23

This question was asked here on Programmers Exchange, but it was suggested I ask here as well since most of the experts would likely hang out on IT Security exchange instead.

I find this to be equivalent to undercover police officers who join a gang, do drugs and break the law as a last resort in order to enforce it. To be a competent security expert, I feel hacking has to be a constant hands-on effort. Yet, that requires finding exploits, testing them on live applications, and being able to demonstrate those exploits with confidence. For those that consider themselves "experts" in Web application security, what did you do to learn the art without actually breaking the law? Or, is this the gray area that nobody likes to talk about because you have to bend the law to its limits?

  • 2
    @hal10001, welcome to the site! I copied the text from the original question. Though in principle, cross-posting is discouraged and might have been better off asking the mods there to migrate it. – AviD Jun 28 '11 at 09:43
  • 4
    the really good hackers never leave a trace, "it isn't illegal if you don't get caught" –  Jun 27 '11 at 14:43
  • 7
    This question has been merged with a question migrated from another StackExchange, but only after it has accumulated many answers and comments that have some gaps in their reasoning, but that already have received many positive votes from non-ITSecurity users. IT Security probably doesn't have a large enough group of participants to clean this up retroactively. (Since it was merged, there's no warning of the migration.) So, I'd warn all readers: don't assume that the vote numbers reflect the views of folks with a security background. This is a problem with migrating a question. – D.W. Jun 28 '11 at 14:04
  • 1
    @D.W. very good point - and of course the only answer we have as a community is to vote up the ones which are good. Things will pan out eventually if we all contribute. – Rory Alsop Jun 28 '11 at 14:22
  • Hey Guys, thanks for doing the work of merging this question. I appreciate the time taken to edit and place it in its proper place. –  Jun 28 '11 at 14:33
  • @Jarrod There's always a trace, and poor mistakes in your past can come back to bite you in the future. It's better to stay clean as much as possible. You'll end up with effectively the same knowledge either way. –  Jun 28 '11 at 15:21

14 Answers

35

I don't work as a security consultant but I've worked with them (and with the police incidentally and your analogy is more cop show than reality) and none of them to my knowledge have spent time hacking illegally.

Hacking is only illegal if you don't have permission but there is no difference on a technical level (that is to say in terms of security) between a server you've got permission to hack and one you haven't. If you're working for or with a company then attempting to access their servers (with their prior written understanding and permission) is fine and no less real world experience than picking a random system.

Failing that, there is no reason you can't set up your own hosted servers and attempt to compromise them - or buddy up: two of you each set up a server and the winner is the first one to find an exploit in the other's system. That has the dual advantage of seeing it from both sides.

Jon Hopkins
    Regarding your first point, isn't that like a chicken before the egg scenario? Nobody is going to give me permission to test their system or application security unless I have experience testing system and application security. Regarding your second point, I thought that might actually be the case, but it would require a personal financial investment of sorts to set up an environment worthy of testing. –  Jun 27 '11 at 14:45
  • 6
    @hal10001 - Many large companies have either a team of internal security testers or a couple of designated developers that test the security of internal development. You would normally gain experience in that sort of position for a while before becoming a security consultant "in the wild". – Justin Cave Jun 27 '11 at 14:51
  • 2
    @hal10001 - What Justin says. The normal route in is via network or server admin, learn to set things up before you learn how to pull things down. –  Jun 27 '11 at 14:52
  • 1
    @hal10001: The first step is to get the security certifications that identify you as knowledgeable in security. Second, get a job with a security/audit firm to get the hands-on experience. As you gain competency, you will be given larger budgets/resources to begin researching specific exploits in specific environments. Just as with any other programming related job - first get certified, then get experience. Other than that, don't get caught. –  Jun 27 '11 at 14:54
  • @Justin Cave: I'm finding these days a lot of these tests are actually farmed out to security/audit firms. I still see some local application of it, but the serious financial sites that I've seen have all had third party audit transparency. –  Jun 27 '11 at 14:56
  • 1
    @Joel - The final tests are farmed out. But most serious financial firms still have an internal security team that at least does the first pass of tests during the development effort to identify security holes. – Justin Cave Jun 27 '11 at 15:02
  • @Justin Cave: Oh absolutely the first round is done in-house, but the first round still isn't usually to the level OP is indicating. Development/first round testing hits the usual suspects or easily identifiable exploits, then it's farmed out for a conclusive audit. I've personally had to respond to such an audit with my first round results. It was fairly unfun. –  Jun 27 '11 at 15:14
  • @Joel - Right. But if you get some experience as an internal security tester hitting the usual suspects (SQL injection, cross-site scripting, etc.), that puts you in a reasonably good position to move on to the companies that do security audits full-time. – Justin Cave Jun 27 '11 at 15:23
  • @Justin Cave: Tru dat. –  Jun 27 '11 at 15:24
  • However, the thing with artificial practice hacking is that there is no human involved; it is often possible to break into a system with the aid of a confused sysadmin or the friendly webhost support staff and those human layers are sometimes the easiest way to break into real systems. A true security expert should take human nature into account, not just technical faults and flaws. – Lie Ryan Jun 27 '11 at 15:46
  • 1
    @Lie - If you're testing security for a company with permission you can (and should) do those things. Why couldn't / wouldn't you? –  Jun 27 '11 at 15:52
  • 2
    @Joel `"The first step is to get the security certifications that identify you as knowledgeable in security. Second, get a job with a security/audit firm to get the hands-on experience"` - this makes no sense. First get proof of knowledge, then gain the knowledge? And besides, in the security field the certs are less important than the expertise. – AviD Jun 28 '11 at 09:59
  • 1
    @AviD: I'm not sure how it doesn't make sense. It seems fairly obvious to me. This is not a chicken/egg scenario. By studying and achieving the requisite certs, it becomes simpler to get a job where the hands-on expertise is learned. I agree actual experience trumps certifications any day of the week, but just like a 4-year degree these days, the certs are the price of admission more than evidence of competence. –  Jun 28 '11 at 10:22
  • 2
    @Joel - ah, now I understand - you meant "*study* for certification, then get experience". Makes a little more sense... but still wrong. A. better ways to study, than learning to the test. B. Certs are not necessarily required, depending on the position. C. The certs that are well-regarded, require hands-on experience (e.g. 3 years for CISSP). – AviD Jun 28 '11 at 10:34
  • @AviD - In terms of experience though, no well regarded certification would get away with accepting experience breaking the law. –  Jun 28 '11 at 11:00
  • 1
    @Jon of course not, that is a faulty assumption in the question. It goes without saying - well, it *should*, but apparently doesn't... There are some good solutions for this, as you mentioned and are elaborated in other answers. – AviD Jun 28 '11 at 11:07
  • 2
    What this answer doesn't say is that learning pentesting may not be the most valuable way to spend your time. There seems to be a perception that being a web security expert is all about knowing the coolest ways to hack a web site. That is a myth. – D.W. Jun 28 '11 at 14:06
  • @D.W. It has nothing to do with a method being 'cool', just with it being a viable avenue of attack that needs to be taken into account from a design point of view. –  Jun 28 '11 at 15:18
11

The answer to that question is much like the answer to any "How do I become an expert at **" question... it ultimately boils down to time and experience.

For some specifics though, if college/university is an option, look into programs dealing with Information Security, Computer Forensics, and Information Assurance... all of those would give you a solid background for application security development.

Also, take a look into the specifics of these laws... for instance you can attack services/applications/systems on your own network legally in most places (assuming you own the equipment and network infrastructure being used). An open-sourced application too, where you have freedom to modify/reuse the code, would in most cases be open to vulnerability testing, as long as you weren't running the 'malicious' code on remote systems or sharing it.. but again, laws vary greatly by State/Country.

Reading, as always, is a good source... not just on 'security' itself, but general coding principles. Background knowledge is always an asset. Websites like "hackthissite.com" also give some hands-on guides and 'challenges' to do. Though, that one isn't really "application security" specific at all.

9

In addition to Jetti and Jon Hopkins' answers, there are also organizations and tools designed to teach the basics of web security. The Open Web Application Security Project (OWASP) comes to mind as a prime example of this.

OWASP has extensive documentation on their site about various security exploits and techniques, as well as how-tos for both creating secure software and finding exploits in existing software. They also produce a tool known as WebGoat, which is an insecure JEE application that you can host and learn about different techniques to damage or compromise web environments.

Thomas Owens
  • Thank you for the WebGoat link. I knew about OWASP, but did not know about this project. That is very helpful. –  Jun 27 '11 at 15:13
  • +1 For mentioning OWASP. Great organization and website. –  Jun 28 '11 at 15:23
8

I also don't work in the security area, but there is nothing that prevents you from simulating the internet using a couple of routers and switches on a home network, with maybe the exception of some of the high-price security hardware out there. Like Jon stated, you can easily set up IIS, Apache, or whatever web server you want on a home network. There are also some practice apps out there like Hacme Bank that you can practice basic web vulnerabilities on.

Dylan
    Thank you for the Hacme Bank link. That is very useful to have for testing vulnerabilities. –  Jun 27 '11 at 15:14
7

First start by learning some theory. Start off with OWASP (the "bible" for webappsec), then browse around this site. I'm sure you will find numerous questions that would interest you...

Next find the issues in your own code...

Then, there are several "broken app" kits that you can use, for educational purposes.
For example, take a look at Starting with sandbox development. I'd used OWASP WebGoat for many years for giving training, but thanks to that question I found Google Gruyere, which I highly recommend for you.

Btw, I think you should also take a look at this question: What are the career paths in the computer security field? - I think it will help give you some direction.

AviD
  • To continue with the thought of finding issues in your own code: also find issues with code in open source projects; there is large support and people appreciate your contribution. As well, break your own web apps; don't just stare at code, look at it like a hacker. As well, there are plenty of groups that host web applications for testing purposes, aka they allow you to hack them. – Mike Soule Jun 28 '11 at 15:50
5

I'm troubled by the implication that in order to become a 'competent web application security expert' the easiest route is to break the law. I agree with @DKGasser, the general route to become an expert is similar in all fields. You need to learn, practice, discuss, and experiment.

Illegal activity is only likely to teach you how to exploit poorly secured systems, and how to exploit very specific vulnerabilities. It is unlikely to teach you the theory behind secure systems.

There are lots of legal things you can do to explore web application security, starting with setting up your own home network with a webserver and attacking your webserver. You can even look at the webserver's log in real time as you attempt various attacks. It is usually better to set up a wired two-computer network with an attack computer and a target computer as the only machines on the experimental network, as this will prevent you from accidentally attacking someone else.

Try different operating systems, different web servers, different application frameworks, different programming languages, etc. Set up a honeypot server and observe what attacks are attempted on it.

Rory Alsop
this.josh
5

Spend a lot of time in-person with someone who is already a web application security expert.

atdre
5

I thought I'd chime in and point out that the police analogy is a little flawed if what you are looking for is education, versus detection. Granted, my law enforcement experience is limited to an excessive love of Law & Order, but going with the cop show analogy - when police officers go undercover - it's generally the smart, experienced, stable guy who graduated with decent grades from the police academy. Not the summer intern. :)

Same thing for a penetration test (as Jon Hopkins describes) - companies are hired for pen tests based on corporate experience, the credentials of the individual engineers on the team, the professional reputation of everyone involved, and the cost and schedule proposed by the team. Just like you don't really want the crazy, unqualified cop to be the guy undercover, you don't hire a no-name, untrusted company to do your penetration testing.

The way to get to the point of being an individual on a pen test team?

It's the same as almost any other career in engineering:

  • study the technology that allows and prevents security exploits - learn about as many areas of the security trade as you can - human factors, physical, network, software, operating systems, data protection, etc.

  • use academic institutions and professional certifications to establish credentials - some professional organizations also include a promise of ethics.

  • establish bonding as a way of providing additional reassurance of honesty - this is along the same lines as working as a locksmith.

  • work in the field in less high-risk jobs - security system development, system administration, IT security groups, risk management teams, etc.

  • do independent projects to get experience - like setting up a honey pot at home, or playing with security configurations on network gear.

  • get mentorship from someone more senior.

Just like undercover cops are a special group of police officers, who get special training, unique treatment and have particular credentials - penetration testers are a unique group of security professionals. The people I've met that do this type of work are often a similar personality type to the aggressive startup company programmer/architect/CTO type person - very smart, very driven, intensely focused on the state of the art, and quite intellectually aggressive. They generally come with very high level credentials and are very expensive.

I'm sure there are plenty of folks out there who are stupid and will try cracking into assets without corporate permission - but the folks I consider the real professionals in this area are too smart for that. They're aware of the laws in this domain, and they are too smart to jeopardize their careers by hacking on the side. A good pen tester knows that a portion of his high fee comes from the fact that the company is willing to trust him and if he does something on the side to break that trust, then he's out of a job and probably out of a career.

bethlakshmi
4

I think Jon Hopkins has a good point: there is no difference between illegally hacking and hacking something you were allowed to hack. As a teen I remember wanting to get into hacking (thanks to the wonderful movie Hackers) and there were sites that are set up to encourage people to hack into them for learning. I wish I could remember the sites, but I know they are out there and I'm sure they are still alive and well.

A few things to consider:

  • You may want to let your ISP know that you are doing this and that you have full consent. That way, if they see anything suspicious they don't cut off your service, or worse report you to authorities.
  • Actually hacking into a system isn't the only way to learn about security. Being able to recognize when code is insecure or other vulnerabilities is just as important.
  • There are quite a few people who are former hackers who are now running their own security companies; however, they also had to spend time in Federal prison to get there. Kevin Mitnick is the first to come to mind but I know there are more. So be careful with the "gray area".

  • "no difference between illegally hacking and hacking something you were allowed to hack" - huh? How about the difference that, say, one is illegal and the other is legal? – D.W. Jun 28 '11 at 13:57
  • @Jetti - guessing you mean 'functionally - no difference'? – Rory Alsop Jun 28 '11 at 14:03
3

The difference is that if you want to become a security expert, then you need to know WHY things like exploits, buffer overflows and cryptography breaking work. You're not only going to be responsible for finding a hole, but for knowing how to patch it properly, including software/network redesign.

Attacks and exploits are published online. You could read up on the latest security patches for various systems, then try them on a local copy of that software on your own computer; virtualization would be great for this.

Peter Smith
3

This question is full of faulty premises and preconceptions.

It is NOT TRUE that you have to break the law to learn to be a security expert, or that breaking the law is even particularly helpful in making you expert in this area. You seem to be assuming that the way to learn web security is to break the law, and that is simply not accurate.

The question also seems to assume that being a web security expert is all about knowing the coolest ways to hack a web site, and so the best way to become a web security expert is to hack lots of web sites. That is not accurate, either.

You'd get better answers if you asked how to learn to be a security expert, without making assumptions in advance about the form of answer.

D.W.
3

Practicing on your own hardware is not illegal!

Practicing with written permission is not illegal!

I'm going to assume you already have sufficient background in technology to understand the basics. Given that, it is trivially easy to practice on your own hardware, and for a minimal investment you can rent virtual machines on an as-needed basis in order to practice on other platforms (e.g. Amazon EC2).

There is an abundance of material with which to practice on your own hardware:

  • Get comfortable working with virtual machines. Being able to quickly bring up a new machine running a given OS in a given configuration is helpful for practicing (and repeating) certain skills. (It also allows you to make good bug reports since you'll be able to easily recreate a bug on a clean system.)
  • Keep a notebook -- or have some means of organizing material that you're learning. I use a combination of a (self-operated, private) wiki and bookmarking tools to keep track of things as I learn new material.
  • Follow mailing lists or forums like this site, bugtraq, etc. This lets you keep up with current and emerging attacks.
  • Learn about web application security in general. There are a number of good websites (e.g. OWASP) and books (e.g. The Web Application Hacker's Handbook, by Stuttard and Pinto). These references provide lists of tools and techniques that you can put into practice immediately. WAHH has exercises sprinkled throughout each chapter -- do these.
  • Learn about web infrastructure. High-end deployments will be much more sophisticated than what you can set up in your own lab. Load balancers, firewalls, caches, etc. These can either make life as a penetration tester harder (i.e. by acting as layered defenses) or easier (i.e. by introducing complexity and more attack surface).
  • Learn about internet infrastructure. Understand how DNS works, for example; what its vulnerabilities as a system are and how it can be both secured and attacked.
  • Install some applications in your VM. E.g. LAMP with popular apps -- phpMyAdmin, phpBB, etc. Or IIS. Or tomcat. (Eventually, you'll want to practice on all of them! This will give you experience with a variety of platforms, languages, configurations, and different issues.)
    1. Leave them in the default configuration.
    2. Attack them. (DoS, intrusion, XSS, SQLi, firesheep, etc.)
    3. Secure them against those attacks.
    4. Goto 2.
  • Buddy up: find a partner with whom you can practice. For example, you can run "capture the flag" (CTF) exercises where you each set up a system and then attempt to infiltrate your partner's system. This gives you practice both in creating and maintaining a secure configuration and in penetration testing. (Just be careful where you set up your systems: I wouldn't recommend attacking your partner from your home; his ISP or your ISP might take a dim view of certain activities crossing their networks. And you probably don't want him attacking your home; your ISP may not like you attracting malicious traffic.)
  • If you have a budget for tools and books:
    • Maintain a reading queue or similar (e.g. wishlist on Amazon) for new books that you see recommended. When I see a book recommended more than 3 or 4 times, I put it in my reading queue.
    • You can pick up cheap hardware for practicing if you keep an eye on craigslist, freecycle, ebay, etc. VMs can do a lot, but having a few cheap PCs and a router is nice for practicing setting up a firewall-dmz-intranet with real hardware.
    • Having spare hardware also makes it easier to have a "LAN party" style CTF with your buddy. Configure a PC according to the rules of this week's game, grab a switch/router/etc, and join the party.
  • Get out and meet people. OWASP has chapters all over. Look on meetup for security-oriented meetings. (Or web-application-related meetings -- e.g. your local PHP or RoR meetup might occasionally have a session on security.)
    • These meetings are always looking for speakers. Learn enough about a niche topic, or create a new special-purpose tool or technique, or discover a new class of vulnerability related to the meeting's topic, or take some new technique you saw on bugtraq and make it relevant to the meetup, and prepare a "lightning talk". (If you enroll in a university course you'll often have to do this sort of thing.)
  • Get an entry-level job or internship. Find a mentor.

There are a few websites and applications that are set up as exercises for hacking. I've found that these tend to be very introductory, but they're useful as beginner material:

  • hACME game
  • Hack This Site!
  • Try searching for "computer security wargame" or "capture the flag computer security".
  • Damn Vulnerable Web Application -- this is a web app that you can drop into one of your VMs; it is structured similarly to the hack sites mentioned above
  • Hackme Bank, Google Gruyere, OWASP WebGoat. (I haven't tried these yet, but have seen them recommended.)
  • Install a popular web framework with a lot of plugins. Wordpress comes to mind. (Ok, it isn't intended as practice for hacking, but it might as well be...)
    • Install it in a VM, install a handful of plugins, add some filler content.
    • Start with the basics, doing stuff "by hand". For example, install firebug in firefox, modify cookies, modify form fields, set breakpoints in javascript to alter client-side validation, etc. You can also use curl and other low-level tools to construct requests to bypass security. Doing it "the hard way" will give you a good understanding of what the tools are doing for you -- so that you understand their limitations and best application.
    • After you have a feel for what's going on under the covers (and you've managed to find and responsibly report a couple of security flaws), start learning the tools you've discovered in your reading and have recorded in your notebook.
    • You should be able to find a security weakness within a few hours of hacking on, say, Wordpress with a handful of plugins. I managed to find 3 or 4 XSS, plus some other bugs, in 3 or 4 hours of testing some very popular WP plugins, without using much for tools beyond FF+firebug, chrome, and curl. If you watch bugtraq or other such lists, you'll get a feel for which applications will be good to install and test.
  • Similarly for applications with a long history of security flaws. phpMyAdmin and BIND come to mind. (True, BIND is not a "web application", but it would make for interesting testing along a different sort of axis, and it's an important piece of infrastructure that your web application depends on.) Apache would be fair game too.

Of course, all of this won't make you an expert, but you'll be on the road and at least have achieved "conscious incompetence" -- you'll know what the next steps are for you to increase your skill level.

bstpierre
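The "leave it default, attack it, secure it, go to 2" loop and the "modify form fields / build the request with curl" advice in the answer above can be rehearsed offline against a toy handler. The following is an added example written for this page; it is not code from bstpierre's answer, from Wordpress, DVWA, or any other project the answer names. The comment form, the `insecure_post` and `secure_post` handlers, the in-memory SQLite table and the sample form submissions are all assumptions constructed for the demonstration. Feeding the handler a dict directly stands in for what an edited form field or a hand-built curl request does: whatever JavaScript validation the page had is simply not in the path. The example shows how the same three submissions behave before and after the server-side fix (input validation, parameterised SQL, output encoding), which is the "secure them" step of the loop.

```python
"""Added example: one round of the attack-then-secure loop on a toy comment
form. Everything here is constructed for illustration (hypothetical app)."""
import html
import sqlite3


def make_db():
    """Fresh in-memory table so every run starts from a clean state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return conn


# --- step 1, "default configuration": the server trusts the browser ---------
def insecure_post(conn, form):
    """Relies on client-side JavaScript to cap length and strip tags; nothing
    is checked here, SQL is built by string formatting, output is unescaped."""
    author, body = form["author"], form["body"]
    conn.execute(f"INSERT INTO comments VALUES ('{author}', '{body}')")
    return "<p><b>" + author + "</b>: " + body + "</p>"


# --- step 3, "secure them": validate, parameterise, encode on the server -----
class ValidationError(ValueError):
    pass


def validate(form):
    """Server-side rules that hold regardless of what the client did."""
    author = form.get("author", "")
    body = form.get("body", "")
    if not (1 <= len(author) <= 40) or not author.replace(" ", "").isalnum():
        raise ValidationError("author must be 1-40 alphanumeric characters")
    if not (1 <= len(body) <= 500):
        raise ValidationError("body must be 1-500 characters")
    return author, body


def secure_post(conn, form):
    author, body = validate(form)
    # Parameterised query: a quote in the body is data, never SQL syntax.
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))
    # Store raw, encode at the output boundary so markup renders as text.
    return "<p><b>{}</b>: {}</p>".format(html.escape(author), html.escape(body))


# --- step 2, "attack them": the same hand-built submissions against both ----
def exercise(post, form):
    """Run one handler on one submission.
    Returns ('ok', html), ('rejected', reason) or ('crashed', exception name)."""
    conn = make_db()
    try:
        return ("ok", post(conn, form))
    except ValidationError as exc:
        return ("rejected", str(exc))
    except sqlite3.Error as exc:
        return ("crashed", type(exc).__name__)
    finally:
        conn.close()


# Constructed submissions, the kind you would send by hand after editing the
# form or with curl; none of them would pass a typical client-side check.
SAMPLE_FORMS = {
    "normal": {"author": "alice", "body": "nice post"},
    "quote": {"author": "bob", "body": "it's fine"},          # breaks string-built SQL
    "markup": {"author": "mallory", "body": "<script>alert(1)</script>"},
    "oversize": {"author": "x" * 41, "body": "hi"},           # violates the length rule
}


def compare_all():
    """Map each sample name to (insecure result, secure result)."""
    return {name: (exercise(insecure_post, f), exercise(secure_post, f))
            for name, f in SAMPLE_FORMS.items()}


def main():
    for name, (before, after) in compare_all().items():
        print(f"{name:9} insecure={before}\n          secure={after}")


if __name__ == "__main__":
    main()
```

Running it prints the before/after pair for each submission: the apostrophe in "quote" crashes the string-built query (the same defect an injection payload would exploit, surfaced here by an ordinary input), the "markup" body is echoed as live HTML by the insecure handler and as inert text by the secure one, and the oversize author is stored by the first handler but rejected by the second. The point of the comparison is that the fixes live on the server; nothing in the browser was consulted on either path.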
1

I think the first thing is to get some academic course. But it is not mandatory. And it is not sufficient, because you need to confront the real world. To get more experience you have two choices (that come to mind):

  • Be part of a company which works in security: pen-testing, intrusion detection/prevention, disaster recovery. This will also teach you what companies want from security experts and give you a direction for what to learn.
  • Curiosity: build yourself a sandbox to test on your own (this should keep your learning from breaking the law). Keep informed of security issues on the internet, what the trending topics are, the most exploited breaches. Use your sandbox to reproduce these and find how to counter them. In this area you will learn what companies need from security experts but are not aware of.

M'vy
  • 1
    And to be honest, the majority of my pen testers did not have academic quals in computer security. Many did have a computing module or at least something in IT, but the core was for them to show they had an aptitude for understanding how things worked, or for working out ways to take something to pieces and rebuild it better... – Rory Alsop Jun 28 '11 at 14:06
1

There is a big difference between finding security holes and exploiting those holes. Of course the former can still be illegal depending on what you are doing.

Matt Wilko