Like I mentioned at the end of last weeks post, I moved away from HackTheBox this week and studied on the PentesterLab site. This is a relatively new service that focuses on web application penetration testing, providing a wide range of systems that can be used to practice exploiting specific vulnerabilities. With approximately 200 exercises currently available grouped into modules or badges, there is plenty of things to learn from the PentesterLab platform.
In the one week I used PentesterLab, I completed the 60 exercises that make up the Essential Badge. This is the largest badge on the platform, and is designed to be a crash-course of the most common web vulnerabilities.
The topics covered by the Essential Badge are as follows:
Server Side Request Forgery
Server Side Template Injection
As you can see, the Essential Badge covers a pretty exhaustive list of web application vulnerabilities. In my opinion, there are pros and cons to this. Having a wide range of vulnerabilities makes sense for what is an introductory badge, but at times the content does feel thinly spread. Some of the above categories only had a couple of exercises, and weren’t really enough to get a comprehensive understanding of that vulnerability. However, PentesterLab does have other modules to cover each of these in greater depth, so this isn’t really a criticism of the platform overall as opposed to this standalone badge itself.
PentesterLab also does a great job at diversifying the way it delivers its content. The main way to learn is through hands on exercises, but there is also written course content to describe the vulnerabilities and present different ways on how to exploit them. For those who sign up for a PRO account, there are also video tutorials available for every exercise. When used together, it makes it very easy to understand these complex, technical vulnerabilities. One small gripe I did have with the content is the general lack of consistency and polish that I expect from a paid service. The audio levels on the videos often fluctuate wildly, and the written course content is either far too detailed or not detailed enough. Furthermore, the user interface of the website can be fairly confusing, and I often had to hunt around the site to find the material I was looking for. However, the hands on, practical exercises are the main selling point of PentesterLab, and I cannot fault them for the way they’ve created these. All of the practical exercises work flawlessly, and even better they can all be completed directly within your browser – regardless of your operating system, browser choice or the selection of external tools you have available. For people like myself who prefer hands-on learning, these exercises alone are enough to consider giving PentesterLab a try.
With all that said, I ultimately wouldn’t recommend this for people chasing the OSCP certification. Web application penetration testing is only a small section of the course, and the content covered by PentesterLab is mostly out of scope. For anyone wanting to really improve on their web application testing skills, PentesterLab would be an amazing resource that you should definitely look into. But for me, I think I got enough out of the Essential Badge for now and I won’t be coming back to it until after I’ve passed the OSCP. Once I do though, I’ll most certainly be back to complete more badges and really improve my web application testing skills.
Thanks for reading,