Coding is an art, the science of penetration testing wouldn’t be fortunate without coding practices and learning programming languages. When you are a web application penetration tester, you’d be required to know certain level of web frameworks, their working, the standards they work upon and what programming languages they are deployed as. In order to understand web application coding, one must spend time on learning them prior to practicing application analysis and penetration testing. This alone covers a great aspect to knowing the application better, understanding how the application interacts with provided resources and how the application would behave if certain level of payloads were sent to the web application. Without having at-least certain level of programming practices under belt and claiming oneself hacker, with an attempt to deduce application security and hence failing thereafter and hopping up a report for the application to be secure could fetch you the below demonstrated image in literal terms.
To avoid this, I had been compiling vulnerable code, basic coding practices a web application penetration tester must be familiar with and a set of standard code with their frameworks here in this blog. I intend to maintain the blog with latest posts on coding practices and give a themeline for the same because that’d probably inspire a lot of web hackers coming years to first go through the concepts and then apply there hands onto computer security, data security, network security, or application security as wished by the party. Next, I would also love to dedicate this page to those who had been previously wondering if they need programming skills and coding practices in order to conduct a web application penetration test or generally any kind of penetration testing. To be honest, one does need to practice and have a basic understanding of the application you;d be dealing with. Having said that the applications one would be dealing with comes with rich varieties of probable frameworks used to deploy such an application and the back-end programming language and the scripting language used. In order to really penetrate into the application, basic understanding of the written ‘code’ must be guessed, understood and analyzed first. Most ‘ethical’ hacking organizations (I wouldn’t mention them tho) deliver content without making the enrolled students go through a programming curriculum. It’s been a taboo since the emergence of the ‘ethical’ hacking market. People take it as it is delivered and never question back and care only for the certifications achieved. To really demonstrate this, I had compiled some of the screenshots which I’d like to share in order to deliver the factsheets of this post: