Event
Join cybersecurity experts from Slack, Riot Games, EY and more at our upcoming roadshow. 

Pentester Spotlight: Apoorva Jois; Do you want to build or break?

Do you want to build or break? That's the million-dollar question that got Core Pentester Apoorva Jois interested in hacking. She walked us through her journey as a Pentester on the younger side of the industry.

Pentester Origin Story: How did you first get involved in pentesting? 

Once I graduated and was figuring out what to do in life, I was fortunate enough to speak to many people in different fields and understand more about other work streams. While speaking to one of them, the word “break” caught my attention on the question,” Do you want to build or break?” We started talking about security and how we can make a difference. Then I went home, researched many things, and started my first online course.  This helped me find my passion, and it was only later that I understood that hacking is not so simple and this field is a different ball game.

What motivates you when it comes to pentesting? 

My primary source of inspiration comes from the fact I am fascinated by this intersection of security and technology, which comes together. It makes me want to learn more, gain more skills, and break some stuff.

What is it like being on the younger side of the industry? 

I am extremely fortunate and grateful that I found my passion early in my career. Since there are so many incredible hackers in the community and the field is so vast and constantly evolving, it feels overwhelming at the same time too. I keep reminding myself with a positive attitude to be consistent and keep learning daily. I am happy to be here and having a good time so far 😀

What do you feel makes an excellent pentest engagement?  

A successful pentest engagement involves collaboration, active communication, and teamwork. Additionally, it is super beneficial when the client is engaged and highlights the crucial areas you must prioritize during pentesting.

What kind of targets excites you the most? Do you have a favorite vulnerability type?

I like switching things up and enjoy a combination of targets depending on the situation. Sometimes I prefer straightforward, and it's easier to find issues. Other times I like complex, challenging, and new targets that force me to step outside of my comfort zone and need me to learn something new or think outside the box to tackle it. I love working on targets with critical business use-cases and understanding the security controls and measures in place and if I can bypass them. My favorite vulnerability types are SSRF, RCEs, and Business Logic issues with high impact.

Where do you go to learn about different security concepts? Are there specific pages/handles you follow? 

Anytime I'm learning a new topic, I start by searching for existing information on google. I look for blog posts, how-to articles, and mind maps if any are available. I list all the pertinent links, bookmark them, and review them one at a time. I create my notes and checklists. I next scan Twitter to see if any new information is available and note them down.

Furthermore, I look for any available open source tools, vulnerable applications, or online labs relevant to that topic. I also like Portswigger’s website a lot to learn about new and different kinds of vulnerabilities. I do a few online labs frequently, such as PentesterLab and HackTheBox. I follow John Hammond, ippsec, The Cyber Mentor, and Bug Bounty Reports Explained channels on YouTube to stay updated.

How do you conduct research and recon for a pentest?

I start by understanding what type of application it is and what its business-specific use-cases are.  I review the documentation provided and, if available, the APIs. After that, I look at the login pages, the type of authentication/authorization in use, and the underlying technologies. I prefer to employ mostly manual methods with a few automated techniques. For recon, I use a lightweight Burp Scanner with fuzzer integration, parameter fuzzing, Nuclei, JSFinder, Secret Finder, and Dirserch with customized wordlists.

What are the go-to tools you leverage?

I primarily use Burp Suite Pro with a few extensions. I also use Nmap, ffuf, dirsearch, and sqlmap depending on the use cases.

What advice would you offer to someone interested in getting into pentesting? What do you wish you had known before you started?

The fact that cybersecurity is a very vast field that attempts to research, explore, understand different domains and identify your specific area of interest. Compared to when I first started, all the materials needed to begin in the field are widely available today. Lastly, remember not to doubt yourself; be patient, and you got this!

What do you wish every company/customer knew before starting a pentest? 

The customer should know the pentesting process and provide all the necessary documentation. It is incredibly beneficial when the customer specifies the key areas and critical functionalities to focus on. Additionally, it is a plus if the client has been more open, supportive, and non-restrictive throughout the testing period.

What do you like to do outside of hacking?

Aside from hacking, I enjoy traveling, exploring new places, and trying out new restaurants. Every quarter, you will see me backpacking. I love to attend concerts and have many of them planned for the year. I'm also a movie buff.

What are your short-term and long-term goals? 

In terms of short-term goals, my friend and I are working on a research topic and hope to present it at various conferences. I also intend to complete a few certifications that I have in mind. For long-term goals, I want to continue learning daily, improve myself, and acquire more skills.

Cobalt Core Secret Sauce CTA Image 2022

Back to Blog
About Shelby Matthews
Shelby Matthews is a Community Content Associate at Cobalt. She works on content created for the Cobalt Core and content that is about them. More By Shelby Matthews
Pentester Spotlight: Matt Buzanowski, From US-Army to Red Teaming
Matt Buzanowski started his career in the US Army and now works with the Red Team he started and grew at a Fortune 100 company. Matt has been a member of the Core since 2017
Blog
Jun 29, 2022
Pentester Diaries: Full-time Freelance Pentesting
This episode of Pentester Diaries is about the benefits of being a full-time freelance pentester. I sat down with Core Pentesters Harsh Bothra and Parveen Yadav to talk about their daily lives and how they manage to be a full-time freelancer.
Blog
Sep 14, 2022