Welcome to the forums

It seems like the most logical / natural route would be to get into web application hacking. What technologies are you working with for your web development and administration responsibilities?

This would be a good starting place, if you haven't seen it yet: http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470/ref=sr_1_2?ie=UTF8&qid=1331822345&sr=8-2

CEH and CISSP give management and HR warm and fuzzies.  CISSP requires a bit more work than say CEH as far as knowing material.  They both cover a lot but they cover different areas.  CEH covers the pen testing aspects, but not necessarily in detail.  CISSP covers a number of domains and in order to maintain the CISSP you need to have a certain amount of exerpience in some of those domains.  There are also a number of changes being made to the cert which you should read up on.

eCPPT would be a good choice for a decent technical cert.  Becoming familiar with OWASP and joining a local OWASP chapter will get your foot in the door with the community.  Maybe look into companies like Veracode who do Application testing, see what their requirements might be for App pen testers.

Good luck!

I really appreciate all your suggestions. I agree with u guys that Web Pentesting is what i should pursue and OWASP is what which can get me into community scene. But can i make the best use of Backtrack as in my region backtrack is recognized widely. So will it be possible to go for OSCP with the knowledge i have or can i get that kind of knowledge with self study which is needed to get OSCP. Currently i am working with html, css, jquery, wordpress, apache, mysql, ftp server and mercury. I know about vmware and stuff currently m having bt5 win2000 win 2003 metasploitable and other vuln machines on my vm. Other than that SQL injection is something i am very comfortable with.

Cheers

Not sure when, or if (though probably after BlackHat), Offensive Security will be releasing this in online form but this sounds like something that would interesting you:

OffSec Advanced Web Attacks

Don't forget to do some preliminary study and perhaps research, and if you haven't already checked out some of my blogs, check this out: http://www.exploit-db.com/category/maxe/

There's also tons of information here, but also on the InterN0T forums: http://forum.intern0t.org/forum.php and many others as well. Just be aware that not all guides are high quality guides, some are even incorrect and many, teaches you only the basics (of the basics sometimes), but InterN0T is a free and good place to start.

There's even threads about coding securely, how to identify the vulnerabilities in the code, e.g., in this thread: http://forum.intern0t.org/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html (which was originally posted there, before it was distributed to all the other websites. Please keep in mind that it was SirGod who wrote this.)

You can also find really good proof of concept's and possibly guides by RGod aka RetroGod, and well, this is not one of the resources I have shared often, but this one will help you (and hopefully many others too) quite a lot: http://www.blackhatacademy.org/security101/Web_Exploitation

There's plenty of web labs, both open source and commercial. I haven't tried many web app labs, but MDSec Labs are very heavy, and you may want to study the "Web Application Hacker's Handbook Second Edition" first (I'd say it's almost a requirement, but also to get the best experience), and the first edition of this book may be good as well.

What is important to keep in mind, that the MDSec Labs has a lot of content, and extreme amounts of variations of the same attack (haven't seen this in other labs), but there aren't cool things like: http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ , but there's a lot of nice things you can learn in there, including how to use Burp for a lot more tasks.

I did 4˝ Labs, and it was a nice experience. The first 2 labs were piece of cake, but fun to do. I am planning on doing the rest of the labs, before making a complete review with good "details" (not actual solutions of course, just how I think the labs are), and the price is not bad. I used 5 credits for those 4˝ labs, but I spent my time well and knew web app sec before playing in there.

So, with that being said, I hope you'll enjoy becoming a Penetration Tester, this is just the web app sec side, if you want to learn exploit development (for binary programs, etc.) then Corelan.be is one of the best places to go to.

If you want a nice overall, broad and deep certification, it's OSCP. I know you may think you'll save money on just doing OSCE, but that's very close to actual exploit development (such as 0days), and very targeted, so it is within pentesting, but it's not very broad compared to OSCP which is good for anyone 

SANS courses, if you don't pay yourself, go for them. If you do, start with Offensive Security, or eLearnSecurity (Even though they're heavily web app sec focused, at least their exam is).

That's some of my best recommendations I can give for now 

Almost anyone can sign up for OSCP, but they don't accept free e-mail providers, and some countries may be blocked from buying the courseware due to copyright laws in those countries, or because of previously leaked courseware from those countries.

OSCE has a challenge you have to pass, it's quite fun, but also a bit hard, especially if you're a beginner, then I wouldn't recommend spending too much time on it in case you get stuck.

But if you want to try it out one day: http://fc4.me/ (Just keep in mind it's for OSCE, not OSCP and it's meant to make sure you know enough before doing the course.) Doing the challenge doesn't force you to sign up for the course, so feel free.

I'm sure that you can sign up for OSCP without much trouble, keep in mind they have "slots" due to they don't put too many students in their labs at the same time, so plan ahead as you may have to wait a month before you can enter their labs.

I tried http://fc4.me/ and after spending few mins I was only able to find the JS files embedded with the page, Whats inside the page makes me confuse i got an idea that the password is encrypted but i was unable to decrypt it. So yea it means i am still a newbie ..

Agoonie, yes now i am doing the same i am researching about it from my work. When i get free time i am planning to go for a pen-test as my company don't want me to do that i will just go for it and once I will find something very vulnerable will show them the report to make them aware how important it is. Other than that the book which I think will be very helpful if i will buy one is http://www.amazon.com/BackTrack-Assuring-Security-Penetration-Testing/dp/1849513945

What do u guys think about this Book? is it ok for a newbie to jump into it. I will appreciate all the Ehackers suggestions...