Web App Pentesting
NightShade03
Member Posts: 1,383 ■■■■■■■□□□
in Off-Topic
Anyone do web application security or pen testing? I'm looking for some good resources on how to break into this area. There doesn't seem to be any good reference on how to go from being a system/network admin into security (aside from spending countless hours figuring out different tools and technologies one by one).
Comments
dynamik Banned Posts: 12,312 ■■■■■■■■■□
NightShade03 wrote: » (aside from spending countless hours figuring out different tools and technologies one by one).
That's any type of pen testing, and it never ends
OWASP
https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
Damn Vulnerable Web App | Get Damn Vulnerable Web App at SourceForge.net
(the main site: http://www.dvwa.co.uk/ seems to be down at the moment)
Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books
Amazon.com: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (9780596514839): Paco Hope, Ben Walther: Books
GIAC Web Application Penetration Tester (GWAPT)
Pentest Labs: Web Application Edition Security Aegis
http://www.phreaknic.info/Videos/PN13/Brian_Wilson_&_Ryan%20Linn_-_Its_9AM_do_you_know_where_your_hashes_are_(PN13).avi
Samurai Web Testing Framework
It's also imperative that you understand HTML, JavaScript, SQL, various web programming languages, etc.
broc Member Posts: 167
You might want to have a look at that too:
skipfish - Project Hosting on Google Code
I haven't had the chance to play with it much but it does seem to have some potential!
"Not everything that counts can be counted, and not everything that can be counted counts."
NightShade03 Member Posts: 1,383 ■■■■■■■□□□
Thanks for the info. Own both the books and have read them plus the OWASP guide (they are good for references too). I'll have to look at DVWA and Pentest Labs; haven't seen those yet. I'm pretty good with SQL, PHP, & HTML already... guess it's time to suck it up and learn JavaScript.
dynamik Banned Posts: 12,312 ■■■■■■■■■□
Yea, JS is huge, especially for things like XSS. That's a must.
Sounds like you should start developing your own vulnerable apps and then exploiting them. That'll get you up to speed on both sides of the equation and help foster a deeper understanding of development and exploitation.
slinuxuzer Member Posts: 665 ■■■■□□□□□□
You might also want to check out Backtrack4, a version of Linux built and preloaded for the purpose of pentesting.
Also, check out the Hacking Exposed series; they make a book specifically for web app pentesting. I own most of their books and they are invaluable.
NightShade03 Member Posts: 1,383 ■■■■■■■□□□
slinuxuzer wrote: » You might also want to check out Backtrack4, a version of Linux built and preloaded for the purpose of pentesting.
Also, check out the Hacking Exposed series; they make a book specifically for web app pentesting. I own most of their books and they are invaluable.
I've used BT since version 2, def a great tool! I also have all the Hacking Exposed series; as you said, they are invaluable and a great resource to refer back to... thanks!
@dynamik - good suggestion, I'll have to give that a go.
Paul Boz Member Posts: 2,620 ■■■■■■■■□□
Join hacker-centric message boards such as ethicalhacker.net and the backtrack forums.
CCNP | CCIP | CCDP | CCNA, CCDA
CCNA Security | GSEC | GCFW | GCIH | GCIA
pbosworth@gmail.com
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/
earweed Member Posts: 5,192 ■■■■■■■■■□
Yea, JS is huge, especially for things like XSS. That's a must.
No longer work in IT. Play around with stuff sometimes still and fix stuff for friends and relatives.