Posts

PortSwigger's Server-Side Vulnerabilities Path: What the Labs Don't Tell You (And Why Rana Khalil's Videos Fill the Gap)

To start learning Burp Suite I embarked on the PortSwigger Server-side vulnerabilities path (for Apprentice level). You would think this would be a course for absolute beginners. Yes and no. Let me break it down.

What you need to know:

First, it would be helpful if you took an Intro to Cybersecurity course so you understand the terminology they are talking about. The areas covered in this path are:

· Path traversal
· Access control
· Authentication
· Server-side request forgery (SSRF)
· File upload vulnerabilities
· OS command injection
· SQL injection

They do give some information, but it's more an overview of a topic than an in-depth explanation.

Second, watc...

How I'm Translating QA Test Planning to Security Test Cases

My tech writing led to manual QA testing and now I'm transitioning into offensive security. When I was doing manual QA testing there was some overlap with security testing; however, solid security testing includes threat-informed testing. This means reasoning about:

· what to attack and
· why

I translated my QA testing background into a security threat matrix. I learned what went right, what went wrong, and I was introduced to threat modeling frameworks, which provide a more structured approach to identifying and tackling security risks.

Why Should Security Testing Be Its Own Thing?

QA asks "does it work as designed?" I created test plans to ensure that features and software follow requirements, and I hunted for issues. My findings were mainly for devs to fix bugs, errors, defects, etc. Now how do I prepare to test whether someone wants to take advantage of vulnerabilities in the software? This is the secu...