Empowering Junior Testers - Strategies for Uncovering Critical Vulnerabilities in Web Applications
This presentation was released at the first-ever BSides Exeter!
Are you a new or aspiring penetration tester attempting to navigate the seemingly endless stream of complex new information and struggling with crippling imposter syndrome at every turn? Then let me be the first to tell you, “You are one of us”. I am yet to meet a fellow tester who hasn’t in the past, or even presently, felt this way and I’d like to attempt to help you discover your own confidence as a tester, by sharing my experiences as a junior tester as I attempted to hunt down my first critical bugs.
Junior testers are too often in a battle with their own self-doubt, endlessly attempting to find their first big, critical bug that will finally allow them to prove to themselves that they have what it takes. In this session, I’ll walk through two real-world case studies from my first two years as a penetration tester that had massive critical impacts. I’ll cover the story of how these vulnerabilities were discovered, how I escalated the impact of the vulnerabilities to their maximum potential and, crucially, what tools and techniques enabled me, as a junior tester, to discover these vulnerabilities in applications that had already passed through multiple other testers’ crosshairs.
Along the way, we’ll explore how a trivially exploitable access control bypass was left undiscovered in Microsoft Azure’s API Management developer portal, and how infamously challenging vulnerability classes like HTTP Request Smuggling can be tamed to achieve massive application-wide impacts.