Angara Security employee experience

We continue our series of articles about starting a career in cybersecurity.
This piece was prepared by an employee of the security analysis department of Angara Security; at the author's request we are not disclosing his name. If you have questions after reading it, you are welcome to ask in the comments or by private message to our expert. So, how do you get into pentesting in 2024?

Hi all! I'm @the_ospf, and I work on the Angara Security security analysis team. We do infrastructure penetration testing for large and medium-sized companies and test web and mobile applications. In this article I will describe my path from beginner to security analysis specialist, how I gathered the necessary knowledge and what mistakes I made, and I will share materials that will help you prepare for your first job as a web application security analyst.

The article is aimed mainly at beginners in web application security analysis, as well as at students who badly want to become a hacker, that is, to try their hand at this field.

Disclaimer: most of what is described here is my own opinion, often backed by fellow professionals and by market analysis.

WEB Offensive/Application Security

Pentester is a fairly difficult profession. Working as a web security analyst means searching for bugs and vulnerabilities in web applications using different methods (black, grey and white box). To work in this direction it is important to keep developing, because while you are dealing with vulnerabilities in one framework, ten new pieces of research on it come out (exaggerating, but not by much). You need good self-education skills so that when you meet a previously unknown framework or technology on a project, you can quickly work out which vulnerabilities could potentially be present in it.

The web direction is the most creative one, because for the most part there is no fixed procedure for approaching a given application: everything depends on its functionality (and sometimes there is very little of it).

Required technical knowledge

The main object of our research is web applications. Accordingly, you need a solid grasp of the fundamentals that relate to them in one way or another.

  • Principles of networking. If you want to work as a "Weber" (web pentester) but do not know how an application works at the network level (TCP handshakes, IP addressing and name resolution, domain names, proxies and so on), then I have bad news for you. Knowing networks at least at a basic level is a must-have.

  • How the HTTP/HTTPS protocols work. This really belongs to the first point, but I decided to separate it out. It is important to understand the differences between HTTP methods. Why is PATCH used instead of POST in certain cases? What is OPTIONS for? What are the differences between HTTP/0.9, HTTP/1.1 and HTTP/2? What are certificate authorities for? I suggest answering all of these questions as part of your preparation.

  • Web application architecture. Vulnerabilities do not always come from the code of the web application itself. Sometimes the vulnerability lies in the architecture, for example in the web server or in how a reverse proxy and the server behind it disagree about a request (hello, Request Smuggling). And as a specialist you will almost never be able to see the architecture precisely; you will only make assumptions about what it might look like. Without the appropriate knowledge, that is not easy.

  • Understanding vulnerabilities. Over the past 10 years security has come a long way, and analyzing web applications is now much more than typing quotes into web forms. On projects you will have to explore more complex vulnerabilities and the chains in which they occur. If you come into this direction at almost zero level, you are unlikely to find a job, and it will be extremely hard to search for vulnerabilities and learn what they are at the same time. The more knowledge of vulnerabilities you have at the start, the easier it is. By the way, when I started working in pentesting I already had a decent understanding of vulnerabilities, but there were still cases where I missed something simply because I did not know that such a technology or vulnerability existed.

  • Basic skills in searching open sources. You need to be able to find answers to your questions on your own. Even if you have friends with experience of your problem, the first thing we do is go to open sources, and only if we cannot work it out ourselves do we go to friends for help. Over the long run this skill will make your life much easier.

  • Ability to write and read code. As described above, there are several methods for analyzing web applications. In the case of the white box method you will have the application's source code, and here experience in developing web applications will not hurt at all. It is often much easier to see how a particular mechanism is implemented in the code than to test it dynamically. Not to mention that you will constantly have to read client-side JavaScript. So you must be able to read code, and, importantly, read code in different languages.
    At least the basics of PHP, JavaScript, Python, Java, C# and, God forbid, C++. You will also often have to write automation scripts or adapt other people's tools and scripts for your own needs.

  • General understanding of the scope of work. There are often situations where you analyze web applications as part of testing the external perimeter, so it is important to know something about infrastructure pentesting. Under such conditions part of your arsenal as a "Weber" becomes useless. You need a basic understanding of how to scan a network, what vulnerable services exist and which ports they run on, so that you do not miss some exposed service with cleartext credentials just because you only know how to look at the web.

  • Information security basics. You need to understand the basic terms: the properties of information, what a vulnerability is, what exploitation is, and so on. I will not even mention English at the level of reading technical documentation. Administration of Windows and Linux systems is also a must-have skill. Not what 99% of students write on their resumes, but the real ability to set up an environment for yourself, roll out the necessary tools, resolve dependencies, in short, everything you need for the job.
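As an added example (not from this article and not Angara Security tooling) of the kind of small Python automation script the list above has in mind, and of why the architecture point matters: the script below parses a raw HTTP/1.1 request and reports whether its Content-Length and Transfer-Encoding headers would make two hops, say a reverse proxy and the origin server, disagree about where the body ends. That disagreement is the architecture-level ambiguity behind Request Smuggling. The sample requests, the host name shop.example and the warning texts are constructed for this illustration.

```python
"""Added example: parse a raw HTTP/1.1 request and report framing ambiguities
(Content-Length vs Transfer-Encoding) that two hops may resolve differently.
Constructed for this article; not a tool from Angara Security or from the
resources listed here. Sample requests and host names are made up."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ParsedRequest:
    method: str
    target: str
    version: str
    headers: list[tuple[str, str]]   # header names kept exactly as on the wire
    body: bytes
    warnings: list[str] = field(default_factory=list)

    def get(self, name: str) -> list[str]:
        """All values of a header, matched case-insensitively on the trimmed name."""
        return [v for n, v in self.headers if n.strip().lower() == name.lower()]


def decode_chunked(body: bytes) -> tuple[bytes, bytes]:
    """Decode a chunked body; return (decoded data, bytes left after the last chunk)."""
    data, pos = b"", 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:end].split(b";", 1)[0].strip(), 16)  # drop chunk extensions
        pos = end + 2
        if size == 0:  # last-chunk: skip trailer fields up to the empty line
            while True:
                end = body.find(b"\r\n", pos)
                if end < 0:
                    raise ValueError("truncated trailer section")
                line, pos = body[pos:end], end + 2
                if not line:
                    return data, body[pos:]
        data += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def parse_request(raw: bytes) -> ParsedRequest:
    """Split request line, headers and body, then attach framing warnings."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section not terminated by CRLFCRLF")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name, value.strip()))
    req = ParsedRequest(method, target, version, headers, body)
    req.warnings = check_framing(req)
    return req


def framing_lengths(req: ParsedRequest) -> tuple[int | None, int | None]:
    """Body bytes consumed under Content-Length framing and under chunked framing
    (None when that header is absent or the chunked body does not decode)."""
    cl, te = req.get("Content-Length"), req.get("Transfer-Encoding")
    cl_len = min(int(cl[0]), len(req.body)) if cl else None
    te_len = None
    if te:
        try:
            _, leftover = decode_chunked(req.body)
            te_len = len(req.body) - len(leftover)
        except ValueError:
            pass
    return cl_len, te_len


def check_framing(req: ParsedRequest) -> list[str]:
    """Flag header combinations that a proxy and an origin server may read differently."""
    warnings = []
    for n, _ in req.headers:
        if n != n.strip():
            warnings.append(f"header name {n!r} has stray whitespace: some servers honour it, others ignore it")
    cl, te = req.get("Content-Length"), req.get("Transfer-Encoding")
    if len(set(cl)) > 1:
        warnings.append(f"conflicting Content-Length values {cl}")
    if any(v.lower() != "chunked" for v in te):
        warnings.append(f"non-standard Transfer-Encoding {te}: a hop that does not recognise it falls back to Content-Length")
    cl_len, te_len = framing_lengths(req)
    if cl and te:
        warnings.append("Content-Length and Transfer-Encoding both present: RFC 9112 says Transfer-Encoding wins, but not every proxy agrees")
        if te_len is None:
            warnings.append("chunked body does not decode: a chunked hop keeps waiting for data, a Content-Length hop forwards it")
        elif cl_len > te_len:
            warnings.append(f"CL.TE desync: a Content-Length hop forwards {cl_len} bytes, a chunked hop stops at {te_len} and treats {req.body[te_len:cl_len]!r} as the start of the next request")
        elif te_len > cl_len:
            warnings.append(f"TE.CL desync: a chunked hop forwards {te_len} bytes, a Content-Length hop stops at {cl_len} and treats {req.body[cl_len:te_len]!r} as the start of the next request")
    elif cl and int(cl[0]) != len(req.body):
        warnings.append(f"Content-Length {cl[0]} does not match actual body length {len(req.body)}")
    return warnings


# Constructed sample requests (not captured traffic): the two classic shapes.
CL_TE_REQUEST = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
                 b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"0\r\n\r\nSMUGGLED")
TE_CL_REQUEST = (b"POST /search HTTP/1.1\r\nHost: shop.example\r\n"
                 b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
                 b"8\r\nSMUGGLED\r\n0\r\n\r\n")

if __name__ == "__main__":
    for raw in (CL_TE_REQUEST, TE_CL_REQUEST):
        req = parse_request(raw)
        print(req.method, req.target, framing_lengths(req))
        for w in req.warnings:
            print("  !", w)
```

The script only reasons about one request on the wire; which hop actually uses which framing is exactly the part of the architecture you cannot see from outside, so in practice you confirm it with timing or differential responses, as the PortSwigger labs on this topic walk through.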

And now the answer to the main question of this piece: how do you actually start a career in pentesting?

I will tell the story of my employment as a security analysis specialist.

To some extent I was lucky: I started looking for a job in information security while in my third year at Moscow Polytechnic University. We studied under the "associate" program, which means immersion in the specialty first and theory afterwards. So by the third year I already knew networks well (I could have passed CCNA R1), we also had several good development courses, including web applications, and Windows and Linux administration was not left out either. I had also managed to work a little as a PHP developer and wanted to keep moving along that path, but...

My fate was changed by two subjects that appeared for the first time: security analysis and security analysis tools. The courses were very raw, but even then the area seemed interesting to me. I and several other interested students began to work in this direction, asking the lecturer questions along the way. This went on for six months.

By then I had gained basic skills in security analysis, managed to dig into bWAPP and DVWA, and even practiced a little infrastructure pentesting. When I decided to look for a job in this direction, I faced a choice: web or infra. Given my previous experience in web application development, the choice was obvious.

But when I proudly sat down to look for web pentester vacancies, I was disappointed: at that time companies had a somewhat different approach to this position and practically did not hire juniors or interns (it is not like that now).

My knowledge, to put it mildly, fell short of the required level. I started looking for companies through which it would be possible to grow into a security analysis specialist. I got a job at Angara Security in information security technical support, declaring at the first interview that I planned to move to OAZ (the security analysis department). After a couple of months I finally got an interview as a security analysis specialist, where I realized what my weak points were.

Well, after that nothing interesting: they gave me a mentor and study materials to close my gaps. And after four more interviews... and several months of study, the goal was achieved.

Stepping on the same rake twice

My main mistake while studying was this: I thought that the more vulnerabilities I studied, the better a specialist I would be, but in reality it turned out quite differently. Solving vulnerability labs only gives you a direct understanding of the vulnerability; it does not give you the skill of searching for that vulnerability or its manifestations. For example, when solving an XSS lab on root.me, you have an application with very limited functionality whose vulnerability is known from the very start. The difficulty of finding the vulnerability is thus minimized.

In real projects you never know where the vulnerability might be, and the main difficulty lies in finding it. Because of this, at first I often lacked persistence. On top of that, exploiting bugs in real projects is often complicated by other things, for example the session mechanism, a WAF, and so on.

In addition to studying the material above, I highly recommend deploying and analyzing various vulnerable applications without looking in advance at the technology stack or at where the vulnerabilities are. This will give you at least minimal experience and an idea of what a real project can look like (I leave links to a few below).

A beginner Weber's pain

At the job search stage you will most likely face a choice: go to a well-known company or to a no-name one. And the choice is not as obvious as it seems at first glance.

If you go to a well-known company, the level of expertise will be higher and there will most likely be a well-developed mentoring practice, but the paradox is that there will be very few critical and interesting bugs on projects.

This is mainly because pentesting services from large or well-known providers cost more, so their customers have proper budgets for development and security analysis. That means you will be testing "strong" applications, or applications that somebody has already tested before you. And if you have no prior practice, that will be especially hard.

I recommend looking for companies that work mainly on external projects. You can also join a company that hires a team for internal projects, but the requirements there are higher and the work is routine, so I would still recommend considering integrators.

In the case of little-known companies, you will most likely have no mentor, and you will have to put up with a lower level of expertise and lower pay. But it is precisely these companies that most often get pentests ordered for the "leakiest" applications, which are the most interesting from the analyst's point of view.

Which way to go is your choice; I chose the first option. But I have at least a few friends who took the second path and now have a good level.

Material for preparation:

As promised, here is a list of things that will definitely help you prepare for your first job. I tried to select mostly free materials so that everyone has the opportunity to learn.

If you have absolutely no basics in security analysis (for example, there were no classes on the topic at your university, or you did not study in this specialty), then I recommend taking any paid basic pentesting course. To be honest, good courses (CEH, for example) are very expensive, and I do not know any good ones in the budget segment.

I have attached a selection of courses; see what interests you. Take whichever course is closest to you, so that you have a foundation on which further knowledge can be layered. The main thing to understand is that a course only gives an initial understanding of the field and will not turn you into a ready-made specialist, whatever the course authors claim.

Studying vulnerabilities and their exploitation:

PortSwigger Web Security Academy – a great academy for web pentesters with a very good pool of vulnerabilities, explanations, and labs for practice. This was my key resource during preparation. If you do not look at the write-ups but try to immerse yourself in every vulnerability, you will definitely improve a lot. The only downside is that sometimes there are very sophisticated chains that you will never see on projects, and there is a real chance of burning out on them.

Root.me – a good resource for studying vulnerabilities. The downside, again, is that the lab concept is far from real projects. It is worth using to reinforce PortSwigger and to solve labs on the topics you have studied. Do not get too immersed in it, since all the labs from the "difficult" level upwards are not for beginners at all...

HackTricks – the pentester's encyclopedia, a collection of payloads and techniques for exploiting a huge range of vulnerabilities.

PayloadAllTheThings – another gigantic collection of payloads that will definitely be useful.

Apps worth digging into: WebGoat, DVWA, V.W.A.

Vulnerable “project-like” applications:

I definitely recommend trying out applications like these yourself, imagining that you are on a project and analyzing the security of this application.

OWASP Juice Shop – a vulnerable online shop from OWASP.
DVGA – Damn Vulnerable GraphQL Application, a vulnerable app built on GraphQL.
Generic University – a very good application for practicing the search for API vulnerabilities.
vAPI – another vulnerable API.

Web application architecture:
This – a very good video about web application architecture.
This – a little complicated article from the point of view of terminology, but it will be very useful as an attachment to the video. Plus, it describes various technologies and frameworks that are used in modern web applications.

Ability to write/read code:

If you have no programming skills at all but a very strong desire to learn, you can start with free C++ courses (not a joke) and switch to Python later.

There is also a paid alternative, but that is at your discretion; I have not taken this course myself and cannot vouch for whether it is needed.

I believe that Python is the most suitable language for the web direction, because code is quick to write, which saves time on projects. It also matters that Python is interpreted and, unlike Go, does not require setting up a project. But in any case, you are free to choose.

Principles of networking / How the HTTP/HTTPS protocols work:

This is a fairly simple and understandable course that comprehensively describes how a web application works. If you have gaps in your understanding of how a client interacts with a web application, I highly recommend it.

Information security basics:

Here I simply list everything I have ever watched and consider useful for refreshing knowledge and closing gaps.

Database course
Basic book on information security
JavaScript for Pentesters
Cool course on OS Linux administration

Good course on networking – I do not recommend going too deep into configuring intermediate devices if you have not studied networks before. In any case, Packet Tracer is worth understanding, especially in Simulation mode, since it lets you see how packets move across the network. You can also inspect the contents of a packet: for example, deploy a web server on a host and watch how the client reaches the web application server.

Useful tools:

Here is a list of the tools I find most useful. But bear in mind that there are a huge number of options for any given task, and everyone uses what they find convenient.

Burp Suite – the fundamental tool for analyzing web applications; it also works great as an HTTP/HTTPS traffic analyzer. There are analogues, for example OWASP ZAP, but in functionality and extensibility Burp is far ahead of them.
ffuf – an excellent tool for fuzzing, brute-force attacks and race condition exploitation. Analogues: wfuzz, gobuster.

x8 – a tool for discovering hidden parameters in web forms. A good analogue is Param Miner, an extension for Burp Suite.
sqlmap – automates the search for SQL injection; preinstalled in Kali.

Burp Active Scan – a component of Burp Suite Professional, probably the best scanner for finding vulnerabilities in web applications.
If you get stuck at the vulnerability-search stage, you can also try Acunetix or Nessus.

I also came across this article by colleagues from Digital Security on the same topic, and I recommend reading it.

Overall…

Don’t give up

Try to fully immerse yourself in what you are studying.

Study everything systematically

Actively use Google and look for information on all unclear points

When you realize that you are ready to look for a job, don’t be afraid to go for interviews.

Happiness, health, good luck, may the web offensive be with you =)
