Wednesday, May 5, 2010

Hands-On Web Hacking

The best way to really understand application security is to learn about the issue and then perform the attacks yourself.  You could go through the trouble of building your own vulnerable testing application or you could use one that has already been built specifically for that purpose.  Here are a few to check out:

OWASP's Webgoat
Language: Java
Lesson format with hints and detailed solutions

Google's Jarlsberg
Language: Python
Lessons? Don't know, haven't tried it. Feedback please!


OWASP's Broken Web Application Project
A VMware image of multiple vulnerable web apps designed for testing and learning. The VM image comes complete with the necessary tools for immediate attacking fun.

The only tool you will need is a web proxy and a browser:
Burp, WebScarab, or Fiddler

-Michael Coates

Tuesday, May 4, 2010

TLS Podcast Available Now

I've been talking a lot about SSL/TLS recently.  If you haven't already, please check out the slides from my talk at Thotcon on SSL Screw Ups.

Just the other day OWASP released the 2010 Top 10. In addition, the OWASP podcast series released a slew of podcasts on the Top 10 items.  Included in this release was my talk on OWASP Top 10 item 9 "Insufficient Transport Layer Protection".  This podcast closely follows the OWASP Transport Layer Protection Cheat Sheet which was created as a single source of TLS knowledge and recommendations.


Listen now!

Note: This was recorded a few months back before I made the big switch to Mozilla.  Just a heads up to avoid confusion.

-Michael Coates

Monday, April 26, 2010

Thotcon Slides - SSL Screw Ups

Here are the slides from Friday's Thotcon presentation on SSL. Great conference! Enjoy the slides.


-Michael Coates