Where to learn web application security?


Anonymous123

There are so many attack vectors, you can take it one subject at a time.

Try and learn XSS, it might be the most basic exploit...

executing arbitrary code, how to manipulate user input fields and inject new code into the vulnerable web application...

SQLi is a powerful bug that still exists but is a more advanced attack.... the concept is the same as XSS...

Do you know any scripting languages?

Link to comment
Share on other sites

OWASP is a decent enough place to start. Check out if a near-local chapter has any meetings anytime soon and just attend. They're, at least in my experience, free to attend and quite a few knowledgeable people show up so you can just ask people 1:1 what, where and how things get done.

Do be careful about phrasing your questions as directly as you did here. Because it's (of course) very difficult to find problems with websites that will reward you for finding them. The simple flaws should by now have been covered. You know about that Stagefright bug that was found which affected 950 million phones worldwide? The guy that reported it would've gotten $1000 for it but he talked them up to $1337. (source for the $1337 figure) The guy that sold that Flash 0-day to Hacking Team got about $30000 so that might give you some perspective.

Bottom line: You should do this sort of thing because you _enjoy_ it. If you're in it for the money and have no issue being considered a selfish bastard unworthy of tasting the sole of my boot when I'm stomping on you, sell your as-yet undiscovered method of exploitation to the highest bidder.

In the larger view of things, going to OWASP meetings is generally a smart thing to do if you want to find a career in pentesting, security and even software development. Shit like that looks good on your resume. And you genuinely can learn quite a bit from it as well as greatly expand your professional network, which could in turn allow you to survive as a self-employed engineer. Or you could just be that guy who finds some massive flaw in something, tells the world about it and gets a run at the speaker circuit where you show off what you found. People get paid for that too you know (though rarely by OWASP and not that much by others). What it always ends up with is that you become better known to the public at large - which of course helps you get employed and can land you valuable and rewarding long-term friendships. Just don't be a dick because, naturally, word of that travels really fast in those networks as well...

Link to comment
Share on other sites

Offensive Security offer a number of security training courses for varying areas of penetration testing. https://www.offensive-security.com/information-security-training/

If you want Web related/application security specific classes they offer a Live course, but it's usually something they offer at BlackHat or Defcon. If you want to go at your own pace, their Pentesting with Kali course is a good starter that covers a bit of everything.

Even if you know your way around Linux, their courses are still pretty demanding. I'll warn you now though, their courses are not simple point and click multiple choice review questions. You pass or fail based on actual hands-on hacking skills, so if you learn by doing, their courses would be a real challenge.

Link to comment
Share on other sites

My experience with the Offensive Security exams is that they aren't the best place to get started, but more aimed towards the more experienced. (which I think enhances their value).

Cybrary is a great place to start though. Can't recommend them enough!

Link to comment
Share on other sites

  • 2 weeks later...
  • 3 weeks later...
  • 9 months later...

It's a wiki so for casual browsing it's pure shit.

I use it the same way I use Wikipedia - Google something with site:owasp.org and take it from there.

Link to comment
Share on other sites

4 hours ago, cooper said:

It's a wiki so for casual browsing it's pure shit.

I use it the same way I use Wikipedia - Google something with site:owasp.org and take it from there.

You tried any of their guides?

The content seems thorough but just very hard to find and jump to a particular topic and it's written like a fucking research paper format instead of a linear PDF.

Link to comment
Share on other sites

I record the OWASP presentations that are given periodically in .NL and I go to their monthly meetings. If I want to know about something I ask one of the people present there about it which thankfully saves me from having to dive into that too much.

And in all honesty, half their stuff IS a research paper. The other half is someone scratching a personal itch. Since there's often little interaction between projects and/or next to zero effort is spent to bring stuff together to make a coherent whole. A lot of stuff tries to be language-agnostic, which makes it hard to apply something to your project because it may use a word to describe something for which, in your language, a word exists but because it only exists in your language they won't use it because they want to reference the abstract technology underpinning it rather than the implementation, which is identified by that word.

Yes, it's painful and yes, it would help if they did it differently. The upshot is that it's a wiki and some open source projects. If you want to change things you're welcome to put in the effort for that.

Link to comment
Share on other sites

I'm cheap, just use http://samurai.inguardians.com/, and something like http://www.dvwa.co.uk/. Trick is learn the basics from watching videos and reading documentation, along with experimenting. Once you've got a reasonable grasp of the subject, you can normally find a mentor in the community, as long as you aren't annoying.

Link to comment
Share on other sites
