
Re: [WEB SECURITY] learning hacking techniques



DVWA is another good target to learn off of.

If you're looking for an easy way to get started, you can use Samurai WTF for tools and online targets or moth.

Also, we've started a training project called Web Security Dojo which is a VM image with tools, targets, and most importantly documentation installed. It doesn't have as many tools as Samurai, but it has what we consider the best in class of tools that are useful for learning web app testing.

As for documentation, OWASP's testing guide is the best free resource I know of for learning, and PortSwigger's Web Application Hacker's Handbook is the best I've found at any price.

Hope that helps!

Steve

Vance, Michael wrote:
Miguel-

The Open Web Application Security Project (OWASP, http://www.owasp.org) is your friend.  They have a ton of information on any Web App vulnerability you could ask for.  Their main page on XSS is http://www.owasp.org/index.php/Cross_Site_Scripting_Flaw.  They also have links to other resources.

OWASP also maintains a "practice" environment called WebGoat (http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project).

The other "classic" vulnerable Web App is Hacme Bank, maintained by Foundstone.  It can be found here: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

Good luck!

-Michael

-----Original Message-----
From: Miguel González Castaños [mailto:miguel_3_gonzalez@xxxxxxxx]
Sent: Friday, November 20, 2009 12:09 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] learning hacking techniques


Hi,

I'm starting a course in computer security and I see that there are some websites like hacklabs that can be used for learning hacking techniques. However, it seems the registration process doesn't work.

  I'm looking in general for:

- any clear free documentation about hacking techniques, not only teaching concepts but giving you examples.
- any website or any sandbox (maybe a virtual appliance) where you can practice those concepts.


 In particular:

- I'm looking for documentation of how to do an XSS attack. It's part of my course (a company course) and the truth is that the documentation is not very clear.

Thanks in advance

Miguel

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



--
 | Steven E. Pinkham                      |
 | Security Researcher, Maven Security    |
 | http://www.mavensecurity.com           |
 | GPG public key ID CD31CAFB             |
