In this article I am going to detail a non-exhaustive overview of bypassing WAFs by
NaviSec is a veteran and minority owned cyber security company with a focus on high quality, right-sized solutions and client relationships. Our team works 24/7 to protect and assist our partners in navigating the unknown waters of cyber security.
Founded in 2015 as Sequoia Cyber Solutions, NaviSec has grown from a bootstrap startup to an established player in the cyber security space. Seamless integration, scalability, and customization are critical in our approach to protecting each client’s unique business assets. One-size-fits-all solutions are not in our vocabulary.
NaviSec empowers businesses to make bold decisions with clarity and peace of mind. Each of our three core services can be customized to fit the structure, goals, and regulatory compliance needs of the modern enterprise. The NaviSec portfolio includes Delta offensive security services, Sentry defensive security services, and the Atlas Security Operations Center (SOC).
A successful offensive security engineer at NaviSec Delta should possess a deep understanding of both information security and computer science. They should understand basic concepts including computer networking, web and native application functionality, operating system functionality, cloud services, corporate network environments and operations.
This role is technical and challenging with opportunities to work in some of the most exciting areas of security consulting on projects that have a meaningful impact across nearly all industries.
An offensive security engineer will be expected to perform penetration tests with little oversight, across a range of disciplines, such as web application security, wide scope internal networks, external networks and running and tracking phishing campaigns.
At NaviSec Delta, you’ll be faced with complex problem-solving opportunities and hands-on technical opportunities on a daily basis. We help our clients protect their most sensitive and valuable data through comprehensive offensive security assessment, providing a tailored approach to each client, knowing that a one-size-fits-all approach does not often satisfy the client’s needs.
You will be expected to develop and maintain your own offensive automation via scripts, shell aliases or whatever means you see fit!
You are expected to quickly assimilate new information as you will face new client environments on a weekly or monthly basis. You will be expected to understand all the threat vectors to each environment and accurately assess them. You will get to work with some of the best offensive engineers and operators in the industry, allowing you to develop new skills as you progress. Are you up to the challenge?
What you'll gain working with us
- Unique tools, processes and methodology that are fun and promote repeatability and high-quality work products, resulting in a nearly 100% client retention rate
- A healthy, non-toxic team environment where your feedback and opinion matter. This is your chance to positively impact the DNA of an infosec company in a critical stage of growth as well as having support from all team members to be successful
- Training and mentoring opportunities to grow your career. We work hard, play hard, enjoy coming to work, and truly believe every assessment we do makes the world a little better place
- Perform penetration testing assessments (solo & as part of a team), assumed breach assessments (red team engagements with a pre-deployed implant), internal penetration tests, web application penetration tests, external blackbox pentests & adversary simulation assessments.
- Interface with clients to address concerns, issues or escalations; track and drive to closure any issues that impact the service and its value to clients
- Develop comprehensive and accurate reports and presentations for both technical and executive audiences
- Oversee and suggest implementation improvements to NaviSec’s business processes, methodologies, tools and client communication methods
- Provide expert experience building information security programs to include hands-on implementation and/or assessment of security controls
- Maintain and manage a task list and your own time so that you work where you're most productive.
- 2-4 years’ experience performing penetration tests and other offensive security tasks
- Experience working in an IT domain (sysadmin or development) would be nice to have
- OSCP, or able to demonstrate a similar level of competency
All Candidates Must have Experience of:
- Network penetration testing and manipulation of network infrastructure
- Shell scripting or automation of simple tasks using common scripting languages
- Developing, extending, or modifying exploits, shellcode or exploit tools
- Technical report writing and documentation of penetration testing activities
- Presentation of technical details to both technical and executive audiences
- Windows, Linux, Unix and Mac operating systems including bash
- Strong knowledge of tools used for wireless, web application, and network security testing
- Web application assessments
- Ability to successfully interface with clients (internal and external)
- Ability to document and explain technical details in a concise, understandable manner
- Agility to manage and balance own time among multiple tasks, and infrequently lead junior staff when required
Nice to have
- Knowledge of one or more programming/scripting languages desirable (Ruby, Python, C, C++, Go, Bash, PowerShell, PHP)
- Contribution to the security community (through articles, CTF participation, writeups, or open-source tooling)
- Participation in a security community
Send your resume & any relevant details to firstname.lastname@example.org