In the world of hacking, the right tools can make all the difference. However, when you’re just starting out, it’s crucial to understand the fundamentals before leaning on these automated solutions.
When learning how to attack web applications, automated tools are very attractive. They can quickly find and exploit vulnerabilities and even suggest how to fix them. You run a command with a few parameters and you get the flag. However, depending only on these tools without understanding how attacks work can hinder your growth as a hacker. This post explains why you should focus on manual learning before using tools.
I (@snyff) recently tweeted about learning to attack JWT and jwt_tool:
As much as I appreciate jwt_tool, please don't use it to learn how to hack JWT.
— Louis Nyffenegger (@snyff) April 30, 2024
You have the perfect opportunity to learn crypto-engineering and a lot of fascinating vulnerability classes.
Don't deprive yourself from this invaluable learning experience!
This idea applies to a lot of areas in cybersecurity. Tools like SQLmap, SAMLRaider and jwt_tool just to name a few, are powerful, but they shouldn’t be your first choice when learning. Instead, they should be used to save time after you have a solid understanding of the basics. If you use these tools without understanding the underlying attacks, you will miss out on important learning.
The automation provided by these tools is extremely convenient, but it can also stop you from learning the essential skills needed to understand and manually exploit these vulnerabilities:
- Incomplete Understanding: If you rely on tools, you miss the learning process. For example, if you use SQLmap without understanding how SQL injections work, you won’t know how to create an attack payload, identify different types of SQL injections, or understand database error messages.
- Tool Limitations: What happens if the tool fails? Tools are not perfect and can miss vulnerabilities or fail to exploit them. If you haven’t learned the manual techniques, you’ll be stuck when the tool doesn’t work.
- Advanced Exploitation: Many tools handle only basic or well-known techniques. Understanding the fundamentals allows you to create advanced and custom exploits that can bypass protections tools might not account for.
- What if the tool doesn’t support a specific attack or technology? You’ll need to revert to manual exploitation. Without manual skills, you’re back to square one. However, if you know how to do it manually, this becomes a minor hurdle rather than a major roadblock.
The knowledge and attack patterns you will discover by doing manual testing and exploitation can be applied to other technologies that may not have a tool yet.
To become good at hacking, it’s important to embrace manual learning. Here are some steps to guide you:
- Learn the Basics: Start by learning the basic principles of the vulnerabilities you are targeting. Read about SQL injection, JWT vulnerabilities, XSS, CSRF, and more.
- Practice Manually: Practice finding and exploiting vulnerabilities manually. Build your own labs or use platforms like PentesterLab, whatever works best for you. This hands-on experience is extremely valuable.
- Analyze Tools: Once you understand the basics, look at how tools like Sqlmap and jwt_tool work. Examine the payloads they create and the methods they use to exploit vulnerabilities. This can give you insights into advanced techniques and automation.
- Develop Your Own Tools: Try writing your own scripts to automate parts of the exploitation process. This will deepen your understanding of the attacks and improve your programming skills.
Learning to hack is a journey, not a race.
Don’t rush the process. Take the time to enjoy the learning experience and explore the fascinating world of hacking. Understanding the details of attacks not only makes you a better hacker but also helps you create more secure systems.
By understanding the fundamentals and practicing manual exploitation, you build a strong foundation that tools can then enhance. Enjoy the journey and strive for a deeper understanding to become a more effective and versatile hacker.
Happy Learning and Happy Hacking!
