Penetration Testing mailing list archives
RE: Hacking and Building Web Applications
From: "Swaminathan, Balaji" <Balaji.Swaminathan () kla-tencor com>
Date: Thu, 7 Jan 2010 17:40:53 +0530
Hi,

Can you please brief me on why it is not advisable to frame and hack our own applications? Why I am concerned here is, I guess it will help me understand the code behind the logic to some moderate extent and hence facilitate the code review process. Please advise. Also, any best testing methodology to look into...?

Regards,
Balaji Swaminathan .M

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Morgan Reed
Sent: Tuesday, January 05, 2010 6:26 PM
To: Swaminathan, Balaji
Cc: pen-test () securityfocus com
Subject: Re: Hacking and Building Web Applications

On Tue, Jan 5, 2010 at 02:16, Swaminathan, Balaji <Balaji.Swaminathan () kla-tencor com> wrote:
> Just started learning about penetrating Web applications since last 1 month, which is going to be my part of job shortly. To start with, I am basically not from the programming background. So spending time in learning them, starting with JavaScript, ASP, SQL, PHP etc. (assuming that I am going in the correct way). But the chances of testing the Web Apps will not be much more due to the constraints put forward by my client. So I am planning to build some web apps (probably vulnerable....!) on my own and trying to hack into it.
>
> From the testing point of view, I am going through OWASP 2007 standards and some by SANS. I feel the OWASP methodology to be pretty self-explanatory, easier and good concept-wise. Also I am following Web Applications Hacker's Handbook, which also seems to be a good source.
Writing and exploiting your own Web Applications is not likely to provide a particularly good outcome learning-wise. Go look at the following.

The Hacme series of web applications from Foundstone
<http://www.foundstone.com/us/resources-free-tools.asp>

Damn Vulnerable Linux also has a number of exploitable web applications
<http://www.damnvulnerablelinux.org/>

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------