How curiosity led a PHP programmer to web hacking and a collaborative pentest community of technology tinkerers.
Jesus Arturo Espinoza Soto joined the Cobalt Core, our highly-experienced, geographically-diverse community of pentesters, in 2019. He is one of the 250+ pentesters worldwide who have helped Cobalt secure over 2000 assets.
We had a chance to hear from him to learn more about his pentester origin story and what he enjoys about being a part of Cobalt’s pentest community.
Pentester Origin Story: How did you get into security?
JES: I first started with programming as a hobby because I wanted to create a game. When I asked around on online forums, they told me that it was best to start from the basics of web or desktop languages, which was how I got to know PHP. In my research, I stumbled upon a website that I wanted to download but realized that it was not possible to download the code from the server side, or it was not so simple.
So I decided to leverage the old trusty friend, Google. I found out that to download the code from another website I needed to access the server. And that's when I was introduced to web hacking. That being said, I didn’t end up downloading the code, but that triggered my curiosity around web hacking. At that time there wasn’t as much information as there is now, but forums were quite popular. Combined with what I knew about web programming, I was able to learn about pentesting topics and practice day-by-day.
I’ve been doing pentesting professionally for the past 4 years, but learning pentesting was always more of a hobby for me. In the city where I live I could not get a job in this, so I went into computer technical support. Later on, I started getting into bug bounty to make some extra money, which eventually led me to pentesting at Cobalt.
What I love about pentesting is that once you enter pentesting you can't leave (in a good way!). Technology continuously advances and pentesting allows you to advance with it. I find it fun and exciting because I never stop learning.
What motivates you when it comes to pentesting?
JES: Learning about new technologies is my passion and Cobalt gives me the chance to learn from other pentesters. The teamwork dynamic of Cobalt is like no other and allows me to level up my pentesting experience. I am motivated by the community and my passion for the work. Every day it’s my dream job!
What does a good pentest engagement look like?
JES: The best pentest engagement is when the whole team works together – when the pentester is collaborative and the customer is available to answer questions. That’s when the magic happens and this makes the engagement enjoyable.
What are the top 3 traits that a pentester should possess to be successful on Cobalt?
JES: For me I think it comes down to curiosity, teamwork, and humility. You must be curious, ask yourself everything and think about what could go wrong so that it can be solved. As mentioned above, collaboration and teamwork are very important. Communication and working together always make for a better engagement. Finally, humility: knowing that you are not always right and listening to others. This can be hard, but it will make you better and help you grow!
How do you organize yourself during a pentest? How do you manage your time and avoid burnout?
JES: Managing your time, knowing how many hours you are going to spend on a pentest each day, and reading up on documentation helps a lot with overall organization. In terms of avoiding burnout, it’s important to take breaks between sleeping hours. Personally, I find spending time with family helps reset my mind and allows me to think differently.
What kind of targets excite you the most? Do you have a favorite vulnerability type?
JES: I like targets that make me think. My preferred type of vulnerability is SQL injection, as it has a big impact. That being said, they are less common to find these days, so I also like to look for missing access control, which also has a great impact on web applications.
How do you learn about different security concepts?
JES: Normally I go to Twitter; it is the largest source of technological information on security. You can find everything there, and if I want to go deeper into a specific topic, Google is your best friend!
How do you conduct research and recon for a pentest?
JES: I like to see how the application works; reading the documentation helps a lot during this step. It’s important to understand the technology so that you can gain a better sense of where to start. Usually, programmers make "common mistakes" like IDOR, authorization problems, Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection more than once. So if an error is found in the application, it will probably show up more than once, so be thorough and look around!
What are your go-to tools?
JES: I would say that my most used tools include Burp Suite, Nmap, SQLMap, and JADX. While tools are important during a pentest, understanding how a vulnerability works is more important because you can often exploit them when the tool does not. In my experience, manual testing is more out of the box.
What do you enjoy the most about being a part of the Cobalt Core?
JES: The community is great! They are always available to help and support you. The combination of teamwork and support gives it a feeling of a second home. It also allows you to grow as a person, an important and often overlooked feature that is very important in hacking communities.
What advice would you offer to someone who is interested in getting into pentesting?
JES: Hack to learn. Learn a vulnerability, go deeper, and test it out in real scenarios until you feel satisfied, then move on to your next vulnerability. Being patient and persevering is not easy, but it pays off in the end.
What do you wish every company/customer knew before starting a pentest?
JES: A pentest is all about engagement and participation. Know that as pentesters, we are excited and eager to work with you to find things and help make your application more secure. So please be willing and ready to work and communicate with us so that we can have a great pentest experience.
What do you like to do outside of hacking?
JES: I tend to relax with relatively normal activities: being with my family, trying new restaurants, watching movies, and listening to music.
What are your short term and long term goals?
JES: In the future, I’d like to get more certifications. Certifications are a way I showcase my security knowledge. But in the end, everything you know about security is demonstrated in practice "on the battlefield" – happy pentesting!