Starter pack on Penetration/Security Testing for newbies

As an experienced Tester, recently I have been endeavouring to grow my Penetration & Security Testing skills.

As with any new skill-set, the journey can get overwhelming very quickly because of the vast number of concepts, new terminologies, and the lack of dedicated mentorship and research sources.

Based on my learning and explorations over the past few months in the Pen Testing & Cyber Security realm, I am putting together a table of learning goals and resources that I hope will help Testers start out on their journey in Pen Testing.

This is not by any stretch a replacement for real-world project experience or structured certification training like OSCP, but is rather aimed at full-time Test Professionals who, on the side, are interested in learning about security challenges & Pen Testing for Web, Network and Mobile apps.

Learning goal/research topic | Resources
What are some of the most common security weaknesses out there? OWASP Top 10
How can you inspect HTTP requests/responses, view source code, manipulate cookies etc. using Chrome DevTools?
Why is Kali Linux so popular with Pen Testing practitioners? How can you install Kali Linux using VirtualBox?
Set up your own instance of Kali Linux, and if you are new to Linux, it is handy to go through this –>
Where can you find apps that are deliberately vulnerable?
The common Pen Testing approach for all tool sets below is –
You have a machine + OS (like Kali Linux) to be your “attacker” machine, i.e. the one from which you run the tools to find weaknesses in the “target” machine or a machine hosting the vulnerable app.
How do you scan a web app for vulnerabilities? Start with ZAP proxy –
Application of ZAP proxy to detect common weaknesses in Web apps
then explore Nessus –
Why does everyone rave about Burp Suite?
What capabilities does it provide to perform scanning and penetration attacks?
Starting with Burp Suite ->

OWASP Top 10 detection using Burp Suite –>
This is quite intense, but well worth the learning
What is Network reconnaissance?
Which is a beginner’s tool to scan your network for gathering information?
Watch this series of excellent tutorials on Nmap from YouTuber – HackerSploit
Are there any tools solely focussing on trying to exploit SQL databases?
Yes, SQLMap is one that is preinstalled on Kali Linux, that you can use to try & penetrate a vulnerable website
How do you get started with Android Pen Testing? Understand Android architecture and how Android apps are built.

Use one of the traffic sniffing tools (e.g. Burp Suite proxy) to intercept traffic from an Android app

This is intense again, but going through these tutorials really helped me get an understanding of common Android vulnerabilities and how to detect them.

How do you reverse engineer APK files and study application code for static verification? Apktool and JADX GUI are two reverse engineering tools that I used

Are there any “Security as a Service” type of scanners for apps? I explored and played with 3 –

Python based and you have to install it locally

Ostorlab – A cloud-based service where you can upload your app and run vulnerability scans on it

ImmuniWeb – Another cloud-based service

Other tools that I have come across but have not used yet
Infection Monkey – Simulates breaches & attacks on your Network
Going deeper into Mobile Application Security

This book by the OWASP Team is excellent and has great hands-on material
Self Training and hacking practice platforms

I have primarily used TryHackMe and their paid service, and found it well worth the $10 per month that they charge

There is another one I have come across but not used yet –

