Looking to learn web application testing, any pointers?

[natedmac]

Hello,

I am looking at pursuing a career into the security field, I have a few years of admin on both the Windows/Network side and comfortable with linux and learning more everyday with it. But as I continue to pursue my CISSP and other security training I see more and more talk about application and web application security.

I want to start off by saying I have a decent grasp and conceptual knowledge of OS level attacking, and exploiting a machine on that level. However what i have a problem with and lack a good understanding as I am trying to learn more about security is web application/code/XSS and being able to break the code. I am not looking at cracking a compiled .exe file reverse engineering those, that will be coming later.

I have been playing around with and looking at Damn Vunerable and what they have on there iso for web vulnerabilities and using what little knowledge to try and gain what access i can, but unfortunately haven't found any good reads/tutorials on this. I have seen some of the different tools that are out there, but I would rather gain a good conceptual grasp of the underlying methods and how the attacks work before I would want to look at using a tool to do something with it.

Any guidance or a point in the write direction to learn more would be appreciated.

Thanks
natedmac

[lupin]

If you dont already know them, first learn about HTML, Javascript and the HTTP protocol. Run up a web server, create a few basic web pages and check the source of some already existing ones, make some requests from your web server using a browser and also a command line client like wget. Capture some packets in Wireshark to see how the web requests work, especially with regard to how different objects (html pages, images, scripts, style sheets, videos, etc) are requested from the web server using the HTTP protocol. Check the logs of the web server to see what has happened and also try and use an intercepting proxy like Burp, WebScarab or Paros to intercept and modify web requests once you see how they work.

Next, check out this page at the IronGeek site. WebGoat is probably the application from this page that you want to try first, its a great tutorial based introduction to the various classes of web vulnerabilities. Then test your skills breaking into these applications. WebGoat should show you how, the rest can be used as practice.

Check out the various web tools in BackTrack. Follow some tutorials on their use.

Have a good read of the OWASP site, especially the Testing Guide. See if you can use the Testing Guide to test one of the insecure web applications from the IronGeek site.

If you need more information the book "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" is also a good reference.

Also keep in mind that cracking an executable doesnt have anything to do with web application penetration testing.

Good luck.

[m-1-k-3]

there are some nice webapp pentesting environments available. I've build a small collection with the links to their websites on my blog: Webapp Pentest Trainingsumgebung [Update] | www.s3cur1ty.de

If you find some others feel free to post it here

hf
m-1-k-3

[natedmac]

Lupin,

Thank you for the response.

I understand that cracking an executable has nothing to do with web pen-testing. I was just stating that in there so that it wasnt confused if someone read what i was trying to do.

I will definitely be using what you have said and playing with it more. One area that i definitely need the work in is my javascript and coding in general. Thank you again for the response and I am sure I will have a few more questions as this goes on.

Thanks

[shamwave]

It's good you are actually trying to learn why exploits work vice how to use tools to do the work for you. There's a reason most security researchers and consultants tell newcomers to RTFM when it comes to exploits.

A quick tip is to learn the best practices, and figure out why they are recommended (like in football, know your enemy's defenses, and you'll have a better offense).

After you are fairly versed in the RFC's/Best Practices, check out

HTML Code:

http://www.offensive-security.com/metasploit-unleashed/

, It will help put 2+2 together. The Metasploit Framework doesn't totally obscure whats going on, so you'll have a good sense of what is happening behind the scenes.

Good luck,

SW

[thorin]

Maybe I'm missing something but I fail to see how a metasploit course is going to help him with Web Application testing.

That being said, I suggest you checkout:
- the Open Web Application Security Project (OWASP), they have a testing guide and other docs/projects that will be of use.
- WebGoat is a leaning app/tutorial for Web App security.
- SANS has a web applicaiton security course that might be of interest to you (GWAPT if I recall correctly)

Check:
Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)

[lupin]

Check:
Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)

I actually linked to that in my post above

The SANs GWAPT course looks pretty cool, however as with other SANs courses its a little pricey. Worth the money if work pays for it though.

[thorin]

I'm trying to get work to pay for my GWAPT this year

For the OP this might help as well:
Category:OWASP Insecure Web App Project - OWASP

[natedmac]

Thank you guys so much for the posts.

With a new position I just took for a small company I will be required to ensure both the OS/Network level of security plus I will be working along side our development team to ensure application security. I wont be doing full audits immediately nor probably ever on the code, but it is something I need to be aware of and how to audit it.

[thorin]

Here's another one that might be handy:
OWASP Broken Web Applications – Excelent Learning Tool | Dragos Lungu Dot Com