I have observed that people often lose their way when they start learning security. They have many questions like “How do I start learning security?” or “Where do I start learning and deep-diving into web application security?”, which book to refer to, which course to enroll in, and so on. In this blog, I will share my experience and cover most of the things I did when I started my career in cybersecurity. This blog mainly focuses on the basics of offensive web application security.
I have not attended any training course, nor have I gone through any books to learn about web application security. It was my choice not to read books, as I personally do not like reading them; there are many good books available which you can read. I started my career as a developer, so I had experience with web applications and knew how they work (anyway, that’s optional). Not everyone in the security domain is a developer, but it is surely an add-on.
Few things that one needs to start with:
1) Basics of web application
- How it works
- HTTP/HTTPS etc etc.
2) Good observation skill
3) Willingness to find problems in someone’s work (I guess most of us have this :P)
4) Little bit of BurpSuite (or any other web request interception tool)
5) Lots of practice and patience
1) Basics of web application
It is important to know what you are testing. Without knowing the combination of clutch and gear one cannot drive a bike/car 😛 (what a lame example :D). It is necessary to know how a web application works before you start testing it. If you are aware of basic details like cookies, sessions, HTTP/HTTPS, storage, etc., it will be much easier to test the application and find bugs.
2) Good observation skill
To find bugs it is necessary to have good observation skills. You need to keep looking at the behavior of the application and notice any changes while you are testing it. This skill improves only with practice.
3) Finding problems
Willingness is the major factor that plays a role here. If you are not willing to test and easily give up on things, then you are on the wrong track. I have observed that many people are problem finders by nature. “The food needs more salt :P” or “Your code snippet isn’t working, or it’s throwing an error :D” are common problems people find. In a web application you won’t find “salt”, but surely you will find technical/business logic bugs.
4) BurpSuite (or any other web request interception tool)
BurpSuite is one of the many tools available in the market with which you can intercept a request, change the required part and send it. Not only interception, but many other functionalities are provided by this tool. You can learn it using its community version and start testing the application.
Note: I am not promoting this tool; it’s just easy to learn. You can use any tool that can intercept the request/response to test the application.
5) Practice and Patience Pays off
“The fruit of patience is sweet”: at last, you need patience. It really requires lots of practice and patience; it is not like “Hey, hack my friend’s FB/Insta/Gmail for me :P”, and it is not like what we watch in movies 😛
You need to keep looking for security loopholes in each and every request. Go through the whole application.
Now, how I started…
Vulnerable applications are a good place to start learning and practicing. I started understanding things from OWASP and, in parallel, got my hands dirty on a vulnerable web application, “Mutillidae”. This application is built around the OWASP Top 10 and covers those points very well. Make sure to take one vulnerability at a time to learn and practice. DO NOT MIX all the vulnerabilities. For example, in the initial phase, if you choose to start with SQL injection, learn it from A to Z and practice properly.
After completing Mutillidae, I started with SQLi Labs to enhance my SQL injection skills. It is a really nice application to practice SQL injection attacks and covers the different types. I practiced almost all the exercises without using any scanner. Why did I add this point? Because I have seen many people who learn just enough to detect SQLi and then run a scanner on it. No offense to running a scanner, but to understand how SQL injection works, it is recommended to do it manually.
After enhancing my SQL skills, I moved to one more vulnerable application which is similar to Mutillidae, i.e. bWAPP. It is a similar application that covers the OWASP Top 10, again to practice and enhance the skills.
The list of vulnerable applications is long, and there are an ample number available to practice and enhance your skills. Some of them are mentioned in the reference links.
Note: The links might contain a mixture of web, mobile, and network vulnerable applications.
Mitigation is also important because once you report a bug, the first thing you will be asked is “What should I do to fix this?”. I started going through the mitigations and fixed code, which helped me understand how to fix each vulnerability. I went through the code of the vulnerable application and identified the affected areas in it. This helped me learn secure code review.
Once I was confident, I switched from the developer to the security domain and started testing applications. In addition, in my free time, I started with bug bounty, which helped me understand the wide variety of applications and technologies deployed.
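As an added example (not the author’s code, nor code from Mutillidae, SQLi Labs or bWAPP), this is what that secure-code-review comparison looks like in Python against a constructed in-memory SQLite users table: the string-built login query typical of the vulnerable labs beside its parameterised fix, both run on the same inputs so the difference in behaviour is visible.

```python
import sqlite3

# Constructed sample data standing in for a lab application's users table.
SAMPLE_USERS = [("alice", "alice-pass"), ("bob", "bob-pass")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """'Before' version as found in the labs: input is glued into the SQL
    string, so it can change the structure of the query, not just its values."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query).fetchall()]


def login_fixed(conn, username, password):
    """'After' version: a parameterised query. The driver sends the values
    separately from the statement text, so they are only ever compared as data."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]


def demo():
    """Run both versions on a valid login and on the classic tautology input
    from the labs, which closes the string literal and appends an always-true clause."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "alice-pass"),
        "vuln_tautology": login_vulnerable(conn, "x", tautology),  # every user matches
        "fixed_valid": login_fixed(conn, "alice", "alice-pass"),
        "fixed_tautology": login_fixed(conn, "x", tautology),      # no row matches
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a code review, the thing to flag is the f-string (or any string concatenation) that builds the SQL statement; the fix is the parameter placeholder, not filtering of the input.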
Learn – Practice – Patience – Repeat
After learning the basics you can start with other vulnerabilities like SSRF, SSTI and so on, which might not be included in the vulnerable applications.
Some Vulnerable Applications:
Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.