Monday, April 15, 2013

Let's create an extremely vulnerable web application

To get started with the OWASP Top 10 I need an environment. I decided to write a web application from scratch.
You can see the progress on GitHub: https://github.com/rapsacc/catbook.
I'm almost done with the basics.

About the catbook
I'm trying to simulate a social network (think Facebook). In there users can log in, comment, upload photos or text files, send messages and many more. These are the basic things. It's going to be written in PHP/MySQL.
I'm not going to teach programming in here.

Story of the catbook:

I need some sort of story to keep myself inside the scope, otherwise I will lose focus.
So I came up with this.

„Hey buddy, I have heard that you are now into hacking, right? Well, I really need your help now. There is a company called „Catbook“ and they are killing animals for fur. I have no evidence but there are no „lol cats“ and „long cats“ left in my country.
I need you to hack inside their system and get evidence. Email me: buddy@example.com“.



Wednesday, March 13, 2013

Day 1

Security tester .. how awesome is that?

Well, I'm not a security tester yet.
So I want to share my experience and how I study as I go along this road.

So let's get started!


After a little googling I found common suggestions for becoming a hacker:
  1. Read security related books
  2. Learn how to code
  3. Learn how systems work
  4. Follow the path (try to master one field at a time)
  5. Get certified
  6. Find a mentor
  7. Practice, practice, practice
Well, that sounds easy ... or does it?

1. Read security related books
Thanks, Amazon, for the awesome selection of books.


2. Learn how to code

The question is not "learn how to code". The question should be: how to learn (the right way).
If you ask why "how to learn (the right way)"... well, imagine a situation where you use a scanner (Nessus, OpenVAS, etc.) and you find a buffer overflow vulnerability. Do you know what it means? Can you explain it? Or do you know how to fix it? It is not about pointing out mistakes; you should be able to help the client (he is paying for that service).

I'm not sure how your brain works, but for me reading the manual is not enough. I need to get my hands dirty. I need to code in a way that I fully understand what I am doing, because if I don't understand it fully then I am not in charge.

I chose PHP/MySQL and JavaScript as the first languages.
And I will try to come up with small tutorials/challenges in here once a week. Hopefully it helps me to push myself further.

3. Learn how systems work
I plan to set up servers and guests for that purpose.
I'm planning to use Oracle VM VirtualBox and GNS3.
The idea is to simulate real-world networks + an attacker.

4. Follow the path (try to master one field at a time)
It is nice advice.

Since I already work as a software tester, I will start with website hacking.

5. Get certified
I have read the programs of many security testing courses, and I just don't believe that you can become a pen-tester after a 2-5 day course, and of course the price is overkill. I strongly believe that first I should understand what I'm doing and then get certified, not the other way around.

6. Find a mentor
I wish I could find a mentor... well, I almost did: in New Zealand they have an awesome community where people can actually find a mentor for free (http://www.in2security.org.nz/), but you need to live there... so I envy them. Well, who knows, maybe I'll get lucky and find a mentor.

7. Practice, practice, practice
This is a hard one, since it is illegal to hack systems without permission.
For brain teasers there are many websites out there that offer challenges.
To name a few:
So for practice I started writing a small application, so I could learn how to code, how to find the (XSS, SQL, ...etc) and how to fix them.

Note for the reader:

Dear stranger,

Everything in here is my opinion. I'm sorry if it hurts you somehow, and I'm sorry for my bad grammar (English is not my first language). If you happen to notice mistakes in my posts, then please let me know also.