You might like these hacking challenges
I often hear that the vulnerabilities in such challenges are too “obvious” and would never be found that easily in reality. This might be true, but I still believe in the effectiveness of the challenges, and I consider it very useful to be able to test attacks and train certain procedures. All too often attacks fail because of improper execution, and reading articles cannot replace exploiting vulnerabilities and practising certain attack scenarios.
When I had just joined the RedTeam of scip AG, one of the first platforms I practiced on was WebGoat. WebGoat is an insecure web application that is maintained by OWASP (Open Web Application Security Project).
This app provides good explanations and conveys basic theory, with challenges and attacks predominantly designed for beginners. This way the fundamentals are taught first and can subsequently be tried out on the application. A major advantage is the range of challenges on various topics. Overall, there are tutorials covering all OWASP Top 10 vulnerabilities.
Some of the subjects are extremely instructive and well described. Particularly the chapter depicting JSON Web Tokens gave me a deeper understanding of JWTs and the resulting risks. Another advantage is the possibility of a step-by-step disclosure of hints during more difficult challenges, pointing one in the right direction.
A possible downside is that the application has to be downloaded and installed by the user. Furthermore, there are no official solutions, so if a challenge has no hints and no help can be found by searching the web, the challenge might remain unsolved.
In contrast to WebGoat, Root Me does not need to be downloaded. All free challenges are instantly accessible after registering by e-mail. Personally, my limited time has only allowed me to work on the challenges on the topics of web client and web server. Nevertheless, I expect that the other exercises in the areas of cryptanalysis, programming and networking are thrilling as well.
The challenges range in difficulty from extremely simple to very complex. The displayed statistics, for example how many users have validated a challenge, its difficulty rating, the number of published solutions and more, are also very interesting.
On top of that, authors are free to share any documentation they consider useful. I’ve found some very interesting cheat sheets, descriptions or presentations of vulnerabilities in the related resources section already.
In addition, it is very helpful during a challenge to be able to rely on a pre-selected source of information. Particularly inspiring are best practices from other users, which may motivate you to check your own approach’s efficiency or give insights into other mental models or methods of resolution.
In April 2019, PortSwigger announced their Web Security Academy. In the beginning there were challenges for 4 of the most famous vulnerabilities: SQL Injection, Cross-Site Scripting, OS Command Injection and Directory Traversal. Since then, various other tutorials have been added to the existing ones. Unfortunately, I have not yet had time to solve all of them and only have first-hand experience with the CSRF, XSS, File Path Traversal and SQL Injection tutorials.
Let me state up front that I am thrilled about this platform. All the descriptions are extremely detailed and well-constructed. The degree of difficulty increases steadily, but the user is never left alone: past a certain difficulty level, a solution is provided. Every area consists of several challenges, which enables everybody to train newly acquired knowledge more than once. As the theory provided is exceptionally well written, it is even possible for a complete beginner to find their way into the subject area and solve the challenges.
As a convenient side effect, the solutions occasionally include Burp Suite settings, which some of the users may not have known yet. For now, I have not found any disadvantage of the Academy.
There are numerous online trainings that help with improving and broadening your skills. Apart from the three platforms mentioned, various other professional ones exist.
What counts in the end is not to get out of practice. Vulnerabilities that one hasn’t encountered for some time, or which rarely exist anymore, are easily forgotten, and it is natural that penetration testers begin to neglect these exploit methods more and more. Particularly “theoretical” tutorials may help remind oneself of these techniques.
Furthermore, published solutions are always instructive, as somebody might have discovered other approaches or tricks that are new and simplify life a lot.