Resources for Learning Web Application Security

I put together a list of resources for practicing and learning web security assessment techniques.  The list is far from complete, but has a few resources that I have found useful for improving my web app assessment skills.


Webseclab is without a doubt the best platform out there for learning recent web attacks; it covers client-side attacks and AJAX: an area many other practice tools miss.  It is designed to be used in an instructor-led environment (Stanford U,) and since you can’t download a professor you will have to figure out what the lesson was on your own—the instructions are pretty sparse.  Here are some of the topics covered:
  • Attacking authentication using JavaScript
  • Several different attacks using XHR
  • Using Firebug to bypass JavaScript input validation.
  • Browser denial-of-service using JavaScript
  • Attacking cross-origin resource sharing
  • Cross frame leaking (IMHO a really neat attack.)
  • Clickjacking.
  • Attacking hidden and hashed (brute-force) values to bypass weak authorization schemes.
  • Cross channel scripting.
  • Cross site scripting
  • Cross site request forgery
  • SQL Injection
Getting through all this is pretty challenging, it took me a couple of weeks to figure out all of the solutions!  There are a few bugs (which may have been fixed since I last looked at it in 2010) which, required me to root the VM to fix.  Despite the three or so exercises with bugs, this is definitely the best platform for learning blackbox web security assessment techniques.  I was tempted to use a bunch of my tools on the exercises, but it really is best to just stick with the copy of Firefox. and associated plugins provided in the VM. Here are a few hints that might help with potential problems:
  • Using the VM requires setting up an account on the webseclab internet site.  Try the “test” class.
  • You can’t run this in VMWare, use Oracle’s VirtualBox.
  • Read the Cross Channel Scripting paper
  • For XCS exercises Get root access to the VM (don’t know how?  Maybe security isn’t for you.):
    • enable anonymous login in /etc/vsftpd.conf
    • Rotate Apache logs, re-enable logging in /etc/apache2/sites-enabled/000-default
  • The last problem of session exercises requires you to delete the PHPSESSID cookie sent by the attacker web server—I think this is a bug, but it can be worked around.
  • The version of FireBug included in the FireFox browser needs updating—setting breakpoints in it won’t work properly until you update (YMMV, this is my experience).
  • You should read up on HTTP access control for cross-origin sharing, these are some major changes to the browser’s cross origin security restrictions.
  • Read this ClickJacking paper.
  • Blackhat 2010 paper that includes a chapter on Cross Frame Leaking.
  • You really need to know the Document Object Model inside and out, and how JavaScript interacts with it; W3Schools is a really good reference.
I’ll leave the rest up to you.  If you get through them let me know, some of these were really difficult.  Yes, I saved my answers to all of the problems, no, you can’t have them.

dojo security

The MavenSecurity page has plenty of information on Dojo Here is an excerpt from their page showing what is included in the VM: Targets include:
  • OWASP’s WebGoat
  • Google’s Gruyere
  • Damn Vulnerable Web App
  • Hacme Casino
  • OWASP InsecureWebApp
  • w3af’s test website
  • simple training targets by Maven Security (including REST and JSON)
Tools: (starred = new this version)
  • Burp Suite (free version)
  • w3af
  • sqlmap
  • arachni *
  • metasploit
  • Zed Attack Proxy *
  • OWASP Skavenger
  • OWASP Dirbuster
  • Paros
  • Webscarab
  • Ratproxy
  • skipfish
  • websecurify
  • davtest
  • J-Baah
  • JBroFuzz
  • Watobo *
  • RATS
  • helpful Firefox add-ons
That’s almost every security test-application you can download.  This VM is great, it used to take hours getting all of these together, and will definitely be my VM of choice when I need to teach others how this stuff works.  They have both VMWare and VirtualBox versions available.

Live Websites to attack …

These websites are put up by vendors selling web vulnerability scanners for testing their software.  You will need to check with each one to see if it is acceptable to attack their website with anything other than their scanner software, but here is the list of sites I know about. • • • • • • •