lilibyte

Prerequisite Skills to Studying Web Security
2021-07-24 (2023-08-07)
security

I just wrote this for the /cyb/ threads on /g/ and figured I'd post it here as well. This is, of course, "you get what you pay for" advice and ultimately just my opinion and not to be taken too seriously.

UPDATE 08/2023: When I wrote this a couple years ago, the threads were dying and I was trying to contribute something to aid in sustaining them. That did not work whatsoever, but to my own surprise someone has been successfully reviving the /cyb/ + /sec/ generals. Godspeed!

/cyb/ is dead. Long live /cyb/!


DOCUMENT VER 1.3
WRITTEN 2023-08-06
TITLE "Prerequisite Skills to Studying Web Security"

The best thing you can do for yourself at this stage is expose yourself to many different topics and obtain a surface-level understanding of them. You could say a goal of this document is casting a wide but shallow net of topic exposure. Deeper knowledge will build on these foundations at a pace you will find for yourself along the way. Resources have been chosen to put an emphasis on repeating topics to drill them in without being too dry. I would encourage you to follow any rabbit holes you might fall down in the process, because doing so gives you an opportunity to better map out how computers work and ideally their security and threat landscape.

Hacking isn't a single skill; it's exhausting as many possibilities as you can think of to accomplish a given task. Understand how systems are built before attempting to break them. In other words, it's an application of a set of fundamental skills and first principles.

The order of topics isn't that important, but was chosen intentionally. For example, by starting with Linux you give yourself an opportunity to use it as an environment for learning Python and networking. Networking will include Python programming, and Python may expose you to some networking. Ultimately, you should just choose your own adventure to avoid burn-out.

Use Library Genesis to search for the books mentioned. Yes, it's safe. If you don't trust it, use a VM and scan the downloads for viruses.
http://libgen.rs/

> Linux

Start with "The Linux Command Line" by William Shotts. It will take you from nothing to competent. This book should be enough for you to do the OverTheWire Bandit challenges which you can think of as a sort of rite of passage.
https://overthewire.org/wargames/bandit/

If you are inclined, you can follow this up with "How Linux Works" by Brian Ward for some recap as well as a deeper dive into some more sysadmin-focused topics that are only touched on in TLCL. Web security is basically just an application of DevOps, so these are important things to understand. It will also offer you an extremely high-level introduction to how the kernel itself works, which should be all you need if you are just going into web security.

If you want to really apply your Linux knowledge to a final lab then consider following the Linux From Scratch project:
https://www.linuxfromscratch.org/lfs/
It will have you build a Linux system from source, so you'll encounter everything there is to know on the user's end, including how the filesystem is laid out. It's just a book. Don't convince yourself you wouldn't be able to do it.

> Scripting/Python

My personal recommendation is to start with Python because it's such an incredible "Swiss Army knife" for hacking-oriented tasks.

I like "Python Crash Course" by Eric Matthes because it's really two books in one: the first half is a typical beginner's textbook, and the second half is three "real-world" projects: data visualization, game development, and web development. These may not seem directly relevant, but in the interest of exposing yourself to new things, what this should accomplish is demystifying software development so you have an idea of how the systems you will be attacking are created, as well as the ability to look through a software project and understand how and why it is laid out the way it is.

If you'd like to follow that up with another book to drill in the concepts and to provide another teaching style and set of exercises, consider reading "Black Hat Python, 2nd Edition" by Justin Seitz and Tim Arnold. This may give you insight into practical script writing and basic hacking tool development. Ideally, this will also keep you motivated and focused on your end goals if you are getting bored by theory.

Python's most valuable feature is its thorough standard library. Python 3 Module of the Week, or its reference-textbook equivalent "Python 3 Standard Library by Example" by Doug Hellmann, presents the library modules sorted into categories, which will help you create your own scripts to accomplish tasks instead of relying on niche and archaic hacking tools you may find on GitHub. That being said, a massive collection of good community-created Python tools and libraries already exists as well, and some resource lists for finding those follow.
https://pymotw.com/3/
https://github.com/Hack-with-Github/Awesome-Hacking
https://github.com/vinta/awesome-python
https://www.awesomepython.org/
https://github.com/carpedm20/awesome-hacking
https://github.com/enaqx/awesome-pentest
https://github.com/jekil/awesome-hacking#python
https://hackersonlineclub.com/python-tools/

Here are some websites that you can use for more coding exercises. You don't need to be as skilled as a software developer, let alone a competitive programmer, but you should be able to brute-force your way through easy-to-medium challenges without issue.
https://edabit.com/
https://www.codewars.com/
https://leetcode.com/
https://projecteuler.net/
https://adventofcode.com/

Remember you can always seek guidance in /cyb/ or /dpt/.

> Networking

Unless you are planning to go into a network-related job, you really don't need to go that deep into networking. "Computer Networking: A Top-Down Approach" by James F. Kurose and Keith Ross will teach you everything you should know. It has a "focus on security" throughout the book and an entire chapter on network security. I would urge you not to read this cover to cover, but instead to be diligent in determining what parts will help you in the immediate future; namely, the application layer.

Additionally, it has highly valuable Wireshark packet analysis labs and Python network programming labs. If either of those things interests you enough to read additional material, consider "Practical Packet Analysis" by Chris Sanders and "Foundations of Python Network Programming" by Brandon Rhodes and John Goerzen. You may want to do your own research on more recent books on those topics.

> A Path Forward

At this point you have a solid foundation for beginning security-oriented research. "The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto is a great starting point because it's the only book around that really teaches attack methodology. At the same time, start doing as many CTF challenges as you can. The knowledge and experience you gain from doing one will lead to the next one.

Sec+ and PenTest+ certification study guides can be used as a checklist for what you "should know" as a beginner from the industry's perspective. PenTest+ in particular will give you insight into non-technical aspects of pentesting that aren't talked about as much. Note that this is not an endorsement of those certifications; I'm only suggesting that you read the study guides.

Possibly the most important skill is quickly thinking through and solving problems. You should be capable of intelligently researching a challenge you don't understand.

If you want more fundamentals to grind, here are some sub-topics that could be useful to you in doing CTFs:
* Web scraping with Python
* Web architecture (back-end: data, servers; front-end: APIs, DOM, browsers)

And as always, consult the installgentoo wiki for resources on computer science and more advanced programming.
https://wiki.installgentoo.com/wiki/Programming_resources

> Epilogue

Historically, the advice in old /cyb/ threads focused on getting an OSCP certification. Here's an outline of what this document would have been about if it had been written maybe 5-10 years ago:

https://cyberpunked.org/

"Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman used to be commonly recommended, along with the PDF study guide by Tulpa Security, "Tulpa's PWK Prep Guide":
https://web.archive.org/web/20180324181134/https://tulpa-security.com/2016/09/19/prep-guide-for-offsecs-pwk/

An anon on /biz/ who became known as "OSCP anon" on /g/ started a short-lived /rpg/ - Remote Pentester General that was interesting at the time. His syllabus was called "Path to Pentester (Anon's Quest)".

> Path to Pentester (Anon's Quest v2)
https://archive.is/XB5hl (Saved from https://pastebin.com/vyhNRqj8)

> The relevant /biz/ threads
https://warosu.org/biz/thread/S14246491
https://warosu.org/biz/thread/S14291877
https://warosu.org/biz/thread/S14451088
https://warosu.org/biz/thread/S14460030
https://warosu.org/biz/thread/S14784856
https://warosu.org/biz/thread/S14908749
https://warosu.org/biz/thread/S15009378
https://warosu.org/biz/thread/S15111033
https://warosu.org/biz/thread/S15140492
https://warosu.org/biz/thread/S15195727
https://warosu.org/biz/thread/S15207935
https://warosu.org/biz/thread/S15467643
https://warosu.org/biz/thread/S15621836
https://warosu.org/biz/thread/S15892816
https://warosu.org/biz/thread/S16205844
https://warosu.org/biz/thread/S16273859
https://warosu.org/biz/thread/S17186747
https://warosu.org/biz/thread/S17503559
https://warosu.org/biz/thread/S17814875
https://warosu.org/biz/thread/S18157805
https://warosu.org/biz/thread/S19434152
https://warosu.org/biz/thread/S20399888
https://warosu.org/biz/thread/S22240382