Yes, source code audit is within the scope.
But with 60 000 lines of code, where should I start?

BTW, I am a web developer, so I understand the code well.

Wow!

I knew about half of them, but I am very happy to see this list too!
I think you can also get DefCon's capture the flag server images and answers from their web site.

Hi,

I currently have to perform a security evaluation of a web site. The server itself (OS) and the network are not in the scope because my client has no power over them. However, they can change the web server configuration and since they're the ones developing the web application, they can modify it.

So, my task is to do a security evaluation of the web application and the web server. Where do I start?

I have completed the reconnaissance phase. I suspect some XSS and SQL Injection vulnerabilities. But if I really want to do a good job and produce a very complete report, with the ad-hoc way I am doing this, I am afraid of missing some stuff...

I have looked a 3 books on the subject and browsed the OWASP web site, but I just can't seem to find a good methodology for pentesting web apps.

Any suggestions?

Thanks
 

BTW, CEH won't teach you much about XSS, SQL Injection or anything "deep". Since this certification covers many, many topics, they just can't go deep.

So while you are required to know about XSS and SQL Injection for example, the course won't make you an expert in blind SQL Injection...

So my advise is do it for yourself, not for your resume. CISSP already covers the basic, so you don't need another one. But if your goal would have been PenTesting, It would be entirely different...

I passed the CEHv6 exam a week ago after failing my first attempt in November.

For my first try, I studied the CEHv5 materials thinking it would be ok. In fact, by using the "Official Certified Ethical Hacker Review Guide" (as pointed out on EC-Council web site), I though that by understanding very, very well the content of this book, I would be fine.

But, the CEHv6 exam is a new one. I have discovered AFTER I only got 65% on my first attempt that CNDA and CEH use the same exam. On the EC-Council web site, you can read:


http://www.eccouncil.org/certification/certified_network_defense_architect.aspx

So, my understanding is that there are way more questions about system admin, Active Directory and so on in the CEHv6 than in the CEHv5. And don't gt me wrong, I have studied like hell for my first attempt (learning about 220 tools, virus, worms, etc!). But I only got about 37 questions about what I studied th most...  

Anyway, if you download the CEH course brochure (PDF under the resource tab on their web site) and you understand them well, you should be ok.

Don't bother learning tons of port numbers for virus, trojans and worms, it is not worth it for the exam (countless hours of my life that will never come back...).

Good luck!

PS: It was sweet to past it the second time around...  

The only person I know is CISSP, but he is more interested in management than in pentesting...

I will have to do it alone. 

I have a big report to write and as soon as I am done, I will start the course.

On the Offensive Security web site, they have a course starting pretty much every week. I will probably start on Feb 21st.

Also, I know there's already a very good review of the course on this site by Ryan Linn, but if someone is interested, I could start a new thread an discuss about my experience (but without spoilers, of course).

I am verrrrry eager to start it!

Thanks for the answers!

I have already asked people at Offensive Security and you can buy extra lab time for $200/month.

But I will follow your advise What90 and I will take the 60 days. I also agree with you that a certification is not about getting a piece of paper, but the process of acquiring it. I was talking to a friend recently and we realized that studying for a certification makes you learn useful stuff that you wouldn't have looked at otherwise (mainly for lack of interest). But having a broad understanding of your field makes you a better security professional.

All that to say my goal is to do all exercises. I am paying this course from my own pocket and I certainly want to get the most out of it.

So my next question: did some of you complete all the extra exercises?

Thanks again for all your comments!

Humm,

That's indeed pretty interesting. Thanks for the link. I was thinking of getting only a month of lab time, but I will probably go for 2 months right away.

We may end up taking the course at about the same time! I should be ready to take it in about 6 or 8 weeks. I have a few things to do before (pentesting a web app).

But thanks, your comments made sense!

Hi,

I am trying to get ready for the OSCP course and certification. I have a pretty good idea what the course is about. But before registering for the course, I was thinking of playing more with the basic tools (Metasploit and many tools found in Backtrack), so I could get the most of the OSCP course material.

I have hacked the first two De-Ice live cds in my lab and I would like to hack all the other challenges (remaining De-Ice and Hackerdemia live cds) that I can find before I start the course. This way, I could get the most of the course.

If you have done OSCP, would you say it's a good idea or the course really gives you all you need?

Thanks

I am glad you are saying this, because OSCP was the next one for me!

Hey guys,

I myself just successfully passed the C|EH exam yesterday! 

But my question is: many people says that C|EH is "the first step" or a "good start". But what is the next step?

I guess it depends where you want to go. I myself am a web application architect and after 10 years developing java webapps, I started to realize more and more that 98% or web developers don't have a clue about security (and this is sooooo true!). But my goal is to switch to PenTesting in a few years and I study every night to reach my goal.

So, other than a lot of work, what would be the next cert/course for someone who wants to pursuit his career as a:

1) PenTester (GPEN?)
2) CISO (CISSP?)
3) Web App security tester (GWAPT)
4) Other

Thanks and great site!

Thanks Ketchup,

But what about developing Java applications on Palms and Blackberries? We always have access to the source code. They can change the OS, but the JRE enables us to still run our code I think).

But regardless, what application would you like to see?

I was wondering...

Pretty much everyone has a Blackberry or an iPhone these days. After a little search on Google, I couldn't find many information security applications for these devices. There is MiniStumbler, but pretty much all the other apps are for securing the smart phone itself.

So, what security-related application would you like on a smart phone? A sniffer, port scanner, WEP cracking tool, an IDS, a "netcat-like" tool? They would obviously be less powerful then their stand alone counterpart, but I wouldn't mind some of these tools on my Blackberry...

Let me know what you think!