Web Security Testing - Fundamentals

1. Overview

Create a near-free pathway of learning:

  • Web Application Risks & Vulnerabilities
  • Web Application Security Testing
  • Networking fundamentals
  • Basics of system administration
  • Scripting & Automation
  • Secure Programming Practices

Through web application attacking and defending.

2. Fundamentals Pathway

  • Take some of the free courses / labs
    • Take notes on the tools & processes
    • At the end of each, make your own list of commands/tools you would run and what is useful about them
  • Read through the Foundations section in the OWASP Developer Guide (draft)
    • Which, if any, of the OWASP Top 10 do the commands/tools above attempt to exploit?
      • e.g. sqlmap would most likely be used to perform an A03:2021 Injection.
    • Of the commands/tools that attempt to exploit one of the OWASP Top 10, which of the CIA triad would be impacted and how?
      • e.g. sqlmap attempts to compromise Confidentiality; however, its brute-force nature could also impact Availability.
  • Set up Juice Shop (either Docker or from source)
  • Attacking your Juice Shop App
    • Plan out your attack (what steps are you going to take? what information do you need to take those steps? what kind of output/results would lead to something else?)
    • Start walking through the steps you outlined, adapting as needed and taking notes as you go
    • Write out what worked, what you expected to work but didn't, and what else you would have tried to test with more time/knowledge
    • Based on what worked, what vulnerabilities did you discover? what was impacted on the CIA triad?

3. Conclusion

By the end of the pathway, you should have a rough draft of a web app pentest report. Congrats! Additionally, you've started documenting your own methodology and where your strengths and weaknesses are. From here we will begin to dive into the underlying technology and protocols, then move on to some basic defensive measures, finally wrapping up with some source code evaluation.

4. Resources

Date: 2024-01-30 Tue 00:00

Author: Russell Brinson

Created: 2024-01-30 Tue 22:49