1. Read and follow public information and web security information and news.
2. Be a script kiddy and learn how those scripts run in a safe environment.
3. Write lots of code with validation and preventative measures. i.e. form validation to prevent SQL injections
4. Submit reports to the Common Vulnerabilities and Exposures system.
5. Try them on existing companies with bug bounty systems like Reginaldo Silva did. Remote code executions provide nice payouts but remember to strike the proper balance between ethics, moral, and common sense behavior. Also, try to be upfront about the vulnerabilities presented.
6. If it's at an in house company then make sure they already have a risk assessment and security features and protocols in place for if security is breached. This article mentions steps to take before undergoing a pentest: https://www.cybersecdefense.com/information-security-testing-continuum/
2. Be a script kiddy and learn how those scripts run in a safe environment.
3. Write lots of code with validation and preventative measures. i.e. form validation to prevent SQL injections
- SQL injections - prepared statements, mysqli_real_escape_string()
- Cross site scripting(XSS) - preventing injected scripts from running on websites i.e. choose to interpret user content as stuff like < instead of <
- Cross Site Request Forgery (CSRF) - prevent using one time tokens in forms
4. Submit reports to the Common Vulnerabilities and Exposures system.
5. Try them on existing companies with bug bounty systems like Reginaldo Silva did. Remote code executions provide nice payouts but remember to strike the proper balance between ethics, moral, and common sense behavior. Also, try to be upfront about the vulnerabilities presented.
6. If it's at an in house company then make sure they already have a risk assessment and security features and protocols in place for if security is breached. This article mentions steps to take before undergoing a pentest: https://www.cybersecdefense.com/information-security-testing-continuum/
