The best way to really understand application security is to learn about an issue and then perform the attack yourself. You could go through the trouble of building your own deliberately vulnerable test application, or you could use one that has already been built for exactly that purpose. Here are a few to check out:
OWASP's WebGoat
Language: Java
Lesson format with hints and detailed solutions
Google's Jarlsberg
Language: Python
Lessons? Don't know, haven't tried it. Feedback please!
OWASP's Broken Web Applications Project
A VMware image bundling multiple vulnerable web apps designed for testing and learning. The VM image ships with the tools you need for immediate attacking fun.
The only tools you will need are a browser and an intercepting web proxy:
Burp, WebScarab, or Fiddler
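What the proxy buys you is the ability to see the exact request the browser sends and to rewrite it before it reaches the application. The following is an added example, not code from this post or from any of the proxies named above: it does by hand what you would do in a proxy's intercept tab, parsing a raw form POST, changing one parameter, and recomputing Content-Length. The request, the hypothetical /checkout page, and the parameter names are constructed for illustration.

```python
"""Rewriting an intercepted HTTP request the way you would in a proxy's intercept tab.

Added example for this post, not code from the post or from Burp, WebScarab
or Fiddler. The request below is a constructed sample aimed at a hypothetical
checkout page; the path and parameter names are assumptions.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: what a browser sends when a user submits a form whose
# price is carried in a hidden field (a classic parameter-tampering target).
SAMPLE_REQUEST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
    b"item=42&qty=1&price=199.00"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, headers, body).

    headers is a list of (name, value) pairs so duplicate headers and their
    original order survive a round trip through serialize().
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header terminator")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def header(headers, name):
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def set_header(headers, name, value):
    """Replace a header in place, keeping its position, or append it if absent."""
    for i, (k, _) in enumerate(headers):
        if k.lower() == name.lower():
            headers[i] = (k, value)
            return
    headers.append((name, value))


def serialize(request_line, headers, body):
    """Reassemble request line, headers and body into wire format."""
    head = "\r\n".join([request_line] + [f"{k}: {v}" for k, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def tamper_form_param(raw, name, new_value):
    """Return a copy of a form POST with one parameter changed.

    Content-Length is recomputed from the new body. Forgetting that is the
    most common mistake when editing requests by hand: the server reads too
    few bytes or waits for bytes that never arrive.
    """
    request_line, headers, body = parse_request(raw)
    ctype = header(headers, "Content-Type") or ""
    if not ctype.startswith("application/x-www-form-urlencoded"):
        raise ValueError(f"not a form POST: {ctype!r}")
    params = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    if name not in dict(params):
        raise KeyError(name)
    params = [(k, new_value if k == name else v) for k, v in params]
    new_body = urlencode(params).encode("latin-1")
    set_header(headers, "Content-Length", str(len(new_body)))
    return serialize(request_line, headers, new_body)


if __name__ == "__main__":
    # Knock the hidden price down and print the request you would forward.
    print(tamper_form_param(SAMPLE_REQUEST, "price", "1.00").decode("latin-1"))
```

Whether the application honours the rewritten price is exactly the kind of question these vulnerable apps are built to let you answer; a real proxy does the same parse, edit and length fix-up for you, but it helps to have done it once by hand.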
-Michael Coates
1) Burp Suite Professional
2) Fiddler2 + Casaba Watcher + Casaba x5s
3) Google Ratproxy patched with MSF WMAP patches
4) Run Netsparker Community Edition in crawl-only mode through Fiddler2 and Google Ratproxy. Make sure that you know how to configure Watcher/x5s/ratproxy with domains/subdomains and are using the proper settings/cli-flags
5) Run MSF WMAP
For the browser, I would use BlackSheep
http://rgaucher.info/blacksheep/
But Websecurify could be promising...
Websecurify Advanced is as capable as Burp, perhaps even more so in some situations.
Hi Michael,
I too had recently listed a few vulnerable apps for learning web app security. You can check it out here:
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
Michael,
I can vouch for your Webgoat suggestion that you used in our courses. I still revisit the application from time to time :)
Dre, thanks for the suggestions.