A review of PentesterLab, a site dedicated to teaching web application security through hands-on exercises.
PentesterLab is a platform which provides both online and offline labs designed to teach the art of web application pentesting and web security. The site offers a number of free exercises and a subscription-based PRO package which gives access to over 200 private exercises.
I took advantage of the discounted PRO subscription as part of the 2018 Black Friday offer and have been using the site throughout the last year. As Black Friday 2019 is imminent, I thought it would be useful to share my thoughts for anyone who might be considering signing up.
There are no essential prerequisites, although a basic understanding of HTTP will be useful. The exercises are predominantly browser-based, but you will also need to utilise a variety of tools such as Burp Suite and Wireshark to complete certain sections throughout. Frequent use of the Linux command line goes without saying - the Unix section will get you up to speed in no time. Scripting knowledge is not essential, but will be beneficial as you progress through the badges. For reference, the walkthrough videos contain a lot of Ruby code, but the concepts can be adapted for other languages.
At the time of writing, PentesterLab is comprised of 16 'badges', each containing a mixture of exercises that vary in difficulty from Easy to Hard. The badges cover a wide range of web security topics, such as:
- Cross-Site Scripting (XSS)
- SQL Injection
- XML attacks
- Directory Traversal
- File Upload attacks
- Authentication and Authorization
...and plenty more to choose from, including some of the latest CVEs.
A certificate of completion is available for each badge once you have completed all exercises within that section.
Exercises within each badge contain high-quality, detailed course material that provides an introduction to the subject, details of the vulnerability and how to exploit it. To mark an exercise as complete you must obtain and submit a flag as proof of completion. There are some slight variations on how exercises are marked as complete, but I don't want to give too much away. You are free to work through the exercises in whichever order you choose. If you get stuck on a particular exercise then you can simply move on and return to it later. The time to complete each exercise will vary depending on your experience and existing knowledge.
Walkthrough videos (with subtitles) are available for plenty of exercises, but not all of them. However, additional videos and subtitles are being added on a monthly basis to backfill any gaps. It's always good to do additional research yourself to learn more about each topic and then try to complete the exercise before referring to the walkthrough. My only issue with the videos is that the audio is sometimes a little low on certain walkthroughs, but you cannot fault the content itself, which is explained clearly and is easy to understand.
I should also point out that you can always drop an email to support if you are struggling with an exercise, payload etc. I reached out a couple of times and always received a quick response with useful hints to point me in the right direction, without actually spoiling the exercise itself.
Unfortunately, it is not possible to download the course material or videos, although some exercises do contain a downloadable ISO file that can be used to set up a VM and practise offline.
The site is updated on a monthly basis, with new exercises and video walkthroughs constantly being added. The balance between the two can vary, but it will definitely keep you returning each month. It's worth mentioning that the site itself had a redesign earlier this year and is a massive improvement on the old layout. It now feels a lot easier to navigate and track your progress through the exercises within each badge. The homepage also contains a 'Hacktivity' summary - this details the number of exercises you have completed each day/week/month and is a useful way to see your progress at a glance.
You will receive a monthly email detailing the updates that have been pushed out over the past month, but you should also keep an eye on the @PentesterLab Twitter feed for early access to these exercises, a variety of interesting blog posts and to engage with other PentesterLab members.
PentesterLab is an excellent starting point for anyone who wishes to learn web application pentesting and web security through hands-on, real-world examples. It covers everything you need. If you are looking to get started with Bug Bounty programs then you will also want to sign up for the PRO subscription, as this is fantastic value for what you will learn throughout, and it will pay for itself when you find that first bug!
At the time of purchase I had very little experience in web security, but this site has been an incredible learning resource. I would highly recommend looking through the free exercises to get a taste of what is on offer, and also checking out the bootcamp page, which is incredibly useful. You won't be disappointed.
PS - don't forget to claim your free stickers after signing up!
Sign up (referral link): PentesterLab PRO
Please feel free to contact me via Twitter and thanks for reading.