Web App Fundamentals

Understanding the Fundamentals of Web Application Security

Always be Learning

The web application security space, and the cybersecurity industry as a whole, lives in a constant state of change. An unrelenting curiosity and passion for lifelong learning is mandatory for any individual seeking to specialize in web application security. New application exploits emerge every day and the landscape is regularly adjusting.

“Change is challenging. And security is like a moving target, so make sure you are able to deal with and work through frequent changes.” – anonymous

However, new vulnerabilities don’t emerge out of thin air. New exploits leverage previous methodologies and vulnerabilities, while iterating on areas that weren’t previously successful. In this sense, cyber threats are both rapidly evolving but also reliant on previous attack techniques. To keep up with the constant change, web application security professionals must research the latest threats, trends, and technologies.

Technical curiosity, whether it’s an interest in a new software, exploit, tool, language, or platform, is key for any individual looking to looking to specialize in web application security assessments. It can be exercised by following industry experts, staying on top of breaking news, undergoing professional training, and networking with professionals.

Industry professionals recommend reading one or two new pieces of web app security content daily. That content could focus on a new bug, mitigation strategy, or security policy. To help get you started, we’ve compiled a list of our favorite reading resources:

Programming Prerequisites

To specialize in web application security assessments, you need to be experienced in writing and reading multiple programming languages. The bulk of your time will be spent analyzing source code (HTML, CSS, JavaScript, PHP, ASPX), fuzzing inputs, and manipulating requests between the application and server.

Although familiarity with traditional application development concepts are helpful, formal education in computer science is not required. Being able to quickly navigate unknown frameworks, languages, and code are paramount skills for a web application speciality.

You should also have a decent comfort level with Linux, as you’ll need to understand the Linux Filesystem Hierarchy Standard, execute scripts, install new packages, and configure tools within Kali Linux.

Download Kali Linux

Released in March of 2013 and previously known as BackTrack, Kali Linux is a Debian-based Linux distribution designed specifically for penetration testing and security auditing. Developed and funded by Offensive Security, Kali hosts several hundred tools which are geared towards various information security tasks.

To be proficient with Kali Linux, you’ll need a strong foundation in Linux. Kali Linux is not a recommended distribution if you’re unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development (if you’re unfamiliar with Linux, you may consider Ubuntu or Mint).

If you’re new to Kali Linux, there are two free resources to take advantage of. “Kali Linux Revealed: Mastering the Penetration Testing Distribution”, available as a free downloadable PDF, is a great introductory read. After reading this book, you’ll be able to:

  • Use the Kali OS proficiently
  • Automate, customize and pre-seed Kali Linux Installs
  • Build, modify, and host Kali packages and repositories
  • Create, fork and modify simple Kali packages
  • Customize and rebuild your Kernel
  • Deploy Kali over the network
  • Create Kali appliances such as the Kali ISO of Doom
  • Manage and orchestrate multiple installations of Kali
  • Build and customize Kali ARM images
  • Create custom pentesting devices

Another free resource is the Kali Linux Revealed course, which serves as an extension of the book. The course uses the book as a foundational roadmap to teach students a deep understanding and use of the Kali Linux operating system. Upon successful completion of the course, students will receive their Kali Linux Certified Professional (KLCP) certification.

Individuals with this certification have the skills, knowledge and abilities to put Kali Linux to use as advanced power users, capable of creating highly customized and secure deployments. In addition, the KLCP certification provides foundational knowledge for any information security professional – allowing them to use it as a solid base in their career. The certification exam can be scheduled and purchased through VUE Testing centers around the world.

Common Types of Web Attacks

Whether it’s a Local File Include, SQL Injection, or a Brute-Force attack, hackers are always learning new and creative ways to circumvent even the most fortified web applications. The most common types of web attacks include the following:

  • Local File Include (LFI): manipulating a web application execute a local file stored on the server
  • Remote File Include (RFI): manipulating a web application to download & execute a file that isn’t stored on the local server — via HTTP or FTP request
  • Brute force: an attackers attempt to gain access to a web application by testing hundreds of thousands of username and password combinations
  • Cross Site Scripting (XSS): attackers inject client-side scripts into web pages viewed by other individuals (important to note the end-user is typically the target of these attacks, not the web application)
  • SQL Injections: attacker use malicious SQL code to manipulate the database to access and/or display typically sensitive (customer data, business secrets, etc)
  • Cross-Site request forgery: attackers use credentials cached in a victim’s browser to execute a malicious HTTP request

Hackers will commonly chain together a series of vulnerabilities into a single exploit vector to further compromise a web app. For example, a hacker could export a web application config file with credentials using LFI, gain a shell on the system by leveraging a RFI vulnerability, and then attack the system or database before setting up an exploit for client side attacks on users who access the web app in the future.

Sign up as a Bug Bounty Hunter

If you haven’t already, sign up and create an account with a service that pays bug hunters to identify and document bugs. A quick Google search will yield many options. Businesses pay services to list their website/web application and invite users to securely and safely test their web applications and systems for bugs.

Not only will you potentially get paid for the bugs you find, but you’ll also be able to access their internal guides and resources for bug hunters looking to develop their skills in a real world situation. What’s better than learning and getting paid to do it? This is valuable experience early web application testers can stick on their resume.

Get Professionally Trained and Certified

Using free resources and consuming technical content is a critical habit to maintain. However, the vast majority of employers look to training and certifications as the premier indicator of a capable candidate.

Advanced Web Attacks and Exploitation (AWAE) is the top web application security and penetration testing training, developed by Offensive Security. Through a unique combination of hands-on and classroom-based learning, AWAE condenses the time it takes for students to successfully learn about the complex tools, techniques, and approach that sophisticated cyber-criminals use to create advanced exploits. To view topics covered in the course, please refer to the AWAE Syllabus.

Each student receives access to a virtual penetration testing lab where the techniques learned in the course can be practiced in a safe and legal environment.

Upon successful completion of the course and certification exam, students will officially become an Offensive Security Web Expert (OSWE), which demonstrates mastery of exploiting web applications. An OSWE certification is invaluable to any individual pursuing a career in web application security.

A Checklist for Next Steps

If you apply yourself, pursuing a specialty in web application security assessments can be lucrative. Web application security is a special niche of penetration testing, and unfortunately, there’s not a ton of formal training or educational content about it.

If you’re a penetration tester aiming to specialize in web application security assessments, use this checklist as a benchmark:

  • Be constantly learning and consuming new content
  • Gain experience with multiple programming languages
  • Familiarity with Kali Linux — consider taking the KLCP course or reading the free e-book
  • Sign up for a bug bounty program
  • Get professionally trained and certified by completing the AWAE course and receiving your OSWE certification

If you have any questions or comments, tweet us at @OffSecTraining.

Download the infographic

New call-to-action

Free Download: Web Application Security guide