[WEB SECURITY] Training web app pentesters

Wasim Halani wasimhalani at gmail.com
Sat Mar 26 21:24:08 EDT 2011


You could refer to my blogpost at
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
It's basically a listing of all vulnerable web applications, specifically
created for learning web application security.

Hope you'll find it useful.

Regards,
---
Wasim Halani
http://securitythoughts.wordpress.com
http://twitter.com/washalsec
----------
To keep silent when you can say something wise and useful is as bad as
keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)


On Sun, Mar 27, 2011 at 4:04 AM, H Morrow Long <morrow.long at yale.edu> wrote:

> There is an open source (SourceForge) project sponsored and run by Maven
> Security which has integrated many of the tutorial web security lessons and
> tools into one package -- Web Security Dojo.
>
> See: http://www.mavensecurity.com/web_security_dojo/
>
> You download a VirtualBox or VMware virtual machine (both are available via
> the above URL) and then start up the VM (Ubuntu-based I believe).
>
> - Morrow
>
>
>
> -----Original Message-----
> From: websecurity-bounces at lists.webappsec.org
> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Paul
> Johnston
> Sent: Friday, March 25, 2011 6:32 AM
> To: Webappsec Group
> Subject: [WEB SECURITY] Training web app pentesters
>
> Hi,
>
> I have some guys who I need to train to be web app testers. Initially to
> work under the supervision of an experienced tester.
>
> I realise there are a number of courses we could send them on, but these
> are quite competent guys and I think they can get a long way with a
> self-study approach.
>
> I've got them working through WebGoat at the moment. My general
> impression is that this is not a bad start, although some lessons are
> better than others. One particular criticism though is that it's too
> easy really. For example, you learn about simple cross-site scripting,
> but not more subtle attack vectors, e.g. injection into attributes, URL
> encoding, etc.
>
> I've also got them reading the OWASP testing guide. Although, at over
> 300 pages, reading this from start to finish is not for the faint-hearted
> - it's more useful as a reference.
>
> So, does anyone here have suggestions for material to use for this? I
> know there are many vulnerable apps like WebGoat; are there some that
> are a bit more difficult for the tester?
>
> Regards,
>
> Paul
>
> --
> Pentest - When a tick in the box is not enough
>
> Paul Johnston - IT Security Consultant / Tiger SST
> Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
>
> Office: +44 (0) 161 233 0100
> Mobile: +44 (0) 7817 219 072
>
> Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
> Registered Number: 4217114 England & Wales
> Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>
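The "subtle" vectors Paul asks for (injection into attributes, URL encoding) are really a question of output context: an encoder that is sufficient for an HTML text node is not sufficient for an attribute value or a URL. The Node.js script below is an added example for this thread; it is not code from WebGoat, Web Security Dojo or any of the listed applications, and every template, payload and function name in it is constructed for illustration.

```javascript
// Added example (not from the mailing-list thread or from WebGoat): the
// same reflected value rendered into different HTML contexts, with the
// beginner's text-node escaper beside context-aware handling. All
// templates and payloads are constructed.

// The encoder most introductory lessons stop at: enough for a text node.
function escapeHtmlText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute encoder: every non-alphanumeric code point becomes a numeric
// character reference, so neither a quote nor a space can end the value,
// whichever quoting style (or none) the template used.
function encodeHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => '&#x' + c.codePointAt(0).toString(16) + ';');
}

// URL-attribute check: percent-decode first (so a downstream decode
// cannot resurrect a hidden scheme), drop the control characters and
// whitespace browsers ignore inside a scheme, then allow only http(s)
// or relative URLs. Protocol-relative "//host" passes: it is a
// redirect concern, not script execution.
function isSafeUrl(s) {
  let u = String(s);
  try { u = decodeURIComponent(u); } catch (e) { return false; } // malformed %xx: reject
  u = u.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const scheme = u.match(/^([a-z][a-z0-9+.\-]*):/);
  if (!scheme) return true;                 // no scheme: relative URL
  return scheme[1] === 'http' || scheme[1] === 'https';
}

// One reflected value, several output contexts. The "Naive" templates
// use the text-node escaper everywhere, as a first fix often does.
function renderTextNode(q)         { return '<p>Results for ' + escapeHtmlText(q) + '</p>'; }
function renderUnquotedAttrNaive(q) { return '<input value=' + escapeHtmlText(q) + '>'; }
function renderQuotedAttrNaive(q)  { return '<input value="' + escapeHtmlText(q) + '">'; }
function renderQuotedAttrFixed(q)  { return '<input value="' + encodeHtmlAttribute(q) + '">'; }
function renderHrefNaive(u)        { return '<a href="' + escapeHtmlText(u) + '">back</a>'; }
function renderHrefFixed(u) {
  const target = isSafeUrl(u) ? u : 'about:blank';
  return '<a href="' + encodeHtmlAttribute(target) + '">back</a>';
}

// Ordering bug seen in real code: escape for HTML, then percent-decode
// the value "to normalise it". Encoded angle brackets pass the escaper
// untouched and are turned back into markup afterwards.
function renderTextNodeDecodeAfterEscape(q) {
  return '<p>Results for ' + decodeURIComponent(escapeHtmlText(q)) + '</p>';
}

// Crude oracle for the attribute templates only: did an on* attribute
// appear in the markup? Meaningless for a text node, where "onload=" is
// just text; a real check parses the fragment or loads it in a browser.
function hasEventHandler(html) {
  return /\son[a-z]+\s*=/i.test(html);
}

// Walk-through of the exercise: a payload chosen for each context.
function demo() {
  const attrPayload = '" onmouseover="alert(1)';
  console.log(renderQuotedAttrNaive(attrPayload));                 // attribute closed, handler injected
  console.log(renderQuotedAttrFixed(attrPayload));                 // inert
  console.log(renderUnquotedAttrNaive('x onmouseover=alert(1)'));  // no quote or angle bracket needed
  console.log(renderHrefNaive('\tjavascript:alert(1)'));           // nothing for the text escaper to touch
  console.log(renderHrefFixed('\tjavascript:alert(1)'));           // about:blank
  console.log(renderTextNodeDecodeAfterEscape('%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E'));
}
demo();
```

Run it with `node`. The point for a trainee is that none of the attribute or href payloads contain `<`, `>` or `&`, so a lesson that teaches "escape angle brackets" leaves all of them working; the tester has to identify where in the markup the value lands and pick the payload for that context.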