Confessions of a Web Security Student

Web Security has always been a favorite of mine…oh the thrill of uploading a webshell, controlling a browser through xss, thinking about all the possibilities from credential theft to social engineering, keylogging, clickingjacking, bypassing two factored vpn, complete server compromise…Exploiting web application flaws is left only to your imagination.

For TLDR: SKIP TO BULLET POINTS

For me it started with a University coursework: dabbling with XSS,SQLI,CSRF for the first time…then moving on to blogs, webgoat, a free Coursera course, reading blogs, pentester academy, back to reading blogs, working with web application scanners, reading web hackers handbook, a pluralsight course, back to reading even more blogs.

I learned a lot without dropping any serious dough for professional course on the topic, and in hindsight I can without hesitation say there is enough open source material on the topic that even some of the paid courseware or subscriptions through work I took advantage of (pluralsight, pentester academy) were not strictly needed. It’s even gotten to the point where some of these open source materials have been dockerized (yeah for DOCKER!). If you have never used docker before please stop reading this and try a docker tutorial instead (your mind blown-then come back ).

So the point is… there is a lot of free or inexpensive material to understand the fundamentals of the OWASP top 10 and DOCKER IS AWESOME! Okay so I could have easily learned the material through other means, but at the same time I can also say there is a value for convenience ~ how long do you want to stay on something that doesn’t work and isn’t going to work, especially in the perspective of a student? In a vacuum, someone who’s serious about web security should be able to undergo the necessary self-learning to understand the fundamentals and will need the motivation and commitment to master much more complex theory and application of web security. But life is not in a vacuum; we all have our own circumstances, aspirations, and anxieties. Because of this (and other reasons) our time and income is valuable and scarce, so we are always searching for how to spend it .

And for this reason you may decide in a more structured learning path for yourself. A subtle point you may have picked up on by now is that I’ve been harping about Web Security, but I’ve actually only mentioned the exploitation of web vulnerabilities. And there is a very significant difference! Exploiting web vulnerabilities is great fun but it does not intrinsically provide much of any Business Value- zero, nada!

You need to increase the security posture of your organization or in a narrower scope the security posture of your vulnerable application. This involves a) manually testing and reporting a flaw in a reproducible way (including the fix) or b) having a tool test for a flaw and hope it can present the finding in a reproducible way and accurately describe the flaw (if it exists) and how to remediate it. Either way, a key feature of this process is the FIXING!! Part. This is where most instruction the Web Security market falls short…
I recently took eLearnSecurity’s Practical Web Defense Course and while I hesitate to recommend anyone drop their personal income on security training because of our rich information sharing community (SHOUT OUT TO OWASP)… I’d much rather have you take this course than drop 7G’s (not exaggerating) on SANS Web Pen Testing course. In fact, I’m certain you would learn more. And this is not me bagging on SANS; I love SANS, I’ve taken a couple of their courses but they are in the business of taking other businesses for a you know what. And that’s totally cool, but you should only let that happen to you employer when it comes to their Defense/Forensic oriented course offerings. In my opinion, their offensive courses will not have a justifiable return to you or your employer compared w/ competitors or even experience gained through free or relatively free community events (ctfs/talks/blogs/vlogs/books/etc.).

And this is partly because in my “opinion” their opening courses (SEC 542 and 560) while fun and thorough, won’t give you the hands on experience to understand subtle nuances (ex. How a AJAX request can interact with CORS to produce CSRF vector maybe with clickjacking mixed in on a specific browser). There’s no way they are going to go that deep or have time to try out that stuff in a 5 days of lecture nor do they expect you to uncover this in your lab activities which are designed to highlight major themes of their lecture. My biggest gripes would be that while their theory is excellent, you will need a lot of hands on time in the code and configurations to understand nuances about certain web vulnerabilities and how to actually fix them in code. SANS generally gives you the easy route of everything preconfigured with commands ready to be copy/pasted which is great for a 5 day conference and in most applications is okay since you can go back and review the inner details on your own, but for Web Security you really want to work enough with your vulnerable application that you understand every piece of application and business logic because you spent so much time fixing it. 542 specifically never really touches the "fixing" part of Web Security.

Whether you go down the path of a pen testing or not Web Security can be a very useful skill. Penetration testing is one potential path in someone’s Security Career and it may not be for everyone nor is it necessarily harder or easier than another role in Security (try defending against a real incident). But regardless, there is a definite need for folks who can work with web pen test findings or findings from an application scanner and understand and come up with a fix for them.

Personally, I like variety. For example, hypothetically I could deploy a honeypot, organize a project, write some logstash configuration, do we web application scan, create a dashboard, search for incidents, deploy a web labyrinth, test an open source tool, and bounce ideas against team members all in a week–for me that is awesome fun. And then the next week we can do something TOTALLY different! Point is, there is so much to do in cyber security that you don’t have to go down the path of a pentester to have a good time or have a large impact – it just depends on what you end up liking the most (maybe like me everything ). For those of you somewhat new to the field, trying a little bit of everything is a good starting place .

Now onto the course review (eLearnSecurity Practical Web Defense) in bullet points:

Pros:
- Really only course I’ve come across that has a huge focus on fixing in the code after the finding not just high-level recommendation on use sanitization function or use bind variable…
- Really good coverage of material (covers most of OWASP testing guide which is a lot), much more than just standard OWASP top 10, there about 16 modules each one quite big. For example: Session, Authorization, and Authentication are each their own module so you will also focus on critical testing that go beyond the flashy stuff
- Author is involved with OWASP community tools, knows what’s up
- A lot of hands on experiences (labs + exam). I would say there’s about 120 hours of total lab work (I passed the exam but felt I couldn’t quite get through all the lab or exam, and I gave it a really good go)
- Plenty of lab time and opportunity to tinker with apache/php configs, security tools such as burp, browser types/versions and their tools & plugins, wireshark etc.
- Culminate with requiring student to identify and create POC exploit for a vulnerability, fix it w/o breaking the application, separately create a virtual patch via ModSecurity that does not break any business/security functionality of the application. Then repeat this 40+ times w/o breaking any previously fixed part of the application

Cons:
- Videos are far too long and should be broken into subparts to keep students engaged (I found myself skipping most of the video tutorial and just doing lab on my own to save time)
- Some minor stuff that doesn’t quite work as you would expected or missing instruction/credential (but to be expected with the sheer amount of lab material and code provided). I never really reached out to support so possible user error or easy resolution.
- Doesn’t quite have the rhetoric of something like a SANS course where every sentence or joke is well thought out to deliver the maximum engagement from the audience (students). You have been provided all the materials and virtual environments but you are on your own for motivation and enjoyment of course (somewhat Offensive Security style).
- Like most web security courses, it will focus on one language in this case php which is highly vulnerable. This is good and bad. Good for ease of learning, but also bad because web security is very language specific; in practice, you will need to teach yourself the best way to defend against X in Y language (this is something community is kind of lacking).

Full Disclosure: I received access to this course because of a previous contest held by eLearnSecurity and this review/blog of Web Security education is an entry in an upcoming contest. However, I think you will find that the above is my honest, unbiased opinion