tturner wrote: For those who have done the labs and read all of WAHHv2, how much lab time would you recommend? I'm getting ready to buy some but won't be able to buy more if I run out.
Here's a breakdown of the labs. The number in parentheses is the number of objectives in that lab, and some of those are further divided into multiple sub-objectives.
01 - Mapping the application (4)
02 - Using automation (4)
03 - Bypassing client-side controls (3)
04 - Attacking authentication (8)
05 - Attacking session management (3)
06 - Attacking access controls (3)
07 - Basic SQL injection (2)
08 - More SQL injection (8)
09 - Attacking data stores (14)
10 - Attacking back-end components (12)
11 - Logic flaws (4)
12 - Cross-site scripting (7)
13 - Attacking other users (23)
Keep these few caveats in mind:
- The amount of time it takes to go through an exercise will obviously vary a great deal based on experience
- With some exercises, there's no obvious way to know that it's been completed. It's possible for you to feel pretty good about where you're at but then discover another interesting item 15 minutes later
- You need to use your allotted time in one-hour increments. You may not feel like moving on to the next item with only 5-10 minutes remaining, so you might want to factor in a few extra hours for padding
Based on what I saw while browsing through the exercises, I think most people are going to average over one hour for each section. 15-20 hours would probably be a fairly aggressive pace for most people, and many will probably be the most comfortable in the 20-30 hour range, if not higher.
Alternatively, more advanced users may want to get a smaller block of hours (i.e. 10) and skip the exercises they don't feel would be worth their time. You can pick-and-choose what to do; you don't need to go in order.
I'm personally expecting to put 25-30 hours into this because I have OCD and want to be thorough. I'm competent with most web technologies, but I haven't spent a great deal of time focusing on offensive tools and techniques.
I assume you only have one shot at purchasing hours because your company is paying for it and you need to get a PO issued. For people that aren't required to purchase everything at once, there's no penalty for purchasing hours in small increments. Most people would probably be more comfortable with purchasing 3-5 hours at a time.
If I had to purchase everything at once, I'd go for a little more than I was expecting to use. At $7/hr, you're not going to waste a significant amount of money unless your estimate is ridiculously off.
The day you stop learning is the day you start becoming obsolete.