (who have been doing this more than I) have been able to find some Cross-Site Scripting (XSS) vulnerabilities, yet when I try it, I am not able to do so. It’s a bit frustrating and discouraging. I came across my username and password being passed as cleartext, but since it required me to actually intercept that specific page at the exact time of logging in, and I was not able to get to a page with multiple other usernames and passwords, it was not considered a finding. I feel like I keep swinging and missing, but I must keep going, it’s the only way to learn.

// Conclusion
There you go.
I found creating notes and templates to help me get things done quicker has helped, the simple text file with brief notes on first steps, simple XSS commands to try, and a section for any ideas to try. That seems to help give me some structure, because it can get a bit overwhelming to simply be given a URL, a scope, login credentials and just left to your own devices.

*UPDATE*
Since the original timing of drafting this post, it has been a few more months. I still have not caught a vulnerability yet, but it has become a bit less overwhelming, due to finding a routine in my work day. My XSS command sheet is getting larger, due to me continuing my education via blogs, CTFs, and classes. Though I have to say the feeling of “determination” is overlapping the feeling of “deterioration”. Don’t get me wrong, I still have days when I’m at the lowest of the low, but by simply learning something new really lifts up my spirits.

I hope that was helpful.
Go (ethically) Hack The Planet.
[R/F]