
[Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Apr 29, 2009 4:44 pm

[Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

Last month, a number of us EH-Netters attended SANS 2009. This is the first of a few reviews of SANS courses. Thanks for the time and effort, Ryan.

Permanent link: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking



Applications are moving away from the desktop and onto the web.  With technologies like AJAX and Flash and the popularity of Mash-Ups and social networks, web application penetration testing is becoming increasingly important.  Pushes for penetration testing are being driven by compliance, regulation, and a desire to not end up on the evening news, so a quality web application penetration testing class has been long overdue.  SANS has stepped up to the plate and re-released SEC542 Web App Penetration Testing and Ethical Hacking as a 6-day course with stronger hands-on exercises and culminating with a final day where students perform a penetration test on the classroom network.  The original course was a 4-day version, but Kevin Johnson of InGuardians has updated and enhanced the content to contain many of the cutting-edge web application hacking techniques seen in the field today.

I recently had the opportunity to take the re-born SEC542 course in Orlando, Florida as part of SANS 2009.  SANS 2009 was one of the larger yearly conferences that SANS offers, with quality evening talks after classes which offered additional content at no additional cost. Some of SANS' higher-profile members presented fresh content ranging from Josh Wright's talk on the risks associated with using personal wireless devices such as the Nike+iPod, titled "Privacy Loss in a Pervasive Wireless World," to Ed Skoudis' talk on cutting-edge tricks and techniques in "Secrets of America's Top Pen Testers."  The secondary benefit of the large conferences was the ability to network with instructors and peers.  There were frequent opportunities to hang out and talk with SANS instructors and other students after hours, with impromptu events such as full-contact mini-golf, dinner and karaoke.  It is commonly known that an event is what you want to make of it, and SANS 2009 came through in spades in providing an educationally rich environment. So if an attendee didn't take advantage of networking with those in the industry, then it certainly wasn't SANS' fault.



Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

vijay2

Full Member

Posts: 220

Joined: Wed Mar 28, 2007 6:22 am

Post Thu Apr 30, 2009 7:30 am

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

Nicely done Ryan ... hope to see you @ChicagoCon

VJ
GPEN GCFA GCIH CISSP CISA GSEC OSCP C|EH Security+
<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Thu Apr 30, 2009 5:46 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

I have been waiting patiently for this review. Thank you very much for such a detailed review. It is very much appreciated, Ryan.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Thu Apr 30, 2009 11:42 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hack

I'm taking (and facilitating) this class in June and I am really looking forward to it!
twitter.com/timmedin | http://blog.securitywhole.com
<<

punkrokk

Newbie

Posts: 21

Joined: Thu Aug 07, 2008 8:35 pm

Location: Rochester, NY

Post Fri May 01, 2009 3:25 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hack

Nice writeup, Ryan!
-=punkrokk=-
<<

d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Mon May 04, 2009 12:25 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

I'm interested in this course.

The review mentioned a few times things like this:

"A series of new tools were introduced throughout the day, each time discussing basic usage and then utilizing the tool to discuss one of the principles of recon."

One can learn the basics from the man page of each tool, or from books like this:

The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws

So what else does this course give other than basic tool usage? Concept explanations (for example), which are done very well in the book above.

Please note that I pay for the training, not my employer, and I don't have a huge budget, so I want to make sure that I get the max. value for the money I spend.

Thanks
<<

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Tue May 05, 2009 12:55 am

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

This is my take on it, not part of the review, because this is very subjective and not really an objective look at the course, but that is an excellent question, and I'm glad you asked. Most of the things that folks want to learn can be found in a book or online, whether it is calculus or hacking.  Knowing that you can use Burp proxy to do web pen testing, and knowing that it has x, y and z options, does not tell you how, when, or where to apply it.

Part of the value of a course is the ability to ask questions and ask for direction.  Sure.. there are other venues where you can ask questions, but if you have the option of having hands on explanation on how to do something from a jedi master, then that is something valuable.  With other venues, your mileage may vary, and they will rarely show you what you are doing wrong in an interactive way where you can have immediate feedback and you can make sure you have a full understanding when you walk away.

I would say that the value of SANS courses lies partially in the tools that you learn, partially in the knowledge of how to implement them, and partially in the experiences that the teachers share around real world usage and scenarios. What sets SANS apart from other teaching institutions is the real world experience and techniques for application of the tools.  The SANS instructors are not just instructors, they are practitioners as well.  Knowing not just what Paros proxy does, but knowing when to apply it vs. Burp or WebScarab, has a lot of value.  That sort of information you probably won't get from a webpage; you might get it from a forum, but in most cases talking to Kevin Johnson will get you the right answer.

If I had unlimited time, there are lots of things that I'd like to learn. I could read the books, try to figure out the exercises, spend some time getting frustrated because something didn't work, and I'd eventually get it.  Why I like SANS, and why I keep going back, is because when I leave a SANS course I feel like I've had a Mack truck full of information driven into my head, with exercises to drive the information home, and when I go back to my office, I've got stuff that I can start doing.  It may not be at the same level as the instructor, but after each SANS class I've taken I've been able to build upon that knowledge immediately.

On a personal note, I would have to say that SANS is a huge jump start.  When I took 504, I had some basic stuff that I was doing, and after 504, I had really kicked it up a notch.  I was using nmap more effectively, my metasploit fu was vastly improved, I started writing vbs scripts using wmic as soon as I got back to do incident response and all of that goodness.

After I took 560, I started writing my own metasploit additions, started playing with writing my own nmap NSE scripts, and had another huge jump from where I was after 504.  This may or may not be typical, I don't know, but if you are reading man pages for your docs, I wouldn't say it's out of the question.  560 was another enlightenment for me; some of the things I'd been struggling with on my own were a lot more clear, and during the capture the flag on the last day... walking away I just kinda got it.

With 542, I had played with BeEF some, I've used Paros and such, but much of the information was really driven home. After 542, I felt like I "got it" a lot better.  Many of the things that I'd been missing tool-wise were now there, and a lot of aspects that I didn't really understand completely (why they were bad and how to exploit them) I had gotten a hands-on demo with and had been able to talk to the instructor in depth about.  I'd never spent much time busting apart Flash applications and messing with them, but I sure as heck do now.  I'd never really spent much time comparing the minor differences between web pages when I gave them valid and invalid information to see what happens, but now I do, and I can do it more efficiently and quickly.

Having this course through SANS is great; I hope that they do a higher level course with more ninja skills in it.  I definitely picked up some great stuff in the class, but there is a big focus on tools.  Looking through the course though, you go from evaluating web servers, to evaluating web code, to evaluating implementation, to evaluating applets, to evaluating logic.  I don't think that it's reasonable to be an expert in all of those after one class, but if you aren't already a full time web pen tester and doing all of these things, this will be a huge shove in the right direction for you.

If you are tight on cash, there are things that you can do to bring down the price of classes.  Things like the Mentor program, or offering to TA or host a class locally, all can bring down the price of the course.

Sorry if this is a little disjointed, I probably shouldn't be writing more than a sentence or two response after 1AM :)
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

d3l0n

Jr. Member

Posts: 59

Joined: Sat Dec 27, 2008 6:48 pm

Post Tue May 05, 2009 11:38 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

apollo,

Thanks much for answering my question! What you said makes a lot of sense. It made me consider taking this course soon.

I wonder how your writing will be before 12 am? ;)
<<

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Wed May 06, 2009 8:32 am

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

We'll just say that Don is a great editor and leave it at that :)
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Wed May 06, 2009 2:03 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

Apollo, that was great. I was thinking the same about whether to take any course or just keep reading the books.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
<<

timmedin

Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Jun 23, 2009 7:51 am

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

I just took this class last week at SANSFire in Baltimore. I really enjoyed it. Fantastic content.
twitter.com/timmedin | http://blog.securitywhole.com
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jun 30, 2009 10:54 pm

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

Submitted to digg. You know what to do:

http://digg.com/security/Review_SANS_SE ... al_Hacking

Don
CISSP, MCSE, CSTA, Security+ SME
<<

Akolyte

Newbie

Posts: 2

Joined: Mon May 11, 2009 12:42 pm

Location: DC

Post Mon Jan 04, 2010 10:29 am

Re: [Article]-Review: SANS SEC542 - Web App Penetration Testing and Ethical Hacking

Has anyone here taken SANS 542?

I did the class OnDemand and am on the final CTF challenge.

Normally this is done in one day with a team, but I'm working alone.
If anyone who took the class can give me some direction, I'd appreciate it; please contact me.

Also, has anyone taken the GWAPT test?  If so, how hard was it, how closely did it mirror the course contents, etc.?

Thanks
