Re: looking for advanced web hacking course

[Bill Pennington <billp () boarder org>]

While I agree with the principal thoughts behind Tim's assertions I do 
believe that you can get pretty far with 2-3 days of training.

Full Disclosure - I have given a 2 day Web Application Hacking class at 
BlackHat Seattle '03. I will leave it to any students that want to 
speak up as to how useful they thought it was. I am no longer offering 
this class, less anyone think I am pitching here.

I think the best web application testers (note I am talking about 
blackbox testing aka. Application Pen-Testing) are people that love to 
solve puzzles, peel away processes layer-by-layer and try to figure out 
how it all works. Then once you figure that out spend time trying to 
poke holes in it. Programing knowledge, while helpful, is not required 
in most cases. A basic willingness to learn, a good google'ing ability 
to fill in the gaps, and the perverse mindset to try to figure out what 
some over-caffeinated developer was trying to accomplish when they 
decided to ROT13 the username and password in a cookie :-) is all the 
is required to become a good application tester. Notice I said to 
become a good tester, experience is key to any good app. tester. There 
are no tools in existence that will find the logical flaws in web 
applications, must scanners have a hard enough time finding all the XSS 
and SQL Injection issues on a given site. Never let anyone selling a 
scanner tell you it is going it find all your web application security 
issues, it is simply not true.

As for training classes, while you will not learn how to perform SQL 
Injection on any DB platform for all Web App. languages you can learn 
the concepts behind SQL Injection, why it happens, what is actually 
going on in some simple examples, and how a developer might go about 
fixing it. The instructor can explain some of the issues they have 
discovered in the past and what the root causes of the issues where. 
After 2-3 days the student should be able to go back and have an 
excellent understanding of the types of issues they should be looking 
for, and a good list of terms and concepts that will help them track 
down any areas of knowledge they are sort on.

Wow see this is what happens when I have Vietnamese iced coffee at 
lunch! Sorry for rambling.


On Nov 11, 2003, at 7:01 PM, Tim Greer wrote:

> On Sat, 2003-11-08 at 07:36, Pheebee Buffe wrote:
> > All,
> >
> > Anyone know of good, hands-on advanced web hacking course?
> >
> > Regards.
>
> There is no such thing.  And if anyone claims otherwise, they are
> wanting your money.  This would encompass too much, you are basically
> going to need to learn how to program, learn where, how and why 
> exploits
> work.
> --
> Tim Greer <chatmaster () charter net>

---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com