[WEB SECURITY] Training web app pentesters

David Rajchenbach-Teller David.Teller at mlstate.com
Mon Mar 28 02:12:33 EDT 2011

I would suggest
- http://google-gruyere.appspot.com/ (Google's hands-on tutorial on web defense)
- http://code.google.com/edu/security/index.html (Google's further video tutorials on the topic)

Best regards,

  David Rajchenbach-Teller
  CSO, MLstate

On Mar 27, 2011, at 10:56 PM, Andre Gironda wrote:

> On Sat, Mar 26, 2011 at 6:26 PM, Steve Pinkham <steve.pinkham at gmail.com> wrote:
>> On 03/25/2011 06:32 AM, Paul Johnston wrote:
>>> So, does anyone here have suggestions of material to use for this. I
>>> know there are many vulnerable apps like WebGoat; are there some that
>>> are a bit more difficult for the tester?
> My suggested starting point is VirtualBox + owaspbwa.googlecode.com
> but tweak it's /etc/php5/apache2/php.ini
> display_errors = On
> error_reporting = E_ALL | E_STRICT
> register_globals = On
> allow_url_fopen = On
> allow_url_include = On
> My favorite is the Burp Pro tool and the PortSwigger Ltd "Web
> Application Hacker's Handbook: Live Edition" training, but these have
> a cost to them. The other expensive classes that I think could
> probably be valuable are the ones offered by Aspect Security.
> If you are sticking with free tools -- WATOBO, WhatWeb, inspathx,
> Fiddler2 (with Watcher and x5s), wcsa.googlecode.com,
> securetomcat.googlecode.com, OWASP Code Crawler, PHP RIPS,
> AppCodeScan, Eclipse with LAPSE+, and VisualStudio (Trial) with
> CAT.NET -- are you best bets. For consolidation of testing data, both
> The Dradis Framework and Gremwell MagicTree can be essential,
> especially when combined with Metasploit and nmap. I'll occasionally
> use SHODAN, OpenVAS, or standalone tools like Josh Abraham's Fierce
> when leveraging network penetration-testing data for my web
> application penetration-testing efforts (most of this stuff is covered
> in Chris McNab's Network Security Assessment, Second Edition book).
> There are some interesting tools for exploitation and
> post-exploitation besides just Metasploit (which always seems to be
> integrating with other tools like sqlmap, fimap, XSSF, etc), and I
> tend to like Havij, Cain, hashkill (and hashkiller.com, unrelated),
> lfi_sploiter.py 1.2, lfimap, Yokoso, etc.
> I prefer the Chrome Browser for application testing these days
> (although I do not generally use it as my normal day-to-day browser),
> but I run it with --disable-metrics --disable-metrics-reporting
> --disable-databases --disable-ipv6 --disable-sync
> --disable-sync-bookmarks --disable-nacl --disable-plugins. I also use
> the following Extensions: Edit This Cookie, EXIF Viewer, Form Fuzzer,
> KB SSL Enforcer, Proxy Switchy, Smooth Gestures (with File Protocols),
> and Snap Links Lite.
> Here's my "top 5" books:
> 1) The Art of Software Security Assessment
> 2) The Web Application Hacker's Handbook
> 3) Hunting Security Bugs
> 4) SQL Injection Attacks & Defenses
> 5) The ModSecurity Handbook
> But if you're addicted to reading, then you also might want to check
> out: Web Application Obfuscation:
> '-/WAFs..Evasio?n..Filters//ale?rt(/Obfuscation?/)-', Beginning
> ASP.NET Security (already mentioned), Ajax Security, Pro PHP Security:
> From Application Security Principles to the Implementation of XSS
> Defenses, Seven Deadliest Web Application Attacks, 24 Deadly Sins of
> Software Security: Programming Flaws and How to Fix Them, Hacking: The
> Next Generation, SQL Server Forensic Analysis, Web Security Testing
> Cookbook: Systematic Techniques to Find Problems Fast, Web 2.0
> Security - Defending AJAX, RIA, AND SOA, Hacking Exposed Web 2.0: Web
> 2.0 Security Secrets and Solutions, Hacking Exposed Web Applications
> Third Edition, and How to Break Web Software: Functional and Security
> Testing of Web Applications. I feel that each of these books is unique
> enough to cover something of interest.
> Besides all of the authors and technical reviewers of the above books,
> it's also good to follow the work of Cory Scott, Jim Manico, Chris
> Schmidt, Mario Heiderich, Gareth Hayes, Pete Herzog, Brian Holyfield,
> Bernardo Damele, Ferruh Mavituna, Roberto Salgado, Tate Hansen, Ryan
> Barnett, and the work of SAMATE, OWASP, WASC, ISECOM, and
> http://pentest.cryptocity.net.
> I am looking forward to the new release of Web Security Dojo, but
> currently prefer OWASPBWA. There is a lot out there to learn in web
> app pen-testing, so it's best to stick to a game plan. I believed I
> outlined the more important ones in my email, but others will have
> their own likes and dislikes (which I think are often biased or
> misguided). In this thread, it is clear that the authors of several
> virtual machine learning environments want to push their own projects,
> which is fine -- but it's really only convenient to have 1-2 guest VMs
> running on your local laptop/desktop at any given time. I also think
> that too many projects and tools take away the focus that is necessary
> during the learning process.
> Another example is this recent blog post --
> http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/
> -- where the author suggests too many tools. For example, I don't
> think that SQL Inject Me, ZAP, HackBar, Burp Suite Free Edition,
> Tamper Data, Nikto/Wikto, Samurai WTF, FoxyProxy, W3AF, skipfish, or
> Websecurify are really worth any discussion. I do not suggest using
> Firefox as a testing platform: Chrome supports more efficient support
> of DOM inspection and other performance optimizations.
> I would say that mastery in WhatWeb, inspathx, and SHODAN will lead to
> better early analysis efforts when pre-supposing black-box, or zero
> knowledge testing (especially during the recon stage). The reason is
> that the underlying platform and framework analysis should be
> performed -- the pen-tester should learn how to create his or her own
> idea of what Apache/IIS/nginx, PHP/ASP.NET/Tomcat configuration, etc
> parameters and tweaks exist. The tester should be able to identify
> existing open-source components in target web applications. Then, the
> tester should download those components and find vulnerabilities in
> them under the elicited configuration environment.
> Cheers,
> Andre
> _______________________________________________
> The Web Security Mailing List
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> http://twitter.com/wascupdates
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

More information about the websecurity mailing list