lilibyte

Prerequisite Skills to Studying Web Security
2021-07-24
security

I just wrote this for the /cyb/ threads on /g/ and figured I'd post it here as well. This is, of course, "you get what you pay for" advice and ultimately just my opinion and not to be taken too seriously.


The best thing you can do for yourself at this stage is expose yourself to many different topics and obtain a surface-level understanding of them. Hacking isn't a single skill, but rather exhausting as many possibilities as you can think of to accomplish a given task. Understand how systems are built before attempting to break them.

Use Library Genesis to search for the books mentioned. Yes, it's safe. If you don't trust it, then use a VM and scan the downloads for viruses.
http://libgen.rs/

> Linux

Start with "The Linux Command Line" by William Shotts. It will take you from nothing to competent. This book should be enough for you to do the OverTheWire Bandit challenges which you can think of as a sort of rite of passage.
https://overthewire.org/wargames/bandit/

If you are inclined, you can follow this up with "How Linux Works" by Brian Ward for some recap as well as a deeper dive into some more sysadmin-focused topics that are just touched on in TLCL. Web security is basically just an application of DevOps, so these are important things to understand. It will also offer you an extremely high-level introduction to how the kernel itself works, which should be all you need if you are just going into web security.

If you want to really apply your Linux knowledge to a final lab then consider following the Linux From Scratch project:
https://www.linuxfromscratch.org/lfs/
It will have you build a Linux system from source so you'll encounter everything there is to know on the user's end and how the filesystem is laid out. It's just a book. Don't convince yourself you wouldn't be able to do it.

> Scripting/Python

My personal recommendation is to start with Python because it's such an incredible "Swiss Army knife" for hacking-oriented tasks.

I like "Python Crash Course" by Eric Matthes because it's really two books in one: the first half is a typical beginner's textbook, and the second half is three "real-world" projects: data visualization, game development, and web development. These may not seem directly relevant, but in the interest of exposing yourself to new things, they should demystify software development, so that you have an idea of how the systems you will be attacking are created, and can look through a software project and understand how and why it is laid out the way it is.

If you'd like to follow that up with another book to drill in the concepts and to provide another teaching style and set of exercises, consider reading "Learn Python 3 the Hard Way" by Zed Shaw.

Python's most valuable feature is its thorough standard library. Python 3 Module of the Week, or its reference-textbook equivalent "Python 3 Standard Library by Example" by Doug Hellmann, presents the libraries sorted into categories, which will help you write your own scripts to accomplish tasks instead of relying on niche and archaic hacking tools you may find on GitHub.
https://pymotw.com/3/

Here are some websites that you can use for more coding exercises. You don't need to be as skilled as a software developer, but you should be able to brute force your way through easy-to-medium challenges without issue.
https://edabit.com/
https://www.codewars.com/
https://leetcode.com/
https://projecteuler.net/

Remember you can always seek guidance in /cyb/ or /dpt/.

> Networking

Unless you are planning to go into a network-related job, you really don't need to go that deep into networking. "Computer Networking: A Top-Down Approach" by James F. Kurose and Keith Ross will teach you everything you should know. It has a "focus on security" throughout the book and an entire chapter on network security. I would urge you not to read this cover to cover but instead to be diligent in determining what parts will help you in the immediate future, namely the application layer.

Additionally, it has highly valuable Wireshark packet analysis labs and Python network programming labs. If either of those things interests you enough to read additional material on them, consider "Practical Packet Analysis" by Chris Sanders and "Foundations of Python Network Programming" by Brandon Rhodes and John Goerzen.

> A Path Forward

At this point you have a solid foundation for beginning security-oriented research. "The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto is a great starting point because it's the only book around that really teaches attack methodology. At the same time, start doing as many CTF challenges as you can. The knowledge and experience you gain from doing one will lead to the next one.

Sec+ and PenTest+ certification study guides can be used as a checklist for what you "should know" as a beginner from the industry's perspective. PenTest+ in particular will give you insight into non-technical aspects of pentesting that aren't talked about as much. Note that this is not an endorsement of those certifications; I'm only suggesting that you read the study guides.

Possibly the most important skill is quickly thinking through and solving problems. You should be capable of intelligently researching a challenge you don't understand.

If you want more fundamentals to grind, then here are some sub-topics that could be useful to you in doing CTFs:

Web Scraping:

Web Development:

These were chosen to introduce you to as many different technologies as possible, not because they are the best path to learning webdev. If that's what you want to do, get better resources from /wdg/.

And as always, consult the installgentoo wiki for resources on computer science and more advanced programming.
https://wiki.installgentoo.com/wiki/Programming_resources