
Can anyone suggest good resources to learn about vulnerabilities in and attacks on web sites, in a hands-on way, for someone with limited programming experience?

D.W.
  • Possible duplicate of http://security.stackexchange.com/questions/13543/which-ctf-penetration-test/13546#13546 ? I'm posting my answer here too anyway. – user1301428 Apr 08 '12 at 08:37
  • Or this.. http://security.stackexchange.com/questions/3592/what-hacking-competitions-challenges-exist/12866#12866 Either way, both links are helpful to this question. – cutrightjm Apr 08 '12 at 22:03
  • This is a good resource (free video course by Troy Hunt): http://info.varonis.com/web-security-fundamentals – Rob Sobers Jan 21 '16 at 02:41

6 Answers


OWASP has a couple of very interesting resources of this kind:

  • Hacme Bank: a banking application built with some vulnerabilities for you to find and try to exploit
  • The WebGoat Project: a web application with several vulnerabilities. Every possible attack is explained in a specific lesson, so that you can concentrate on one technique at a time
user1301428

I suggest you start by developing dynamic websites that involve a database, using HTML/CSS, a client-side programming language (like JavaScript), and a dynamic server-side language (PHP is a popular choice). To fully understand web security attacks, you first need to get familiar with the client/server architecture and the way a dynamic language interacts with a database to retrieve/insert/modify data.

Once you grasp the basics of dynamic web development, you can start learning about attacks. The OWASP Guide Project is a great resource and a reference for experienced web penetration testers as well as newcomers. For hands-on training, just Google for a vulnerable web application and you'll find many deliberately vulnerable apps to safely and legally practice against. DVWA is a good starting point.

The next step is learning about tools. I advise you not to use these until you fully understand the different attacks (XSS, SQLi, CSRF, RFI/LFI, XST, etc.) and how to perform them manually. For a concise list of open-source tools to use when assessing a web application, you can check this previous answer of mine.

lisa17

SANS has a Web Penetration Testing and Ethical Hacking: Capture the Flag class you might be interested in: https://www.sans.org/security-training/web-penetration-testing-ethical-hacking-capture-flag-day-6-13632-cid

There are some capture-the-flag sites that you might learn from using.

A larger list can be found at http://captf.com/practice-ctf/

Phillip Nordwall

I think that your ability to understand attacks on software is limited by your ability to create software. For people with limited programming experience interested in "web security", I would tell them to write a web application. It can be simple, but they need to know how it works from the developer's point of view before they can understand how it can be manipulated to do tasks it wasn't designed to do.

rook

This vulnerable web application will help you understand the OWASP Top 10, and the good thing is that it is challenging: Mutillidae

P3nT3ster
  • Irongeek actually provides a bunch of vulnerable web apps, each on different platforms. Mutillidae is just one of them. Find them all here: http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security – Justin C May 15 '12 at 14:55

I know that there are sites like HackThisSite that take a hands-on approach to teaching security. You can check those out. Once you have a fundamental understanding of the common exploits, doing a lot of reading (including this site!) can also help a lot.

Oleksi