Web Application Pentesting and the Importance of Specialization with Tib3rius

Hello and welcome to another episode of The Phillip Wylie Show. Today, I am thrilled to have Tib3rius as my guest. Tib3rius is a renowned penetration tester with over ten years of experience, specializing in web application security. In this thought-provoking interview, we delve into the world of web application security, discussing the significance of specialization, the evolution of tools like Burp Suite and OWASP, and the role of bug bounty programs in gaining practical experience. Let's dive in and explore these fascinating topics in more detail.

The Power of Specialization

Tib3rius emphasizes the importance of specialization in the field of web application security. He shares his journey of discovering his passion for web application security and how he focused his career on this specific area:

"I figured out early on that network pen testing is all right, but I really like doing the web stuff. So that was sort of where I aimed my career and I pretty much now exclusively just do web applications for the company I work at."

Specialization allows professionals to become subject matter experts in their chosen field, enabling them to provide more targeted and effective solutions. Tib3rius believes that specializing in a specific area of penetration testing, such as web application security, allows individuals to go deeper and gain a comprehensive understanding of the vulnerabilities and techniques associated with that domain.

Autorecon: A Game-Changing Tool for OSCP

Tib3rius created a tool called Autorecon, which gained significant attention in the Offensive Security Certified Professional (OSCP) community. Autorecon automates the enumeration process, a crucial step in penetration testing. Tib3rius explains the motivation behind creating Autorecon:

"One of the things, obviously you're not allowed to automate exploitation on the OSCP, but you were always allowed to automate enumeration. So that's like the initial port scanning and service scanning and everything… I decided, you know what, I'm just going to build my own and kind of just merge the features of all of those into one. And that became Autorecon."

Autorecon proved to be a valuable tool for OSCP candidates, as it streamlined the enumeration process and saved time. Tib3rius cautions against using Autorecon for real-world networks, as it is specifically designed for OSCP and CTF boxes. However, its success in the OSCP community highlights the need for efficient and effective enumeration tools in the field of web application security.

The Evolution of Web Application Testing Tools

The conversation shifts to the evolution of web application testing tools, with a focus on Burp Suite and OWASP. Tib3rius shares his thoughts on the recent separation of OWASP's ZAP tool from the organization:

"I think that's a good move… I don't necessarily think they're going in the right direction… I think what started with good intentions just… they almost became too big and they just have too much stuff going on. And as a result, I think projects have just kind of collapsed a little."

Tib3rius expresses his concerns about the direction OWASP is taking and the dilution of its projects. He believes that the focus should be on quality rather than quantity. The separation of ZAP from OWASP may provide an opportunity for the tool to receive more dedicated attention and potentially secure funding for further development.

The conversation then turns to Burp Suite, a widely used web application testing tool. Tib3rius highlights the power of Burp Suite's Intruder tool for fuzzing and emphasizes the importance of extending the tool's capabilities through scripting and coding:

"If you can stick to one tool and if you can extend that tool in various ways to accommodate your needs, I think that's probably better than just spreading yourselves over a bunch of them."

Tib3rius also mentions his own experience in developing Burp Suite extensions, particularly for reporting purposes. He created an extension to streamline the reporting process by removing unnecessary headers and truncating cookies, ultimately improving the efficiency of the pen testing workflow.
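The reporting clean-up described above, as an added illustration that is not Tib3rius's extension and does not use Burp's extension API: a stand-alone Python routine that drops noise headers from a captured HTTP request and shortens cookie values so a report shows only what a reader needs to reproduce the finding. The header list, the truncation length and the sample request are all assumptions constructed for this example.

```python
# Added example, not code from the interview or from Burp Suite: trim a raw
# HTTP request for inclusion in a pentest report. The request line and body
# are kept verbatim; only header lines are filtered or shortened.

# Headers that add noise to a report but rarely matter for reproduction.
# This list is an assumption chosen for illustration.
NOISE_HEADERS = {
    "accept", "accept-encoding", "accept-language", "cache-control", "pragma",
    "connection", "upgrade-insecure-requests", "sec-fetch-dest", "sec-fetch-mode",
    "sec-fetch-site", "sec-fetch-user", "sec-ch-ua", "sec-ch-ua-mobile",
    "sec-ch-ua-platform", "dnt", "priority",
}

# Maximum characters kept from each cookie value before it is elided (assumed).
COOKIE_MAX = 16


def truncate_cookie_header(value: str, limit: int = COOKIE_MAX) -> str:
    """Shorten each cookie value in a Cookie header, keeping cookie names intact."""
    parts = []
    for pair in value.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, val = pair.partition("=")
        if sep and len(val) > limit:
            val = val[:limit] + "...[truncated]"
        parts.append(f"{name}{sep}{val}")
    return "; ".join(parts)


def trim_request(raw: str, noise=NOISE_HEADERS, limit: int = COOKIE_MAX) -> str:
    """Return the request with noise headers dropped and cookie values truncated."""
    head, sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    kept = [request_line]
    for line in headers:
        name, colon, value = line.partition(":")
        if not colon:
            kept.append(line)  # malformed header line: keep as-is rather than guess
            continue
        lname = name.strip().lower()
        if lname in noise:
            continue
        if lname == "cookie":
            kept.append(f"{name}: {truncate_cookie_header(value.strip(), limit)}")
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body


# Constructed sample request (not captured from any real system).
SAMPLE_REQUEST = (
    "POST /api/profile HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Accept: */*\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Sec-Fetch-Mode: cors\r\n"
    "Cookie: session=abcdefghijklmnopqrstuvwxyz0123456789; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 16\r\n"
    "\r\n"
    '{"name": "test"}'
)

if __name__ == "__main__":
    print(trim_request(SAMPLE_REQUEST))
```

Keeping the request line and body untouched matters: the evidence must still show exactly what was sent, so the routine only removes headers that never affect the finding and shortens session tokens without hiding which cookies were present.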

The Limitations of the OWASP Top Ten

The discussion then shifts to the OWASP Top Ten, a widely recognized list of web application vulnerabilities. Tib3rius shares his perspective on the evolution of the OWASP Top Ten and its current state:

"What I think happened is people just started taking it as hey, these are ten vulnerabilities we can say we're testing for… And then that slowly convinces everybody, well, the OWASP Top Ten is what people should test. Not just… these are the most common. It's not these are all of them."

Tib3rius believes that the OWASP Top Ten has lost its original purpose and has become a catch-all category for various vulnerabilities. He suggests that pen testers should go beyond the OWASP Top Ten and explore a broader range of vulnerabilities to ensure comprehensive testing.

Balancing Vulnerability Testing and Exploitation

The conversation delves into the balance between vulnerability testing and exploitation during penetration testing. Tib3rius provides insights into the factors that influence the decision to focus on exploitation:

"It really depends on the scope of the test… The problem is pen test, like cybersecurity, is a huge field… I just don't think anyone can realistically keep up if they were doing absolutely everything… I think specialize in something and learn that thing and learn it well and you'll be fine."

Tib3rius highlights the importance of understanding the scope of the test and the goals of the client. While exploitation can provide valuable insights and demonstrate the severity of vulnerabilities, it is essential to prioritize time and resources effectively to ensure comprehensive testing.

Gaining Practical Experience through Bug Bounty Programs

Bug bounty programs have gained popularity as a means for individuals to gain practical experience in web application security. Tib3rius shares his thoughts on the value of bug bounty programs:

"I know for sure bug bounty stuff definitely counts for experience… The fact that you'll have so much experience actually testing real applications is a good way to go."

Bug bounty programs provide individuals with the opportunity to test real-world applications and discover vulnerabilities. Tib3rius highlights the case of a recent hire who gained extensive bug bounty experience and was able to secure a position based on that practical knowledge.

Conclusion and Future Outlook

In conclusion, Tib3rius's insights shed light on the importance of specialization in web application security. By focusing on a specific area, professionals can become subject matter experts and provide targeted solutions. The evolution of tools like Burp Suite and the separation of OWASP's ZAP tool highlight the need for continuous improvement and dedicated attention to ensure the effectiveness of web application testing. The limitations of the OWASP Top Ten emphasize the importance of exploring a broader range of vulnerabilities. Balancing vulnerability testing and exploitation requires a thorough understanding of the scope and goals of the test. Finally, bug bounty programs offer a valuable avenue for gaining practical experience in web application security.

As the field of web application security continues to evolve, professionals must adapt and specialize to stay ahead of emerging threats. By embracing specialization and continuously expanding their knowledge and skills, professionals can make significant contributions to the field and ensure the security of web applications in an increasingly interconnected world.