This topic contains 25 replies, has 11 voices, and was last updated by 
hayabusa 8 years, 12 months ago.
-
Posts
-
Hi,
I will soon be ready to take a Web Application penetration testing course. My goal is to learn in-depth web app security. I have been a web app developer for 10 years and I have been in the security field for about 2 years now. So I am looking for an intermediate/advance course. I am looking on courses dedicated on web apps.
Also, I pay everything from my own pocket, so I am looking for the best value.
So far, I found:
- SANS 542: Web App Penetration Testing and Ethical Hacking (GWAPT) – $4000 with the exam
- InfoSec Institute: Learn to Pen Test and Secure Web Apps – $3825
- BlackHat: The Web Application Hacker’s Handbook – Live Edition – $1895 (late registration)
- BlackHat: Web Application (in)Security – $1895 (late registration)
Do you know about other courses? Which one would you suggest?
-
Hi H1t M0nk3y,
A colleague currently is in the 3rd week of the GWAPT course and he is not satisfied with the level of the course so far.
Regarding the other courses, I have no references.
-
Don’t forget the LearnSecurityOnline’s course “So You Wanna Be A Web App Pentester” course. It’s by far the cheapest on the list. I’d love to hear some reviews on it.
http://www.learnsecurityonline.com/offerings/courses/224-so-you-wanna-be-a-webapp-pentester
-
@mambru Did you colleague say why he is not satisfied with the GWAPT course? I am curious why…
@xXxKrisxXx Thanks, I did forget about it! In the course description, they say:
How Is The Course Delivered & What Do You Get
All of the courseware will be delivered in PDF format– 5 sets of powerpoint slides in PDF format
– 1 document (103 page course document) in PDF format
– 1 web app tools install walkthrough document
– 4 lab documentsI wonder what is the difference with this course and, let say, buying 6 or 7 books…
I think I am gonna take it. For $300, you can’t go wrong. I will write a review as soon as I am done, probably late in September.
-
Also, there is eLearnSecurity. Web application is one of the three main focuses included in the course (System and Network security is also included). It is pretty in depth and is fairly cheap @ $599 (until the end of July). You also get a discount being an EH-Net member.
-
-
-
I’m currently taking it, and I find it rather informative with in depth descriptions and good examples of tool usage. I haven’t finished all modules yet due to being busy, but the material never expires and you can start the certification process whenever you’re ready.
You can also read the review here:
http://www.ethicalhacker.net/content/view/307/24/ -
Thanks secureseven.
In the review, they said:
We contacted Armando, and he told us that there will be a completely stand-alone Web Application course on its way containing much more web hacking fu. In the meantime he is working on adding w3af into the VA section.
I will be looking forward to this!!! ;D
-
I’m currently taking the eLearnSecurity course too but you’ve got to remember he’s looking for a more predominant focus in web application attack course. While the web application attacks section is the best section compared to other sections, it’d have slides in the course that H1t M0nk3y would most likely know (this just judging from the certifications in his signature). Essentially he’d put out the money for the course to be mainly interested in the web application section and for the certification you have to pentest a vulnerable web-app.
Heorot’s 3DCPT also looked pretty interesting:
http://heorot.net/3dcpt/Fixed: Typo
-
You are right xXxKrisxXx, I am really looking at a course dedicated on web app pentesting.
Heorot’s 3DCPT looks indeed quite interesting, however:
Students must have successfully completed the Nidan Certified Penetration Tester course before they can attend the 3DCPT course.
I wonder if we really have to take the other course first… :-[
-
@mambru wrote:
Hi H1t M0nk3y,
A colleague currently is in the 3rd week of the GWAPT course and he is not satisfied with the level of the course so far.
Regarding the other courses, I have no references.
I recently did the course and I felt it served as a very good introduction to the world of web application pen testing. @mambru wrote:
@mambru Did you colleague say why he is not satisfied with the GWAPT course? I am curious why…
He says the technical level is far too low. Also, both instructors (Kevin Johnson & Set Misenar) spend too much time in simple things, while other important aspects are almost skipped.
That wasn’t my experience. I will admit that there were areas where I would have preferred if more information was provided. But then that happens in almost ALL courses. I was fairly satisfied with the technical content.
-
@dark_knight Yeah maybe it’s a good introductory course, this guy is already a GPEN and has quite some experience doing PTs
-
@mambru and @dark_knight: I appreciate your comments!
I think I will go through some books instead for the next few months. I haven’t seen anything convincing so far. Again, I pay everything myself and before putting $4000 on a course + travel or pay $500 for a bunch of PDFs, I may as well read a few books!
I am pushing right now! 😉
I will go through a few books on web app pentests and I will see. I may then by a GWAPT practice exam and see where I stand. I did that for GSEC and finally passed the exam without the course!
Thank you everyone for your comments!
-
Start with The Web Application Hacker’s Handbook then. It’s probably the best book out there for web app hacking.
-
Thanks Equix3n-
I bought it about 2 months ago and didn’t have time to open it. I will start with this one.
-
@mambru wrote:
@dark_knight Yeah maybe it’s a good introductory course, this guy is already a GPEN and has quite some experience doing PTs
When I did the GWAPT I already had the GPEN along with my other certs. And I still found the course to be quite good. However I did not have the practical experience in the field of web app pentesting. Hence my reason for doing the course.
In fact I am just now building those hours. So my thoughts on the course are against that background.
-
They tried to cast a wider net with this course. So as Dark_Knight mentioned, he had little practical exp with web app and thus enjoyed it. Others that have a solid foundation already may feel like the first couple days or so or boring. If you have vast experience and looking for a ninja course, GWAPT may not be for you.
Be sure to check out Ryan Linn’s review of the course right here on EH-Net:
http://www.ethicalhacker.net/content/view/254/24/
Hope that helps,
Don -
Thanks Don for the link to the review.
This course looks like pretty a pretty good one. It’s hard to get methodology from a book, and SANS are usually good on that regard.
-
I am very much a beginner, but would certainly recommend the WAHH (Web Application Hackers Handbook). I am still reading the practicing the “hack steps” from each chapter but think they are great. Most of you guys are probably aware of these, but these are the web apps I have been practicing on:
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning
http://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
-
@H1t M0nk3y wrote:
I think I will go through some books instead for the next few months. I haven’t seen anything convincing so far. Again, I pay everything myself and before putting $4000 on a course + travel or pay $500 for a bunch of PDFs, I may as well read a few books!
H1t … If you’re going to choose a course, I suggest definitely investing in some books before forking out money for a course. For the most part, you can teach yourself SQL injection which is the VAST majority of what most classes will cover.
Let’s have a realistic view of what’s involved with “pentesting” webservers shall we?
Your machine –> Interact –> Webserver
Your machine –> post or pull data –> Webserver
What is your goal here. To either push your data or exfiltrate THEIR data. How do you accomplish this. SOAP, AJAX, etc., what you’re learning is how to subvert an application which is something you can teach yourself.
Foundstone has HACME bank, OWASP has their webserver, etc., the commonality is understanding how data interacts between your machine and the server. For this, you could create VMWare images to accomplish the same. So think “Damn Vulnerable Linux”
Now what’s involved with truly understanding this (web application) and why may some of these courses fail…
So you set out to do one of these course and they’re going to rehash SQL injection of some form – since this is the most popular form of attackers compromising and ex-filtrating data… What are you paying for in these courses? How about you set up your own W2X server running a CMS or other application and tinkering on your own. There are plenty of videos and content freely available which would save you big bucks in the long run. Think out of the box. Many applications are available for demos. When I discovered vulnerabilities in SAP, Oracle, it was done through demos. I downloaded Oracle’s Beehive server, tinkered with it, fuzzed it to shreds (beStorm, Klocwork, etc). Something you will almost ALWAYS have to do on your own anyway.
For SQL injection training, etc., I want to say look up Joe McCray’s Advanced SQL content (http://www.youtube.com/watch?v=WkHkryIoLD0) you could teach yourself on your own. Its all about you taking a moment to understand what it is your trying to accomplish. In this case, I point to the above. You either want to post or pull. Teach yourself how to do so normally… Subverting it is a matter of creativity.
Now… If I DID have to choose a course, I’d go with IACRB’s and the reason for this is because I know who teaches the content and I know what they do for a living. Most have written the books you will read anyway, secondly, most have HANDS on experience during their day jobs at places like Northrop Grumman, ETC.. You don’t necessarily need to fork out 4K at IACRB (InfoSec Institute), if they’re quoting you that let me know and I will get them to lower your price. Also, you don’t necessarily need to be on-site although you will learn a lot more in-person. Then again, IACRB just made this class… I forgot they don’t have the online class yet.
Here are some books I would get (preferrably used… save the money)
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/ref=sr_1_1?ie=UTF8&s=books&qid=1280005643&sr=1-1
http://www.amazon.com/Deadliest-Application-Attacks-Syngrass-Deadlest/dp/1597495433/ref=sr_1_3?ie=UTF8&s=books&qid=1280005643&sr=1-3
http://www.amazon.com/Professional-Pen-Testing-Applications-Programmer/dp/0471789666/ref=sr_1_6?ie=UTF8&s=books&qid=1280005643&sr=1-6
http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240/ref=sr_1_10?ie=UTF8&s=books&qid=1280005643&sr=1-10
-
Sil… Again, I couldn’t thank you enough!
I am thinking exactly the same way as you do. I have always learn things by myself and again in this case, the wise thing for me to do is to continue doing just that.
I have already played with 75% of all the tools and targets you have mentionned in your email. In addition, I am only missing one book out of the list you provided at the bottom! All I need to do now is to read, understand and apply!!!
BTW, I was sitting at Def Con last year and watch Joe McCray make his presentation on Advanced SQL Injection! The world is small…
Thanks Sil, I will be reading in the next months!!!
-
Also, give a thorough look to the OWASP website. They’ve some good stuff which is freely available like OWASP teting guide http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents among others http://www.owasp.org/index.php/Category:OWASP_Project
-
I know i’m resurrecting an old thread, but having taken all the courses that have been mentioned in this thread i can offer the following:
GWAPT has a great methodology, but it does lack in some of the technical areas. It covers the domains of app testing, the best and most current tools, intros to scripting languages, and lots of application theory. it gives you all the tools you need to move forward in appsec testing if you’ve never done it or are primarily a network ninja. It’s an introductory level class.
Elearn’s module on webapp hackery is impressive, its technical detail is more in depth, and it covers some one-off tools that i now enjoy using in my app tests. I’d say its a intro to medium level class. Armando is still planning on doing the stand alone course on webapps, i don’t know the timeline on that though.
Joe’s “So you wanna be a webapp pentester” is good. It’s an intro to moderate level class. It has a little on the basics, and ton more on specifics of exploiting certain DBMS’s, etc. Very similar to his free talk on SQL injection. After seeing him at blackhat and taking his Advanced Penetration Testing class i know he is close to finishing a complete revamp of all his courses… and if they are anything like the one i took, they will be excellent. More on that soon.
Dafydd and Marcus’s Two day Blackhat class is by far the most “Ninja” class i’ve taken so far. They expect you to have gone through the Web Application hackers handbook and have a solid grasp of whats what in the appsec vuln landscape. The majority of the class (depending on what kind of group you take it with) is bashing your head against different filters and flaws. It’s painful but awesome. The only problem with that is that the class is only 2 days. I could have easily soaked up Dafydd and Marcus’s knowledge for week. Dafydd and Marcus have some new stuff on the horizon which i will be writing about in the near future.
Forgive my absence, new baby on the way and con season have rendered me forum-useless.
-
Thanks Jhaddix!
I was going for “So you wanna be a webapp pentester” since his talks at Defcon this year and last year were very interesting.
Once I am done with it, I will look at “Dafydd and Marcus”.
Thanks again, very interesting stuff…
-
@jhaddix wrote:
Forgive my absence, new baby on the way and con season have rendered me forum-useless.
Always nice to see JHaddix poke his head back out, from time to time! ;D Babies are fun, dude… I’ve been through 4, so I understand the sudden ‘disappearance’, between that and the “con’s”
You must be logged in to reply to this topic.
