[WEB SECURITY] Training web app pentesters

Ausome1 ausome1 at gmail.com
Sat Mar 26 22:17:40 EDT 2011


Send them to http://EnigmaGroup.org they have over
170 hacking challenges on their site and plenty of articles and forum help
for the self learner.

On Sat, Mar 26, 2011 at 9:24 PM, Wasim Halani <wasimhalani at gmail.com> wrote:

> You could refer to my blogpost at
> http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
> It's basically a listing of all vulnerable web applications, specifically
> created for learning web application security.
>
> Hope you'll find it useful.
>
> Regards,
> ---
> Wasim Halani
> http://securitythoughts.wordpress.com
> http://twitter.com/washalsec
> ----------
> To keep silent when you can say something wise and useful is as bad as
> keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)
>
>
> On Sun, Mar 27, 2011 at 4:04 AM, H Morrow Long <morrow.long at yale.edu> wrote:
>
>> There is an open source (SourceForge) project sponsored and run by Maven
>> Security which has integrated many of the tutorial web security lessons
>> and tools into one package -- Web Security Dojo.
>>
>> See: http://www.mavensecurity.com/web_security_dojo/
>>
>> You download a VirtualBox or VMware virtual machine (both are available
>> via the above URL) and then start up the VM (Ubuntu-based I believe).
>>
>> - Morrow
>>
>>
>>
>> -----Original Message-----
>> From: websecurity-bounces at lists.webappsec.org
>> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of Paul
>> Johnston
>> Sent: Friday, March 25, 2011 6:32 AM
>> To: Webappsec Group
>> Subject: [WEB SECURITY] Training web app pentesters
>>
>> Hi,
>>
>> I have some guys who I need to train to be web app testers. Initially to
>> work under the supervision of an experienced tester.
>>
>> I realise there are a number of courses we could send them on, but these
>> are quite competent guys and I think they can get a long way with a
>> self-study approach.
>>
>> I've got them working through WebGoat at the moment. My general
>> impression is that this is not a bad start, although some lessons are
>> better than others. One particular criticism though is that it's too
>> easy really. For example, you learn about simple cross-site scripting,
>> but not more subtle attack vectors, e.g. injection into attributes, URL
>> encoding, etc.
>>
>> I've also got them reading the OWASP testing guide. Although, at over
>> 300 pages, reading this from start to finish is not for the faint-hearted
>> - it's more useful as a reference.
>>
>> So, does anyone here have suggestions of material to use for this. I
>> know there are many vulnerable apps like WebGoat; are there some that
>> are a bit more difficult for the tester?
>>
>> Regards,
>>
>> Paul
>>
>> --
>> Pentest - When a tick in the box is not enough
>>
>> Paul Johnston - IT Security Consultant / Tiger SST
>> Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
>>
>> Office: +44 (0) 161 233 0100
>> Mobile: +44 (0) 7817 219 072
>>
>> Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
>> Registered Number: 4217114 England & Wales
>> Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
>>
>> _______________________________________________
>> The Web Security Mailing List
>>
>> WebSecurity RSS Feed
>> http://www.webappsec.org/rss/websecurity.rss
>>
>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>> websecurity at lists.webappsec.org
>>
>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>>
>>


-- 
01000001 01110101 01110011 01101111 01101101 01100101 00110001
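Paul's original message asks for material that goes past simple cross-site scripting into injection into attributes and URL encoding. The following is an added example, not code from anyone in this thread or from WebGoat, that shows the defensive side of exactly that gap: the body-context escaping introductory lessons teach is not enough once user data lands in an unquoted attribute or a URL parameter. It goes a little beyond the message by covering three output contexts (HTML body, attribute, URL parameter) and an href scheme check. All function names and inputs are constructed for this example.

```python
"""Context-aware output encoding: body, attribute and URL contexts.

Added example, not code from the mailing-list thread. All inputs are
constructed. It shows why body-context escaping is not enough once user
data lands in an unquoted HTML attribute or a URL parameter, and what a
context-specific encoder does instead.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Only alphanumerics stay literal in attribute context; everything else
# (space, quotes, '=', '/', '<', ...) becomes a numeric character reference
# so it can no longer terminate the attribute or start a new one.
_ATTR_SAFE = re.compile(r"[A-Za-z0-9]")
_ALLOWED_SCHEMES = {"http", "https"}


def encode_html_body(value: str) -> str:
    """Escape text placed between tags: <p>HERE</p>."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Escape text placed inside an attribute value, quoted or unquoted."""
    return "".join(
        ch if _ATTR_SAFE.match(ch) else f"&#x{ord(ch):x};" for ch in value
    )


def encode_url_param(value: str) -> str:
    """Percent-encode a value placed into a query-string parameter."""
    return quote(value, safe="")


def safe_href(url: str) -> str:
    """Attribute-ready href that only admits absolute http(s) URLs.

    Encoding alone does not help here: a URL with another scheme is a
    perfectly well-encoded attribute value, so the scheme is checked first.
    Relative links are rejected too; a real app would add its own rule.
    """
    url = url.strip()
    if urlsplit(url).scheme.lower() not in _ALLOWED_SCHEMES:
        return "#"
    return html.escape(url, quote=True)


def render_title_naive(user_value: str) -> str:
    """Weak pattern: body-context escaping into an unquoted attribute."""
    return f"<div title={encode_html_body(user_value)}>item</div>"


def render_title_hardened(user_value: str) -> str:
    """Same template with attribute-context encoding."""
    return f"<div title={encode_html_attr(user_value)}>item</div>"


class _DivAttrs(HTMLParser):
    """Collects the attributes the parser sees on the first <div>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}
        self.seen = False

    def handle_starttag(self, tag, attrs):
        if tag == "div" and not self.seen:
            self.seen = True
            self.attrs = dict(attrs)


def parsed_div_attrs(markup: str) -> dict:
    """Tokenise markup the way a browser would and return the div's attributes."""
    p = _DivAttrs()
    p.feed(markup)
    p.close()
    return p.attrs


if __name__ == "__main__":
    # Constructed input: a space and an '=' are enough to add an attribute
    # when the template does not quote the value.
    probe = "foo onmouseover=bar"
    print(render_title_naive(probe), parsed_div_attrs(render_title_naive(probe)))
    print(render_title_hardened(probe), parsed_div_attrs(render_title_hardened(probe)))
    print(encode_url_param("a b&c=d"))
    print(safe_href("data:text/plain,hello"), safe_href("https://example.com/?q=<x>"))
```

Running the block shows the naive template producing two attributes from one user value while the hardened template keeps it as a single `title`; that parsed-attribute count is a cheap unit test to put next to any templating helper so the distinction survives later refactoring.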

