Topic: Start into Web Application Security (Read 4324 times)
birdofbeauty11
« on: January 14, 2013, 11:38:21 PM »

Hi,

I am trying to enter into the web application security field. I am somewhat overwhelmed because I have A LOT of vulnerable web applications (OWASP Broken Web Apps, OWASP Security Shepherd, PenTestLab), and I also enrolled in eLearnSecurity and PenTestLab.

My question is, for those in this field, what were your first steps? I clearly have a lot of information (see paragraph above), but I feel like I am not using my time in the most effective manner.

Also, I have a blog, passionforpentesting.wordpress.com. I am trying to revitalize the blog again this year, and my goal is to have it as an interactive place for people who want to enter this field. If you can please go to the site (I must warn you in advance the posts are pretty bare) and give suggestions, that would be great!

I should reiterate I REALLY want to transition over to this field, as I am an Application Developer now. This isn't a hobby that I will drop in two months; I've been trying to get into this field for over 2 years, and it seems I am always met with a brick wall...

Thanks!

cd1zz
« Reply #1 on: January 15, 2013, 09:15:21 AM »

Go get the web application hackers handbook and read it cover to cover. You'll get an idea of "where to look and what to look for" when testing web apps.

H1t M0nk3y
« Reply #2 on: January 15, 2013, 10:26:55 AM »

Hi birdofbeauty11 and welcome to the forum.

I have more or less the same problem as you. I am a Java system architect who is working very hard to transition into information security.

For me, I find it tough to only do web application pentests. Because other than for huge companies, there aren't enough web apps to justify a full time employee.

In addition, hacking web apps usually requires at least some knowledge of the OS and the network.

I am still mainly working in web apps development, but I do all the security of the apps around me. So I spend about 15% of my time on security. I also train the other developers.

So that's where I am at.

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

Grendel
« Reply #3 on: January 15, 2013, 10:39:17 AM »

While I agree that you should (will) be spending a lot of time researching about web pentesting over your career (especially at the beginning), if you want a place to start you should check out WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project).

Not only is this an exploitable image that is geared towards web applications, it's designed for all levels of expertise. The additional advantage is it'll let you know if you really want to pursue the field of web pentesting - if you can handle web goat for more than a week of exercises (WITHOUT looking up the answers), you'll probably be fine in the field.

- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools

birdofbeauty11
« Reply #4 on: January 15, 2013, 10:17:32 PM »

Thanks everyone for responding!

I'm glad that I am not in this boat alone. (0:

Just a quick note, I do have the "Web Application Handbook" (all 600+ pages of it), but haven't had a chance to sit down and read it. I am more of a hands-on type of learner, so that is why I wanted to start poking around some vulnerable apps.

Quote
While I agree that you should (will) be spending a lot of time researching about web pentesting over your career (especially at the beginning), if you want a place to start you should check out WebGoat (https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project).

Not only is this an exploitable image that is geared towards web applications, it's designed for all levels of expertise. The additional advantage is it'll let you know if you really want to pursue the field of web pentesting - if you can handle web goat for more than a week of exercises (WITHOUT looking up the answers), you'll probably be fine in the field.

To answer the block above, I guess I am not cut out for Web App security. I have WebGoat and it is not intuitive to me at all. I often find myself VERY confused when trying to work on the exercises because the instructions do not seem very clear to me. I try to do the exercises without Burp Suite or OWASP ZAP because I want to gain the actual learning without relying on the tools.

Also, to piggy-back, what other areas of security are you guys (or gals) looking at? The reason I picked web app security was because it seemed the most interesting to me, with network security being in second.

I just feel like I am putting WAY too much pressure on myself.

Please respond when able.

Thanks.

ajohnson
« Reply #5 on: January 15, 2013, 10:43:16 PM »

I personally haven't used WebGoat, but I've heard many people state it is not intuitive. He may have been referring more to patience, persistence, and perseverance. Web app testing can be frustrating as hell...

Regarding WAHH, there are corresponding labs at mdsec.net. They're not free, but $7/hr is entirely affordable. I just wish you didn't have to use one-hour blocks all at once since it would be nice to try an exercise or two and then get back to reading. 

Mutillidae might be a better starting place for you: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

There are also over 80 videos that walk you through various tasks: http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

I think things will become intuitive for you quickly enough, especially if you have a development background.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.

H1t M0nk3y
« Reply #6 on: January 16, 2013, 08:16:55 AM »

Quote
I try to do the exercises without Burp Suite or OWASP ZAP because I want to gain the actual learning without relying on the tools.
So you know birdofbeauty11, many WebGoat exercises require a web proxy. You don't need to use Burp Suite, but you need a web proxy at the minimum...

WebGoat is not always easy, but I really like it. I found it to be too "cheesy" for teaching people new to security (they think it doesn't represent a real life scenario), but I have learned a lot by looking at... the answers.

I want to go back to it again and this time, not look at the answers at all. But this is nevertheless a great tool!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

birdofbeauty11
« Reply #7 on: January 16, 2013, 07:39:06 PM »

Quote
I personally haven't used WebGoat, but I've heard many people state it is not intuitive. He may have been referring more to patience, persistence, and perseverance. Web app testing can be frustrating as hell...

Regarding WAHH, there are corresponding labs at mdsec.net. They're not free, but $7/hr is entirely affordable. I just wish you didn't have to use one-hour blocks all at once since it would be nice to try an exercise or two and then get back to reading.

Mutillidae might be a better starting place for you: http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10

There are also over 80 videos that walk you through various tasks: http://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae

I think things will become intuitive for you quickly enough, especially if you have a development background.

Thanks for the response. I am trying to learn for free. LOL. I already signed up for eLearnSecurity. I need to build myself up, before I will attempt the exercises in WAHH.

birdofbeauty11
« Reply #8 on: January 16, 2013, 07:43:09 PM »

Quote
I try to do the exercises without Burp Suite or OWASP ZAP because I want to gain the actual learning without relying on the tools.
So you know birdofbeauty11, many WebGoat exercises require a web proxy. You don't need to use Burp Suite, but you need a web proxy at the minimum...

WebGoat is not always easy, but I really like it. I found it to be too "cheesy" for teaching people new to security (they think it doesn't represent a real life scenario), but I have learned a lot by looking at... the answers.

I want to go back to it again and this time, not look at the answers at all. But this is nevertheless a great tool!

Thanks for the response! I will try to use WebGoat with a proxy. I have OWASP ZAP proxy installed on my computer. I will try that.

I will try Mutillidae first, and build myself up.

Can you explain what you did to get started in web application security or computer security, period.

H1t M0nk3y
« Reply #9 on: January 17, 2013, 08:03:14 AM »

Quote
Can you explain what you did to get started in web application security or computer security, period.
Personally, I study really hard to be the best (or close to) in my city. Then I go to ISSA, OWASP, etc meetings in my area to make contacts. I also did a few Capture the flag (CTF) competitions.

I believe that if you are very good at something AND people know you exist, then you will find work.

But nothing's easy...

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP

MaXe
« Reply #10 on: January 18, 2013, 08:44:21 AM »

In case you haven't, check out my web app sec blog series: www.exploit-db.com/category/maxe/

The best way to learn web app sec, is to learn a language such as PHP (knowing HTML, CSS and basic Javascript is elementary), and then understand why these bugs exist, how they look code-wise, and how to fix them. That way you can patch bugs, find 0days more easily, and know more. Or even create your own web app sec labs, which I've done for a few on a project basis some time ago.

Take a look at this thread:
http://forum.intern0t.org/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html

I'm an InterN0T'er
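The post above recommends learning PHP well enough to see why a web bug exists, what it looks like in code, and how it is fixed. The block below is an added illustration of exactly that, written for this page; it is not code from the thread, from MaXe's blog series or from the linked intern0t post. It puts a vulnerable snippet beside its hardened form for two of the bug classes such labs cover (SQL injection and reflected XSS). The `users` table, the PDO connection placeholders and the sample inputs are all constructed assumptions, and the walk-through at the bottom runs without a database.

```php
<?php
// Added example for this thread, not the poster's own code.
// Assumptions (constructed): a table `users(id, username)` reached through PDO,
// and the sample inputs at the bottom. Nothing here needs a live database.
declare(strict_types=1);

// ---------- SQL injection ----------

// Vulnerable: the query is assembled by string concatenation, so any quote or
// SQL syntax inside $username becomes part of the statement's grammar instead
// of being a value. That is the root cause of SQL injection.
function buildLookupVulnerable(string $username): string
{
    return "SELECT id, username FROM users WHERE username = '" . $username . "'";
}

// Hardened: the SQL text is fixed at prepare time; the value is sent separately
// as a bound parameter and can only ever be treated as data by the driver.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ---------- Reflected XSS ----------

// Vulnerable: user-controlled text is interpolated into HTML unchanged, so any
// markup inside $name is parsed by the browser as markup, not shown as text.
function greetVulnerable(string $name): string
{
    return "<p>Welcome, $name</p>";
}

// Hardened: encode for the HTML body context. ENT_QUOTES encodes both quote
// styles, so the same helper stays safe if the value lands in an attribute.
function greetSafe(string $name): string
{
    return '<p>Welcome, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// ---------- Walk-through on constructed input ----------
// A perfectly legitimate surname with an apostrophe is enough to show the SQL
// bug: the vulnerable builder emits a syntactically broken statement, which is
// the same failure an injection relies on. The safe version never has that
// problem because the value is never spliced into the SQL text at all.
$name = "O'Brien";
echo 'Vulnerable SQL: ' . buildLookupVulnerable($name) . PHP_EOL;
echo 'Hardened SQL:   SELECT id, username FROM users WHERE username = :u'
   . '  (bound :u = ' . $name . ')' . PHP_EOL;

// Same idea for output encoding: a name containing markup.
$input = '<b>bird</b>';
echo 'Vulnerable HTML: ' . greetVulnerable($input) . PHP_EOL;
echo 'Hardened HTML:   ' . greetSafe($input) . PHP_EOL;

// To exercise findUserSafe() against a real database, fill in the placeholders:
// $db = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//                PDO::ATTR_EMULATE_PREPARES => false]);
// var_dump(findUserSafe($db, $name));
```

Run it with `php example.php`. The point to take from the two pairs is the same: the bug is never "a bad character" but a place where untrusted input crosses into a parser (SQL, HTML) as syntax, and the fix is to keep it on the data side of that boundary (a bound parameter, a context-correct encoder) rather than to filter characters.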
© 2013 The Ethical Hacker Network