
Re: [WEB SECURITY] Beginner in Security world...



Here's a list of some resources I had put together; a good portion of it
is probably covered in the Phoenix OWASP list, but here it is anyway:


Vulnerable WebApps:

GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

MOTH - http://www.bonsai-sec.com/en/research/moth.php

Damn Vulnerable Web App - http://www.dvwa.co.uk/

Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

Hackme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm

Hackme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm

Hackme Shipping -
http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm

Hackme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm


Videos & webcasts:

OWASP Appsec NYC 2008 -
http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference

Caught in the web series - http://www.coresecurity.com/content/ondemand-caught

Invasion of the browser snatchers series -
http://www.coresecurity.com/content/on-demand-snatchers

Advanced SQL injection -
http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection

Websec 101 - http://www.foundstone.com/us/websec101.asp

Hackme Bank & Hackme Travel videos -
http://www.foundstone.com/us/resources-videos.asp


Tools:

Samurai Web Testing Framework (Live CD which contains most tools
needed to perform a web assessment) - http://samurai.inguardians.com/


Methodologies:

OWASP Testing Guide -
http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf


Cheat Sheets:

SQL Injection Cheat Sheet -
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet

SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/

SQL Injection Cheat Sheets sorted by DB -
http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1

XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html

Web App Assessment Cheat Sheet -
http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf


Books:

Web Application Hackers Handbook - http://portswigger.net/wahh/


Whitepapers & slides:

OWASP article on Web application penetration testing -
http://www.owasp.org/index.php/Web_Application_Penetration_Testing

Advanced SQL injection -
http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

Best of web application penetration testing tools -
http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf

(The next two papers are a little old, but still quite useful)

Advanced SQL Injection in SQL Server -
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf

(More) Advanced SQL Injection in SQL server -
http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf



On Wed, Dec 30, 2009 at 2:01 PM, Andy Steingruebl <steingra@xxxxxxxxx> wrote:
>
>
> On Wed, Dec 30, 2009 at 10:59 AM, Seba <seba@xxxxxxxxx> wrote:
>>
>> Well, there is this FAQ which could need some refreshing but already
>> covers a lot of ground. http://www.owasp.org/index.php/OWASP_AppSec_FAQ
>> Either work on this one or start a new one based on it?
>> Seba
>
> I was more thinking of an FAQ that would have pointers purely to other
> information sources.  Things like lists of app scanners, static analysis
> tools, where to learn the basics of appsec, etc.
>
> - Andy
>
