Web App Pentesting

Any one do web application security or pen testing? I'm looking for some good resources in how to break into this area. There doesn't seem to be any good reference on how to go from being a system/network admin into security (aside from spending countless hours figuring out different tools and technologies one by one).

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dynamik

NightShade03 wrote: »

(aside from spending countless hours figuring out different tools and technologies one by one).

That's any type of pen testing, and it never ends

OWASP
https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf

Damn Vulnerable Web App | Get Damn Vulnerable Web App at SourceForge.net
(the main site: http://www.dvwa.co.uk/ seems to be down at the moment)

Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books

Amazon.com: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (9780596514839): Paco Hope, Ben Walther: Books

GIAC Web Application Penetration Tester (GWAPT)

Pentest Labs: Web Application Edition Security Aegis

http://www.phreaknic.info/Videos/PN13/Brian_Wilson_&_Ryan%20Linn_-_Its_9AM_do_you_know_where_your_hashes_are_(PN13).avi

Samurai Web Testing Framework

It's also imperative that you understand HTML, Javascript, SQL, various web programming languages, etc.

broc

You might to have a look at that too:

skipfish - Project Hosting on Google Code

I haven't the chance to play with it much but it does seems to have some potential!

NightShade03

dynamik wrote: »

OWASP
https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf

Damn Vulnerable Web App | Get Damn Vulnerable Web App at SourceForge.net
(the main site: http://www.dvwa.co.uk/ seems to be down at the moment)

Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books

Amazon.com: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (9780596514839): Paco Hope, Ben Walther: Books

GIAC Web Application Penetration Tester (GWAPT)

Pentest Labs: Web Application Edition Security Aegis

http://www.phreaknic.info/Videos/PN13/Brian_Wilson_&_Ryan%20Linn_-_Its_9AM_do_you_know_where_your_hashes_are_(PN13).avi

Samurai Web Testing Framework

It's also imperative that you understand HTML, Javascript, SQL, various web programming languages, etc.

Thanks for the info. Own both the books and have read them plus the OWASP guide (they are good for references too). I'll have to look at DVWA and Pentest Labs haven't seen those yet. I'm pretty good with SQL, PHP, & HTML already....guess its time to suck it up and learn javascript

dynamik

Yea, JS is huge, especially for things like XSS. That's a must.

Sounds like you should start developing your own vulnerable apps and then exploiting them. That'll get you up to speed on both sides of the equation and help foster a deeper understanding of development and exploitation.

slinuxuzer

you might also want to check out Backtrack4 a version of linux builit and preloaded for the purpose of pentesting.

Also, check out the hacking exposed series they make a book specifically for Web app pentesting, I own most of their books and they are invaluable.

NightShade03

slinuxuzer wrote: »

you might also want to check out Backtrack4 a version of linux builit and preloaded for the purpose of pentesting.

Also, check out the hacking exposed series they make a book specifically for Web app pentesting, I own most of their books and they are invaluable.

I've used BT since version 2 def a great tool! I also have all the hacking exposed series as you said they are invaluable and a great resource to refer back too...thanks!

@dynamik - good suggestion I'll have to give that a go.

Paul Boz

Join hacker-centric message boards such as ethicalhacker.net and the backtrack forums.

earweed

dynamik wrote: »

Yea, JS is huge, especially for things like XSS. That's a must.

I was wondering if there were any relevant uses for JavaScript while I was learning it for a class at WGU. Good to see that I may actually have use for it in the future.