[WEB SECURITY] Training web app pentesters

Andre Gironda andreg at gmail.com
Sun Mar 27 16:56:51 EDT 2011

On Sat, Mar 26, 2011 at 6:26 PM, Steve Pinkham <steve.pinkham at gmail.com> wrote:
> On 03/25/2011 06:32 AM, Paul Johnston wrote:
>> So, does anyone here have suggestions of material to use for this. I
>> know there are many vulnerable apps like WebGoat; are there some that
>> are a bit more difficult for the tester?

My suggested starting point is VirtualBox + owaspbwa.googlecode.com
but tweak its /etc/php5/apache2/php.ini:
display_errors = On
error_reporting = E_ALL | E_STRICT
register_globals = On
allow_url_fopen = On
allow_url_include = On

My favorite is the Burp Pro tool and the PortSwigger Ltd "Web
Application Hacker's Handbook: Live Edition" training, but these have
a cost to them. The other expensive classes that I think could
probably be valuable are the ones offered by Aspect Security.

If you are sticking with free tools -- WATOBO, WhatWeb, inspathx,
Fiddler2 (with Watcher and x5s), wcsa.googlecode.com,
securetomcat.googlecode.com, OWASP Code Crawler, PHP RIPS,
AppCodeScan, Eclipse with LAPSE+, and VisualStudio (Trial) with
CAT.NET -- are your best bets. For consolidation of testing data, both
The Dradis Framework and Gremwell MagicTree can be essential,
especially when combined with Metasploit and nmap. I'll occasionally
use SHODAN, OpenVAS, or standalone tools like Josh Abraham's Fierce
when leveraging network penetration-testing data for my web
application penetration-testing efforts (most of this stuff is covered
in Chris McNab's Network Security Assessment, Second Edition book).
There are some interesting tools for exploitation and
post-exploitation besides just Metasploit (which always seems to be
integrating with other tools like sqlmap, fimap, XSSF, etc), and I
tend to like Havij, Cain, hashkill (and hashkiller.com, unrelated),
lfi_sploiter.py 1.2, lfimap, Yokoso, etc.

I prefer the Chrome Browser for application testing these days
(although I do not generally use it as my normal day-to-day browser),
but I run it with --disable-metrics --disable-metrics-reporting
--disable-databases --disable-ipv6 --disable-sync
--disable-sync-bookmarks --disable-nacl --disable-plugins. I also use
the following Extensions: Edit This Cookie, EXIF Viewer, Form Fuzzer,
KB SSL Enforcer, Proxy Switchy, Smooth Gestures (with File Protocols),
and Snap Links Lite.

Here's my "top 5" books:
1) The Art of Software Security Assessment
2) The Web Application Hacker's Handbook
3) Hunting Security Bugs
4) SQL Injection Attacks & Defenses
5) The ModSecurity Handbook

But if you're addicted to reading, then you also might want to check
out: Web Application Obfuscation:
'-/WAFs..Evasio?n..Filters//ale?rt(/Obfuscation?/)-', Beginning
ASP.NET Security (already mentioned), Ajax Security, Pro PHP Security:
From Application Security Principles to the Implementation of XSS
Defenses, Seven Deadliest Web Application Attacks, 24 Deadly Sins of
Software Security: Programming Flaws and How to Fix Them, Hacking: The
Next Generation, SQL Server Forensic Analysis, Web Security Testing
Cookbook: Systematic Techniques to Find Problems Fast, Web 2.0
Security - Defending AJAX, RIA, AND SOA, Hacking Exposed Web 2.0: Web
2.0 Security Secrets and Solutions, Hacking Exposed Web Applications
Third Edition, and How to Break Web Software: Functional and Security
Testing of Web Applications. I feel that each of these books is unique
enough to cover something of interest.

Besides all of the authors and technical reviewers of the above books,
it's also good to follow the work of Cory Scott, Jim Manico, Chris
Schmidt, Mario Heiderich, Gareth Hayes, Pete Herzog, Brian Holyfield,
Bernardo Damele, Ferruh Mavituna, Roberto Salgado, Tate Hansen, Ryan
Barnett, and the work of SAMATE, OWASP, WASC, ISECOM, and

I am looking forward to the new release of Web Security Dojo, but
currently prefer OWASPBWA. There is a lot out there to learn in web
app pen-testing, so it's best to stick to a game plan. I believe I
outlined the more important ones in my email, but others will have
their own likes and dislikes (which I think are often biased or
misguided). In this thread, it is clear that the authors of several
virtual machine learning environments want to push their own projects,
which is fine -- but it's really only convenient to have 1-2 guest VMs
running on your local laptop/desktop at any given time. I also think
that too many projects and tools take away the focus that is necessary
during the learning process.

Another example is this recent blog post --
-- where the author suggests too many tools. For example, I don't
think that SQL Inject Me, ZAP, HackBar, Burp Suite Free Edition,
Tamper Data, Nikto/Wikto, Samurai WTF, FoxyProxy, W3AF, skipfish, or
Websecurify are really worth any discussion. I do not suggest using
Firefox as a testing platform: Chrome offers more efficient support
for DOM inspection and other performance optimizations.

I would say that mastery in WhatWeb, inspathx, and SHODAN will lead to
better early analysis efforts when pre-supposing black-box, or zero
knowledge testing (especially during the recon stage). The reason is
that the underlying platform and framework analysis should be
performed -- the pen-tester should learn how to create his or her own
idea of what Apache/IIS/nginx, PHP/ASP.NET/Tomcat configuration, etc
parameters and tweaks exist. The tester should be able to identify
existing open-source components in target web applications. Then, the
tester should download those components and find vulnerabilities in
them under the elicited configuration environment.
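A defender-side check for the php.ini directives listed at the top of the post, written as an added example rather than anything from the thread: it parses a constructed php.ini fragment containing those lab tweaks and reports each directive that differs from the production-safe value. The hardened values are the standard recommendations and are my assumption, not part of the post.

```python
import re

# Constructed sample fragment: the lab tweaks from the post as they would
# appear in php.ini, plus one extra directive to show it is left alone.
LAB_PHP_INI = """
; constructed sample, not a real server's file
display_errors = On
error_reporting = E_ALL | E_STRICT
register_globals = On
allow_url_fopen = On
allow_url_include = On
expose_php = On
"""

# Production-safe values for the directives the training tweak loosens
# (assumed hardened baseline; register_globals was removed in PHP 5.4).
HARDENED = {
    "display_errors": "Off",
    "register_globals": "Off",
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
}

def _norm(value):
    """Map php.ini boolean spellings (1/0, yes/no, true/false, empty) to on/off."""
    v = value.strip().strip('"').lower()
    return {"1": "on", "true": "on", "yes": "on",
            "0": "off", "false": "off", "no": "off", "": "off"}.get(v, v)

def parse_php_ini(text):
    """Return {directive: value} from a php.ini fragment, skipping comments and sections."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop ';' comments
        if not line or line.startswith("["):    # skip blanks and [section] headers
            continue
        m = re.match(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit_php_ini(text):
    """List (directive, found, expected) for every baseline directive not set to its hardened value.
    A directive that is absent is reported too, since the compiled-in default may be permissive."""
    settings = parse_php_ini(text)
    return [(d, settings.get(d, "<unset>"), exp)
            for d, exp in HARDENED.items()
            if _norm(settings.get(d, "<unset>")) != _norm(exp)]

if __name__ == "__main__":
    for directive, found, expected in audit_php_ini(LAB_PHP_INI):
        print(f"{directive}: {found} (expected {expected})")
```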
