There is more to Burp Suite than meets the eye...

Java sucks?

Yoo Welcome to Issue #13 of Navigating Security.

🃏Quote of the week:

Java sucks!

Tim Tomes

What To Expect 🫡

  • 🤯There's a lot more to Burp Suite than meets the eye - Tim Tomes' PBAT course

  • 💻Build vulnerable labs, you'll get better at hacking

  • 📈How to get better at hacking - get out of your comfort zone

This Week's YouTube Video:

⚠️ The newsletter is currently not sponsored

Burp Suite is amazing🤯

I recently took the PBAT training by Tim Tomes (author of Recon-ng, Py-scripter, and HoneyBadger v2) as part of the training provided at the NorthSec conference and as soon as we started I realized how much I did not know about Burp Suite.

I am not a complete noob when it comes to using Burp Suite, but the training made me realize how many vulnerabilities I potentially miss when testing web apps, how I can be more efficient when testing web apps, and how to ensure full coverage of the web application I am testing - especially when it comes to authorization issues.

On top of that, Tim is a pretty cool guy. One of his favorite things to rant about is how much Java sucks as a programming language. He didn't ask me to say any of this, but if you ever want to level up your use of Burp Suite and learn some cool ways to dig deeper so that you don't miss vulnerabilities, he is your guy.

Building Vulnerable Machines 💻

If you have not already watched the video above, I suggest you check it out after reading the rest of the newsletter.

Some of the main takeaways were the fact that building can be very beneficial to increasing your capacity as a penetration tester or red teamer. You do not need a vast amount of previous knowledge or experience to build, though it helps. You can pull ideas from other people's resources and research.

Another one of my favorite takeaways from this chat was learning to write code. A vast number of people say you don't need to know how to write code if you want to be in cybersecurity, but this is only the case for roles in areas like GRC. If you want to be a pentester, a good one at it, you must learn how to code. At the end of the day it is just another opinion, do whatever you please 😂

If you want to get started with building vulnerable labs, PwnedLabs is taking community submissions. Build a couple of labs for them for the experience and to get some reputation points. You can also build for HTB as a side hustle since they pay for machine submissions. I think Offsec pays as well.

Breaking the learning plateau 📈

I recently watched a talk by Louis, the CEO and founder of PentesterLab about how to get better at hacking/research. A lot of what he mentioned seemed to describe me so it kinda hit me.

He mentioned doing the work even though it may get boring. It is not always the case that you are going to find cool bugs when doing a test or a code review or whatever the hell it is you do. A lot of the time the work and study might get boring, but you have to do it anyway. The people who get past the boring parts end up finding the higher-quality (impact + complexity) vulnerabilities and CVEs.

Dig deeper and get out of your comfort zone. Learn things you don't necessarily want to learn as long as it is relevant - coding for example. A lot of people shy away from that, but it will only make you a better penetration tester at the end of the day.

A lot more was said, here is the link to the talk and other resources I found useful:

⏱️In case you missed the previous issue, here you go:

Suggestions

Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.