.

Web Hackers Handbook labs?

<<

n3r

User avatar

Jr. Member
Jr. Member

Posts: 95

Joined: Wed Sep 28, 2011 1:06 am

Location: paris

Post Fri Jan 06, 2012 3:52 pm

Re: Web Hackers Handbook labs?

Hi, just my feedback about the mdsec lab.
As i've bought the book 3 month ago i've decided for this new year to buy 5 hours of training lab.

Right now i've spent only two hours in the lab and i have done the 3 first modules, Mapping the Application, Using Automation and Bypassing Client Side Controls.

You have to read the book first because there is no explanation in the lab, only exercises, exercises and exercises...
One negative point is that there is no answer so if you don't find how to do it then you can't have any advices from the lab but on the other hand it makes you working harder to find the solution.

The 3 modules i've done aren't so difficult and you can find a lot of advices in the WAHH, i don't know if it's gonna be the same thing for the other one.

n3r
<<

Seen

User avatar

Full Member
Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Mon Jan 09, 2012 1:42 am

Re: Web Hackers Handbook labs?

Thanks n3r.  From what you say, it seems like the labs might not be as expensive as I thought.  I'm planning to try the labs once I finish the book (but I just started), so let me know your overall thoughts once you finish them all.
Sec+, eCPPT
<<

ggeorge

Newbie
Newbie

Posts: 3

Joined: Tue Feb 21, 2012 1:13 am

Post Tue Feb 21, 2012 1:24 am

Re: Web Hackers Handbook labs?

Hi All!

I interested in web application security.
I try to do MDSec labs. But I can't find solution for specific exersices.
Does anyone help me?

P.S. I can help you too.

Thanks!
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Tue Feb 21, 2012 10:23 am

Re: Web Hackers Handbook labs?

ggeorge wrote:Does anyone help me?


Yes, Google and e.g., SecurityTube  :) No offense intended of course ;D

Update: I also just saw the demo. It says the examples from the book works there too, so I recommend you use the book.
Last edited by MaXe on Tue Feb 21, 2012 10:29 am, edited 1 time in total.
I'm an InterN0T'er
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 21, 2012 10:27 am

Re: Web Hackers Handbook labs?

Also, it helps if you have specific questions. i.e. "In this scenario, how could I leverage this vulnerability to do x, y, and z."

On a relate note, I purchased this book the other day, and I intend to go through all the labs. I'll definitely post a review once I'm done, but it may be six weeks or so with everything else I have going on :-\
The day you stop learning is the day you start becoming obsolete.
<<

ggeorge

Newbie
Newbie

Posts: 3

Joined: Tue Feb 21, 2012 1:13 am

Post Wed Feb 22, 2012 1:37 pm

Re: Web Hackers Handbook labs?

Yes.
I have problem with all three cases in "incomplete validation of credentials".
I try removing last character, changing the case of a charater and add special characters - such as .$)(/.But I can't find any problem with validation of password.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Feb 22, 2012 3:58 pm

Re: Web Hackers Handbook labs?

ggeorge wrote:Yes.
I have problem with all three cases in "incomplete validation of credentials".
I try removing last character, changing the case of a charater and add special characters - such as .$)(/.But I can't find any problem with validation of password.


Did you try the examples from the book? The website says they will work there, so I guess they should.
I'm an InterN0T'er
<<

ggeorge

Newbie
Newbie

Posts: 3

Joined: Tue Feb 21, 2012 1:13 am

Post Thu Feb 23, 2012 12:53 am

Re: Web Hackers Handbook labs?

Did you try the examples from the book? The website says they will work there, so I guess they should

Hmmm...I can't find any examples in my book.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Feb 23, 2012 10:30 am

Re: Web Hackers Handbook labs?

Did you read the entire Web Application Hacker's Handbook first and second edition?  ;D

Note: If you did, you may be required to "think outside the box", which e.g., vulnerability researchers have to do when they sometimes discover 0days within functions that seems secure at first look.
I'm an InterN0T'er
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Feb 24, 2012 12:13 am

Re: Web Hackers Handbook labs?

For those who have done the labs and read all of WAHHv2, how much lab time would you recommend? I'm getting ready to buy some but won't be able to buy more if I run out.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Feb 24, 2012 8:25 am

Re: Web Hackers Handbook labs?

tturner wrote:For those who have done the labs and read all of WAHHv2, how much lab time would you recommend? I'm getting ready to buy some but won't be able to buy more if I run out.


If you're asking me, no idea sorry  ;D But generally speaking, depending on how many challenges are available, 30-60 minutes per challenge if they're not like super easy, is probably what I'd recommend. If you're good, you can probably do most of the challenges in 15-30 min., or less, but as I haven't done their labs yet, not sure.

I guess that I could attempt to do them for fun, and see how far I can get, just to try it out  :)
I'm an InterN0T'er
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Feb 24, 2012 9:31 am

Re: Web Hackers Handbook labs?

I bought 8 hours the other day, but I haven't had a chance to do anything with them yet. I'll poke around a bit this weekend and see if I can estimate how much it would take total.
The day you stop learning is the day you start becoming obsolete.
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Feb 26, 2012 5:54 pm

Re: Web Hackers Handbook labs?

tturner wrote:For those who have done the labs and read all of WAHHv2, how much lab time would you recommend? I'm getting ready to buy some but won't be able to buy more if I run out.


Here's a breakdown of the labs. The number in parenthesis is the number of objectives in that lab, and some of those are further divided in multiple sub-objectives.

01 - Mapping the application (4)
02 - Using automation (4)
03 - Bypassing client-side controls (3)
04 - Attacking authentication (8 )
05 - Attacking session management (3)
06 - Attacking access controls (3)
07 - Basic SQL injection (2)
08 - More SQL injection (8 )
09 - Attacking data stores (14)
10 - Attacking back-end components (12)
11 - Logic flaws (4)
12 - Cross-site scripting (7)
13 - Attacking other users (23)

Keep these few caveats in mind:
  • The amount of time it takes to go through an exercise will obviously vary a great deal based on experience
  • With some exercises, there's no obvious way to know that it's been completed. It's possible for you to feel pretty good about where you're at but then discover another interesting item 15 minutes later
  • You need to use your allotted time in one-hour increments. You may not feel like moving on to the next item with only 5-10 minutes remaining, so you might want to factor in a few extra hours for padding

Based on what I saw while browsing through the exercises, I think most people are going to average over one-hour for each section. 15-20 hours would probably be a fairly aggressive pace for most people, and many will probably be the most comfortable in the 20-30 hour range, if not higher.

Alternatively, more advanced users may want to get a smaller block of hours (i.e. 10) and skip the exercises they don't feel would be worth their time. You can pick-and-choose what to do; you don't need to go in order.

I'm personally expecting to put 25-30 hours into this because I have OCD and want to be thorough. I'm competent with most web technologies, but I haven't spent a great deal of time focusing on offensive tools and techniques.

I assume you only have one shot at purchasing hours because your company is paying for it and you need to get a PO issued. For people that aren't required to purchase everything thing at once, there's no penalty for purchasing hours in small increments. Most people would probably be more comfortable with purchasing 3-5 hours at a time.

If I had to purchase everything at once, I'd go for a little more than I was expecting to use. At $7/hr, you're not going to waste a significant amount of money unless your estimate ridiculously off.

HTH
The day you stop learning is the day you start becoming obsolete.
<<

Seen

User avatar

Full Member
Full Member

Posts: 137

Joined: Mon Aug 30, 2010 1:05 am

Post Mon Feb 27, 2012 12:32 pm

Re: Web Hackers Handbook labs?

Thanks ajohnson, your post was very informative.  I'm planning on starting the labs after I finish the entire book.  I'm almost finished with chapter 5 so that might be a while.
Sec+, eCPPT
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Feb 27, 2012 2:36 pm

Re: Web Hackers Handbook labs?

Thanks dynamik, that's exactly what I needed.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
PreviousNext

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software