Hello All,

I recently entered the wonderful world of Web App hacking. I already read some books such as the Web Application Hacker's Handbook.

My problem now is that I don't know where to go from here? What is the next step? I think that you guys will be able to point me in the right path to become a professional web app pentester.

Thanks :)

Just to elaborate, I've also attempted to work on WebGoat but the FIRST lesson was HTTP Splitting and kinda shocked me as a new comer to web app pentesting. I wish there was a more methodological approach than the one I'm taking (Which is trying random things and picking up bits and pieces)

Im a seasoned programmer and have over 10 years of IT experience, all I need is some guidance into the proper direction and I'll be on my way :)

Wow 250 views and not a single reply. You guys really love to help don't you :(

First off that might have been some crawler or search engine...

Second, why don't you just take a look what was going on in other similar threads here. Check all those tutorials and videos available for people starting.

Third, get yourself a job where you can practice what you've learned.

Fourth, sorry you didn't learn to think for yourself... (SCNR) ;-)

5th - you ever hear of this little conference called DefCon? You know, it's the one where all the people interested in security like to attend.. there's a slight chance a lot of people were there and were not glued to their computers waiting for you to ask a question..

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

same with me. new to web app sec. my primary area of expertise is linux administration, authentication & data security with baisc programming knowledge. any good book to strat with ?

The webapp hackers handbook is pretty good. There are loads of intentionally vulnerable webapps out there, just experiment with those (hell I made one myself but it isn't for beginners). See the list at
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
And remember you can practise on google/mozilla/facebook/paypal/microsoft if you don't go full disclosure on them.