WebApp Sec mailing list archives
Re: looking for advanced web hacking course
From: Tim Greer <chatmaster () charter net>
Date: 11 Nov 2003 21:44:54 -0800
On Tue, 2003-11-11 at 20:37, Bill Pennington wrote:
> While I agree with the principal thoughts behind Tim's assertions, I do believe that you can get pretty far with 2-3 days of training. Full Disclosure - I have given a 2 day Web Application Hacking class at BlackHat Seattle '03. I will leave it to any students that want to speak up as to how useful they thought it was. I am no longer offering this class, lest anyone think I am pitching here.
>
> ---
> Bill Pennington, CISSP, CCNA
> Chief Technology Officer
> WhiteHat Security Inc.
> http://www.whitehatsec.com
This is sort of ironic, and I have no idea what skill level you are or anything about you as a person, but the company in your signature is probably one of the biggest examples pertaining to some of my more cynical comments on this security list (without naming names). Now, that's not to say that you personally are one of those people, and maybe you (and possibly others) at said company are (more) qualified, but I have major issues with the owner's proclaimed qualifications. I have seen the presentations, etc. and find them to be wholly empty and hype. Again, that's not to say yours are, and I didn't intend to post this to offend you--please don't take it the wrong way--it's nothing personal, but this is just the very sort of thing that I am personally offended by seeing promoted. I don't mean you, your post or your outline of what you meant. I hope you understand that, although I'm sure if you mentioned it or asked you'd receive a story and just be told the opposite from the opposite side, as well as assumed motivating factors that allegedly compel me to have said what I did--that is wrong.

Back to the subject at hand though, I'm not sure what someone can get. It's certainly possible someone can get something out of it, but it depends on what it is, if it's something new, etc. Obviously the interest and drive you outlined is a major part of how far someone may go in this aspect, and I agree with that. However, I don't know how much a few hours of a crash course will help. I suppose that depends on the person. However, I'm afraid that programming knowledge is required to really excel at this. Perhaps not in every language out there, but to understand how things work, why, and the concepts behind them. You cannot understand the concepts fully if you lack the knowledge and experience.
So, when all is said and done, you can try and teach someone the concepts behind the attack, but that will be limited to what they can do and how they grow in that regard, until they understand the programming design concepts that only programming can teach you. Certainly once someone understands these concepts in one or a couple of languages, they can apply the same tests to programs coded in other languages, since the same logic applies, but it's considerably helpful. Of course, this depends on what type of concepts you're discussing. For silly things like XSS, it will work across a lot of scripts to test it--you can do that all day and never really be doing anything important or discovering anything new or interesting. However, if you want to understand how to really exploit services and tools and programs that are vulnerable in more interesting and involved ways and not silly things, then programming and understanding is vital. Otherwise, and ultimately (and the issue I have with said company--I don't want to go on about that though), it's rehashing the same silly thing using the same type of attack concepts, but just for different programs or scripts. This doesn't accomplish much beyond recycling the same logic, and nothing new, interesting nor educational comes of it. Popping XSS attacks into a hotlink, image link or whatever else over and over in different services for different scripts just shows a lot of the same stupid, careless mistakes being made by different people in different scripts. That gets boring. The heart of the matter and the interesting and important aspects are more involved than what those can display, and those are what people need to keep in mind. Certainly these more trivial things can play a role to some degree, but they don't really cover anything new and only affect the most careless developers.
Anyway, sorry to ramble myself, but I'm a bit bitter about a lot of things I see out there and claims made by companies, and it's just wasting everyone's time. I'm hopeful you are the exception, and the general attitude and politeness (lack of rudeness and arrogance) in your own post leads me to believe that's the case--I'm happy to say. So, again, nothing personal at all toward you in my earlier comments. And, as always, topics of this nature greatly depend upon each individual's own opinion. However, all said and done, no one can teach someone how to be a skilled person at compromising applications any more than they can teach someone to be a great artist--though they can certainly help guide them and provide a working foundation of knowledge and concepts--that I can agree with.

--
Tim Greer <chatmaster () charter net>