Learning Web Security

Viewing 11 reply threads
  • Author
    Posts
    • #6661
      tor0
      Participant

      I’m beginning to learn web security such as how sites are vulnerable to xss, how it works, how to prevent xss, sql injection and how to prevent sql injection, etc.

      I come from a systems administration background but I want to learn more about web security.

      My initial thought was to start off learning Javascript. For that, I am reading from w3schools.

      I’m also learning more about Linux with CentOS, permissions, file structure, etc.

      Afterwards, I’d like to know PHP and Apache.

      Is the above a good approach to learning some of the basics. Is w3schools a good resource for learning Javascript?

    • #41410
      Anonymous
      Participant

      w3schools  is great for the basic stuff like how to code Html,php,asp,sql so on a good book is the web application hackers handbook a new version is coming out soon.

      There are also lots live CD that you can run in vm and try and attack like OWASP

      I would start with basic stuff like HTML then move on to rather PHP or ASP then MYSQL

    • #41411
      MaXe
      Participant

      Try to search a bit harder, as there’s a billion tutorials on the Internet, and this question has been asked many times before. There’s many sites like this with good information, such as but not limited to the links below.

      The Beginners Guide to XSS:
      http://www.xssed.com/article/31/The_Beginners_Guide_to_XSS/

      Various tutorials:
      http://forum.intern0t.net/web-hacking-war-games/
      http://forum.intern0t.net/offensive-guides-information/
      http://forum.intern0t.net/general-hacking-discussions/

      Finding Vulnerabilities in PHP Scripts by SirGod:
      http://forum.intern0t.net/offensive-guides-information/1382-finding-vulnerabilities-php-sirgod.html

      Exploit-DB Blogs about Web Application Security:
      http://www.exploit-db.com/category/maxe/

      There’s a lot of courses about how to learn Web Application Security, as this is what you want to learn. Check out OWASP’s website as well.

      First, learn: HTML, CSS, JavaScript (basics).
      Then: PHP or ASP (or JSP or any other web language, I recommend PHP as it’s easier to learn and a lot of web applications are written in this language, however most corporate ones are not written in PHP.)
      When you feel comfortable with these languages: Download some random web apps, those that are not widely used as these are often more secure, then try to review the code for bugs like XSS. (Unsanitized input.)

      You can also just fuzz any input field you find, within the web app you download.

      In addition to the links above, there’s also YouTube (w00t), SecurityTube, and various providers of infosec courses as well such as: eLearnSecurity, SANS, LearnSecurityOnline, and so forth.

      If you want something to practice on, try WebGoat for starters. (There’s other projects similar to this, and there’s even a nice thread in one of these sections on this website, that was recently updated with pretty much almost all such projects.)

      Enjoy!

    • #41412
      tor0
      Participant

      Thanks for that very thorough post MaXe. I looked into some XSS last night just to get a feel for how it’s done and how to prevent it.

      Currently, I’m learning some basic Javascript and will then move into PHP. Going to try out some LAMP and possibly just keep track of my progress with a blog.

      You’ve provided some great links that should keep me busy for a while.

      Thanks for the help everyone! I like how open people are on this forum.

    • #41413
      tturner
      Participant

      I’d also highly recommend learning at least rudimentary SQL (and how to fingerprint databases and understand the differences in strategy when you are attacking MySQL vs Oracle vs MSSQL. There’s no xp_cmdshell in MySQL for example but you can create it more or less with INTO OUTFILE.) Also, remote code execution aside, databases are usually where the data lives and you need to know how to get at it or you will have a really hard time building SQL queries in your injection strings.

    • #41414
      impelse
      Participant

      @tturner wrote:

      I’d also highly recommend learning at least rudimentary SQL (and how to fingerprint databases and understand the differences in strategy when you are attacking MySQL vs Oracle vs MSSQL. There’s no xp_cmdshell in MySQL for example but you can create it more or less with INTO OUTFILE.) Also, remote code execution aside, databases are usually where the data lives and you need to know how to get at it or you will have a really hard time building SQL queries in your injection strings.

      LOL….

      Guys, please do not tell a lot of information, I remember when I was new in some area and some people begin to tell me all the things I need to leard, and bla and bla and bla… At the end, I asked myself: How will I learn all this?

    • #41415
      MaXe
      Participant

      tor0: After learning PHP, or during that, learn some basic SQL and then progress into a bit more advanced queries. Not before, there’s no reason to. (In essence, SQL queries are not as hard as they may seem, see example below.)

      SELECT piece FROM cake WHERE size < mouth;

      It’s pretty much as simple as that, and after seeing that phrase in a book, it made a lot more sense to me  ;D

    • #41416
      Anonymous
      Participant

      This is another good site that should help you with lots of the basic stuff…

      http://www.thenewboston.com/

    • #41417
      tor0
      Participant

      Lots of great advice here. I’ve gone over some Javascript but will take a deeper dive to really get to know it which I am then moving on to PHP which will lead me to the SQL area.

      I think this is a good start for a foundation.

    • #41418
      bigapple
      Participant

      I personally don’t think so, but thats just my opinion. I would recommend reading books on Javascript. But w3schools should get you a great start at the very least, so its a good place to begin.

    • #41419
      MaXe
      Participant

      @bigapple wrote:

      I personally don’t think so, but thats just my opinion. I would recommend reading books on Javascript. But w3schools should get you a great start at the very least, so its a good place to begin.

      You’re right that a book from e.g. O’Reily is probably better than W3Schools when it comes to learning JavaScript, but knowing only this language and HTML is not Web Application Security, it’s like the warm (and nice smelling) air on top of a pizza.  ;D

    • #41420
      tturner
      Participant

      Best way to learn web application security is to build some web apps and try to break them and then use that knowledge to improve the security. If you can’t build the app or understand the logic behind it then you will probably fail at securing them.

Viewing 11 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?