[WEB SECURITY] Training web app pentesters

harry at woodward-clarke.com harry at woodward-clarke.com
Sun Mar 27 00:20:42 EDT 2011


as a trainer / teacher in this area. There are  a couple of resources -
other than the *brilliant* materials on OWASP :') - that I have used / am

There is a bunch of stuff across the IronGeek site (irongeek.com) that is
useful for intro work. "How to break web software" by Mike Andrews
(formerly of Foundstone, and then McAfee) and "The Web Application Hacker's
Handbook" (Stuttard and Pinto). As the people I am teaching are developers
(or are becoming developers) I also use "Beginning ASP.NET security" by
Barry Dorrans (from Microsoft UK) as well as the OWASP resources incl. and
esp. ESAPI and such.

Then there is a bunch of other stuff I have gathered in bits and pieces
over the years, including stuff from this list :)

Then there are all the little tools and nick-nacks like Firebug, Selenium,
ParosProxy, Netcat, httpprint, ssl-digger, telnet, and the list goes on...

Hopefully there is something to chew on :)

have fun,


On Fri, 25 Mar 2011 10:32:14 +0000, Paul Johnston

<paul.johnston at pentest.co.uk> wrote:
> Hi,
> I have some guys who I need to train to be web app testers. Initially to
> work under the supervision of an experienced tester.
> I realise there are a number of courses we could send them on, but these
> are quite competent guys and I think they can get a long way with a
> self-study approach.
> I've got them working through WebGoat at the moment. My general
> impression is that this is not a bad start, although some lessons are
> better than others. One particular criticism though is that it's too
> easy really. For example, you learn about simple cross-site scripting,
> but not more subtle attack vectors, e.g. injection into attributes, URL
> encoding, etc.
> I've also got them reading the OWASP testing guide. Although, at over
> 300 pages, reading this from start to finish is not for the feint
> hearted - it's more useful as a reference.
> So, does anyone here have suggestions of material to use for this. I
> know there are many vulnerable apps like WebGoat; are there some that
> are a bit more difficult for the tester?
> Regards,
> Paul

More information about the websecurity mailing list