Blog
Oct 8, 2019
Understanding the Fundamentals of Securing Web Applications
Web application security can be a rewarding career path. However, the web application security space, and cybersecurity industry as a whole, lives in a constant state of change. An unrelenting curiosity and passion for lifelong learning is mandatory for anyone seeking to specialize in this niche. Here are some fundamentals to help you pursue these skills.
7 min read
Securing Web Applications by Continously Learning
Securing web applications lives in a constant state of change. An unrelenting curiosity and passion for lifelong learning is mandatory for any individual seeking to specialize in web application security. New application exploits emerge every day and the landscape is regularly adjusting.
“Change is challenging. And security is like a moving target, so make sure you are able to deal with and work through frequent changes.” – anonymous
However, new vulnerabilities don’t emerge out of thin air. New exploits leverage previous methodologies and vulnerabilities, while iterating on areas that weren’t previously successful. In this sense, cyber threats are both rapidly evolving but also reliant on previous attack techniques. To keep up with the constant change, web application security professionals must research the latest threats, trends, and technologies.
Technical curiosity, whether it’s an interest in a new software, exploit, tool, language, or platform, is key for any individual looking to looking to specialize in web application security assessments. It can be exercised by following industry experts, staying on top of breaking news, undergoing professional training, and networking with professionals.
Industry professionals recommend reading one or two new pieces of web app security content daily. That content could focus on a new bug, mitigation strategy, or security policy. To help get you started, we’ve compiled a list of our favorite reading resources:
- OWASP Top 10 Web Application Security Risks: A list of the most current and notorious web application vulnerabilities — created by the Open Web Application Security Project. They’re a go-to resource for web application security.
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws: A library of insightful knowledge, you’ll find yourself consistency referring back to the principles and techniques outlined in this handbook.
- Web Security Academy by PortSwigger: From the creators of Burp Suite. The PortSwigger Web Security Academy is full of valuable resources, including labs, tutorials, and exploit documentation.
- Damn Vulnerable Web Application (DVWA): A web app full of vulnerabilities to exploit. Students use it to learn the art of web application security.
Programming Prerequisites
To specialize in securing web applications, you need to be experienced in writing and reading multiple programming languages. The bulk of your time will be spent analyzing source code (HTML, CSS, JavaScript, PHP, ASPX), fuzzing inputs, and manipulating requests between the application and server.
Although familiarity with traditional application development concepts are helpful, formal education in computer science is not required. Being able to quickly navigate unknown frameworks, languages, and code are paramount skills for a web application speciality.
You should also have a decent comfort level with Linux, as you’ll need to understand the Linux Filesystem Hierarchy Standard, execute scripts, install new packages, and configure tools within Kali Linux.
Download Kali Linux
Released in March of 2013 and previously known as BackTrack, Kali Linux is a Debian-based Linux distribution designed specifically for penetration testing and security auditing. Developed and funded by Offensive Security, Kali hosts several hundred tools which are geared towards various information security tasks.
To be proficient with Kali Linux, you’ll need a strong foundation in Linux. Kali Linux is not a recommended distribution if you’re unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development (if you’re unfamiliar with Linux, you may consider Ubuntu or Mint).
If you’re new to Kali Linux, there are two free resources to take advantage of. “Kali Linux Revealed: Mastering the Penetration Testing Distribution”, available as a free downloadable PDF, is a great introductory read. After reading this book, you’ll be able to:
- Use the Kali OS proficiently
- Automate, customize and pre-seed Kali Linux Installs
- Build, modify, and host Kali packages and repositories
- Create, fork and modify simple Kali packages
- Customize and rebuild your Kernel
- Deploy Kali over the network
- Create Kali appliances such as the Kali ISO of Doom
- Manage and orchestrate multiple installations of Kali
- Build and customize Kali ARM images
- Create custom pentesting devices
Another free resource is the Kali Linux Revealed course, which serves as an extension of the book. The course uses the book as a foundational roadmap to teach students a deep understanding and use of the Kali Linux operating system. Upon successful completion of the course, students will receive their Kali Linux Certified Professional (KLCP) certification.
Individuals with this certification have the skills, knowledge and abilities to put Kali Linux to use as advanced power users, capable of creating highly customized and secure deployments. In addition, the KLCP certification provides foundational knowledge for any information security professional – allowing them to use it as a solid base in their career. The certification exam can be scheduled and purchased through VUE Testing centers around the world.
Common Types of Web Attacks
Whether it’s a Local File Include, SQL Injection, or a Brute-Force attack, hackers are always learning new and creative ways to circumvent even the most fortified web applications. The most common types of web attacks include the following:
- Local File Include (LFI): manipulating a web application execute a local file stored on the server
- Remote File Include (RFI): manipulating a web application to download & execute a file that isn’t stored on the local server — via HTTP or FTP request
- Brute force: an attackers attempt to gain access to a web application by testing hundreds of thousands of username and password combinations
- Cross Site Scripting (XSS): attackers inject client-side scripts into web pages viewed by other individuals (important to note the end-user is typically the target of these attacks, not the web application)
- SQL Injections: attacker use malicious SQL code to manipulate the database to access and/or display typically sensitive (customer data, business secrets, etc)
- Cross-Site request forgery: attackers use credentials cached in a victim’s browser to execute a malicious HTTP request
Hackers will commonly chain together a series of vulnerabilities into a single exploit vector to further compromise a web app. For example, a hacker could export a web application config file with credentials using LFI, gain a shell on the system by leveraging a RFI vulnerability, and then attack the system or database before setting up an exploit for client side attacks on users who access the web app in the future.
Sign up as a Bug Bounty Hunter
If you haven’t already, sign up and create an account with a service that pays bug hunters to identify and document bugs. A quick Google search will yield many options. Businesses pay services to list their website/web application and invite users to securely and safely test their web applications and systems for bugs.
Not only will you potentially get paid for the bugs you find, but you’ll also be able to access their internal guides and resources for bug hunters looking to develop their skills in a real world situation. What’s better than learning and getting paid to do it? This is valuable experience early web application testers can stick on their resume.
Get Professionally Trained and Certified
Using free resources and consuming technical content is a critical habit to maintain. However, the vast majority of employers look to training and certifications as the premier indicator of a capable candidate.
Learn the foundations of securing web applications with Foundational Web Application Assessments with Kali Linux (WEB-200). Learners who complete the course and pass the exam will earn the OffSec Web Assessor (OSWA) certification and will demonstrate their ability to leverage web exploitation techniques on modern applications. This course teaches learners how to discover and exploit common web vulnerabilities and how to exfiltrate sensitive data from target web applications. Learners that complete the course will obtain a wide variety of skill sets and competencies for web app assessments.
Advanced Web Attacks and Exploitation (WEB-300) is an advanced web application security course that teaches the skills needed to conduct white box web app penetration tests. Learners who complete the course and pass the exam earn the OffSec Web Expert (OSWE) certification and will demonstrate mastery in exploiting front-facing web apps. To view topics covered in the course, please refer to the WEB-300 Syllabus.
Each student receives access to a virtual penetration testing lab where the techniques learned in the course can be practiced in a safe and legal environment.
A Checklist for Next Steps
If you apply yourself, pursuing a specialty in securing web applications can be lucrative. Web application security is a special niche of penetration testing, and unfortunately, there’s not a ton of formal training or educational content about it.
If you’re a penetration tester aiming to specialize in web application security assessments, use this checklist as a benchmark:
- Be constantly learning and consuming new content
- Gain experience with multiple programming languages
- Familiarity with Kali Linux — consider taking the KLCP course or reading the free e-book
- Sign up for a bug bounty program
- Get professionally trained and certified by completing the WEB-200 or WEB-300 course
If you have any questions or comments, tweet us at @OffSecTraining.
Free Download: Web Application Security guide
Cybersecurity leader resources
Sign up for the Secure Leader and get the latest info on industry trends, resources and best practices for security leaders every other week
Latest from OffSec
Enterprise Security
How to Use Assessments for a Skills Gap Analysis
Discover how OffSec’s Learning Paths help organizations perform skills gap analyses, validate expertise, and strengthen cybersecurity teams.
Nov 19, 2024
4 min read
Enterprise Security
The Human Side of Incident Response
Effective incident response requires decision-making, adaptability, collaboration, stress management, and a commitment to continuous learning.
Nov 8, 2024
5 min read
OffSec News
Master Incident Response with Hands-On Training in IR-200: Foundational Incident Response
OffSec is excited to announce the immediate availability of a new course: IR-200: Foundational Incident Response.
Oct 29, 2024
4 min read