TCM Security’s Post

🎄✨ Christmas came early! 🌟 Just unwrapped an exciting gift 🎁 – diving into the Web Application Pentesting path on TryHackMe This course is packed with essential skills for aspiring penetration testers, covering: 🔒 Authentication Attacks: From brute force to OAuth vulnerabilities and multi-factor authentication 🛡️ 💉 Injection Attacks: SQL, NoSQL, XXE, LDAP, and more! 🩸 🛠️ Advanced Server-Side Attacks: Insecure deserialization, file inclusions, and prototype pollution 🧩 🌐 Advanced Client-Side Attacks: XSS, CSRF, CORS, and DOM-based attacks 🕵️♂️ 📡 HTTP Request Smuggling: Deep diving into HTTP/2, WebSockets, and desync techniques 🚛 This journey promises to build solid skills in security assessments and web vulnerability exploitation. The TryHackMe platform never fails to deliver engaging, hands-on learning for cybersecurity enthusiasts. 🔐 Excited to learn, grow, and get closer to becoming a top-notch ethical hacker! 💻🔍 #CyberSecurity #WebApplicationPentesting #TryHackMe #EthicalHacking 🎁

I highly recommend TryHackMe learning paths for everyone looking to get into IT in general but especially Cybersecurity and System Administration. Everything from the Cybersecurity 101 learning paths to individual application use has a lot of useful information for all levels of users.

Huge news from TryHackMe! Can’t wait to dig into the materials knowing what these learning paths can offer. I started my pentesting journey with THM and at that time there was only the junior path. This addition will surely help new, aspiring pentesters and bug bunty hunters hone their skills. Keep up the good work THM!

🔗 Why Bug Chaining is a Game-Changer in Bug Bounty! Chaining vulnerabilities can turn a small bug into a critical one, and I learned this first-hand during my bug bounty journey. Here’s a quick story: While testing a stream-on-demand web app, I found HTML injection on the profile page. My injected name was reflected as an <h1> tag. But instead of stopping there, I decided to chain it. I used an <a href> tag to create a hyperlink with an XSS payload. When clicked, it executed the XSS and exposed the cookie in a popup. What started as an HTML injection ended up as a stored XSS! Steps to I followed to chain HTML Injection to Stored XSS: 1️⃣ Find HTML injection (e.g., reflected input inside <h1> or other tags). 2️⃣ Inject an <a href> tag with a malicious XSS payload as the link. 3️⃣ Trigger the link to execute the payload (e.g., steal cookies via document.cookie). 4️⃣ Confirm that the payload is stored (making it a stored XSS). This is why chaining bugs matters—it multiplies the impact and makes it harder to ignore! #BugBounty #BugChaining #HTMLInjection #XSS #WebSecurity #EthicalHacking #PenTesting #CyberSecurity #InfoSec #BugHunter

My latest Medium article, 'OWASP Juice Shop: Exploring Juice Shop – A TryHackMe Walkthrough to Identify and Exploit Common Web Application Vulnerabilities,' is out! In this article, I walk through OWASP Juice Shop, one of the most popular web application security training platforms. By leveraging the TryHackMe platform, I explore various vulnerabilities that web applications often face and demonstrate how to identify and exploit them effectively. If you're interested in hands-on hacking tutorials and understanding common vulnerabilities like SQL Injection, XSS, and more, then this article is for you! Check it out and feel free to share your thoughts or questions. Let's learn together and build more secure web applications! #CyberSecurity #OWASP #JuiceShop #TryHackMe #WebAppSecurity #EthicalHacking Prince Amah Hacktales

🏅🏅 I have completed the new path Web Application Pentesting from TryHackMe.🏅🏅 This is a well-structured path to web pentesting, a highly demanded skill, especially in bug bounty hunting. It will be also good to have path regarding API security. There 5 Modules in this path: 🏆 Authentication 🏆 Injection Attacks 🏆 Advanced Server-Side Attacks 🏆 Advanced Client-Side Attacks 🏆 HTTP Request Smuggling At the end of each Module there is challenge / CTF to practice your knowledge. I recommend it to anyone who want to learn more about web applications Pentesting, the last challenge El Bandito is also very interesting one. You can join this path here: https://lnkd.in/dzik5knn #tryhackme #webapplication #Pentesting

I'm happily announcing that I've earned a Web App Hacking Certificate! From TCM Security "Practical Bug Bounty". The course was heavily--and when I say heavily, I mean HEAVILY--focused on all kinds of web application attacks, exploitations, and bypassing techniques(that the devil himself didn't think about!). It's focused on Bug Bounty Hunting--you can guess it from the name of the certificate, duh!--to build you to the point where you're ready to dive into this competitive realm and practice your newly gained skills in the real world! I want to thank the great great great instructors of this incredible certificate. Heath Adams was like the official guy in a well-tailored suit who talked about all the official stuff like agreements, rules, and engagement. He also touched on the topics of recon/scanning and automation, which were critical and essential. Alex Olsen is the devilish mind behind all the cool attacking techniques and exploitation payloads. He delivered the material smoothly and shortly, which made it all simple to understand and follow. Also, he is the one who built the labs from scratch! Jonah Burgess is a professional cool guy and he talked about the Bug Bounty programs and how to stay compliant and abide by the the rules of each program, which is the most important thing before conducting any further actions. Since it's non-technical, some might find it boring or wanna skip it. But It wasn't boring at all, he made me feel the essence of being professional, well-mannered when communicating with Triagers, and cool-headed in case of dispute. I wanna thank you all for the time & effort you've put into this. And I hope you hear my great successes in the future!

Just finished the OWASP Juice Shop room, at TryHackMe! The Juice Shop web app really helped me learn more about web vulnerabilities and how to exploit them. This hands on practice has definitely boosted my knowledge of web security. Highlighted the need for security practices in app development. Key Points to Remember;  Recognizing and dealing with web vulnerabilities.  Getting practical experience in exploiting these vulnerabilities to see their impact.  Emphasizing coding techniques to prevent issues. A shoutout to TryHackMe, for providing such a learning platform and kudos to OWASP for creating an educational app. #CyberSecurity #WebSecurity #OWASP #JuiceShop #TryHackMe #Infosec #LearningJourney #ContinuousImprovement

As of my 5th day (27th may 2024 - 31st may 2024) as an INTERN at digiALERT, we covered a lot about OWASP TOP 10, web penetration testing with a lot of hands-on practice. Day 1- On our first day, we dived headfirst into web-based penetration testing. We diligently executed various SQL injection commands on test websites. To bolster my arsenal, I experimented with SQLMap, an open-source automated penetration testing tool, amplifying our efficiency and effectiveness in uncovering vulnerabilities. Day 2- We began with a rapid review of the previous day's lessons and started today's session with brute force technique for login across multiple test websites using the BurpSuite tool. Additionally, we delved into understanding CA certificates, taking the proactive step of installing BurpSuite CA certificates in an external browser and subsequently attempted capturing data for further analysis. Day 3- We selected a random test site featuring a PHP login system and engaged in a series of attempts utilizing multiple payloads to circumvent its security measures. we deepened our understanding of cookies and explored the concept of cookie hijacking. Using "cookieeditor" extesion, we exported cookie details, imported them into another browser,and successfully bypassed the login mechanism. Day 4- Today's session commenced with bWAPP (A vulnarable web application),where we meticulously tested for vulnerabilities including HTML injection, SQL injection, XSS, and directory traversal. In our exploration, we experimented with various automated pentest tools such as the built-in BurpSuite tool, Acunetix, as well as additional tools like Nikto and Nmap. We delved into the concept of packet sniffing, deploying tools like Bettercap to sniff data packets. we examined real-world instances of parameter tampering, exemplified by scenarios like the Kapruka website(Srilankan shopping platform) and a cryptobid guessing game, alongside elucidating examples of CSFR. I'm eagerly anticipating the upcoming lessons on Android pentesting! #penetrationtesting #OWASPtop10 #burpsuit #cookiehijacking #parametertampering #SQLmap #CSFR #cybersecurity

OWASP juice shop from OWASP® Foundation is another great tool for practicing web application hacking. TryHackMe gives the best practices with it to master the OWASP top 10 tools. With both theoretical and practical knowledge I've gained from TryHackMe. What is the next step to dive into web application hacking? Any suggestion?