Web Hackers Handbook labs?

DragonGorge

Jr. Member

Posts: 86

Joined: Wed Feb 08, 2012 6:30 pm

Post Tue Feb 28, 2012 9:51 am

Re: Web Hackers Handbook labs?

ajohnson wrote: With some exercises, there's no obvious way to know that it's been completed. It's possible for you to feel pretty good about where you're at but then discover another interesting item 15 minutes later.

Great writeup. Regarding the above - are the objectives for each exercise clearly defined? I've seen some labs where the goals are somewhat ambiguous but the answer is not.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 28, 2012 11:11 am

Re: Web Hackers Handbook labs?

DragonGorge wrote: Great writeup. Regarding the above - are the objectives for each exercise clearly defined? I've seen some labs where the goals are somewhat ambiguous but the answer is not.

It varies based on the objective. Doing things like bypassing client-side controls or SQLi are going to be pretty obvious because they either work or they don't. On the other hand, tasks like manually mapping the application are really only limited by your imagination and can take a while before you feel like you've gone through all the possible avenues. While they do provide a few hints to guide you along, I didn't see any sort of scoring or grading that lets you know how well you did.

Keep in mind that was my experience after only an hour; I may be totally off with my time estimates. I'll definitely write a full review once I've gone through everything, but that will probably be towards the end of March. I have my OSWP scheduled for 3/11, so my WAHH2 progress will be slow until that is done.
The day you stop learning is the day you start becoming obsolete.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 29, 2012 4:36 pm

Re: Web Hackers Handbook labs?

I would recommend using at least 5 hours on the first 4 labs. (Use them in hourly sessions; take a break after 1 hour.) Some of the tasks in these can be quite time consuming, and if you don't have infinite credits I suggest making a "max time spent" rule for the different objectives, e.g., 10-30 minutes each, as you can easily use more with some of them. (I wouldn't suggest using more than 60 minutes on one objective (within a specific lab), not even on the hard ones, which you can always come back to later on.)

Currently I'm also going through the labs while taking notes, including how much time I spend. If you get stuck on one objective for a longer period, move to the next and try that instead.

The first two labs can be completed in a relatively short amount of time, but labs 3 and 4 require a bit more work, especially if you haven't tried out all the features in Burp Suite (free) yet, such as brute-forcing, which I hardly ever do. I did learn something new, which I had to "instant-research", which was ViewState.

I had seen it before, but I didn't know exactly how it worked, as I've mostly tested PHP sites where it doesn't exist. (So in that sense it was interesting, especially to test ASP(x) scripts, which is not something I do often. Of course the attack methodologies are almost the same, but there are a few key differences that are important.)

Note / Edit: Keep in mind there are ~330 objectives in total, at least from what I read; I didn't count them myself. So if you plan on using 10 minutes on each objective, that's 3300 minutes, aka 55 hours. I would like to note that some tasks will be very easy (e.g., 1-5 minutes), and others will be a lot harder (e.g., 10-15 minutes or more; there are a few I didn't finish as I was unsure whether my answers were right or not). :)
Last edited by MaXe on Wed Feb 29, 2012 4:39 pm, edited 1 time in total.
I'm an InterN0T'er

DragonGorge

Jr. Member

Posts: 86

Joined: Wed Feb 08, 2012 6:30 pm

Post Tue May 22, 2012 10:26 am

Re: Web Hackers Handbook labs?

xXxKrisxXx wrote: Hi Cotica,

Welcome to EthicalHacker.net. The solutions can actually be found below for edition 2:
Spoiler Alert.

If you were interested in labs where you can practice the material that is in the book itself, look into www.mdsec.net. There's an active thread here about it.

Anyone else having difficulties with the WAHH/MDSec.net website?

Seems like anything you do there either leads to the "Buy Training Lab Credits" or "Page cannot be found".

Edit: Never mind - it turned out to be something weird with the site & Google Chrome.
Last edited by DragonGorge on Tue May 22, 2012 1:55 pm, edited 1 time in total.