websecurity@lists.webappsec.org

The Web Security Mailing List


Training web app pentesters

Paul Johnston
Fri, Mar 25, 2011 10:32 AM

Hi,

I have some guys who I need to train to be web app testers. Initially to
work under the supervision of an experienced tester.

I realise there are a number of courses we could send them on, but these
are quite competent guys and I think they can get a long way with a
self-study approach.

I've got them working through WebGoat at the moment. My general
impression is that this is not a bad start, although some lessons are
better than others. One particular criticism though is that it's too
easy really. For example, you learn about simple cross-site scripting,
but not more subtle attack vectors, e.g. injection into attributes, URL
encoding, etc.

I've also got them reading the OWASP testing guide. Although, at over
300 pages, reading this from start to finish is not for the
faint-hearted - it's more useful as a reference.

So, does anyone here have suggestions of material to use for this. I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?

Regards,

Paul

--
Pentest - When a tick in the box is not enough

Paul Johnston - IT Security Consultant / Tiger SST
Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
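The two vectors Paul says WebGoat skips, injection into an attribute and URL encoding, as an added worked example (not code from WebGoat, the OWASP testing guide, or anyone in this thread): a hypothetical search form rendered by a filter that only strips angle brackets, beside a context-aware encoding, plus a blacklist that inspects the parameter before URL-decoding it. The form, function names and payloads are assumptions. The check at the end parses the rendered fragment the way a browser tokenises it, which is the evidence a tester wants rather than a string match on the response.

```python
"""Attribute-context XSS and URL encoding: the two 'subtle' vectors the post
above says WebGoat skips.  Added example for this thread, not code from
WebGoat or from any participant.  The search form, the filters and the
payloads are hypothetical."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote


def naive_render(user_input: str) -> str:
    """Hypothetical 'fix' that stops <script> in text context by stripping
    angle brackets, then reflects the value inside a quoted attribute."""
    cleaned = user_input.replace("<", "").replace(">", "")
    return f'<input type="text" name="q" value="{cleaned}">'


def hardened_render(user_input: str) -> str:
    """Context-aware encoding: quote=True also encodes " and ', so the value
    can never close the attribute it is placed in."""
    return f'<input type="text" name="q" value="{escape(user_input, quote=True)}">'


def blacklist_then_decode(raw_param: str) -> str:
    """Hypothetical ordering bug: the blacklist inspects the raw query-string
    value and only afterwards URL-decodes it, as the web server would."""
    if "onmouseover" in raw_param.lower():
        raise ValueError("blocked by blacklist")
    return naive_render(unquote(raw_param))


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, tokenised the way a
    browser does it (entity references inside values are decoded)."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)


def input_attributes(html: str) -> dict:
    p = _InputAttrs()
    p.feed(html)
    return p.attrs or {}


def has_event_handler(html: str) -> bool:
    """The tester's check: did an on* attribute end up on the element?"""
    return any(name.lower().startswith("on") for name in input_attributes(html))


# Constructed payloads.  ENCODED is what the browser sends for PAYLOAD;
# PARTIAL hides the handler name from a pre-decoding blacklist (%6f == 'o').
PAYLOAD = '" onmouseover="alert(1)'
ENCODED = '%22%20onmouseover%3D%22alert(1)'
PARTIAL = '%22%20onm%6fuseover%3D%22alert(1)'


def run_cases() -> dict:
    """Return {case: injected event handler present?} per filter/payload pair."""
    results = {
        "naive/plain": has_event_handler(naive_render(PAYLOAD)),
        "naive/url-encoded": has_event_handler(naive_render(unquote(ENCODED))),
        "hardened/plain": has_event_handler(hardened_render(PAYLOAD)),
        "hardened/url-encoded": has_event_handler(hardened_render(unquote(ENCODED))),
    }
    try:
        results["blacklist/url-encoded"] = has_event_handler(blacklist_then_decode(ENCODED))
    except ValueError:
        results["blacklist/url-encoded"] = False  # blacklist caught the literal name
    results["blacklist/partially-encoded"] = has_event_handler(blacklist_then_decode(PARTIAL))
    return results


if __name__ == "__main__":
    for case, injected in run_cases().items():
        print(f"{case:28} injected={injected}")
```

The naive form ends up with an onmouseover handler for both the plain and the URL-encoded payload; the hardened form keeps the whole payload as the literal value of the attribute; the pre-decoding blacklist stops the literal handler name but not the %6f-encoded one. Pointed at a training app, the same parser check tells you whether a lesson's "fix" was text-context only.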

Ryan Dewhurst
Sat, Mar 26, 2011 7:21 PM

You could give Damn Vulnerable Web App (DVWA) a go. But I am biased. :)

Ryan Dewhurst

blog www.ethicalhack3r.co.uk
projects www.dvwa.co.uk | www.webwordcount.com
twitter www.twitter.com/ethicalhack3r

H Morrow Long
Sat, Mar 26, 2011 10:34 PM

There is an open source (SourceForge) project sponsored and run by Maven
Security which has integrated many of the tutorial web security lessons and
tools into one package -- Web Security Dojo.

See: http://www.mavensecurity.com/web_security_dojo/

You download a VirtualBox or VMware virtual machine (both are available via
the above URL) and then start up the VM (Ubuntu-based I believe).

- Morrow

Steve Pinkham
Sun, Mar 27, 2011 1:26 AM

On 03/25/2011 06:32 AM, Paul Johnston wrote:

So, does anyone here have suggestions of material to use for this. I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?

Web Security Dojo is a VM we built for our training classes, and others
have found it useful.  It has tools, targets, and documentation all
pre-installed and configured.

http://dojo.mavensecurity.com

Other similar projects are:
OWASP Broken Web Applications - Just targets, but has a different
selection than Dojo, with more old versions of real apps.
http://code.google.com/p/owaspbwa/

Ultimate Lamp - Old insecure open source software
http://ronaldbradford.com/blog/ultimatelamp-2006-05-19/

Moth - test environment for w3af, has their own test app and a few
broken apps. Built to use mod_security and/or PHP-IDS easily.
http://www.bonsai-sec.com/en/research/moth.php

I know there are others that escape me at the moment, but those are the
ones I've used on a regular basis.

Also, I've got a new version of Dojo cooking that should be out next
week with WAVSEP, ZAP WAVE, a bunch of Ruby tools, and updates. WAVSEP
and ZAP WAVE were built as test environments for scanner tools, but have
more of the "fancy" cases of vulns to solve than the typical broken web
app. There's still not one best test app, which is why all the VMs have
a number of different apps to test with.

Hope that helps!

--
| Steven Pinkham, Security Consultant    |
| http://www.mavensecurity.com          |
| GPG public key ID CD31CAFB            |

harry@woodward-clarke.com
Sun, Mar 27, 2011 4:20 AM

G'day,

As a trainer / teacher in this area, there are a couple of resources -
other than the brilliant materials on OWASP :') - that I have used / am
using.

There is a bunch of stuff across the IronGeek site (irongeek.com) that is
useful for intro work. "How to break web software" by Mike Andrews
(formerly of Foundstone, and then McAfee) and "The Web Application Hacker's
Handbook" (Stuttard and Pinto). As the people I am teaching are developers
(or are becoming developers) I also use "Beginning ASP.NET security" by
Barry Dorrans (from Microsoft UK) as well as the OWASP resources incl. and
esp. ESAPI and such.

Then there is a bunch of other stuff I have gathered in bits and pieces
over the years, including stuff from this list :)

Then there are all the little tools and knick-knacks like Firebug, Selenium,
ParosProxy, Netcat, httprint, ssl-digger, telnet, and the list goes on...

Hopefully there is something to chew on :)

have fun,

.h

Serkan Özkan
Sun, Mar 27, 2011 9:07 AM

Hi,
If they don't have hands-on web application development experience, make
them develop some web applications. Then make them test and fix their own
applications.
I don't think someone can really understand the real case if he/she does
not know how a web application works, what the code might actually look like,
and what should be done to fix the problem.

Regards
Serkan Özkan

albino
Sun, Mar 27, 2011 10:26 AM

The OWASP broken web apps collection is also good in that it combines quite a
few different applications.

I'm creating one called hackxor myself at the moment. It is a lot more
difficult than WebGoat but it won't leave beta for the next week or two.

albino

Andre Gironda
Sun, Mar 27, 2011 8:56 PM

On Sat, Mar 26, 2011 at 6:26 PM, Steve Pinkham steve.pinkham@gmail.com wrote:

On 03/25/2011 06:32 AM, Paul Johnston wrote:

So, does anyone here have suggestions of material to use for this. I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?

My suggested starting point is VirtualBox + owaspbwa.googlecode.com
but tweak its /etc/php5/apache2/php.ini:
display_errors = On
error_reporting = E_ALL | E_STRICT
register_globals = On
allow_url_fopen = On
allow_url_include = On

My favorite is the Burp Pro tool and the PortSwigger Ltd "Web
Application Hacker's Handbook: Live Edition" training, but these have
a cost to them. The other expensive classes that I think could
probably be valuable are the ones offered by Aspect Security.

If you are sticking with free tools -- WATOBO, WhatWeb, inspathx,
Fiddler2 (with Watcher and x5s), wcsa.googlecode.com,
securetomcat.googlecode.com, OWASP Code Crawler, PHP RIPS,
AppCodeScan, Eclipse with LAPSE+, and VisualStudio (Trial) with
CAT.NET -- are your best bets. For consolidation of testing data, both
The Dradis Framework and Gremwell MagicTree can be essential,
especially when combined with Metasploit and nmap. I'll occasionally
use SHODAN, OpenVAS, or standalone tools like Josh Abraham's Fierce
when leveraging network penetration-testing data for my web
application penetration-testing efforts (most of this stuff is covered
in Chris McNab's Network Security Assessment, Second Edition book).
There are some interesting tools for exploitation and
post-exploitation besides just Metasploit (which always seems to be
integrating with other tools like sqlmap, fimap, XSSF, etc), and I
tend to like Havij, Cain, hashkill (and hashkiller.com, unrelated),
lfi_sploiter.py 1.2, lfimap, Yokoso, etc.

I prefer the Chrome Browser for application testing these days
(although I do not generally use it as my normal day-to-day browser),
but I run it with --disable-metrics --disable-metrics-reporting
--disable-databases --disable-ipv6 --disable-sync
--disable-sync-bookmarks --disable-nacl --disable-plugins. I also use
the following Extensions: Edit This Cookie, EXIF Viewer, Form Fuzzer,
KB SSL Enforcer, Proxy Switchy, Smooth Gestures (with File Protocols),
and Snap Links Lite.

Here's my "top 5" books:

  1. The Art of Software Security Assessment
  2. The Web Application Hacker's Handbook
  3. Hunting Security Bugs
  4. SQL Injection Attacks & Defenses
  5. The ModSecurity Handbook

But if you're addicted to reading, then you also might want to check
out: Web Application Obfuscation:
'-/WAFs..Evasio?n..Filters//ale?rt(/Obfuscation?/)-', Beginning
ASP.NET Security (already mentioned), Ajax Security, Pro PHP Security:
From Application Security Principles to the Implementation of XSS
Defenses, Seven Deadliest Web Application Attacks, 24 Deadly Sins of
Software Security: Programming Flaws and How to Fix Them, Hacking: The
Next Generation, SQL Server Forensic Analysis, Web Security Testing
Cookbook: Systematic Techniques to Find Problems Fast, Web 2.0
Security - Defending AJAX, RIA, AND SOA, Hacking Exposed Web 2.0: Web
2.0 Security Secrets and Solutions, Hacking Exposed Web Applications
Third Edition, and How to Break Web Software: Functional and Security
Testing of Web Applications. I feel that each of these books is unique
enough to cover something of interest.

Besides all of the authors and technical reviewers of the above books,
it's also good to follow the work of Cory Scott, Jim Manico, Chris
Schmidt, Mario Heiderich, Gareth Heyes, Pete Herzog, Brian Holyfield,
Bernardo Damele, Ferruh Mavituna, Roberto Salgado, Tate Hansen, Ryan
Barnett, and the work of SAMATE, OWASP, WASC, ISECOM, and
http://pentest.cryptocity.net.

I am looking forward to the new release of Web Security Dojo, but
currently prefer OWASPBWA. There is a lot out there to learn in web
app pen-testing, so it's best to stick to a game plan. I believe I
outlined the more important ones in my email, but others will have
their own likes and dislikes (which I think are often biased or
misguided). In this thread, it is clear that the authors of several
virtual machine learning environments want to push their own projects,
which is fine -- but it's really only convenient to have 1-2 guest VMs
running on your local laptop/desktop at any given time. I also think
that too many projects and tools take away the focus that is necessary
during the learning process.

Another example is this recent blog post --
http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/
-- where the author suggests too many tools. For example, I don't
think that SQL Inject Me, ZAP, HackBar, Burp Suite Free Edition,
Tamper Data, Nikto/Wikto, Samurai WTF, FoxyProxy, W3AF, skipfish, or
Websecurify are really worth any discussion. I do not suggest using
Firefox as a testing platform: Chrome has more efficient support for
DOM inspection and other performance optimizations.

I would say that mastery in WhatWeb, inspathx, and SHODAN will lead to
better early analysis efforts when pre-supposing black-box, or zero
knowledge testing (especially during the recon stage). The reason is
that the underlying platform and framework analysis should be
performed -- the pen-tester should learn how to create his or her own
idea of what Apache/IIS/nginx, PHP/ASP.NET/Tomcat configuration, etc
parameters and tweaks exist. The tester should be able to identify
existing open-source components in target web applications. Then, the
tester should download those components and find vulnerabilities in
them under the elicited configuration environment.

Cheers,
Andre

DR
David Rajchenbach-Teller
Mon, Mar 28, 2011 6:12 AM

I would suggest
- http://google-gruyere.appspot.com/ (Google's hands-on tutorial on web defense)
- http://code.google.com/edu/security/index.html (Google's further video tutorials on the topic)

Best regards,
David

--
David Rajchenbach-Teller
CSO, MLstate

On Mar 27, 2011, at 10:56 PM, Andre Gironda wrote:

On Sat, Mar 26, 2011 at 6:26 PM, Steve Pinkham <steve.pinkham@gmail.com> wrote:

On 03/25/2011 06:32 AM, Paul Johnston wrote:

So, does anyone here have suggestions of material to use for this. I
know there are many vulnerable apps like WebGoat; are there some that
are a bit more difficult for the tester?

My suggested starting point is VirtualBox + owaspbwa.googlecode.com
but tweak its /etc/php5/apache2/php.ini
display_errors = On
error_reporting = E_ALL | E_STRICT
register_globals = On
allow_url_fopen = On
allow_url_include = On

My favorite is the Burp Pro tool and the PortSwigger Ltd "Web
Application Hacker's Handbook: Live Edition" training, but these have
a cost to them. The other expensive classes that I think could
probably be valuable are the ones offered by Aspect Security.

If you are sticking with free tools -- WATOBO, WhatWeb, inspathx,
Fiddler2 (with Watcher and x5s), wcsa.googlecode.com,
securetomcat.googlecode.com, OWASP Code Crawler, PHP RIPS,
AppCodeScan, Eclipse with LAPSE+, and VisualStudio (Trial) with
CAT.NET -- are your best bets. For consolidation of testing data, both
The Dradis Framework and Gremwell MagicTree can be essential,
especially when combined with Metasploit and nmap. I'll occasionally
use SHODAN, OpenVAS, or standalone tools like Josh Abraham's Fierce
when leveraging network penetration-testing data for my web
application penetration-testing efforts (most of this stuff is covered
in Chris McNab's Network Security Assessment, Second Edition book).
There are some interesting tools for exploitation and
post-exploitation besides just Metasploit (which always seems to be
integrating with other tools like sqlmap, fimap, XSSF, etc), and I
tend to like Havij, Cain, hashkill (and hashkiller.com, unrelated),
lfi_sploiter.py 1.2, lfimap, Yokoso, etc.

I prefer the Chrome Browser for application testing these days
(although I do not generally use it as my normal day-to-day browser),
but I run it with --disable-metrics --disable-metrics-reporting
--disable-databases --disable-ipv6 --disable-sync
--disable-sync-bookmarks --disable-nacl --disable-plugins. I also use
the following Extensions: Edit This Cookie, EXIF Viewer, Form Fuzzer,
KB SSL Enforcer, Proxy Switchy, Smooth Gestures (with File Protocols),
and Snap Links Lite.

Here's my "top 5" books:

  1. The Art of Software Security Assessment
  2. The Web Application Hacker's Handbook
  3. Hunting Security Bugs
  4. SQL Injection Attacks & Defenses
  5. The ModSecurity Handbook

But if you're addicted to reading, then you also might want to check
out: Web Application Obfuscation:
'-/WAFs..Evasio?n..Filters//ale?rt(/Obfuscation?/)-', Beginning
ASP.NET Security (already mentioned), Ajax Security, Pro PHP Security:
From Application Security Principles to the Implementation of XSS
Defenses, Seven Deadliest Web Application Attacks, 24 Deadly Sins of
Software Security: Programming Flaws and How to Fix Them, Hacking: The
Next Generation, SQL Server Forensic Analysis, Web Security Testing
Cookbook: Systematic Techniques to Find Problems Fast, Web 2.0
Security - Defending AJAX, RIA, AND SOA, Hacking Exposed Web 2.0: Web
2.0 Security Secrets and Solutions, Hacking Exposed Web Applications
Third Edition, and How to Break Web Software: Functional and Security
Testing of Web Applications. I feel that each of these books is unique
enough to cover something of interest.

Besides all of the authors and technical reviewers of the above books,
it's also good to follow the work of Cory Scott, Jim Manico, Chris
Schmidt, Mario Heiderich, Gareth Heyes, Pete Herzog, Brian Holyfield,
Bernardo Damele, Ferruh Mavituna, Roberto Salgado, Tate Hansen, Ryan
Barnett, and the work of SAMATE, OWASP, WASC, ISECOM, and
http://pentest.cryptocity.net.

I am looking forward to the new release of Web Security Dojo, but
currently prefer OWASPBWA. There is a lot out there to learn in web
app pen-testing, so it's best to stick to a game plan. I believed I
outlined the more important ones in my email, but others will have
their own likes and dislikes (which I think are often biased or
misguided). In this thread, it is clear that the authors of several
virtual machine learning environments want to push their own projects,
which is fine -- but it's really only convenient to have 1-2 guest VMs
running on your local laptop/desktop at any given time. I also think
that too many projects and tools take away the focus that is necessary
during the learning process.

Another example is this recent blog post --
http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/
-- where the author suggests too many tools. For example, I don't
think that SQL Inject Me, ZAP, HackBar, Burp Suite Free Edition,
Tamper Data, Nikto/Wikto, Samurai WTF, FoxyProxy, W3AF, skipfish, or
Websecurify are really worth any discussion. I do not suggest using
Firefox as a testing platform: Chrome has more efficient support for
DOM inspection and other performance optimizations.

I would say that mastery in WhatWeb, inspathx, and SHODAN will lead to
better early analysis efforts when pre-supposing black-box, or zero
knowledge testing (especially during the recon stage). The reason is
that the underlying platform and framework analysis should be
performed -- the pen-tester should learn how to create his or her own
idea of what Apache/IIS/nginx, PHP/ASP.NET/Tomcat configuration, etc
parameters and tweaks exist. The tester should be able to identify
existing open-source components in target web applications. Then, the
tester should download those components and find vulnerabilities in
them under the elicited configuration environment.

Cheers,
Andre


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
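The php.ini tweaks quoted in Andre's message make the OWASPBWA guest deliberately fragile, which is the point of a training VM but a problem if the same file is ever copied anywhere else. The following is an added example (not from the thread or from any project named in it): a small Python audit that parses php.ini text, reports which of those lab-only directives are switched on, and rewrites them to Off. The sample php.ini is constructed from the directives in the quoted message; the directive descriptions are my own.

```python
import re

# Directives from the quoted php.ini tweaks and why each belongs only on an
# isolated training guest. error_reporting is not listed: verbose reporting
# is harmless by itself, it is display_errors that leaks it to the client.
LAB_ONLY = {
    "register_globals": "request parameters are auto-created as PHP globals",
    "allow_url_include": "include/require will fetch and execute remote code",
    "allow_url_fopen": "file functions accept http:// and ftp:// URLs",
    "display_errors": "errors, paths and stack traces are shown to the client",
}

# Values php.ini treats as boolean true (matched case-insensitively).
_TRUE_VALUES = {"1", "on", "true", "yes"}

# directive = value   (directive names may contain dots, e.g. session.use_cookies)
_LINE_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")


def parse_php_ini(text):
    """Return {directive: value} from php.ini text; comments and [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # ';' starts a comment in php.ini
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip('"')
    return settings


def is_enabled(value):
    return value.strip().lower() in _TRUE_VALUES


def audit_php_ini(text):
    """List (directive, reason) for every lab-only directive that is switched on."""
    settings = parse_php_ini(text)
    return [(d, why) for d, why in LAB_ONLY.items()
            if d in settings and is_enabled(settings[d])]


def harden_php_ini(text):
    """Return the same text with each enabled lab-only directive set to Off; other lines untouched."""
    out = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.split(";", 1)[0])
        if m and m.group(1).lower() in LAB_ONLY and is_enabled(m.group(2).strip('"')):
            out.append(f"{m.group(1)} = Off")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed sample: the tweaks from the quoted message plus a section header and a comment.
LAB_PHP_INI = """\
[PHP]
; lab-only tweaks for the OWASPBWA guest
display_errors = On
error_reporting = E_ALL | E_STRICT
register_globals = On
allow_url_fopen = On
allow_url_include = On
"""

if __name__ == "__main__":
    for directive, reason in audit_php_ini(LAB_PHP_INI):
        print(f"{directive}: {reason}")
    print(harden_php_ini(LAB_PHP_INI))
```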
