A Compendium of Web Security Resources

By Sarah Lam |  Aug 20, 2024  | cybersecurity, websecurity, resources, portswigger, owasp, monsec

Are you interested in learning more about web application security but don’t know where to start? Maybe you’re just looking to get a foothold in the offensive security space. Or maybe you want to know how best to defend your own websites. Fear not! I have collated a few of my top web security resources, so you can start learning how to master web security.


What is Web Security?

As the name suggests, web security (or web application security, to be precise), is a domain of cybersecurity that primarily concerns websites. Understandably, it’s a big area of cybersecurity. How many websites have you visited today? How many of them required you to submit some form of information? How many of them processed private or sensitive information?

The short of it is that websites are so ubiquitous that it’s inevitable that they are common targets of cyberattacks. Therefore, being familiar with common vulnerabilities and how to defend against them is an important skill for any prospective cybersecurity expert, particularly those with an interest in offensive security (e.g. pentesting and red teaming).

So where can you start learning about web security? There are many amazing resources that are freely available, so I have selected some of my favourites that are also fairly beginner-friendly.


PortSwigger

My first recommendation when it comes to web security is always PortSwigger. They run a whole online academy dedicated to web security. All of the labs are free (you just need an account), and they publish a large body of research and guides covering almost every class of web vulnerability, from classic SQL injection to more complex web cache deception exploits. Moreover, every lab comes with at least one written solution, so you can always check the write-up to make sure you’re on the right track. PortSwigger are also the developers of Burp Suite, an industry staple for web security testing. The Community edition of Burp Suite is entirely free, can be downloaded from their website and comes preinstalled on Kali Linux. The Professional edition (and the Enterprise edition, which is aimed at automated scanning at scale) require a licence, but add functionality such as Burp Collaborator, which detects out-of-band interactions from the target (useful for blind SSRF and blind injection), and Intruder attacks without the rate throttling applied in the Community edition.

You can check out their latest research here, view their complete library of labs here and download the Community edition of BurpSuite here. They have also got a Discord server, which you can join.

The main downside of PortSwigger is that sometimes the labs can be very slow, or fail to load and require multiple refreshes. However, given the fact that the labs are all freely available and that they also have so many other resources available, I think it’s a small sacrifice to make.


OWASP

For those who are looking for defence mechanisms, or more detailed theory, OWASP is definitely an excellent place to start. OWASP, also known as the Open Worldwide Application Security Project, basically collects a metric tonne of information relating to web security. Want to know how to secure a potential file upload vulnerability? They have a cheat sheet for it. Want to learn how to test for NoSQL injection? They have a guide for it. Want a comprehensive guide on how to thoroughly test a website? Check out the Web Security Testing Guide (WSTG). You get the idea. On top of having a large collection of resources across a diverse range of topics, OWASP is also responsible for the OWASP Top Ten, a report on the most critical security risks faced by web applications. A new edition is released every few years, and it’s an excellent way to get a quick overview of the current threat landscape.

As well as having a lot of theory available, OWASP also maintains Juice Shop, which is effectively a deliberately vulnerable web application that you run yourself (locally or in a container) and which contains vulnerabilities from the OWASP Top Ten, as well as other common weaknesses. It’s a great ‘sandbox-style’ environment to experiment in, though it is more open and sophisticated than PortSwigger’s labs (there is no single intended path per challenge), so it is better suited to those who already have a moderate amount of web security experience.


MonSec

And of course, how could I not promote MonSec, or rather, the blog posts I wrote for MonSec. As part of a push to update our website more often, I wrote a 12-part blog series on some of my favourite web vulnerabilities, largely inspired by PortSwigger’s labs and research. I tried to condense each vulnerability into an article that can be read in less than 10 minutes, so while the series lacks detail, it’s a good resource for getting a quick idea of the different classes of vulnerabilities, how they can be exploited and what some common defences are.

You can check out the posts here.


What’s Next?

Well, as the saying goes, you can lead a horse to water but you can’t make it drink. Even if you have the best resources in the world, you still need the time and motivation to actually learn the material. The best way to learn web security, in my opinion (and I think many others will agree with me), is to simply do it. Don’t worry if it doesn’t make complete sense at first. Spin up a PortSwigger lab and have a crack at it. If you get stuck, go back to the theory or use the hints and solutions to guide you at the start. Once you’ve done a few labs on a given topic, you should become more familiar with how to exploit that class of vulnerability. Not only that, but you’ll also start to learn a bit about how websites function, if you haven’t learnt that already.

It can be difficult. There will be moments where you feel like doing nothing or a challenge feels insurmountable. But if you really are interested, and you really want to learn and master these skills, you can press on. Even if you can’t give it your 100%, you can still give it some of your effort. And this isn’t limited to web security, or even cybersecurity more broadly. It applies to any discipline or skill of your choice.

So stop reading this post and go out and actually do it! If you’re desperately stuck and don’t know where to start, I recommend doing the Apprentice-level SQL injection, XSS, clickjacking and CSRF labs in the PortSwigger academy. For maximum hacker-power, you can listen to the Hacknet OST while you do it.

Happy hacking!


Banner image credit: Ilya Pavlov