Training, training, and more training. That's what the past week has felt like. Up until now, I hadn't really tried to use things like Burp Suite or the Metasploit Framework. Now I just wish I had gotten my feet wet with both of these tools sooner.
The biggest problem is that I have the theory of web application penetration testing down (at least on a basic level), but have little to no experience with actually doing it. I have practiced with manually exploiting SQLi and XSS vulnerabilities but, as I am quickly learning, these are skills that are trivial at worst and complementary at best. In reality, there are a plethora of tools at my disposal built into my Kali Linux virtual machine. I've never been very good about using these sorts of "helper" tools. In many ways I'm a fundamentalist when it comes to this sort of stuff. Seriously, in my math classes, sometimes I would take the time to derive and prove formulas before using them. I digress. The baseline is that I need to familiarize myself with Metasploit and Burp Suite. These "helper" tools are more essential than anything. A computer can ultimately do the grueling job of sifting through TCP logs and HTML requests better than I can manually.