[WEB SECURITY] Training web app pentesters
Paul Johnston
paul.johnston at pentest.co.uk
Fri Mar 25 06:32:14 EDT 2011
Hi,
I have some guys who I need to train to be web app testers. Initially to
work under the supervision of an experienced tester.
I realise there are a number of courses we could send them on, but these
are quite competent guys and I think they can get a long way with a
self-study approach.
I've got them working through WebGoat at the moment. My general
impression is that this is not a bad start, although some lessons are
better than others. One particular criticism though is that it's too
easy really. For example, you learn about simple cross-site scripting,
but not more subtle attack vectors, e.g. injection into attributes, URL
encoding, etc.
I've also got them reading the OWASP testing guide. Although, at over
300 pages, reading this from start to finish is not for the faint-hearted
- it's more useful as a reference.
So, does anyone here have suggestions of material to use for this? I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?
Regards,
Paul
--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK