
to be a professional web-application pentester?

<<

mesho

Newbie

Posts: 24

Joined: Tue Aug 10, 2010 8:01 am

Post Tue Aug 10, 2010 8:16 am

to be a professional web-application pentester?

Hello guys,

In order to be a professional penetration tester for web applications, I know that I must learn HTML, JavaScript, PHP, etc.

For PHP, is the PHP manual on php.net sufficient, or should I pick a book to learn the language very well and program with it?

Because I really hate programming in PHP,
but I insist on becoming a professional in discovering/exploiting PHP bugs such as:
SQL Injection / Remote File Inclusion / Path Disclosure, and a lot more.

thanks,
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 10, 2010 11:34 am

Re: to be a professional web-application pentester?

Do you already know another programming language VERY WELL? If that is the case, understanding PHP should be enough. But if this is your first language, I suggest you learn Java or C# first. They are more structured and you will learn to code "properly". PHP will be very easy after one of these two. Again, this is only if you don't have much programming experience.

Add CSS, XML, XML Schema, SOAP (including WSDL), Java and C# to this list!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

mesho

Newbie

Posts: 24

Joined: Tue Aug 10, 2010 8:01 am

Post Tue Aug 10, 2010 12:39 pm

Re: to be a professional web-application pentester?

I already know the basics of C, so I think shifting to other languages will be easy. But my question is: is it enough for a pen-tester to read the manual of a language like PHP from the main PHP site, or does he need to buy some books and code heavily in PHP in order to find vulnerabilities inside PHP web applications?

In brief, if I want to penetrate a PHP web application, do I need to be an expert PHP programmer, or will reading the manual and knowing how things work get the job done?
<<

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Tue Aug 10, 2010 12:44 pm

Re: to be a professional web-application pentester?

Well, personally speaking, I suggest that having some level of hands-on programming experience with PHP really helps, compared with just reading the manuals and understanding the concepts.

There is a "real" difference in doing things and reading things :)
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 10, 2010 1:40 pm

Re: to be a professional web-application pentester?

@mesho, when you do a web app pentest for a client that has a PHP based web site, it depends if you are doing a black box or a white box test.

With a black box test, you are basically coming from the internet with no knowledge of the application. You will only know that PHP is used by looking at the framework from the outside. But you won't see PHP code.

The white box test gives you access to everything, including the source code. So a quality pentest/vulnerability analysis requires you to audit the source code. You have to understand PHP pretty well in order to do that...

I hope this answers your questions.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<
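The black-box point above, that from the outside you only infer PHP from what the framework leaks, can be turned into a quick check. The following is an added example and not part of caissyd's post or any real tool: it parses a constructed HTTP response (the headers, cookie and links are made up for illustration, and the function names are this example's own) and lists the indicators that suggest PHP: an X-Powered-By or Server header naming PHP, the default PHPSESSID session cookie, and links or form targets ending in a PHP extension.

```python
"""Black-box fingerprinting of PHP from a single HTTP response.

Added example, not code from the original post.  SAMPLE_RESPONSE is constructed;
nothing is fetched from the network.  Function names are this example's own.
"""
import re

# Constructed response, typical of a stock PHP install with expose_php=On
# (which emits X-Powered-By) and the default session.name of PHPSESSID.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.16 (Debian)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><a href="/login.php">Login</a>'
    '<form action="index.php?page=home" method="post"></form>'
    "</body></html>"
)

PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml")


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def php_indicators(raw):
    """Sorted list of reasons to believe the back end runs PHP.  An empty list
    is not proof of absence: expose_php=Off, a renamed session cookie and URL
    rewriting remove all three signals."""
    _, headers, body = split_response(raw)
    found = set()
    for name, value in headers:
        if name in ("x-powered-by", "server") and re.search(r"\bphp\b", value, re.I):
            found.add("%s: %s" % (name, value))
        if name == "set-cookie" and value.split("=", 1)[0].strip() == "PHPSESSID":
            found.add("cookie: PHPSESSID")
    # Links, form targets and script sources whose path ends in a PHP extension.
    for m in re.finditer(r"""(?:href|action|src)\s*=\s*["']([^"']+)""", body, re.I):
        path = m.group(1).split("?", 1)[0].split("#", 1)[0]
        if path.lower().endswith(PHP_EXTENSIONS):
            found.add("link: " + path)
    return sorted(found)


def php_version_hint(raw):
    """Version string leaked by X-Powered-By, or None.  Only present when
    expose_php is On, so treat it as a hint, not a fact."""
    _, headers, _ = split_response(raw)
    for name, value in headers:
        if name == "x-powered-by":
            m = re.search(r"PHP/([\d.]+)", value)
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    for hit in php_indicators(SAMPLE_RESPONSE):
        print(hit)
    print("version hint:", php_version_hint(SAMPLE_RESPONSE))
```

Treat a positive result as a lead, not a finding: the version string is only there when expose_php is left on, and a negative result means nothing on its own, since an administrator can turn that header off, rename the session cookie with session.name, and hide the .php extension behind URL rewriting. The practical use is to decide early which bug classes (SQL injection, file inclusion, path disclosure from PHP warnings) are worth the most time.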

mesho

Newbie

Posts: 24

Joined: Tue Aug 10, 2010 8:01 am

Post Tue Aug 10, 2010 1:50 pm

Re: to be a professional web-application pentester?

thanks guys for your answers,

I think that learning the most-used web application languages from books and trying to master them will be a real pain for a penetration tester. That's why I'm asking if the online material (manuals) for a specific language will be sufficient in order to audit the source code in that language, of course if that person is already a programmer!

So what do you think, fellows?
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 10, 2010 2:02 pm

Re: to be a professional web-application pentester?

I personally like to write a "Hello World" program, then I follow a book to learn the basic stuff.  After 5-7 chapters in a book, I go back to coding my own stuff. Once I hit a wall, I google to find my answers.

Basically, the important thing is to learn. So if a book is your thing, go for it. If you prefer videos (I do!) then do that. But if you prefer trials/errors, it isn't bad either as long as you learn from "nice" code.

For PHP, I propose you download a PHP framework and start reading the code in it. Try to follow the trace of a login from HTML/CSS to PHP and SQL. Usually, framework code is well written. If you don't understand something, Google is your friend!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<
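Tracing a login from the form down to the SQL, as suggested above, and the earlier point that a white-box test means auditing the source, is what a first-pass sink search does mechanically. The block below is an added example, not code from the post and not a real audit tool: it embeds two constructed PHP snippets (a login page built with exactly the bug classes mesho listed, and the same page using a prepared statement and an allow-list) and runs a crude intra-file taint check from the request superglobals to the SQL, include/require and display_errors sinks. The PHP superglobals, functions and ini directives are real; the snippets, the function names and the rules are this example's own.

```python
"""Grep-style triage of PHP source for SQL injection, file inclusion and
path disclosure (display_errors turned on, so PHP warnings print full paths).

Added example, not code from the original post and not a real tool.  It follows
taint from the request superglobals through straight-line assignments within
one file.  It is a filter that points a reviewer at lines to read, not a parser:
taint that passes through a function call or another file is missed, and the
only sanitiser it understands is a lookup into a fixed array.  Both PHP
snippets below are constructed for illustration.
"""
import re

VULNERABLE_LOGIN = r'''<?php
ini_set('display_errors', '1');   // warnings now include full filesystem paths
$user = $_POST['user'];
$pass = $_POST['pass'];
$q = "SELECT id FROM users WHERE name='" . $user . "' AND pw='" . md5($pass) . "'";
$res = mysql_query($q);
include($_GET['page'] . '.php');  // RFI with allow_url_include=On, LFI otherwise
require "/var/www/app/lib/" . $_GET['lib'];
?>'''

SAFER_LOGIN = r'''<?php
$stmt = $pdo->prepare("SELECT id FROM users WHERE name = ? AND pw = ?");
$stmt->execute(array($_POST['user'], hash('sha256', $_POST['pass'])));
$pages = array('home' => 'home.php', 'about' => 'about.php');
$page = isset($pages[$_GET['page']]) ? $pages[$_GET['page']] : 'home.php';
include __DIR__ . '/pages/' . $page;
?>'''

SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b")
SQL_SINK = re.compile(r"\b(?:mysql_query|mysqli_query|pg_query|sqlite_query)\s*\((.*)\)")
INCLUDE_SINK = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?(.*)")
ASSIGN = re.compile(r"^\$(\w+)\s*=(?!=)\s*(.+)$")
DISPLAY_ERRORS_ON = re.compile(
    r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*['\"]?(?:1|on|true)['\"]?", re.I)


def _strip_indexes(expr):
    """Remove array subscripts, innermost first, so a value read from a fixed
    table with a tainted key ($pages[$_GET['page']]) is not treated as tainted,
    while $_GET['page'] collapses to $_GET and stays tainted."""
    prev = None
    while prev != expr:
        prev, expr = expr, re.sub(r"\[[^\[\]]*\]", "", expr)
    return expr


def scan(php):
    """Return [(line_no, category)] for one file of straight-line PHP.
    Categories: 'sqli', 'file-inclusion', 'path-disclosure'."""
    tainted = set()
    findings = []

    def is_tainted(expr):
        expr = _strip_indexes(expr)
        if SUPERGLOBAL.search(expr):
            return True
        return any(re.search(r"\$%s\b" % re.escape(v), expr) for v in tainted)

    for n, raw in enumerate(php.splitlines(), 1):
        # Drop // comments (naive: would also cut a 'http://' inside a string).
        line = re.sub(r"//.*$", "", raw).strip().rstrip(";")
        if not line:
            continue
        if DISPLAY_ERRORS_ON.search(line):
            findings.append((n, "path-disclosure"))
        m = SQL_SINK.search(line)
        if m and is_tainted(m.group(1)):
            findings.append((n, "sqli"))
        m = INCLUDE_SINK.search(line)
        if m and is_tainted(m.group(1)):
            findings.append((n, "file-inclusion"))
        m = ASSIGN.match(line)           # propagate taint after checking sinks
        if m and is_tainted(m.group(2)):
            tainted.add(m.group(1))
    return findings


def categories(php):
    """Sorted set of bug classes present, for a quick summary."""
    return sorted({cat for _, cat in scan(php)})


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_LOGIN), ("safer", SAFER_LOGIN)):
        print(label, scan(src))
```

The vulnerable snippet produces four lines to read: the ini_set, the mysql_query on a string built from $_POST, and the two include/require statements fed by $_GET. The safer version produces none, because the query is parameterised (the superglobal reaches execute(), not a query-string sink) and the page name is only used as a key into a fixed array. That is the level of PHP the thread is arguing about: enough to read a flagged line and decide whether the data path is really unfiltered, rather than enough to write the application.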

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Aug 10, 2010 2:12 pm

Re: to be a professional web-application pentester?

My two cents on this... Focus on "the core." Web applications are more than LAMP (Linux Apache MySQL PHP). What will end up happening is, you will focus furiously on PHP and that's all you'll be good at testing. What happens when you move into an AJAX environment? Most large companies use SOAP/AJAX/etc., more than they use LAMP set-ups. LAMP setups from my experience tend to be the lower hanging fruit often used by companies with limited to no budget. E.g., name me one financial company using a LAMP environment for their infrastructure. One insurance company. Etc.,

If you *choose* to learn PHP, unless you want to become a PHP programmer, learn the basics of PHP SECURITY related material (the core of what you need, how it works). Same goes for AJAX. You'd need to set out to be an expert Java programmer and an expert XML programmer to truly understand it; however, this doesn't stop you from learning the core.

So if you're going to do this professionally, go with where the money is. AJAX. Otherwise, one could look back to, say, Perl when "Mason" was "the next big thing", or Python, Ruby, etc. As for blackbox/whitebox, I'll add another two cents... Aim for a blackbox test.

In a whitebox test, you WILL run into staff that assume a security assessment/audit/pentest is being done and WILL lay blame: "That pentester will cost me my job!" and they'll end up trying to defend against you. This gives them a false sense of security since they'll implement measures against you, while missing the overall point.

If you HAVE TO or the client CHOOSES to have a whitebox/crystal/grey/etc., then you'd want to work with the admins to let them know exactly what you're going to do, and you're not there to pull punches but solely show what an attacker can potentially do.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 10, 2010 2:52 pm

Re: to be a professional web-application pentester?

sil's comment about requesting a blackbox test is one that I rely on, a LOT.  I find that, many times, if the IT / security staff are aware of the testing, then they throw up protections that aren't normally there, or 'start' reviewing logs more closely, when the idea of pentests is to clearly show areas, not only in system security, but often times, in security 'posture' as well. 

While there's not necessarily a need to 'point out' that XYZ person doesn't watch the logs closely, in your report (and you could assure XYZ you wouldn't do that, IF you were asked / forced to do whitebox, etc,) you could use it as a way of promoting add-on products or services to the environment, that could make XYZ's job easier, such as something like Novell's Sentinel Log Manager, or various other products, which help to perform the tasks AND show a cost / time savings that benefits the company, and would allow XYZ to work on other projects to better the security posture.  This way, you've shown them value, both in noting that things could otherwise have gone overlooked, as well as providing them with an alternative solution, which could yield you more work down the road, because you've shown you truly WANT to better them, not just spend your time doing more 'auditing' type work, etc.

Goes a long way towards your viability, in your customers' eyes.

Now, there's absolutely no reason NOT to accept the other types of engagements (whitebox, etc,) as he noted, if they're relevant, or if that's the true request from the folks engaging your services. 

Also, as sil and others said, you don't have to be a guru programmer in any given programming / web application language.  In fact, if you understand the basic principles and concepts behind what each does, and have SOME knowledge to work from, then you can go a long way in web-app pentesting.  Just get comfortable with the basics of many of the languages, to where you're content to dig up example code (and understand it) if needed, during your projects and learning.  And yes, as sil pointed out, AJAX is the 'big boy on the block' right now, so it definitely wouldn't hurt to spend more time in the Java / XML realm, etc., if you've got it.  And SOAP is right there with it, from the environments I've dealt with.

On the flip side, if you want to become a pentesting tool developer, knowing how to code in Ruby and Python goes a long way, as well, as many of the frameworks and such are written in those languages.  But even then, you MUST have understanding of the other languages, or writing exploits in Ruby or Python still isn't going to be an easy task...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 10, 2010 9:38 pm

Re: to be a professional web-application pentester?

@sil and @hayabusa: I guess we have different clients. I am more and more involved BEFORE a new web application is released. Developers and team leads that I work with are happy to see me arrive. Most of the time, they say: "I know nothing about security, can you teach me how you find these things?". It's not really a pentest, but it is in a way.

I start right after they are done coding and I do all my stuff during the testing phase. The more stuff I find, the happier the developers, because they know they won't get busted once the app is in prod. But I am careful not to stress their clients...

All that to say, I do about 50% of vulnerability assessments, 30% of "security through SDLC" and 20% pentest of existing web apps.

And I have a fraction of the experience sil and hayabusa have!!!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 10, 2010 10:04 pm

Re: to be a professional web-application pentester?

@H1tM0nk3y - I bet you sell yourself short on that experience thing!  (Maybe not, as I don't personally know you, but just saying...)  I follow your thoughts on this, and from your perspective, I see why you feel that way.  Heck, if my clients and situations were the same, I'd very likely have given similar advice and perspective on this.  ;D

I also think that, for me anyway, I learn much the same as you (I prefer to learn through experience, with my own coding and lots of practice, as I read, rather than simply following through an entire book / course, first.  I get to a point where I understand enough to start jumping in more head first, and go for it.  ...and I also love video training!)  So believe me when I say, we're not THAT different.  In fact, when I said 'sil and others', I was putting some of what you said in, by inference, as well.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Aug 11, 2010 5:35 am

Re: to be a professional web-application pentester?

@hayabusa - The fact that we spend so much time on EthicalHacker.net means we are not that different!  ;)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

mesho

Newbie

Posts: 24

Joined: Tue Aug 10, 2010 8:01 am

Post Wed Aug 11, 2010 6:35 am

Re: to be a professional web-application pentester?

thanks all for the great explanations,  ;)
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Wed Aug 11, 2010 7:07 am

Re: to be a professional web-application pentester?

H1t M0nk3y wrote: @hayabusa - The fact that we spend so much time on EthicalHacker.net means we are not that different!  ;)

No doubt!  Well, in my case, anyway, it helps that in my primary job, I work from a VOP (home) office, and while doing my day-to-day, I often just leave EH-Net running in the background, and glance at it, on my second screen, periodically, to see if anything new / 'interesting to me' has been posted.

That, and the primary folks here understand and think as we do, so it certainly makes for more enlightening conversations throughout the day!  (Not the "Same ol', same ol'"  :P )
Last edited by hayabusa on Wed Aug 11, 2010 7:09 am, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Aug 11, 2010 7:43 am

Re: to be a professional web-application pentester?

@H1tM0nk3y - when the availability is possible to stick around at a client for the full development life-cycle of a product, then I'm all for it however I'll quote: "Would you rather push out the next release or spend time patching the current one?" (Rev. Bill Blunden - The Rootkit Arsenal).

Companies don't care to spend on Fortify, Klocwork, beStorm, etc., and even if they did, the developers most of the time won't get it, and even if they *do* get it, they're often under tight deadlines to push out the "next release."

There are plenty of instances that I can quote to prove a point but I'll choose one; the talk of the town right now. Tavis Ormandy's Help Center disclosure (http://seclists.org/fulldisclosure/2010/Jun/205). To be outright blunt, many people have failed to look at the reality of it all, they don't care to, it doesn't mean anything to them, they'd rather point the finger for their own issues than fix them:

hcp:// has been broken a few times over the years, for example:

- http://seclists.org/bugtraq/2002/Aug/225, Delete arbitrary files using Help and Support Center
- http://www.microsoft.com/technet/securi ... 3-044.mspx, HCP memory corruption by Dave Litchfield.


How can a company keep making the same repetitive mistakes? It's pure negligence and it shows the lack of investment in security in the SDLC. So it's one thing (wishful thinking) to have the luxury of implementing security controls at the development phase (phase 2 of the SDLC) and it's completely another implementing it in the initiation phase (phase 1 of the SDLC) (ref: http://csrc.nist.gov/groups/SMA/sdlc/index.html). As it stands right now, the practicality of coming in as a pentester from the ground up (phase 1) would be a waste of time. At phase 2 it would be a waste of time; in fact, until it's a product, it's a waste of time. This does not mean a company should have its workers tapping away at the keyboards releasing whatever it is they're producing "right here right now", then coming back after it's deployed to find holes.

At the initiation phase, programmers, project managers, etc., need to think outside of the frameworks and step into reality:

Current reality
PM: "We're making a program that will allow people to chat with each other"
Developer: "We can make it transfer files and send icons!"
PM: "We have two months to get this done"


Ideal reality:
PM: "We're making a program that will allow people to chat with each other"
Developer: "We can make it transfer files and send icons however we need to be careful as to avoid having people spoof, inject code"
Other Developer with Security Experience: "Definitely... We need to test the code along the way with protocol fuzzers, application fault injection programs, etc., to make sure no one steals or subverts the application"
PM: "You're right, the last thing we need is a corporation being compromised because we didn't check. We could look like fools and lose $N amount of money"
PM: "Other_Developer, work with Developers to make sure we put out a rock solid program. We have two months to get it done and I want further testing even after it's released"

If you're the "corporate pentester" then it will work for you; however, doing contract work (hired gun pentesting), you're better off as a company paying to train your developers to understand security. Getting it before it even goes into the mainstream. It's more cost-effective to fork out, say, 10,000.00 to pay for your programmers to take courses at places like Immunity, Dino Dai Zovi's courses, Alex Sotirov's courses, where your developers will come out understanding "security risk" from the programmer's point of view, than it is to fork out millions in "patching the current one."

But alas, reality is what reality is and companies would rather spend money on deflection - marketing away security holes (http://www.sophos.com/blogs/gc/g/2010/0 ... t-zeroday/) - than they would on training. Companies have it backwards and don't care to change this stance (marketing versus training versus implementing security). It's much easier and cost effective to spend a couple of thousand in damage control than it is to put out clean code. At the end of the day, blame the consumer though, for continuously buying buggy software and thinking that "they're seeing history" is good news.

Microsoft has never in its history released 14 patches on a single Patch Tuesday, making August 10th somewhat of a non-celebratory record.
http://www.coated.com/microsoft-patch-tuesday-patches/