
Start into Web Application Security


birdofbeauty11

Newbie

Posts: 7

Joined: Sat May 14, 2011 9:27 am

Post Tue Jan 15, 2013 12:38 am

Start into Web Application Security

Hi,

I am trying to enter into the web application security field. I am somewhat overwhelmed because I have A LOT of vulnerable web applications (OWASP Broken Web Apps, OWASP Security Shepherd, PenTestLab), and I also enrolled in eLearnSecurity and PenTestLab.

My question is, for those in this field, what were your first steps? I clearly have a lot of information (see paragraph above), but I feel like I am not using my time in the most effective manner.

Also, I have a blog, passionforpentesting.wordpress.com. I am trying to revitalize the blog again this year, and my goal is to have it as an interactive place for people who want to enter this field. If you can please go to the site (I must warn you in advance the posts are pretty bare) and give suggestions, that would be great!

I should reiterate I REALLY want to transition over to this field, as I am an Application Developer now. This isn't a hobby that I will drop in two months; I've been trying to get into this field for over 2 years, and it seems I am always met with a brick wall...

Thanks!
<<

cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jan 15, 2013 10:15 am

Re: Start into Web Application Security

Go get The Web Application Hacker's Handbook and read it cover to cover. You'll get an idea of "where to look and what to look for" when testing web apps.
<<

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jan 15, 2013 11:26 am

Re: Start into Web Application Security

Hi birdofbeauty11 and welcome to the forum.

I have more or less the same problem as you. I am a Java system architect who is working very hard to transition into information security.

For me, I find it tough to only do web application pentests, because other than for huge companies, there aren't enough web apps to justify a full-time employee.

In addition, hacking web apps usually requires at least some knowledge of the OS and the network.

I am still mainly working in web apps development, but I do all the security of the apps around me. So I spend about 15% of my time on security. I also train the other developers.

So that's where I am at.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

Grendel


Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Tue Jan 15, 2013 11:39 am

Re: Start into Web Application Security

While I agree that you should (will) be spending a lot of time researching about web pentesting over your career (especially at the beginning), if you want a place to start you should check out WebGoat (https://www.owasp.org/index.php/Categor ... at_Project).

Not only is this an exploitable image that is geared towards web applications, it's designed for all levels of expertise. The additional advantage is it'll let you know if you really want to pursue the field of web pentesting - if you can handle WebGoat for more than a week of exercises (WITHOUT looking up the answers), you'll probably be fine in the field. ;D
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

birdofbeauty11

Newbie

Posts: 7

Joined: Sat May 14, 2011 9:27 am

Post Tue Jan 15, 2013 11:17 pm

Re: Start into Web Application Security

Thanks everyone for responding!

I'm glad that I am not in this boat alone. (0:

Just a quick note, I do have the "Web Application Handbook" (all 600+ pages of it), but haven't had a chance to sit down and read it. I am more of a hands-on type of learner, so that is why I wanted to start poking around some vulnerable apps.

Grendel wrote:While I agree that you should (will) be spending a lot of time researching about web pentesting over your career (especially at the beginning), if you want a place to start you should check out WebGoat (https://www.owasp.org/index.php/Categor ... at_Project).

Not only is this an exploitable image that is geared towards web applications, it's designed for all levels of expertise. The additional advantage is it'll let you know if you really want to pursue the field of web pentesting - if you can handle WebGoat for more than a week of exercises (WITHOUT looking up the answers), you'll probably be fine in the field. ;D


To answer the block above, I guess I am not cut out for Web App security. I have WebGoat and it is not intuitive to me at all. I often find myself VERY confused when trying to work on the exercises because the instructions do not seem very clear to me. I try to do the exercises without Burp Suite or OWASP ZAP because I want to gain the actual learning without relying on the tools.

Also, to piggy-back, what other areas of security are you guys (or gals) looking at? The reason I picked web app security was because it seemed the most interesting to me, with network security being in second.

I just feel like I am putting WAY too much pressure on myself.

Please respond when able.

Thanks.
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Jan 15, 2013 11:43 pm

Re: Start into Web Application Security

I personally haven't used WebGoat, but I've heard many people state it is not intuitive. He may have been referring more to patience, persistence, and perseverance. Web app testing can be frustrating as hell...

Regarding WAHH, there are corresponding labs at mdsec.net. They're not free, but $7/hr is entirely affordable. I just wish you didn't have to use one-hour blocks all at once since it would be nice to try an exercise or two and then get back to reading. 

Mutillidae might be a better starting place for you: http://www.irongeek.com/i.php?page=muti ... asp-top-10

There are also over 80 videos that walk you through various tasks: http://www.irongeek.com/i.php?page=vide ... mutillidae

I think things will become intuitive for you quickly enough, especially if you have a development background.
The day you stop learning is the day you start becoming obsolete.
<<

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Jan 16, 2013 9:16 am

Re: Start into Web Application Security

I try to do the exercises without Burp Suite or OWASP ZAP because I want to gain the actual learning without relying on the tools.

So you know, birdofbeauty11, many WebGoat exercises require a web proxy. You don't need to use Burp Suite, but you need a web proxy at the minimum...

WebGoat is not always easy, but I really like it. I found it to be too "cheesy" for teaching people new to security (they think it doesn't represent a real-life scenario), but I have learned a lot by looking at... the answers.

I want to go back to it again and this time not look at the answers at all. But this is nevertheless a great tool!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

birdofbeauty11

Newbie

Posts: 7

Joined: Sat May 14, 2011 9:27 am

Post Wed Jan 16, 2013 8:39 pm

Re: Start into Web Application Security

ajohnson wrote:I personally haven't used WebGoat, but I've heard many people state it is not intuitive. He may have been referring more to patience, persistence, and perseverance. Web app testing can be frustrating as hell...

Regarding WAHH, there are corresponding labs at mdsec.net. They're not free, but $7/hr is entirely affordable. I just wish you didn't have to use one-hour blocks all at once since it would be nice to try an exercise or two and then get back to reading. 

Mutillidae might be a better starting place for you: http://www.irongeek.com/i.php?page=muti ... asp-top-10

There are also over 80 videos that walk you through various tasks: http://www.irongeek.com/i.php?page=vide ... mutillidae

I think things will become intuitive for you quickly enough, especially if you have a development background.


Thanks for the response. I am trying to learn for free. LOL. I already signed up for eLearnSecurity. I need to build myself up, before I will attempt the exercises in WAHH.
<<

birdofbeauty11

Newbie

Posts: 7

Joined: Sat May 14, 2011 9:27 am

Post Wed Jan 16, 2013 8:43 pm

Re: Start into Web Application Security

H1t M0nk3y wrote:
I try to do the exercises without Burp Suite or OWASP ZAP because I want to gain the actual learning without relying on the tools.

So you know, birdofbeauty11, many WebGoat exercises require a web proxy. You don't need to use Burp Suite, but you need a web proxy at the minimum...

WebGoat is not always easy, but I really like it. I found it to be too "cheesy" for teaching people new to security (they think it doesn't represent a real-life scenario), but I have learned a lot by looking at... the answers.

I want to go back to it again and this time not look at the answers at all. But this is nevertheless a great tool!


Thanks for the response! I will try to use WebGoat with a proxy. I have OWASP ZAP proxy installed on my computer. I will try that.

I will try Mutillidae first, and build myself up.

Can you explain what you did to get started in web application security or computer security, period.
<<

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Thu Jan 17, 2013 9:03 am

Re: Start into Web Application Security

Can you explain what you did to get started in web application security or computer security, period.

Personally, I study really hard to be the best (or close to) in my city. Then I go to ISSA, OWASP, etc meetings in my area to make contacts. I also did a few Capture the flag (CTF) competitions.

I believe that if you are very good at something AND people know you exist, then you will find work.

But nothing's easy...
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Jan 18, 2013 9:44 am

Re: Start into Web Application Security

In case you haven't, check out my web app sec blog series: www.exploit-db.com/category/maxe/ ;D

The best way to learn web app sec is to learn a language such as PHP (knowing HTML, CSS and basic JavaScript is elementary), and then understand why these bugs exist, how they look code-wise, and how to fix them. That way you can patch bugs, find 0days more easily, and know more. Or even create your own web app sec labs, which I've done for a few on a project basis some time ago.

Take a look at this thread:
http://forum.intern0t.org/offensive-gui ... irgod.html
I'm an InterN0T'er
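As an added illustration of the "how they look code-wise, and how to fix them" approach recommended in the post above (this is example code written for this thread, not MaXe's code or part of any of the linked labs), here is the same small PHP lookup and page fragment written twice: once with the classic injection and output-encoding bugs, once fixed. It assumes PHP with the PDO SQLite driver available; the table and the sample row are constructed inline so it runs offline.

```php
<?php
// Added example (not from the thread): a vulnerable lookup and its fixed
// form side by side, so the bug is visible in the code rather than only
// in a lab. Assumes the pdo_sqlite extension; the database is in memory.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
// Constructed sample row.
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test')");

// Vulnerable: the user-supplied value is concatenated into the SQL text, so
// the database parser cannot distinguish data from query structure. The bug
// is the string building itself, not any particular input.
function findUserVulnerable(PDO $db, string $name): array {
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a prepared statement sends the query shape and the value separately,
// so the value is treated as data no matter which characters it contains.
function findUserFixed(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same pattern on the output side: writing a value into HTML without
// encoding it is the cross-site scripting bug; htmlspecialchars() is the fix
// for text placed inside an element body or a quoted attribute.
function renderGreetingVulnerable(string $name): string {
    return '<p>Hello, ' . $name . '</p>';
}

function renderGreetingFixed(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// A name with an apostrophe is a perfectly legitimate input and the simplest
// way to see the difference: the concatenated query is no longer valid SQL
// and throws, while the prepared statement just returns no matching rows.
$input = "O'Brien";
try {
    findUserVulnerable($db, $input);
    echo "vulnerable query ran\n";
} catch (PDOException $e) {
    echo "vulnerable query failed: the quote in the input changed the SQL\n";
}
echo 'fixed query, unknown name: ' . count(findUserFixed($db, $input)) . " row(s)\n";
echo 'fixed query, known name:   ' . count(findUserFixed($db, 'alice')) . " row(s)\n";

// Markup in a display name is left as markup by the vulnerable version and
// turned into harmless entities by the fixed one.
$display = '<b>name</b>';
echo renderGreetingVulnerable($display), "\n";
echo renderGreetingFixed($display), "\n";
```

Reading the two versions of each function next to each other is the point of the exercise: in both cases the fix is not about filtering a bad input, it is about keeping data and code (SQL or HTML) on separate channels. The same reading applies to any of the OWASP Top 10 categories once you know what the vulnerable construct looks like.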
