Send them to http://EnigmaGroup.org; they have over
170 hacking challenges on their site and plenty of articles and forum help
for the self learner.
On Sat, Mar 26, 2011 at 9:24 PM, Wasim Halani wasimhalani@gmail.com wrote:
You could refer to my blogpost at
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
It's basically a listing of all vulnerable web applications, specifically
created for learning web application security.
Hope you'll find it useful.
To keep silent when you can say something wise and useful is as bad as
keeping on propagating foolish and unwise thoughts. -- Imam Ali (p.b.u.h.)
On Sun, Mar 27, 2011 at 4:04 AM, H Morrow Long morrow.long@yale.edu wrote:
There is an open source (SourceForge) project sponsored and run by Maven
Security which has integrated many of the tutorial web security lessons and
tools into one package -- Web Security Dojo.
See: http://www.mavensecurity.com/web_security_dojo/
You download a VirtualBox or VMware virtual machine (both are available via
the above URL) and then start up the VM (Ubuntu-based I believe).
-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of Paul
Johnston
Sent: Friday, March 25, 2011 6:32 AM
To: Webappsec Group
Subject: [WEB SECURITY] Training web app pentesters
Hi,
I have some guys who I need to train to be web app testers. Initially to
work under the supervision of an experienced tester.
I realise there are a number of courses we could send them on, but these
are quite competent guys and I think they can get a long way with a
self-study approach.
I've got them working through WebGoat at the moment. My general
impression is that this is not a bad start, although some lessons are
better than others. One particular criticism though is that it's too
easy really. For example, you learn about simple cross-site scripting,
but not more subtle attack vectors, e.g. injection into attributes, URL
encoding, etc.
I've also got them reading the OWASP testing guide. Although, at over
300 pages, reading this from start to finish is not for the faint-hearted;
it's more useful as a reference.
So, does anyone here have suggestions of material to use for this. I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?
Regards,
Paul
--
Pentest - When a tick in the box is not enough
Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
--
01000001 01110101 01110011 01101111 01101101 01100101 00110001
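The subtler vectors Paul names in his question, injection into an attribute value and a URL-encoded payload, are easy to reproduce in a small harness that shows why a "simple XSS" lesson stops short. The block below is an added example written for this page; it is not code from WebGoat, Web Security Dojo, EnigmaGroup or any of the posters, and the search-box template, the two filters, the attribute parser and the payload strings are all constructed for illustration.

```javascript
// Added example for this page: the "subtler" XSS vectors named in the thread
// (injection into an attribute value, and a URL-encoded payload) against a
// filter that only looks for the textbook <script> tag. Everything here is
// constructed for illustration; it is not code from WebGoat, Web Security Dojo
// or any poster. Run with: node attribute_xss.js

// Constructed attacker inputs, as they would appear in a query string (?q=...).
const TEXTBOOK_PAYLOAD = "<script>alert(1)</script>";
const ATTRIBUTE_PAYLOAD_ENCODED = "%22%20autofocus%20onfocus%3D%22alert(1)";
// ATTRIBUTE_PAYLOAD_ENCODED decodes to:  " autofocus onfocus="alert(1)

// A pre-decode blocklist: rejects the raw query value if it contains quote or
// angle-bracket characters. It never sees the decoded form, so %22 slips past.
function rawBlocklistRejects(rawQueryValue) {
  return /["'<>]/.test(rawQueryValue);
}

// A tag-stripping filter of the kind a "simple XSS" lesson teaches: removes
// <script>...</script> and any remaining angle brackets. Sufficient against the
// textbook payload, useless inside an attribute value where no tag is needed.
function naiveFilter(input) {
  return input
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "")
    .replace(/[<>]/g, "");
}

// Vulnerable render: decode (as the framework would), strip tags, then drop the
// value into a double-quoted attribute. A literal " closes the attribute and
// the attacker's text becomes new attributes on the same tag.
function renderSearchBoxVulnerable(rawQueryValue) {
  const filtered = naiveFilter(decodeURIComponent(rawQueryValue));
  return `<input type="text" name="q" value="${filtered}">`;
}

// Context-aware encoding for an HTML attribute value: every character that can
// terminate or reshape the attribute becomes a numeric entity, so the value
// stays a string no matter what the attacker sends.
function encodeForHtmlAttribute(s) {
  return s.replace(/[&<>"'`=]/g,
    (ch) => `&#x${ch.charCodeAt(0).toString(16).toUpperCase()};`);
}

function renderSearchBoxHardened(rawQueryValue) {
  const encoded = encodeForHtmlAttribute(decodeURIComponent(rawQueryValue));
  return `<input type="text" name="q" value="${encoded}">`;
}

// A tester's check: list the attribute names on a single rendered tag. If an
// event-handler attribute (on*) shows up that the template never wrote, the
// attribute injection succeeded. Quoted values are consumed whole, so entities
// inside them cannot split an attribute.
function attributeNames(tagHtml) {
  const inner = tagHtml.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const attrRe = /([^\s=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = attrRe.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

function injectedEventHandlers(tagHtml) {
  return attributeNames(tagHtml).filter((n) => n.startsWith("on"));
}

// Summary of both payloads against both templates; returned (not just printed)
// so it can be checked programmatically.
function runDemo() {
  return {
    textbookStoppedByFilter:
      injectedEventHandlers(renderSearchBoxVulnerable(encodeURIComponent(TEXTBOOK_PAYLOAD))).length === 0,
    encodedPayloadPassesRawBlocklist: !rawBlocklistRejects(ATTRIBUTE_PAYLOAD_ENCODED),
    vulnerableHandlers: injectedEventHandlers(renderSearchBoxVulnerable(ATTRIBUTE_PAYLOAD_ENCODED)),
    hardenedHandlers: injectedEventHandlers(renderSearchBoxHardened(ATTRIBUTE_PAYLOAD_ENCODED)),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The lesson for a trainee: the tag-stripping filter and the raw-query blocklist both let the encoded payload through, because neither looks at the decoded value in the context where it lands, and an attribute context needs no angle brackets at all. Only output encoding chosen for that context keeps the value inside its quotes. Run it with node; the last line prints the summary returned by runDemo().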