.

Learning Web Security

<<

tor0

User avatar

Newbie
Newbie

Posts: 3

Joined: Fri Jul 29, 2011 12:05 pm

Post Fri Jul 29, 2011 5:28 pm

Learning Web Security

I'm beginning to learn web security such as how sites are vulnerable to xss, how it works, how to prevent xss, sql injection and how to prevent sql injection, etc.

I come from a systems administration background but I want to learn more about web security.

My initial thought was to start off learning Javascript. For that, I am reading from w3schools.

I'm also learning more about Linux with CentOS, permissions, file structure, etc.

Afterwards, I'd like to know PHP and Apache.

Is the above a good approach to learning some of the basics. Is w3schools a good resource for learning Javascript?
<<

millwalll

Post Sat Jul 30, 2011 5:24 pm

Re: Learning Web Security

w3schools  is great for the basic stuff like how to code Html,php,asp,sql so on a good book is the web application hackers handbook a new version is coming out soon.

There are also lots live CD that you can run in vm and try and attack like OWASP

I would start with basic stuff like HTML then move on to rather PHP or ASP then MYSQL
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun Jul 31, 2011 10:10 am

Re: Learning Web Security

Try to search a bit harder, as there's a billion tutorials on the Internet, and this question has been asked many times before. There's many sites like this with good information, such as but not limited to the links below.

The Beginners Guide to XSS:
http://www.xssed.com/article/31/The_Beg ... de_to_XSS/

Various tutorials:
http://forum.intern0t.net/web-hacking-war-games/
http://forum.intern0t.net/offensive-guides-information/
http://forum.intern0t.net/general-hacking-discussions/

Finding Vulnerabilities in PHP Scripts by SirGod:
http://forum.intern0t.net/offensive-gui ... irgod.html

Exploit-DB Blogs about Web Application Security:
http://www.exploit-db.com/category/maxe/

There's a lot of courses about how to learn Web Application Security, as this is what you want to learn. Check out OWASP's website as well.

First, learn: HTML, CSS, JavaScript (basics).
Then: PHP or ASP (or JSP or any other web language, I recommend PHP as it's easier to learn and a lot of web applications are written in this language, however most corporate ones are not written in PHP.)
When you feel comfortable with these languages: Download some random web apps, those that are not widely used as these are often more secure, then try to review the code for bugs like XSS. (Unsanitized input.)

You can also just fuzz any input field you find, within the web app you download.

In addition to the links above, there's also YouTube (w00t), SecurityTube, and various providers of infosec courses as well such as: eLearnSecurity, SANS, LearnSecurityOnline, and so forth.

If you want something to practice on, try WebGoat for starters. (There's other projects similar to this, and there's even a nice thread in one of these sections on this website, that was recently updated with pretty much almost all such projects.)


Enjoy!
I'm an InterN0T'er
<<

tor0

User avatar

Newbie
Newbie

Posts: 3

Joined: Fri Jul 29, 2011 12:05 pm

Post Sun Jul 31, 2011 1:47 pm

Re: Learning Web Security

Thanks for that very thorough post MaXe. I looked into some XSS last night just to get a feel for how it's done and how to prevent it.

Currently, I'm learning some basic Javascript and will then move into PHP. Going to try out some LAMP and possibly just keep track of my progress with a blog.

You've provided some great links that should keep me busy for a while.

Thanks for the help everyone! I like how open people are on this forum.
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Sun Jul 31, 2011 10:21 pm

Re: Learning Web Security

I'd also highly recommend learning at least rudimentary SQL (and how to fingerprint databases and understand the differences in strategy when you are attacking MySQL vs Oracle vs MSSQL. There's no xp_cmdshell in MySQL for example but you can create it more or less with INTO OUTFILE.) Also, remote code execution aside, databases are usually where the data lives and you need to know how to get at it or you will have a really hard time building SQL queries in your injection strings.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

impelse

Hero Member
Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Mon Aug 01, 2011 9:45 am

Re: Learning Web Security

tturner wrote:I'd also highly recommend learning at least rudimentary SQL (and how to fingerprint databases and understand the differences in strategy when you are attacking MySQL vs Oracle vs MSSQL. There's no xp_cmdshell in MySQL for example but you can create it more or less with INTO OUTFILE.) Also, remote code execution aside, databases are usually where the data lives and you need to know how to get at it or you will have a really hard time building SQL queries in your injection strings.


LOL....

Guys, please do not tell a lot of information, I remember when I was new in some area and some people begin to tell me all the things I need to leard, and bla and bla and bla... At the end, I asked myself: How will I learn all this?
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Aug 01, 2011 11:46 am

Re: Learning Web Security

tor0: After learning PHP, or during that, learn some basic SQL and then progress into a bit more advanced queries. Not before, there's no reason to. (In essence, SQL queries are not as hard as they may seem, see example below.)

SELECT piece FROM cake WHERE size < mouth;

It's pretty much as simple as that, and after seeing that phrase in a book, it made a lot more sense to me  ;D
I'm an InterN0T'er
<<

millwalll

Post Mon Aug 01, 2011 12:29 pm

Re: Learning Web Security

This is another good site that should help you with lots of the basic stuff...

http://www.thenewboston.com/
<<

tor0

User avatar

Newbie
Newbie

Posts: 3

Joined: Fri Jul 29, 2011 12:05 pm

Post Tue Aug 02, 2011 2:03 pm

Re: Learning Web Security

Lots of great advice here. I've gone over some Javascript but will take a deeper dive to really get to know it which I am then moving on to PHP which will lead me to the SQL area.

I think this is a good start for a foundation.
<<

bigapple

Newbie
Newbie

Posts: 8

Joined: Thu Aug 18, 2011 12:07 pm

Post Thu Aug 18, 2011 12:13 pm

Re: Learning Web Security

I personally don't think so, but thats just my opinion. I would recommend reading books on Javascript. But w3schools should get you a great start at the very least, so its a good place to begin.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Aug 18, 2011 12:35 pm

Re: Learning Web Security

bigapple wrote:I personally don't think so, but thats just my opinion. I would recommend reading books on Javascript. But w3schools should get you a great start at the very least, so its a good place to begin.


You're right that a book from e.g. O'Reily is probably better than W3Schools when it comes to learning JavaScript, but knowing only this language and HTML is not Web Application Security, it's like the warm (and nice smelling) air on top of a pizza.  ;D
I'm an InterN0T'er
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Thu Aug 18, 2011 12:59 pm

Re: Learning Web Security

Best way to learn web application security is to build some web apps and try to break them and then use that knowledge to improve the security. If you can't build the app or understand the logic behind it then you will probably fail at securing them.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software