The OWASP Top 10 is very well known by every ethical hacker out there, and for good reason. It describes the top 10 vulnerabilities as they occur "in the wild", as we say, referring to production environments. This means that the OWASP Top 10 has been described in extreme detail, but nowhere in a way that makes it practical. Whether you are a developer, pentester or bug bounty hunter, I believe this course will help all of us, as the OWASP Top 10 is described very vaguely and it's time to break the fog banks!
There are several good resources available on which we base this course, and they can be found freely on the internet, but what this course aims to do is translate those concepts into everyday useful and actionable items to help improve your skillset.
The top 10 basically consists of the following vulnerabilities as of the 2017 version:
- Broken authentication
- Sensitive data exposure
- Broken Access control
- Security misconfigurations
- Insecure Deserialization
- Using components with known vulnerabilities in them
- Insufficient logging and monitoring
Whew!! Is it me or was that a wild ride with a range of different vulnerabilities? They talk about anything from Insecure Deserialization to Broken Access Control and even Insufficient Logging and Monitoring. Now I don't know about you, but I think it's time we tackle this insane freakshow of vulnerabilities and tame them into a beautiful set of wiki pages that any developer or tester can refer back to if they want to secure or test an application.
My name is Wesley Thijs and I am an avid ethical hacker with a passion for seeing people grow and finding their unique advantage. I've been training people for a long time in many different disciplines. It all started out with a simple performance testing training on JMeter, which consisted of a basic and an advanced module, but I quickly got the opportunity to go to Paris to earn my expert certificate in NeoLoad, which allowed me to perform the NeoLoad Certified Professional.
After I moved to another job the trainings stopped for a while, but the itch to see people develop their true potential continued. I started training people in 1-on-1 conversations on programming, but I also developed a craving for ethical hacking, which evolved into 1-on-1 trainings for bug bounties and eventually my bug bounty courses. Now I've trained over 25 000 amazing hackers on all my platforms combined, which makes me incredibly proud, besides my best option: The Rat Pack boot camp, where I talk to my students on a private Discord server and we do collabs on a regular basis.
It was recently my goal to achieve the top 20 leaderboard on Intigriti, and I did just that. Within the very short span of a few months I had worked my way up to the top and I was taken into the group of amazing hackers that all helped me and were ready for noobs like me at any time. The funny thing about this whole journey is that it actually started at HackerOne, where I reported some bad reports (like most beginners do) and I got negative karma, which disabled my ability to report on the program I was on, but I knew I had something because I reported a stored XSS and it was a duplicate. I moved on to Intigriti and reported about 25 bugs in the span of 3 months, which netted me a few extra salaries, but I do realise I am no NahamSec or JHaddix. These guys are gods in what they do and that is exactly why I wanted to be different.
Where others use their toolbelts in the bug bounty business, I developed my own unique hunting methodology, which I designed to avoid duplicates and net me results. I exclusively hunt on older programs. I let the others pick out the low hanging fruit and the not so low hanging fruit, after which I come in with my hunting skillset. I am a QA test lead as a day job and I use that experience to hack. I know where errors often occur; it's my job and it would be bad if I did not. I hunt on the spots where it hurts the most and I am The XSS Rat. I deliver you bullshit free courses that help you put things you learned into practice.