Web App Hacking

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Aug 14, 2008 8:55 am

Web App Hacking

Anybody have a recommendation for a training class and/or book on Web App Hacking?

I was thinking about buying
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Aug 14, 2008 9:36 am

Re: Web App Hacking

SANS has a 4-day class

Security 542 Web Application Penetration Testing In-Depth

I have heard good reviews of this class

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

only_samurai

Newbie

Posts: 6

Joined: Tue Aug 12, 2008 3:40 pm

Post Thu Aug 14, 2008 9:40 am

Re: Web App Hacking

There are some good books and classes out there, but I've never personally used them. In my opinion, the best way to pick this stuff up is to start coding in a web-language and while you are working on building web-applications, be reading about security. This method won't take you in-depth, but will build a solid baseline to build on top of.

Just my two cents.
-samurai

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Aug 14, 2008 12:32 pm

Re: Web App Hacking

Samurai,
I agree. I'm trying to build up my skillset in this area, beyond just scanning and exploiting.

VJ,
Are there any instructors that stand out? Just wondering, as my past experience with SANS was heavily dependent on which instructor you got. For example, the smaller SANS events usually don't get the A Team.

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Thu Aug 14, 2008 1:32 pm

Re: Web App Hacking

For SANS, Kevin Johnson is the man:

Kevin Johnson is a Senior Security Analyst with Intelguardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads the development on B.A.S.E. (the Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, teaching both the Incident Handling and Hacker Techniques class and the Web Application Security class. He has presented to many organizations, including Infragard, ISACA, ISSA and the University of Florida.


The InfoSec Institute also has some really good web app guys with Jeremy Martin:

Jeremy Martin, Cyber Warfare Instructor, is a Senior Security Researcher that has focused his work on Red Team penetration testing, Computer Forensics, and Cyber Warfare.  Starting his career in 1995 Mr. Martin has worked with fortune 200 companies and Federal Government agencies, receiving a number of awards for service.  Jeremy is a published author, teaches, and speaks at security conferences around the world.  Current projects include vulnerability analysis, threat profiling, exploitation automation, anti-forensics, and reverse engineering malware. He is active in the Information Security/Assurance world and is the current President for the Open Information Systems Security Group (OISSG) while sitting on the Board of Directors for Denver’s Infragard chapter.  Jeremy is also an active member of the Business Espionage Controls & Countermeasures Association.


...and sometimes Andres Andreu, author of Professional Pen Testing for Web Applications (In fact this is the course textbook):

Andres Andreu, CISSP-ISSAP, GSEC currently operates neuroFuzz Application Security LLC, and has a strong background with the U.S. government. He served the United States of America in Information Technology and Security capacities within a “3-Letter” federal law enforcement agency. The bulk of his time there was spent building the IT Infrastructure and working on numerous intelligence software programs for one of the largest Title III Interception Operations within the continental U.S. He worked there for a decade and during that time he was the recipient of numerous agency awards for outstanding performance.

He holds a bachelor’s degree in Computer Science, graduating Summa Cum Laude with a 3.9 GPA from the American College of Computer and Informational Sciences. Mr. Andreu specializes in software, application, and Web services security, working with XML security, TCP and HTTP(S) level proxying technology, and strong encryption. He has many years of experience with technologies like LDAP, Web services (SOA, SOAP, and so on), enterprise applications, and application integration.


Hope this helps,
Don
Last edited by don on Thu Aug 14, 2008 1:34 pm, edited 1 time in total.
CISSP, MCSE, CSTA, Security+ SME

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Aug 14, 2008 1:37 pm

Re: Web App Hacking

I will second Don's recommendation of the "Professional PenTesting for Web Applications" book by Andres Andreu.

Additionally, I also have a copy of the book you have referenced, "Web Application Hacker's Handbook", and highly recommend that as well. This is a great hands-on complement to something like the OWASP testing guide, including side-notes for step-by-step instructions.

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Aug 14, 2008 2:17 pm

Re: Web App Hacking

Cool, thanks for the info. I will check out both of those books at the store to figure out which one to buy online.

Is that Webgoat thing on the OWASP site decent?

mad_irish

Newbie

Posts: 17

Joined: Thu Aug 14, 2008 7:45 am

Post Thu Aug 14, 2008 2:54 pm

Re: Web App Hacking

WebGoat is pretty solid, but for my money I'd recommend cruising the vulnerability announcements for well known web apps and installing vulnerable versions and exploiting them yourself.  Many of the most popular web systems have vulnerable versions at some point.  Installing them and figuring out how to exploit the vulnerability is, I think, a lot more worthwhile than poking at a training application.  Of course, you've got a lot more overhead installing and configuring applications that you may not intend to use other than as an exploitation experiment.  Just my $.02.  Getting familiar with tools like Paros and the Firefox Tamper Data plugin will go a long way towards getting you up to speed also.

only_samurai

Newbie

Posts: 6

Joined: Tue Aug 12, 2008 3:40 pm

Post Thu Aug 14, 2008 3:33 pm

Re: Web App Hacking

I personally don't like projects like WebGoat. The pre-fabricated exploit environments always seem a little too fake for my tastes and I find that many of the exploits you work with in them are either overly basic or purely theoretical. Meaning, you either do something you already know or you are working with something that you'll almost never see in practice.

I would completely agree with finding a vulnerable piece of software and using that. An open-source CMS or something like phpBB would be good to work with. Setup on some of these is very quick and easy, and then it would let you work with actually exploiting the code.

Just my thoughts...
-samurai
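
As an added example, not part of any post in this thread, of the exercise mad_irish and only_samurai describe (stand up something deliberately vulnerable, tamper with the request the way Paros or Tamper Data lets you, then read the code to see why it worked): a minimal login handler that builds its SQL by string concatenation, beside the same handler with bound parameters. The user table, credentials and form bodies are constructed for illustration; nothing here is taken from the books, tools or projects named above.

```python
"""
Added example (not from the thread): a WebGoat-style login with a classic SQL
injection flaw next to its fix, runnable offline against an in-memory SQLite
database. All names and data below are constructed for illustration.
"""
import sqlite3
from urllib.parse import parse_qs


def seed_db():
    """Create the constructed users table the two handlers query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "user"), ("admin", "hunter2!", "admin")],
    )
    return con


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body the way an intercepting
    proxy shows it, so an edited body can be replayed into the handlers."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def login_vulnerable(con, username, password):
    """The broken version: user input is spliced into the SQL text, so a quote
    and a comment sequence in the username rewrite the WHERE clause."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(con, username, password):
    """The fixed version: the same query with bound parameters, so the input is
    only ever treated as a value and never parsed as SQL."""
    row = con.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Replay a normal login and a tampered one through both handlers.
    The tampered body is 'admin' followed by a SQL line comment, which makes
    the concatenated query ignore the password check entirely."""
    con = seed_db()
    normal = parse_form_body("username=alice&password=s3cret")
    tampered = parse_form_body("username=admin%27+--+&password=whatever")
    return {
        "normal_vuln": login_vulnerable(con, normal["username"], normal["password"]),
        "tampered_vuln": login_vulnerable(con, tampered["username"], tampered["password"]),
        "normal_fixed": login_fixed(con, normal["username"], normal["password"]),
        "tampered_fixed": login_fixed(con, tampered["username"], tampered["password"]),
    }


if __name__ == "__main__":
    for case, role in demo().items():
        print(f"{case}: {role}")
```

The tampered body is exactly what you would type into Tamper Data's edit window after intercepting the form post; the vulnerable handler hands back the admin role without the password, the fixed one returns nothing. The same pattern (build it, intercept it, change one field, read the server code) carries over to the real applications mad_irish suggests installing.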

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Fri Aug 15, 2008 5:50 am

Re: Web App Hacking

OleDB,

As Don mentioned, for SANS Kevin Johnson is the man.

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

Mansa

Newbie

Posts: 2

Joined: Fri Aug 15, 2008 7:09 pm

Post Sat Aug 16, 2008 8:55 am

Re: Web App Hacking

vijay2 wrote:
SANS has a 4-day class
Security 542 Web Application Penetration Testing In-Depth
I have heard good reviews of this class
VJ

Regarding the SANS classes, how big are the classes and do they have a classroom feel or more of a seminar feel?

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Sat Aug 16, 2008 10:18 pm

Re: Web App Hacking

Depending upon the conference and popularity of class and instructor, the class can be between 25 to 60 people.

Hope that helps

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+

Mansa

Newbie

Posts: 2

Joined: Fri Aug 15, 2008 7:09 pm

Post Thu Aug 21, 2008 5:43 pm

Re: Web App Hacking

vijay2 wrote:
Depending upon the conference and popularity of class and instructor, the class can be between 25 to 60 people.
Hope that helps
VJ

Whoa, up to 60 people.  Who are the other reputable training providers out there?

oleDB

Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Wed Aug 27, 2008 9:25 am

Re: Web App Hacking

Also, between SANS and the Infosec Institute, which one has more hands-on activities? And do either use Core-Impact and/or Canvas during the class?
