June 1, 2021

Why is penetration test subfield of web security instead of network security?


I mean, look at this cool car hacking stuff.

Why is it web security? I thought web security is boring and only about websites.



Who says all Pentesting is a subfield of web security testing?

In general, there *is* a lot of web pentesting, even if just for initial access, but once you get past a webserver, it’s all network. Many of those web techniques won’t help with lateral transfer, or getting AD, etc.

I suspect this stems from the bug bounty work which is primarily focused on web, and CTFs (also highly skewed to web), and the available “vulnerable VMs” (also mostly web because setting up a full enterprise network in VirtualBox takes time and effort).

Then there is the car book you show. It might have a simple web interface at some point, but you’re looking at something more akin to industrial control than a website. Throw in some Bluetooth exploitation and firmware reversing/exploitation and you’re far away from “web security testing”.

It sounds like whoever made that statement didn’t do a full survey of the industry we’re in. (My 2c)
