Environment: Kali Linux on Apple Silicon

Reconnaissance: dirb vs gospider

Penetration Testing Methodology

Path Traversal: Developer Perspective

Burp Suite: Intercepting and Modifying Requests

Week 1 Summary I hold a bachelor's degree in IT Security and have spent two years building fullstack web applications with React and Node.js. The theoretical foundation is solid but security is a field where hands-on practice is non-negotiable. This series documents my structured transition into offensive security, real tools, real environments, real findings. Week one focus: environment setup, reconnaissance tooling, and web application vulnerabilities. Running security tooling on an M1 MacBook requires some deliberate setup. Native ARM support for many tools is still inconsistent, so I provisioned a Kali Linux VM using UTM a solid QEMU-based virtualisation option for Apple Silicon. One issue worth documenting is that UTM can produce a black screen on initial Kali boot due to display driver initialisation. The fix involves adjusting the display settings before first launch. Not a blocker, but it costs time if you don't know to expect it. With Kali running, I configured Burp Suite as an intercepting proxy with Firefox routing all traffic through it. This is the standard web application testing setup, traffic interception, modification, and analysis in one workflow. Two tools, two philosophies for mapping a target's attack surface. dirb performs dictionary-based brute-force enumeration, systematically requesting common paths to discover directories and files that aren't publicly linked. One practical note: Virtual hosting means www and the bare domain can resolve differently on the server side. Always specify explicitly. gospider takes a crawler-based approach following all discoverable links from the target and mapping the visible surface. Where dirb finds what's hidden, gospider maps what's exposed. In practice, both belong in a recon workflow. Effective penetration testing follows a structured engagement model: All engagements are governed by a Rules of Engagement document the formal agreement defining scope, permitted techniques, and legal boundaries. No document, no test. Path traversal is a well understood vulnerability with a high detection rate in the wild, precisely because developers with no security background don't think about it at implementation time. The attack vector: applications that accept a filename or path as a URL parameter can be manipulated using ../ sequences to escape the intended directory. Common vulnerable parameters: ?file=, ?path=, ?page=, ?template=, ?doc=, ?load= /etc/passwd is typically the first read target. It confirms exploitability and enumerates system users. From a developer's perspective, any route that accepts a user-controlled path without strict sanitisation and allowlisting is a potential vector. The core insight Burp Suite makes visceral: HTTP requests are not immutable. Every parameter, header, and body value that leaves the browser can be intercepted and rewritten before reaching the server. This is obvious in theory. Seeing it in practice — modifying a live request mid-flight and observing the server's response — makes the implications concrete in a way that reading about it does not. Week 2: OWASP Top 10 in depth, XSS labs on PortSwigger Web Security Academy. Documenting a structured transition from fullstack development into IT security. Background: BSc IT Security, 2+ years MERN stack. Follow the series at verbitski.dev. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse