Web App Pentesting

Anyone do web application security or pen testing? I'm looking for some good resources on how to break into this area. There doesn't seem to be any good reference on how to go from being a system/network admin into security (aside from spending countless hours figuring out different tools and technologies one by one).
Comments
That's any type of pen testing, and it never ends
OWASP
https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
Damn Vulnerable Web App | Get Damn Vulnerable Web App at SourceForge.net
(the main site: http://www.dvwa.co.uk/ seems to be down at the moment)
Amazon.com: The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (9780470170779): Dafydd Stuttard, Marcus Pinto: Books
Amazon.com: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast (9780596514839): Paco Hope, Ben Walther: Books
GIAC Web Application Penetration Tester (GWAPT)
Pentest Labs: Web Application Edition Security Aegis
http://www.phreaknic.info/Videos/PN13/Brian_Wilson_&_Ryan%20Linn_-_Its_9AM_do_you_know_where_your_hashes_are_(PN13).avi
Samurai Web Testing Framework
It's also imperative that you understand HTML, JavaScript, SQL, various web programming languages, etc.
skipfish - Project Hosting on Google Code
I haven't had the chance to play with it much, but it does seem to have some potential!
Thanks for the info. Own both the books and have read them, plus the OWASP guide (they are good for reference too). I'll have to look at DVWA and Pentest Labs, haven't seen those yet. I'm pretty good with SQL, PHP, & HTML already... guess it's time to suck it up and learn JavaScript.
SE Notebook
Sounds like you should start developing your own vulnerable apps and then exploiting them. That'll get you up to speed on both sides of the equation and help foster a deeper understanding of development and exploitation.
Also, check out the Hacking Exposed series; they make a book specifically for web app pentesting. I own most of their books and they are invaluable.
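The "build your own vulnerable app, then break it" approach above is easiest to see with a minimal example. The following is an added illustration, not code from the thread or from any of the projects it mentions: a toy login check written two ways against an in-memory SQLite table with constructed sample users. The first builds the query by string formatting (the classic flaw DVWA-style apps are built to teach); the second uses a parameterised query, which is the fix. The `demo()` function runs the same inputs through both so you can compare how each behaves.

```python
import sqlite3


def setup_db():
    """Create a throwaway in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],  # constructed data
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted straight into the SQL text.

    Anything the caller types becomes part of the query's structure, so a
    quote character lets them change what the query means.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: placeholders keep input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run identical inputs through both versions and return the outcomes.

    The second input ends the quoted string early and comments out the rest
    of the WHERE clause ('--' starts a comment in SQLite), so the vulnerable
    version authenticates without a valid password while the safe version
    simply looks for a user literally named "alice' --" and finds none.
    """
    conn = setup_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, "alice' --", "anything"),
        "safe_valid": login_safe(conn, "alice", "correct horse"),
        "safe_bypass": login_safe(conn, "alice' --", "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Seeing the two functions side by side is the point of the exercise: the fix is not input filtering but keeping data and query structure separate, and the same lesson carries over to the PHP/MySQL code in the vulnerable apps mentioned in this thread.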
I've used BT since version 2, def a great tool! I also have all the Hacking Exposed series; as you said, they are invaluable and a great resource to refer back to... thanks!
@dynamik - good suggestion I'll have to give that a go.
SE Notebook
CCNA Security | GSEC |GCFW | GCIH | GCIA
http://twitter.com/paul_bosworth
Blog: http://www.infosiege.net/