WebApp Sec mailing list archives

Re: looking for advanced web hacking course


From: Tim Greer <chatmaster () charter net>
Date: 11 Nov 2003 21:44:54 -0800

On Tue, 2003-11-11 at 20:37, Bill Pennington wrote:
> While I agree with the principal thoughts behind Tim's assertions I do 
> believe that you can get pretty far with 2-3 days of training.
>
> Full Disclosure - I have given a 2 day Web Application Hacking class at 
> BlackHat Seattle '03. I will leave it to any students that want to 
> speak up as to how useful they thought it was. I am no longer offering 
> this class, lest anyone think I am pitching here.
>
> ---
> Bill Pennington, CISSP, CCNA
> Chief Technology Officer
> WhiteHat Security Inc.
> http://www.whitehatsec.com

This is sort of ironic and I have no idea what skill level you are or
anything about you as a person, but the company in your signature is
probably one of the biggest examples pertaining to some of my more
cynical comments on this security list (without naming names).  Now,
that's not to say that you personally are one of those people and maybe
yourself (and possibly others) at said company are (more) qualified, but
I have major issues with the owners proclaimed qualifications.

I have seen the presentations, etc. and find them to be wholly empty and
hype.  Again, that's not to say yours are and I didn't intend to post
this to offend you--please don't take it the wrong way--it's nothing
personal, but this is just the very sort of thing that I am personally
offended by seeing promoted.  I don't mean you, your post or your
outline of what you meant.  I hope you understand that, although I'm
sure if you mentioned it or asked you'd receive a story and just be told
the opposite from the opposite side, as well as assumed motivating
factors that allegedly compel me to have said what I did--that is wrong.

Back to the subject at hand though, I'm not sure what someone can get. 
It's certainly possible someone can get something out of it, but it
depends on what it is, if it's something new, etc.  Obviously the
interest and drive you outlined is a major part of how far someone may
go in this aspect, and I agree with that.  However, I don't know how
good a few hours of a crash course will help.  I suppose that depends on
the person.  However, I'm afraid that programming knowledge is required
to really excel at this.  Perhaps not in every language out there, but
to understand how things work, why and the concepts behind them.  You
cannot understand the concepts fully, if you lack the knowledge and
experience.

So, when all is said and done, you can try and teach someone the
concepts behind the attack, but that will be limited to what they can do
and how they grow in that regard, until they understand the programming
design concepts that only programming can teach you.  Certainly once
someone understands these concepts in one or a couple of languages, they
can apply the same tests to programs coded in other languages, since the
same logic applies, but it's considerably helpful.  Of course, this
depends on what type of concepts you're discussing.  For silly things
like XSS, it will work across a lot of scripts to test it--you can do
that all day and never really be doing anything important or discovering
anything new or interesting.  However, if you want to understand how to
really exploit services and tools and programs that are vulnerable in
more interesting and involved ways and not silly things, then
programming and understanding is vital.

Otherwise, and ultimately (and the issue I have with said company--I
don't want to go on about that though), is it's rehashing the same silly
thing using the same type of attack concepts, but just for different
programs or scripts.  This doesn't accomplish much, but recycling the
same logic and having nothing new, interesting nor educational come of
it.  Popping in XSS attacks into a hotlink, image link or whatever else
over and over in different services for different scripts just shows a
lot of the same stupid, careless mistakes being made by different people
in different scripts.  That gets boring.  The heart of the matter and
interesting and important aspects are more involved than what those can
display and those are what people need to keep in mind.

Certainly these more trivial things can play a role to some degree, but
don't really cover anything new and only affect the most careless
developers.  Anyway, sorry to ramble myself, but I'm a bit bitter about
a lot of things I see out there and claims made by companies and it's
just wasting everyone's time.  I'm hopeful you are the exception and the
general attitude and politeness (lack of rudeness and arrogance) in your
own post leads me to believe that's the case--I'm happy to say.  So,
again, nothing personal at all toward you in my earlier comments.  And,
as always, topics of this nature greatly depend upon each individual's
own opinion.  However, all said and done, no one can teach someone how
to be a skilled person at compromising applications any more than they
can teach someone to be a great artist--though they can certainly help
guide them and provide a working foundation of knowledge and
concepts--that I can agree with.
-- 
Tim Greer <chatmaster () charter net>

