Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Looking to learn web application testing, any pointers?

Hybrid View

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    3

    Default Looking to learn web application testing, any pointers?

    Hello,

    I am looking at pursuing a career into the security field, I have a few years of admin on both the Windows/Network side and comfortable with linux and learning more everyday with it. But as I continue to pursue my CISSP and other security training I see more and more talk about application and web application security.

    I want to start off by saying I have a decent grasp and conceptual knowledge of OS level attacking, and exploiting a machine on that level. However what i have a problem with and lack a good understanding as I am trying to learn more about security is web application/code/XSS and being able to break the code. I am not looking at cracking a compiled .exe file reverse engineering those, that will be coming later.

    I have been playing around with and looking at Damn Vunerable and what they have on there iso for web vulnerabilities and using what little knowledge to try and gain what access i can, but unfortunately haven't found any good reads/tutorials on this. I have seen some of the different tools that are out there, but I would rather gain a good conceptual grasp of the underlying methods and how the attacks work before I would want to look at using a tool to do something with it.

    Any guidance or a point in the write direction to learn more would be appreciated.

    Thanks
    natedmac

  2. #2
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Re: Web application scenarios

    If you dont already know them, first learn about HTML, Javascript and the HTTP protocol. Run up a web server, create a few basic web pages and check the source of some already existing ones, make some requests from your web server using a browser and also a command line client like wget. Capture some packets in Wireshark to see how the web requests work, especially with regard to how different objects (html pages, images, scripts, style sheets, videos, etc) are requested from the web server using the HTTP protocol. Check the logs of the web server to see what has happened and also try and use an intercepting proxy like Burp, WebScarab or Paros to intercept and modify web requests once you see how they work.

    Next, check out this page at the IronGeek site. WebGoat is probably the application from this page that you want to try first, its a great tutorial based introduction to the various classes of web vulnerabilities. Then test your skills breaking into these applications. WebGoat should show you how, the rest can be used as practice.

    Check out the various web tools in BackTrack. Follow some tutorials on their use.

    Have a good read of the OWASP site, especially the Testing Guide. See if you can use the Testing Guide to test one of the insecure web applications from the IronGeek site.

    If you need more information the book "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws" is also a good reference.

    Also keep in mind that cracking an executable doesnt have anything to do with web application penetration testing.

    Good luck.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  3. #3
    Moderator
    Join Date
    Jan 2010
    Posts
    167

    Default Re: Looking to learn web application testing, any pointers?

    there are some nice webapp pentesting environments available. I've build a small collection with the links to their websites on my blog: Webapp Pentest Trainingsumgebung [Update] | www.s3cur1ty.de

    If you find some others feel free to post it here

    hf
    m-1-k-3

  4. #4
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    3

    Default Re: Looking to learn web application testing, any pointers?

    Lupin,

    Thank you for the response.

    I understand that cracking an executable has nothing to do with web pen-testing. I was just stating that in there so that it wasnt confused if someone read what i was trying to do.

    I will definitely be using what you have said and playing with it more. One area that i definitely need the work in is my javascript and coding in general. Thank you again for the response and I am sure I will have a few more questions as this goes on.

    Thanks

  5. #5
    Just burned his ISO shamwave's Avatar
    Join Date
    Jan 2010
    Location
    22405
    Posts
    9

    Default Re: Looking to learn web application testing, any pointers?

    It's good you are actually trying to learn why exploits work vice how to use tools to do the work for you. There's a reason most security researchers and consultants tell newcomers to RTFM when it comes to exploits.

    A quick tip is to learn the best practices, and figure out why they are recommended (like in football, know your enemy's defenses, and you'll have a better offense).

    After you are fairly versed in the RFC's/Best Practices, check out
    HTML Code:
    http://www.offensive-security.com/metasploit-unleashed/
    , It will help put 2+2 together. The Metasploit Framework doesn't totally obscure whats going on, so you'll have a good sense of what is happening behind the scenes.

    Good luck,

    SW

  6. #6
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Maybe I'm missing something but I fail to see how a metasploit course is going to help him with Web Application testing.

    That being said, I suggest you checkout:
    - the Open Web Application Security Project (OWASP), they have a testing guide and other docs/projects that will be of use.
    - WebGoat is a leaning app/tutorial for Web App security.
    - SANS has a web applicaiton security course that might be of interest to you (GWAPT if I recall correctly)

    Check:
    Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)
    Last edited by lupin; 02-10-2010 at 10:41 AM. Reason: Merging..
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  7. #7
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default Re: Looking to learn web application testing, any pointers?

    I actually linked to that in my post above

    The SANs GWAPT course looks pretty cool, however as with other SANs courses its a little pricey. Worth the money if work pays for it though.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  8. #8
    Just burned his ISO
    Join Date
    May 2010
    Location
    Indiana
    Posts
    4

    Default Re: Looking to learn web application testing, any pointers?

    Quote Originally Posted by thorin View Post
    Maybe I'm missing something but I fail to see how a metasploit course is going to help him with Web Application testing.

    That being said, I suggest you checkout:
    - the Open Web Application Security Project (OWASP), they have a testing guide and other docs/projects that will be of use.
    - WebGoat is a leaning app/tutorial for Web App security.
    - SANS has a web applicaiton security course that might be of interest to you (GWAPT if I recall correctly)

    Check:
    Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)

    I would recommend checking out the OSSTMM (ISECOM - Making Sense of Security) too!
    Id recommend it be first on the list.. but im biased

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Looking to learn web application testing, any pointers?

    I'm trying to get work to pay for my GWAPT this year

    For the OP this might help as well:
    Category:OWASP Insecure Web App Project - OWASP
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  10. #10
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    3

    Default Re: Looking to learn web application testing, any pointers?

    Thank you guys so much for the posts.

    With a new position I just took for a small company I will be required to ensure both the OS/Network level of security plus I will be working along side our development team to ensure application security. I wont be doing full audits immediately nor probably ever on the code, but it is something I need to be aware of and how to audit it.

Page 1 of 2 12 LastLast

Similar Threads

  1. Browser collection for testing client sides
    By m-1-k-3 in forum Experts Forum
    Replies: 6
    Last Post: 02-19-2010, 07:32 PM
  2. I need to learn a couple of things
    By rc0101 in forum Beginners Forum
    Replies: 5
    Last Post: 01-26-2010, 11:51 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •