This article is featured in the DZone Guide to Application Security. Get your free copy for more insightful articles, industry statistics, and more.
You will get hacked—that’s a reality. As a matter of fact, your application is statistically far more prone to be hacked than not. According to a report by Whitehat Security, 86% of websites contain at least one “serious” vulnerability.
Software developers are asked to respond to the ever-growing threat of cyber attacks by gaining more offensive and defensive application security skills and reflecting those skills in the security of their applications.
Risk, which is a function of probability and impact, is an important aspect of application security. Risk is very intangible and tends to vary significantly across industries and organizations. Without properly understanding security risks, any security bug would just look like another bug to a developer.
One of the best ways for developers to understand and appreciate the risk involved with security bugs is to learn to actually hack their own applications first before attacks do. This also happens to be one of the best ways to learn about application security overall. Once developers know attackers’ thought processes and techniques, they will be best positioned to protect their applications.
These are The Top 8 Tips to Keep in Mind as You Start Hacking Away
2. Make sure you understand the syntax differences between different databases; e.g. Oracle vs. SQL Server vs. MySQL. Pentest Monkey has good cheat sheets for different databases.
3. Understanding the different HTML contexts is key to properly exploit and mitigate cross-site scripting attacks. OWASP Cross-site Scripting Prevention Cheat Sheet is a great resource to get you familiar with the different HTML contexts.
4. Custom-built authentication mechanisms are more prone to have security flaws than framework-based ones (e.g. Spring Security, .Net Forms authentication, etc). Focus on logic issues in custom-built authentication and configuration issues in framework-based authentication.
5. Authorization attacks have three forms: vertical (gain higher/lower permission set), horizontal (gain access to another user's’ data), or record based (gaining access to arbitrary internal implementation objects such as files, or database records). Make sure you check every authorization form.
7. Encoding is not encryption. Make sure you understand the difference, and know how you can spot BASE64, URL, and HTML encoding in HTTP Requests and Responses.
8. Being an expert in a small set of testing tools is much more effective than being a generalist in a large set of tools.
Practice, Practice, Practice
All that you need as you are starting out is a good HTTP Proxy like Burp or ZAP. You will also need a sample application to attack. Most organizations will require you to get authorization from the security department to install vulnerability scanning tools and/or use them against your applications, so make sure you get that authorization first. If this is not possible, or you are not ready to practice offensive security against your applications yet, there are plenty of vulnerable applications for you to practice on.
So how do you pick the right sample vulnerable application?
There are several factors to keep in consideration:
1. Online vs. offline applications: some vulnerable applications are downloadable where everything resides locally; this takes some time to set up, but then you have control over everything, including the source code. Online or hosted applications don’t involve any setup time, but they might be challenging to attack as you are starting out.
2. The application’s technology stack: You might want to stick to a familiar technology stack, or one that resembles your application’s. If you are a Java/Struts/Oracle developer, it might be challenging to practice against a .NET stack or a MEAN (MongoDB, Express.js, Angular, Node.js) stack.
3. The application’s maintenance: there are great vulnerable applications out there, but they are not maintained as often (or sometimes at all). These might be developed using older technologies, so the vulnerabilities planted there are not quite relevant, and sometimes not even possible anymore.
4. Lesson-based vs. Realistic vs. Capture-the-Flag (CTF) applications: vulnerability types are organized in Lesson-based applications, so you know exactly which vulnerability you are about to find and exploit. Realistic applications resemble real-life applications, so vulnerabilities are not marked and could be anywhere in the application. Finally, capture-the-flag style applications take the form of a game, comprised of levels, where you need to reach a prize (usually a password) at the end of the level to unlock the next one.
The following is a set of my favorite lesson-based vulnerable applications. I find it much easier to tackle lesson-based applications rather than CTF or realistic applications when you are starting out. There are certainly other quality applications, but for the sake of this article, we will just focus on a few noteworthy ones. The following are the criteria I used to pick the applications:
1. Setup time.
2. Updated within the last two years.
3. The selection and number of vulnerabilities.
OWASP WebGoat (Java/Lesson-Based/Offline) is probably the most famous vulnerable app, where you can practice all of the OWASP Top 10 attacks and more.
OWASP Security Shepherd(Java/Lesson-Based/Offline) is another great web and mobile security training platform. One of the cool features of Security Shepherd is that it is highly configurable, so it could run in single user, competitive-classroom, or capture-the-flag modes.
Damn Vulnerable Web Application (DVWA) (PHP/Lesson-Based/Offline) is one of the most maintained PHP vulnerable applications out there; it’s very easy to setup and includes a good set of vulnerabilities.
Taking Your Skills to the Next Level
Now you know the basics. You probably can find vulnerabilities given the vulnerability type and location. Most real-life web applications will not advertise their vulnerabilities, so you will have to first find them before you will be able to exploit them.
The following are the top 4 tips to keep in mind when you go from amateur to pro:
1. Use a good web crawler to index every possible page and request to your application. Most vulnerability scanners come with a built-in crawler.
2. Fuzzing is a good place to start against unmarked web applications. Again, most scanners come with a fuzzing functionality.
3. Get into the habit of reading raw HTTP requests and responses. You will be surprised with the amount of information you can find in these.
4. Attackers will Google your application to find out as much information as possible about it. So it only makes sense to know what they will find by doing so. Architecture documents, databases schemas, employee names, and code snippets are among some of the things usually found on Google.
Other sample vulnerable applications you may want to try for testing include:
BodgeItStore (Java/Realistic/Offline) is a downloadable application that is much smaller than WebGoat and requires less maintenance. It could be a good place to start as you go pro.
Altoro Mutual (.NET/Realistic/Online) Is a great realistic online banking application. Altoro Mutual is the closest thing here to a real-life application and contains a multitude of vulnerabilities.
Cryptopal (Crypto/Lesson-Based/Online) is a small set of lessons focused on cryptography. While you might not face a lot of crypto challenges in real life, it is very good to understand the differences between encoding, encryption, and hashing. You will also get firsthand experience on how easy it is to hack weak crypto.
Over the Wire(Several/CTF/Online) contains several online CTF-style games. My favorite is Natas, which has about 28 levels. Each level is unlocked using a password retrieved from the previous level. The password can be found by using different hacking techniques.
Dedicated vulnerable applications are a great way to teach yourself hacking. Hacking your own code is a very rewarding experience, as you will gain valuable offensive and defensive security skills. In my experience teaching application security to developers using some of these vulnerable applications, developers usually have a lot of fun going through the exercise.
For more insights on security tools, application vulnerabilities, and how to build secure applications, get your free copy of the DZone Guide to Application Security!