
Thread: Road to Web Application Security

  1. #1
    Web Security Consultant amolnaik4's Avatar
    Join Date
    Jul 2011
    Location
    webr00t
    Posts
    277
    Blog Entries
    4

    Road to Web Application Security

    Hello friends,

    Here I'm posting the process I followed to learn web application security, and I think this will help many newcomers who want to make their career in web application security. Thanks to Prashant Uniyal for inspiring me to write this post.

    Note: I'm drunk, so please excuse any spelling mistakes or anything.

    The first and most important thing in web application security is to understand the web application. If you don't know how a web application works, you had better not touch it (for testing).

    So the first mission is to learn web applications. Start with developing something in any web development language. What I followed was PHP. It's easy to understand and there are good resources available. Following are the courses I recommend for learning PHP web development. I followed the same. Both are from lynda.com:
    PHP with MySQL Essential Training
    PHP with MySQL Beyond The Basics

    Both of these courses will give you enough knowledge about the web server, the MySQL database, the interaction of the web application with the backend database, dynamic SQL queries, etc. This knowledge will also help you to do source code analysis at a later stage.

    The next phase is more interesting to everyone. It's breaking the web application. The above courses have an exercise to build a Content Management System (CMS). Try to break it with your knowledge of hacking web applications. The advantage is that if you have a little knowledge of web application security, you will notice a few vulnerabilities while developing the application. This is helpful when you report any vulnerability during a web app pentest: you give better remediation than the standard one if it's PHP. You can follow the OWASP testing guide to test this application. This will cover the testing process, and you will have a ready-to-use target application which is different from WebGoat.

    I'd recommend making a report of all the vulnerabilities you found during the assessment. This will be helpful in the next stage. Follow the standard format of the vulnerability assessment report template, which can be found at vulnerabilityassessment.co.uk. A standard (technical) vulnerability report should have the vulnerability title, severity, vulnerable parameter/URL, PoC and finally recommendations.

    So now you have developed the application, and you broke it. Next is to patch all the findings. This stage will put you in the developer's shoes. Try to patch all the vulnerabilities with the help of external sources other than your own understanding, like the OWASP developers guide or resources from the Internet.

    When you complete patching, start breaking again. This is like re-validation, where you check that the patch developed by the developers hasn't introduced any new vulnerabilities, or that the patch applied is not sufficient.

    By this point you will have a good knowledge of application development and testing for security vulnerabilities, plus experience of patching them. Now you should try to find vulnerabilities in applications developed by other developers. The best place to find open source PHP applications is sourceforge.net. Try to target new applications, applications whose development stopped years back, etc. If you choose these applications, there are better chances to find vulnerabilities than trying hard targets like WordPress or Joomla. This will give you encouragement and confidence about security testing (we are humans and we need a lot of boosting).

    Try to follow 2 approaches: first blackbox, where you download the application, install it and test without looking at the source. The next will be source code auditing, which helps you combine your own coding knowledge with security knowledge to identify the maximum number of vulnerabilities. You can refer to the OWASP code review guide as well.

    After a dozen or more application reviews, you will be ready to audit tough targets. Find a vulnerability, report it to the vendor and, after the patch, disclose it on exploit-db.

    Hope you will find this interesting and helpful. Comment on this post if you have any suggestions or queries.

    Cheers,
    AMol NAik
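    The build/break/patch/re-validate loop above, shown on one CMS lookup page. This is an added example, not code from the original post or from the lynda.com courses; it assumes a throwaway MySQL table `posts(id, title, body)` and the placeholder connection details in the code. The first function is the kind of dynamic query a beginner's CMS ends up with (the "break it" finding), the second is its patched form with a prepared statement, and the output encoder fixes the stored XSS you would typically report from the same page. The small re-validation check at the bottom is the "break it again" step.

```php
<?php
// Added example, not from the original post or courses.
// Assumes: a throwaway MySQL database with a table posts(id INT, title VARCHAR, body TEXT)
// and a mysqli build with mysqlnd (needed for get_result()). Credentials are placeholders.
declare(strict_types=1);

// "Break it" stage: the finding. The request parameter is concatenated into SQL,
// so anything after the number is parsed as SQL, not as data.
function findPostVulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT id, title, body FROM posts WHERE id = " . $id;   // user input in the query text
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// "Patch it" stage: validate the type, then bind the value as a parameter.
// The value is sent separately from the query text and can never change its structure.
function findPostPatched(mysqli $db, string $id): ?array
{
    if (!ctype_digit($id)) {          // a post id is a positive integer; reject anything else
        return null;
    }
    $postId = (int) $id;
    $stmt = $db->prepare("SELECT id, title, body FROM posts WHERE id = ?");
    $stmt->bind_param("i", $postId);  // "i" = bound as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same page, output side: encode before echoing so a stored title like
// "Hello <script>..." is displayed as text instead of executed in the browser.
function renderPost(array $post): string
{
    $title = htmlspecialchars($post['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body  = htmlspecialchars($post['body'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>{$title}</h1>\n<div>{$body}</div>";
}

// "Re-validate" stage: re-run the input that produced the original finding
// against the patched function and confirm it is now rejected.
function revalidate(mysqli $db): bool
{
    $nonNumericId = "1 OR 1=1";   // constructed test input from the original finding
    return findPostPatched($db, $nonNumericId) === null;
}

// Placeholder connection details for the throwaway database.
$db = new mysqli('localhost', 'demo_user', 'demo_password', 'demo_cms');
$db->set_charset('utf8mb4');

echo revalidate($db) ? "patch holds\n" : "patch insufficient, reopen the finding\n";
echo renderPost(['title' => 'Hello <script>alert(1)</script>', 'body' => 'plain body']), "\n";
```

    The point of `revalidate()` is the one the post makes: the report you wrote in the "break it" stage gives you the exact inputs to replay after patching, so every finding gets a pass/fail check rather than a guess.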

  2. #2
    Awesome post...!! Just the way it is meant to be..a road to start with
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison

  3. #3
    Thanks for sharing your experience mate...... very nice....

  4. #4
    Great post Amol . IMHO Web Application Hackers Handbook could also serve as a nice reference for beginners.

  5. #5
    amolnaik4
    Hey firesail,
    Web Application Hackers Handbook is a good start as well, but the book is more about testing web applications. It is necessary to have web development experience to become a good web application pentester. Otherwise you will end up executing test cases without understanding the concept, and when there is a slightly different scenario, you'll find yourself lost.

    AMol NAik

  6. #6
    @ amolnaik4

    Nice share of your experiences and approach.

    Can you just post the URL link for the PHP & MySQL courses (PHP with MySQL Essential Training, PHP with MySQL Beyond The Basics) from lynda.com? [I guess it's a paid site.]

    Just wanted to share another URL which has some good tutorials on programming (Android, PHP, HTML, JavaScript, Java, VB.NET, C, C++, C#, Ruby).

    Tutorials

    Thanks,
    STMH

  7. #7
    amolnaik4
    Hey stmh,

    As you know, those videos from lynda.com are paid; we do not share anything like that. Surely Google can help you to find other options to download those tutorials.
    The link you provided seems good. Thanks for sharing.

    AMol NAik

  8. #8
    amolnaik4
    This is the second and last part of "Road to Web Application Security". This is a short part with more work for individuals.

    Note: Not drunk this time

    Ok, so once you have mastered PHP, you will have a fair knowledge of web applications. As you look at the world, there are 3 major web languages used: PHP, ASP.Net & Java. I encourage you to learn these as well, which will help your career to grow with an understanding of multiple platforms, and you will be qualified to do "Source Code Reviews". Most job openings for code reviews expect ASP.Net & Java. Learn secure coding practices in these languages, which again enhances your recommendations in the vulnerability report.

    The next move is to keep yourself updated with the latest happenings in web security. My choice for this is Twitter. Create an account with Twitter and start following web application security consultants and researchers who have done well. The following links will help you use Twitter and list a few researchers:

    Joining The Information Security Community on Twitter
    Twitter Social Networking Among Information Security People
    50 More InfoSec Nuts To Follow On Twitter
    My Twitter Infosec List | danielmiessler.com

    Nowadays, web applications have moved towards client-side technologies. Things like JavaScript, jQuery, Ajax and other client-side technologies are heavily used to create interactive and attractive web applications. It is necessary to have knowledge about these as well to understand the web application and find vulnerabilities related to these technologies.

    At this stage, you should start attending security conferences, meet new people, talk about problems & solutions, share experiences, start your own blog and start researching. Good research will give you a chance to talk about it at security conferences.

    That's too much talking. Now "Stop Wishing and Start Working".

    Suggestions, comments and clarifications are welcome. Let me know if I missed anything (talking to you experienced people).

    Cheers,
    AMol NAik

  9. #9
    nice post man keep it up.............

  10. #10
    @amolnaik4

    Thanks for your precious suggestions.......they mean a lot to me.

    Just a few more things I wanted to know:

    1) What is the procedure/approach you follow when doing a web app pentest?
    2) There are some web applications which start with a login page....so what is your, or a good pentester's, approach to going around that scenario?
    (Is brute forcing the only method?)
    3) How do you do a pentest on thick applications? (Is reverse engineering done in this case?)

    Hope you would answer these questions.

    And thanks once again......your roadmap has made my pursuit of knowledge in web application security simpler and more encouraging.

    Thanks,
    STMH
