Friday, 4 July 2014

Where to train your testing skills (publication B)

Where to train your QA engineers in Security for FREE?

With the rapid growth of web applications on the internet, the question of their security becomes more and more critical. Web application security is difficult to learn and practice. Not everyone who deals with security testing has an environment with web applications, such as an online computer store or an online bank, that can be scanned for vulnerabilities. Additionally, security professionals need to test their tools against an environment with known vulnerabilities to make sure the tools work properly. All of these activities have to be carried out in a legal environment, without breaking the law, and this is one of the main obstacles in the training process.

Security communities all over the world took these facts into account and prepared a lot of great material: online environments and deliberately vulnerable applications that can be run locally to learn and practice Web application security.

Security Compass prepared a free online course based on the 2013 OWASP Top 10 Web application vulnerabilities, as published by the Open Web Application Security Project (OWASP). The course is available on their web site. The easiest step-by-step guideline for students is available on the Computer Security Student website.

The OWASP Mutillidae II Project provides a free, open source, deliberately vulnerable web application that serves as a target for web security enthusiasts. It has several tasks for each vulnerability from the OWASP Top 10 list. Currently version 2.0.7 of Mutillidae is available.

The OWASP WebGoat project, prepared by the OWASP community, was designed to teach web application security lessons. It is easy to run and practice with. Students can log in to the application with different accounts, get a description of each lesson and, if needed, obtain the solutions. The difference from the previous project is that it contains lessons dedicated not only to breaking security but also to fixing vulnerabilities by writing secure code.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. This project is very similar to Mutillidae, except that here you have no concrete tasks to solve; instead you get scripts with common vulnerabilities:
  • Brute Force
  • Command Execution
  • CSRF
  • File Inclusion
  • SQL Injection
  • SQL Injection (Blind)
  • Upload
  • XSS reflected
  • XSS stored
The newest version is 1.0.8.

The codelab Web Application Exploits and Defenses by Bruce Leban, Mugdha Bendre, and Parisa Tabriz provides a platform that can be accessed online or installed locally. It has tasks for both black-box and white-box testing. The codelab shows how existing web application vulnerabilities are exploited and how to defend against these attacks.

OWASP prepared The Broken Web Applications (BWA) Project, which produces a Virtual Machine running a variety of applications. Some of them were described above:
  • OWASP WebGoat (Java)
  • OWASP ESAPI Java SwingSet Interactive (Java)
  • OWASP Mutillidae II (PHP)
  • OWASP RailsGoat (Ruby on Rails)
  • OWASP Bricks (PHP)
  • Damn Vulnerable Web Application (PHP)
  • Ghost (PHP)
  • Magical Code Injection Rainbow (PHP)
And many more. The resources are located here.

There are online vulnerable Web sites from Acunetix, which the company uses to demonstrate its scanner:
To train on XSS attacks, specialists interested in security can use the following sites:
The challenges available there range from easy to non-trivial tasks.

Capture The Flag (CTF) security competitions are probably the most interesting for security specialists. The tasks are available online and need no additional software, and there is a clear goal: get the flag. One of the projects is Hack This Site, with its set of challenges. Another CTF project, from Enigma Group, also has a set of missions, available here. There, security specialists and enthusiasts can try their skills competing with other teams.

These resources are available for free and cover many of the fundamental aspects that security testers need. Of course, this is not a full list of resources for practicing Web application security, but it is more than enough to fill your time with interesting activity.
