
Do pentesters use OWASP techniques and do web app bug bounty hunters use pentesting techniques?

Tools mentioned: TryHackMe, Burp Suite, HackerOne
  1. TryHackMe is an online platform for learning and teaching cyber security, all through your browser.
    I'm new to this, and I started learning about bug bounties last year with hackerone.com and portswigger.net. Now I'm shifting gears and learning about pentesting on tryhackme.com and, in the future, hackthebox.eu.

    It looks like bug bounty hunters usually work on a platform like HackerOne and get paid per finding, according to how severe it is, whereas pentesters can find work on LinkedIn as contractors and get paid for their time, and for that they need credibility with the employer via a few certs, like those from CompTIA.

    I'm also noticing that with pentesting I'm using tools like Kali Linux that I never heard of with bug bounties: scanning networks, trying to connect through backdoors and gaining full control over the system. With web apps, on the other hand, I'm writing SQL injections in the URL bar of my browser or in Burp Suite, never really touching the system behind the website, just the database and the website itself. It does sound more severe to have full RCE on a Linux server than just to execute scripts that get reflected to other users of a website, but what's the difference in severity if either one has the potential to steal passwords and credit cards?

    Sorry for all this build-up to my question, but here it is: will these two worlds that I'm learning about ever come together down the line for me as a pentester, and for anybody getting into it for that matter? I miss writing the scripts and injections that I learned about on portswigger.net, and I hope there will come a time when I have to use them as a pentester. And vice versa, would it benefit a web app bug bounty hunter (what a mouthful) to learn stuff like netcat? Or would that be outside the usual scope of a bug bounty...

  2. Burp Suite is an integrated platform for performing security testing of web applications.

  3. HackerOne provides a platform designed to streamline vulnerability coordination and bug bounty program by enlisting hackers.
    Pricing:
    • Open Source
