In 2022 alone I’ve performed about 20 pentests so far (as of early May). A large majority of them involve application security.
My current methodology is heavily manual. I don’t do much perimeter and network testing unless specifically required to. Thus, recon and automation are not part of the core of my current methods.
A large part of my testing involves using Burp Suite, analyzing requests and responses, looking for access control issues, input validation issues, rate limiting issues, authorization and business logic issues, and code review. Then, if time permits I do a bit of OSINT and perimeter testing.
I don’t just blindly test anything and everything because that’s the recipe for testing nothing (failure). I follow my own written methodology, as well as a few key resources that I’m going to mention here. All of them are free resources.
Application Security Cheatsheet - by 0xn3va
Hacktricks - by Carlos Polop
Pentest Book - by six2dez
Additionally, there are two amazing free resources by OWASP that I rely heavily on because a lot of my testing is in accordance with OWASP.
Web Security Testing Guide (WSTG) - by OWASP
Cheat Sheet Series - by OWASP
It’s important to point out that not only do I use them while actively testing, but since they are so comprehensive and frequently updated, I also study from them and review them outside of testing, in the time allotted to studying and leveling up my skills.
If you’re a pentester and have similar resources, share them below please.
I have some open spots for coaching and consultations in cyber, machine learning and web application super-fast development with nocode (like I did with Alterai.me - from idea to product in less than 30 days). No coding experience is required. You can contact me by replying to this email or DM on Twitter @cristivlad25.
Also, feel free to reach out on Twitter with thoughts about what I said here or to tell me what I can do to help you grow in any way, shape, or form.
Cheers, Cristi