Ninad Mathpati is a cybersecurity enthusiast and hacker with an ethical mindset. He has been working as an Application Security Engineer for more than five years, with core interests in web and mobile application security, network security, API security, source code analysis, thick client pentesting and configuration reviews.
Pentester Origin Story: How did you first get involved in pentesting?
I was in high school then, and I wondered if I could pass the IIT exam. Around this time, I started hearing about hacking. Since I lived in a hostel, it wasn't easy to learn. Because I didn't have a laptop or desktop PC, I spent a lot of time in internet cafes. I was always passionate about mind challenges and logic puzzles. To make myself a better pentester, I started learning web development. Pentesting websites was something I knew nothing about, but I had heard about it.
While studying at college, I spent time researching and reading InfoSec information on the internet. I did a lot of Googling, found the basics of bugs, and tried exploiting them, repeating this process until I could do it. In the end, I decided to pursue a career in information security after reading a bunch of writeups and attending many hacking workshops.
Pentesting helped me save up for a motorcycle, pay off a portion of my education loan, and go to Amsterdam.
My experience as a Pentester at Cobalt has been diverse, and I have worked on various pentesting projects for web, mobile, cloud, container, and desktop applications. All of these pentest engagements have given me new challenges and learning experiences.
What motivates you when it comes to pentesting?
I like puzzles. For a pentester, a patch is a puzzle; breaking that patch is what keeps me motivated. Nowadays, it feels like a hobby. It's all changing with technology. We all have seen how bugs have been present for a decade. This helps me challenge myself.
What do you feel makes a good pentest engagement?
Collaboration between pentesters and clients is what makes an excellent pentest engagement. Pentesters should communicate the testing process with the customer during the test. This allows everyone to have a clear understanding of the goals and objectives. If a customer wants special attention paid to critical functions, the pentesters must know. Pentest engagements should conclude with a detailed report explaining all the vulnerabilities, their root causes, and how to fix them.
What kind of targets excites you the most? Do you have a favorite vulnerability type?
I can perform web, mobile, cloud, thick client, API, and network pentests. I enjoy hacking web applications and APIs. I love checking for access control issues, SQLi and XSS. By far, my favorite vulnerability is IDOR.
Where do you go to learn about different security concepts? Are there specific pages/handles you follow?
Twitter is one of the best ways I stay on top of the latest attacks, bypasses, and strategies. I follow some great minds of infosec on Twitter, including but not limited to James, nahamsec, Jason, stox, and ProjectDiscovery. I also watch HackerOne's Hacktivity and Bugcrowd's CrowdStream to read the disclosed reports. If I have to tell any beginner how they can start their journey in application security, I recommend the PortSwigger Web Security Academy.
How do you conduct research and recon for a pentest?
First, I review the documents and information provided to me to ensure that everything is clear and that all the materials are in place to start the assessment. During the first two days of a pentest, I gather as much information as possible through active and passive methods. Then I map the information with the target in scope and filter out anything that is not relevant. I have my automation ready to perform the recon on the target. For example, I gather all the endpoints from the JS files and try to map that with the URL provided in the engagement scope.
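The last step of that answer, pulling endpoints out of JavaScript files and mapping them against the engagement scope, is a common piece of recon automation. The script below is an added example and not the interviewee's own tooling: it extracts absolute URLs and root-relative paths from a constructed JavaScript snippet, resolves the relative ones against the base URL named in the (hypothetical) scope, and splits the result into in-scope and out-of-scope hosts so that only authorized targets go forward to testing. The hostnames and the JavaScript are constructed for the example.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample: a fragment of a front-end bundle as it might be served
# by the target. Hostnames here are placeholders, not real systems.
SAMPLE_JS = """
const API = "/api/v1";
fetch(API + "/users/me");
axios.get("https://app.example.test/api/v1/orders?id=1");
const cdn = "https://cdn.other-vendor.test/assets/logo.png";
$.ajax({url: '/admin/export'});
"""

# Matches quoted absolute http(s) URLs and quoted root-relative paths.
# Deliberately conservative: bare relative paths ("assets/x.js") are skipped
# because they cannot be resolved without knowing the script's own location.
ENDPOINT_RE = re.compile(
    r"""["'`](https?://[^"'`\s]+|/[A-Za-z0-9_./?=&-]+)["'`]"""
)


def extract_endpoints(js_text):
    """Return the unique, sorted endpoint strings found in a JS source."""
    return sorted({m.group(1) for m in ENDPOINT_RE.finditer(js_text)})


def map_to_scope(endpoints, base_url, in_scope_hosts):
    """Resolve each endpoint against base_url and split by scope.

    base_url is the application URL given in the engagement scope (assumed);
    in_scope_hosts is the set of hostnames the customer authorized.
    Returns (in_scope, out_of_scope) as lists of absolute URLs.
    """
    in_scope, out_of_scope = [], []
    for endpoint in endpoints:
        absolute = urljoin(base_url, endpoint)
        host = urlparse(absolute).netloc.lower()
        if host in in_scope_hosts:
            in_scope.append(absolute)
        else:
            # Third-party hosts are recorded but never tested: they are
            # outside the authorization the engagement grants.
            out_of_scope.append(absolute)
    return in_scope, out_of_scope


def recon_from_js(js_text, base_url, in_scope_hosts):
    """Convenience wrapper: extract, resolve and filter in one call."""
    return map_to_scope(extract_endpoints(js_text), base_url, in_scope_hosts)


if __name__ == "__main__":
    # Scope values are constructed for the example.
    scope_base = "https://app.example.test/"
    scope_hosts = {"app.example.test"}
    inside, outside = recon_from_js(SAMPLE_JS, scope_base, scope_hosts)
    print("In scope (candidates for testing):")
    for url in inside:
        print("  ", url)
    print("Out of scope (noted, not tested):")
    for url in outside:
        print("  ", url)
```

The split matters for the engagement discussion in the answer above: endpoints that resolve to hosts outside the authorized list are kept in the report as findings about third-party dependencies, but they are not tested, which keeps the recon output aligned with the scope the customer agreed to.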
What are the go-to tools you leverage?
Burp Suite is my number one tool for testing web applications, just like most pentesters. Also, I use numerous extensions, such as Active Scan++, J2EEE, and Burp Bounty Pro, to optimize the results of the Burp scanner engine. Nmap, Nuclei, and SQLmap are also part of my arsenal.
My favorite tool for performing mobile app pentests is Objection, and I particularly like Frida.
What advice would you offer to someone interested in getting into pentesting? What do you wish you had known before you started?
Become familiar with Linux, programming, web/API technologies, and networking basics. Familiarising yourself with these topics will benefit your learning when executing penetration tests. Continually learn new things to better yourself in both life and career. It is essential to keep learning new things to succeed in this profession.
It will always be a plus to gain a little knowledge about how applications deploy and how to script and code them.
What do you wish every company/customer knew before starting a pentest?
As a first step, it is crucial to clearly define what is in the test scope, which means you, as a customer, have to be able to communicate what is in the test scope and what is not. The pentester will save time if you provide API documentation, application architecture, credentials, and dummy data. This will help the pentester get the best results in less time. As part of the pentest engagement, it can also prove advantageous to engage skilled security personnel from the customer team.
What do you like to do outside of hacking?
My top priority when not hacking the internet is spending time with my family. I am always working out at the gym as part of my daily routine, which is extremely important to me. It is not a secret that I am an avid Netflix user, so I am always interested in watching movies and web series. When I am not watching Netflix, sometimes I just want to ride my bike. My activities are merely a means of taking a break and allowing me to reset my mind.
What are your short-term and long-term goals?
At this point, I would like to find an opportunity to take one of the Offensive Security certs, such as OSCP or OSWP, soon. Furthermore, I would like to become more familiar with blockchain security.
Nevertheless, I want to dedicate the rest of my career to building my own company in the field of cyber security.
Apart from security, I look forward to traveling to all corners of the globe.