Web App Pen Tester @ Consultancy
┌──(insider@thread)-[~]
└─$ cat summary.txt
7 years' experience
You get a lot of people who sometimes are like a pen test is just a checkbox exercise. And to some it is, but that's not a bad thing.
What do you do?
I test web applications to understand if there's any flaws that an attacker could exploit to gain access to things they shouldn't.
What information are you given?
Generally speaking, you have white box, grey box, and black box tests.
Black box, you're given very little. A login and maybe a walk-through of how to use the application. The idea being that you know nothing about the internal structure.
Then there’s white box where you essentially know everything. You’re given the code, you are told what the underlying infrastructure looks like, and there's open communication if you need more information.
Grey box is the middle bit. You get some information, but not all. I usually find those are code reviews. You get given the code, which is a lot of information, but you don't always see everything, and you don't always play with the actual application itself.
What would usually be done?
Black box, realistically. I do wish that it was more widely supported to supply code.
Why do you think that is the case?
I think there's two parts to it.
Sometimes clients don't understand what you might need from them, or we're not making that clear. Testers don't often have those conversations because it can be difficult for them to get the test through.
The second part is it can also make clients feel a little uncomfortable. Clients often don't want to share code and are protective of it.
What do you think is the most effective?
For most clients, you just need to not be the lowest hanging fruit. A black box will get them everything that they need.
Favourite technique?
I love broken password reset requests. It's really easy to understand and it's a really easy thing to miss if you're a developer. You're not always thinking about it, but there's a great range of ways it can be broken.
An attacker can reset the password on an account and get access to it. I have seen examples where the only thing you need to reset the password is a link that contains the user’s email address.
What is something you rely on day to day?
I have a long list of notes that I refer back to and it has everything I need. A good example is my cross-site scripting POCs. It's a huge list of things for me to try. I know they work and I have seen them get around certain filters.
How did you get into web app testing?
I started on service desk and then moved into a patching role within the same company. From there, I joined a new company that took me on, with my background in vulnerability management, as a junior tester. I think that's a very different path. A lot of web app testers start as developers.
I started with no web app knowledge apart from how to use the internet. Hack The Box and that kind of thing. I did a lot of shadowing. And after about three months, I did a pen test. It was a lot of Googling things, trying to figure out how things worked. From that I was learning on the job and was full-time testing.
Are there any misconceptions about web app testing?
People think you don’t have to have good people skills. You absolutely do. Not only are you trying to work with clients, you do talk to them. It’s not just emails and reports. Clients will ask you on calls why you didn’t find a vulnerability and ask for an explanation.
Do you have any difficult conversations?
You get those conversations where the test was done last year and they didn't fix something, and you do the test and don't find whatever it was. You get people who are like "why didn't you find it?", "weren't you doing your job well enough?"
There are also people that refuse to accept when you've raised something. They might argue it’s not a real vulnerability because of X, Y, and Z. Usually they don't understand our perspective in that when we’re doing a pen test, especially black box testing, we don't know X, Y, and Z.
We've got the application in front of us and we report on what we see. A good example is “We have a WAF and we have these protections” but that doesn't change our report.
Do you think a WAF should be turned off for testing?
It's an interesting question because arguably their WAF is probably one of the biggest protections they have on their application. But WAF circumvention is a thing, and we don't have time on a pen test to sit there and try and work our way past a WAF to understand what is actually a vulnerability. So in my opinion, you should be through the WAF, because we are assessing the application, not how good your WAF is.
How does your role improve security?
You get a lot of people who think pen tests are just a checkbox exercise. And to some it is, but that’s not a bad thing. Occasionally you do find things that the client didn’t know about and genuinely are a huge problem and they need to get fixed.
I think the bigger reason it helps is because a lot of systems require a pen test. PCI DSS requires a pen test, trying to get certain accreditations requires a pen test. To pass, this essentially means not getting high or critical findings.
Those requirements make sure web apps are not complete rubbish and don't have glaring holes in them. And I think that's the part that actually improves security.
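The password-reset flaw described in the "Favourite technique" answer above (a reset link whose only "secret" is the user's e-mail address), shown as an added example that is not part of the interview and not code from any client or product the interviewee discusses. The broken handler trusts the e-mail parameter from the link, so anyone who knows an address can take over that account; the hardened handler beside it issues a random, expiring, single-use token, stores only its hash server-side, and looks the account up from that record rather than from anything the client sends. The URLs, the in-memory user store, the 15-minute validity window and the sample addresses are all assumptions constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store for the example (email -> password digest).
# A real system would use a slow password hash such as bcrypt or Argon2;
# plain SHA-256 is used here only to keep the example self-contained.
def _pw_digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

USERS = {
    "alice@example.com": _pw_digest("old-password"),
    "bob@example.com": _pw_digest("correct-horse"),
}

def check_password(email, password):
    stored = USERS.get(email)
    return stored is not None and secrets.compare_digest(stored, _pw_digest(password))


# --- Broken flow: the only thing in the link is the victim's e-mail address ---

def vulnerable_reset_link(email):
    # Hypothetical URL; nothing in it is secret, so the link is guessable for any user.
    return "https://app.example/reset?email=" + email

def vulnerable_reset_handler(query_email, new_password):
    """Trusts the e-mail parameter from the link: anyone who knows (or guesses)
    a valid address can set a new password on that account."""
    if query_email not in USERS:
        return False
    USERS[query_email] = _pw_digest(new_password)
    return True


# --- Hardened flow: random, expiring, single-use token bound server-side to the account ---

TOKEN_TTL_SECONDS = 15 * 60   # assumption: 15-minute validity window
RESET_TOKENS = {}             # sha256(token) -> (email, expiry timestamp)

def request_reset(email, now=None):
    """Called by the 'forgot password' form. Returns the token that would be e-mailed
    to the user, or None if the address is unknown. The HTTP response should look the
    same in both cases so the endpoint cannot be used to enumerate accounts."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                       # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[digest] = (email, now + TOKEN_TTL_SECONDS) # store only the hash
    return token

def hardened_reset_link(token):
    # Hypothetical URL; the account is NOT named in the link, only the one-time token.
    return "https://app.example/reset?token=" + token

def hardened_reset_handler(token, new_password, now=None):
    """Consumes a token. The account comes from the server-side record, never from a
    parameter the client controls."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop => single use, even if checks below fail
    if entry is None:
        return False                         # unknown, forged or already-used token
    email, expires_at = entry
    if now > expires_at:
        return False                         # expired
    USERS[email] = _pw_digest(new_password)
    return True


if __name__ == "__main__":
    # Attacker knows only the victim's address, which is enough for the broken flow.
    print("broken flow, attacker resets bob:", vulnerable_reset_handler("bob@example.com", "pwned"))
    # In the hardened flow the address alone buys nothing; the token has to reach the inbox.
    t = request_reset("alice@example.com")
    print("hardened flow, guessed token:", hardened_reset_handler("not-a-real-token", "pwned"))
    print("hardened flow, real token:", hardened_reset_handler(t, "new-secret"))
    print("hardened flow, replayed token:", hardened_reset_handler(t, "again"))
```

When testing a reset flow black-box, the checks this example encodes are the ones to run: change the e-mail or user identifier in the link, replay a token after use, use a token after its window has passed, and watch whether the "forgot password" endpoint answers differently for known and unknown addresses.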

