Reddit reviews The Tangled Web: A Guide to Securing Modern Web Applications

We found 21 Reddit comments about The Tangled Web: A Guide to Securing Modern Web Applications. Here are the top ones, ranked by their Reddit score.


21 Reddit comments about The Tangled Web: A Guide to Securing Modern Web Applications:

u/APTMan · 26 points · r/JobFair

The most current information you are going to want to read is online. There is no substitute for that. The books I'm currently reading through are:

The Web Application Hacker's Handbook 2nd Ed

The Tangled Web

Metasploit: The Penetration Tester's Guide

Webbots, Spiders and Screen Scrapers

NoStarchPress fanboy all the way :)

Keep in mind, though, that the technical requirements are only half of being employable. You also need to be a good employee, who can work with the client and keep them satisfied. For those, I recommend:

True Professionalism

Trusted Advisor

u/dud3z · 18 points · r/blackhat

The dark side has lot of facets, it depends on what you want to achieve.

If you are already working on web applications and web in general, then you may want to start with the Web Application Hackers Handbook by Dafydd Stuttard and Marcus Pinto.

This is a very valid book and with your existing knowledge it will be a very interesting read; I may also advise you to read The Tangled Web by Michal Zalewski, which instead will give you a very in-depth look at browsers' quirks and their inner workings, quirks you'll learn to exploit... for science!

Then there is the world of binary reverse engineering and exploitation; my preferred literature on this is Hacking: The Art of Exploitation. Keep in mind that the techniques there may be outdated, but the reasoning and many of the concepts are still valid. It's a very specific book with very detailed information, and you are required to know a bit of assembler, C and very low-level stuff.

Happy hunting and good luck!

u/[deleted] · 17 points · r/programming

If you liked that, I strongly suggest reading Michal Zalewski's (author of this trick) book The Tangled Web; there are entire chapters on what quirks there are in HTML parsing (some stuff you can't even believe is accepted by the browsers).

u/kobakai · 16 points · r/ItalyInformatica

> Suppose someone (or rather, more than one person, since we're all members of a LUG) wants to start tinkering a bit in this field, what would you recommend?

To do it :)

> Could setting up a web server and starting to try to break into it with known exploits be a good idea, or is it better to start with something else first?

Everything helps (sheesh, twentieth proverb, I'm turning into Biscardi :). But first of all the issues at the lower layers need to be clear: booting from external media, "malicious" forensics (filesystem access, password resets, password extraction, trojanizing the OS, ...), MITM and its derivatives, then nmap and network/service discovery like there's no tomorrow, analysis of all exposed services, and then "finally" you can also turn to the (web) application side... :)

There are loads of "playgrounds" for having fun and learning, both as VMs to download and as online contests, crackmes & co.; a few off the top of my head:

u/elvinguitar · 7 points · r/AskNetsec

IMO, these books are the best ones for web pentesting:

The Web Application Hacker's Handbook

The Tangled Web

OWASP Testing Guide v4

u/xSinxify · 6 points · r/AskNetsec

That's a good setup you have going on, honestly. If you're looking for more resources, I can think of a few to supplement what you're already reading/doing.

The Tangled Web - https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

SQL Injection Attacks and Defense - https://www.amazon.com/gp/product/1597494240

Hacking Exposed: Web Application - https://www.amazon.com/HACKING-EXPOSED-WEB-APPLICATIONS-Edition/dp/0071740643/

https://pentesterlab.com/bootcamp - At this point, you can probably filter out what's relevant to you or not, this will map out other topics related to what you need to know, and may fill in any gaps you have at this point.

OWASP - https://www.owasp.org/index.php/Main_Page [Borderline vital to web app exploitation, Highly recommend if you haven't explored this site yet]

Now, the books and study materials are nice and all, but the most important thing is practical experience, and I see you've identified that by engaging yourself in DVWA. A few additional hands on labs you could dive into are vulnhubs that target the web (Broken Web Applications Project by OWASP is a must):

https://www.vulnhub.com/?q=Web&sort=date-asc&type=vm

Wargames (Overthewire / Smashthestack):

http://overthewire.org/wargames/natas/

SecurityInnovation (canyouhack.us):

http://canyouhack.us/ - It will start off with web challenges, feel free to stop when it starts getting into binary exploitation. What you've learned up to this point should carry you through the web application portion of this challenge, although some lateral thinking is required, which is also a skill you'll need for the GWAPT.

Google-Gruyere - https://google-gruyere.appspot.com/

Since you stated that you were going through the WAHH book, the labs over at MDSec may be a good investment for you at this point to follow along (although not exactly required if you properly use the resources above).

http://mdsec.net/labs/

https://www.wechall.net/challs - Again, filter out what you need to practice here. Lots of good challenges for multiple different areas of study.

CTFs: Be on the lookout for CTFs on http://ctftime.org and put a focus on the web challenges. These challenges will encourage lateral thinking like the SecurityInnovation challenge.
http://shell-storm.org/repo/CTF/ is an archive of older CTFs if you're having a hard time finding upcoming CTFs with good web exploitation sections. In my opinion, CSAW is especially good when it comes to web challenges, but check most of them out if you get time.

Another recommendation to you is to develop a decent understanding of how a web application is structured. It becomes easier to visualize how to attack a web application, when you can engineer one. So I will recommend that you learn:

HTML/CSS - don't spend way too much time on this, Codecademy should suffice here

JavaScript: The source of the client-side exploits you will find in the future. Get your feet wet in JavaScript via Codecademy, and progress further.

PHP: Source of the majority of server-side exploits you will find (RFI/LFI, SQL Injection, etc.). As with JavaScript, get your feet wet through Codecademy, and try to progress further from there.

SQL: Important to know for SQL Injection. PHP is responsible for the implementation that leads to SQL Injection, but you should really know SQL to actually manipulate the DBMS to your needs.

With the web languages I listed, the end goal for you should be to identify vulnerable source code, as well as being able to intentionally develop vulnerable source code, and fix it.

At this point, you should be relatively comfortable with the concepts covered in the GWAPT; however, if not, take a look at the bulletin/syllabus of the actual exam and individually research each topic.

http://www.giac.org/certification/web-application-penetration-tester-gwapt

Looking at the syllabus for the actual course that maps to GWAPT may provide some insight as well.

https://www.sans.org/course/web-app-penetration-testing-ethical-hacking

Hope I was able to help. Best of luck to you, and if you have any questions, feel free to let me know.

u/healydorf · 5 points · r/cscareerquestions

As far as engineering practices are concerned: Clean Code, Clean Architecture. A secure app/arch is one that is well understood long after you've stopped working on it.

DefCon has a reading list:

https://www.defcon.org/html/links/book-list.html

If you're looking for a starting point, I'd suggest The Tangled Web. Web/browser security tends to be a good high-level starting point.

You asked for books, but I'd highly suggest participating in some CTFs.

u/glghglg · 4 points · r/programmingcirclejerk

Web development is hard. This is not because it's retarded and unspecified, but because I am doing intellectually challenging, innovative work every time I complete the rituals to work around CSRF and clickjacking, set up some cross-domain policy, maybe throw in 10K lines of CSS, etc., to make a chat app.

u/DCoder1337 · 2 points · r/webdev

After going through the OWASP materials already mentioned, read through Michal Zalewski's The Tangled Web.

u/TacticalTurkeyBacon · 2 points · r/security

The good news is that you've got the educational creds to have a solid foundation for a future career. Now it's time to build the background, or at least the skillset, to prove that you're dedicated to the field. An internship is helpful, but you're going to need a lot more than helpdesk. I'd focus on finding a small consulting firm or getting in with IT at a company, but treading carefully to not take on a title that states 'help desk.'

Showing that you have raw talent is the most important. Demonstrating skills such as learning Python or spinning up your own secure server in SoftLayer, AWS, or another provider is a massive resume booster and it shows you mean business. I'm not saying that you should sink a bunch of cash, but figure out a small server that you can use, secure, and play around with over a period of a few months. There's a wealth of information you can pull from just 'doing' without having direct work experience.

Help desk can be a trap, so avoid that and go the networking route or sys-admin path by learning Unix. Help desk seldom leads to better roles in that it's catered to keep you trapped in tier 1 - 2 IT hell. Take it from me as someone who learned quickly that it's a dead end if you want to progress your career.

Hope this comment helps. In an attempt to help you find some good resources I'll post a few below.

Start to Python
https://learnpythonthehardway.org/book/

Secure AWS:
https://benchmarks.cisecurity.org/tools2/amazon/CIS_Amazon_Web_Services_Foundations_Benchmark_v1.0.0.pdf

Helped me get my CCNA:
Read up on GNS3 LAB; it's not supported by Cisco so I won't officially endorse it, however you can Google and learn about this on your own.

https://www.freeccnaworkbook.com/

http://www.9tut.com/ - study before your test.

KB for general security. There's a lot out there but this is an easy start.
https://www.cybrary.it/

For learning application security, you'll need to know Burp. I'd take a look at this link and see if you like what you're reading; then do the right thing and go buy this from Amazon if you continue down this path.

https://leaksource.files.wordpress.com/2014/08/the-web-application-hackers-handbook.pdf

If you learn BURP or Python, you should own this book:
https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

u/kimchi_station · 2 points · r/netsecstudents

If you are looking for books, there are:

The Basics of Web Hacking by Mike Shema

Hacking Webapps by Mike Shema

and The Tangled Web by Michal Zalewski

Check around Udemy, edX, and all those other sites that offer free online courses. Also, I know lots of schools, MIT included, put their full courses (lectures, assignments, syllabus, etc.) online for anyone to access. Search around and work through the books. Find a good online community to go to if you ever have questions or need advice.

u/Jeseh · 1 point · r/suggestmeabook

Here are a couple to consider. My apologies if the formatting sucks. I'm on mobile.

The Web Application Hacker's Handbook 2nd Ed

The Tangled Web

u/JoshBrodieNZ · 1 point · r/AskNetsec

It's the standard reference for web application testing. I'm a security consultant who spends a significant portion of my time reviewing web applications and we hand WAHH to every junior who comes on board, while intermediate/senior testers brush up on it periodically alongside the OWASP Testing Guide.

Once you're comfortable with the material in WAHH, also check out The Tangled Web: A Guide to Securing Modern Web Applications which starts to look into browser mechanics and their impact on web application security.

u/eric_weinstein · 1 point · r/learnprogramming

You're right that there's no easy answer, but I think reading The Tangled Web is a good place to start.