Where should I start

<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Mar 05, 2010 9:15 am

Where should I start

I am really interested in this field, and I would like to study more about it, in order to be able to do penetration testing on it.
Unfortunately my company doesn't want to pay for any certification. My boss says that I have enough certifications and I need more experience (he is 50% right, but I already had all my certifications when I came to them, so they just want to profit from my hard work and my personal money spent on education).

So, my actual plan is to start with "The Web Application Hacker's Handbook" and to use websec dojo's live CD. Is this enough in order to have a good start, or are there other books to start with?

I mention that I don't have programming skills in the web field, only some C++.

Thank you!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Mar 05, 2010 9:32 am

Re: Where should I start

Learning to program in some web-based programming languages definitely wouldn't hurt, at least it would help if you could read and understand it. The book you mentioned is a good read. Additionally you might take a look at the WebGoat Project, which should keep you occupied for quite a while.
<<

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Fri Mar 05, 2010 9:33 am

Re: Where should I start

While you don't have to learn any web programming to be a web app pen tester, you will have to learn some to be a good one. The resources that you have listed are good, but I might try to go ahead and start working on picking up some PHP, JavaScript, etc.

So.. good web resources:
RSnake has some great resources. Check them out at http://ha.ckers.org/ . Specifically check out the XSS Cheat Sheet. I go back and reference it from time to time when folks have mostly gotten data validation done correctly but have missed something.

Samurai WTF: Samurai Web Testing Framework can be found at http://samurai.inguardians.com/ . This live CD distribution has many of the tools that you will want to become familiar with. This is a pretty lightweight distribution with great tools, and is a great start.

I'm sure others will post more :)
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Mar 05, 2010 9:36 am

Re: Where should I start

Another place you might take a look at if you haven't already, is the Web App Lab Setup tutorial at securityaegis. Currently I am getting a 'Not Found Error', but it would be here.
<<

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Fri Mar 05, 2010 9:59 am

Re: Where should I start

First off, I think the answer your manager gave you is an asshat manager's answer. A manager should be supportive of an employee's desire to certify/educate.

What exactly do you do for your company?  Does the certification directly relate to your job?  If so, it would be an easier sell... but anyway...

I think you might find some great resources from OWASP, http://www.owasp.org.

Good luck!
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Mar 05, 2010 10:16 am

Re: Where should I start

Thank you guys. I already started the WebGoat project. I already visited all the websites you mentioned in your posts, so I'll keep myself busy for a while.

@unsupported: I am working as a security analyst for a small security consulting company. When they hired me (4 months ago) they told me that I'll do penetration testing, general security consulting and many more. But I have no work to do, and this bothers me. I came to this company to do a lot of things in order to become a better professional. But... I was wrong. So I am studying a lot of things regarding security (penetration testing, governance, risk analysis, I even started to do wargames - first level, and many more).
I study penetration testing because I like that it makes your brain work and I consider that it is of utmost importance in order to protect a company.
The problem is that my boss didn't give me any path to follow, any particular field in which he'll need me. And this is very frustrating.

Thank you guys for the advice.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

KrisTeason

Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Fri Mar 05, 2010 11:31 am

Re: Where should I start

Here's a couple more links that might be useful! (If you haven't taken a look into them yet)

Damn Vulnerable Web App:
http://dvwa.co.uk/

And maybe even look into LearnSecurityOnline's, "So You Want To Be A Web App Pentester" course. It looks like a good price.

http://www.learnsecurityonline.com/offerings/courses/224-so-you-wanna-be-a-webapp-pentester

-Cheers
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Fri Mar 05, 2010 1:41 pm

Re: Where should I start

xXxKrisxXx wrote:
And maybe even look into LearnSecurityOnline's, "So You Want To Be A Web App Pentester" course. It looks like a good price.

http://www.learnsecurityonline.com/offerings/courses/224-so-you-wanna-be-a-webapp-pentester

-Cheers

I saw the course and it really has a good price, but I didn't see any review of it. Maybe I'll convince the sponsor (wife) and I'll do it. Then I'll do a review if there isn't another one here.

Thanks!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Sun Mar 07, 2010 7:17 pm

Re: Where should I start

Well.. me again.

As I mentioned in one post I had a lot of free time at my job, because they don't have many contracts (they are a consulting company). And it wasn't only me, there were more guys that did almost nothing. But because I was the last one employed I got fired Friday. This wasn't fair because I quit my previous job only because they promised me that I'll have a lot of things to do and I'll learn a lot by doing contracts under the supervision of someone more experienced. But the reality was different.

So, now I have a lot of free time. My dilemma is if I should continue with studying penetration testing (by myself only) or I should go in another direction.

I know that there are many opportunities in the firewalls field, but I don't have experience and knowledge (even if I am able to study them). Also, I really don't like this domain, it is not suited to my personality and way of thinking.

So my problem: should I continue and study penetration testing hard for the next few months (network, web application and system) or should I change the field just to be able to have more chances to find a decent job?

Besides pentesting I will improve my knowledge in risk analysis and project management.

Thank you!
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Mar 07, 2010 7:34 pm

Re: Where should I start

Sorry to hear the bad news alucian. On the bright side of things, it seems like the job market is picking up. I can't tell you which direction you should pursue, only you can determine that. However, since you have prior consulting experience, you can consider searching for a company that does some penetration testing, but it is not their only source of revenue. In today's market, it really helps to be balanced.
~~~~~~~~~~~~~~
Ketchup
<<

alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Sun Mar 07, 2010 8:07 pm

Re: Where should I start

@ Ketchup

This was the type of company I was working for, only that it was very small, 10 employees. Also, most of the companies want to hire you as a consultant and send you to do contracts. They only want to make money on you, not to train you at all.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
<<

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Mar 08, 2010 2:39 am

Re: Where should I start

That's not the best news, indeed. As Ketchup already stated, I too think that only oneself can decide where to head. As you have written that your field of interest is penetration testing, then personally I would continue in this direction, even if it might be hard. I probably wouldn't go into firewalls, if I am not really interested in them. But then again there could be some other factors etc., and everything could look different.

I wish you the best luck.
