Who has not faced a similar situation? Hectic times filled with project after project, where one’s flexibility and concentration are taxed to the utmost. And then there is the famous calm before the storm (or even after it). It is a welcome opportunity to prepare oneself, to maintain and to improve tools and skills. Personally, I like to occupy myself with challenges and tutorials around web application security during the more quiet times of the year. In the following article, I will present 3 platforms I have already spent quite a lot of time on, learning a lot and enhancing my skills.

I often hear that vulnerabilities in there are too “obvious” and would never be found that easily in reality. This might be true, but I still believe in the effectiveness of the challenges and I consider it very useful being able to test attacks and train certain procedures. All too often attacks fail because of improper execution and reading articles cannot replace exploiting vulnerabilities and practising certain attack scenarios.

WebGoat by OWASP

When I had just joined the RedTeam of scip AG, one of the first platforms I practiced on was WebGoat. WebGoat is an insecure web application that is maintained by OWASP (Open Web Application Security Project).

This app provides good explanations and conveys basic theory with challenges and attacks predominantly designed for beginners. This way the fundamentals are first taught and can subsequently be tried out on the application. A major advantage is the existence of different challenges on various topics. Overall, there are tutorials covering all OWASP Top10 vulnerabilities.

Some of the subjects are extremely instructive and well described. Particularly the chapter depicting JSON Web Tokens gave me a deeper understanding of JWTs and the resulting risks. Another advantage is the possibility of a step-by-step disclosure of hints during more difficult challenges, pointing one in the right direction.

A possible downside is that the application has to be downloaded and installed independently. Furthermore, there exist no official solutions, so if there are no hints for a challenge and no help can be found searching the web, the challenge might remain unsolved.

Root Me

In contrast to WebGoat, Root Me does not need to be downloaded. All free challenges are instantly accessible after a registration by e-mail. Personally, my restricted time has only allowed me to deal with the challenges on the topics of web client and web server. Nevertheless, I figure that other exercises in the area of cryptanalysis, programming and network might be thrilling as well.

Difficulties of the challenges range from extremely simple to very complex approaches. The displayed statistics about, for example, how many users validated a challenge, the difficulty it is rated at, number of example solutions and more are also very interesting.

On top of that, authors are free to share any documentation they consider useful. I’ve found some very interesting cheat sheets, descriptions or presentations of vulnerabilities in the related resources section already.

In addition, it is very helpful during a challenge to be able to rely on a pre-selected source of information. Particularly inspiring are best practices from other users, which may motivate you to check your own approach’s efficiency or give insights into other mental models or methods of resolution.

At the same time, I would like to highlight the downside of example solutions presented on Root Me. These are only visible to people that have already successfully solved the challenges. If you are stuck, there are only very limited possibilities for getting help, aside from the already mentioned documents in the section related resources. Although there is a community forum where you are able to ask questions, most of the time there is no response about the more difficult challenges or the hints are kept extremely generic, which leaves you stuck on the challenge. Additionally, the questions asked are not allowed to be too specific, otherwise a user might leak parts of the solution (these posts are censored). I myself got stuck on the challenge named Javascript Obfuscation 5. Unfortunately, my direct messages to two other users (one of them the author of the challenge), in hopes of getting a hint, have remained unanswered. So, several months have passed while being unable to validate the challenge (of course I tried to get some help through search engines – unsuccessfully, as the policy of Root Me stipulates that publishing solutions is forbidden). In such a case it is a pity that it is impossible to have a glance at the solutions. I do understand of course that it is not the goal to instantly take the easy way, although my personal opinion is that this is the responsibility of the user.

Web Security Academy by PortSwigger

In April 2019, PortSwigger announced their Web Security Academy. In the beginning there were challenges for 4 of the most famous vulnerabilities: SQL Injection, Cross-Site Scripting, OS Command Injection and Directory Traversal. Since then, there are various other tutorials that have been added to the existing ones. Unfortunately, I lacked time to solve all of them yet only have first-hand experience with the CSRF, XSS, File Path Traversal and SQL Injection tutorials.

Let me state up front that I am thrilled about this platform. All the descriptions are extremely detailed and well-constructed. The degree of difficulty is constantly increasing but the user is never left alone. Past a certain difficulty level, a solution is provided. Every area consists of several challenges, which enables everybody to train newly acquired knowledge more than once. As the theory provided is exceptionally well written, it is even possible for a complete beginner to find their way into the subject area und solve the challenges.

As a convenient side effect, the solutions occasionally include Burp Suite settings, which some of the users may not have known yet. For now, I have not found any disadvantage of the Academy.

Conclusion

There are numerous online trainings that help with improving and broadening your skills. Apart from the three platforms mentioned there exist various other, professional ones.

What counts in the end is to not get out of practice. Vulnerabilities that one hasn’t encountered for some time or which rarely exist anymore, are easily forgotten and it is natural that penetration testers begin to neglect these exploit methods more and more. Particularly “theoretical” tutorials may help remind oneself of these techniques.

Furthermore, best practices are always instructive as somebody might have discovered other approaches or tricks that are new and simplify life a lot.

About the Author

Valérie Kastner studies Business Economics with focus on Risk & Insurance at the Zurich University of Applied Sciences. After several years in underwriting and technical center for insurances, she has been working in IT security since 2018 with a focus on Web Application Security Testing and Social Engineering. (ORCID 0000-0002-9214-572X)

Links

• https://portswigger.net/blog/introducing-the-web-security-academy
• https://portswigger.net/burp
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
• https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• https://www.root-me.org