Would this be a good way to start web hacking?
#1
So for my major I am taking an actual class on web development. After that, I am 100% going to turn to my own course on web development to learn PHP over the summer. I aim to make a few full-stack web apps without using any frameworks before I start learning web hacking. I plan on doing the web development along with CCNA training after the semester ends and I have a couple more certs.

What are some good network-based or client-server web apps that I could design that would get me all of the required knowledge to learn web hacking in depth? Like could someone give me a list of assignments?

I haven't been involved in web dev outside of the class actually offered by my school.

Could someone please give me some help with this?

This is the Udemy course I'm gonna complete over the summer before I start making the web app:

https://www.udemy.com/course/the-complet...?start=375

I think if people here could give me assignments to practice what I learn, that would be great.
Reply
#2
No need to become a full front/back-end programmer to learn web-app hacking. But a good start is to jot down the basics of JavaScript to understand XSS/CSRF, get the basics of SQL for SQL injection, and PHP + Linux command line for shells.

So I'd say a simple project that involves it all. Start a PHP project with JavaScript on the frontend that communicates with a database through SQL and PHP. So maybe like a simple guestbook/message board?

Edit:

Go to the wargames section for a lot of exercises to do: https://greysec.net/forumdisplay.php?fid=15
Reply
#3
(03-26-2020, 08:20 PM)Insider Wrote: No need to become a full front/back-end programmer to learn web-app hacking. But a good start is to jot down the basics of JavaScript to understand XSS/CSRF, get the basics of SQL for SQL injection, and PHP + Linux command line for shells.

So I'd say a simple project that involves it all. Start a PHP project with JavaScript on the frontend that communicates with a database through SQL and PHP. So maybe like a simple guestbook/message board?

Edit:

Go to the wargames section for a lot of exercises to do: https://greysec.net/forumdisplay.php?fid=15

Would it be ideal to learn from Codecademy or SoloLearn then, or does the course I picked work just fine?

Also, MuddyBucket said that if I wanted to be a hacker I should spend several months on web development first.

Why do I get conflicted answers on this? The people at my school say what you say but the people on Reddit agree with MuddyBucket.

Do both answers work?
Reply
#4
(03-26-2020, 09:42 PM)QMark Wrote: Would it be ideal to learn from Codecademy or SoloLearn then, or does the course I picked work just fine?

Also, MuddyBucket said that if I wanted to be a hacker I should spend several months on web development first.

Why do I get conflicted answers on this? The people at my school say what you say but the people on Reddit agree with MuddyBucket.

Do both answers work?

Both answers work. We all have different experiences with this, and that's why you're getting different answers.

For learning SQL I recommend:
  1. Codecademy
  2. Khan Academy
  3. W3Schools Quiz

Boring but you'll remember. When that's done, make sure to actually do some project or something to apply your knowledge to something. So it will stick.
I'm going to create a tutorial series for this later though.

Further learning (Google to find more):
At this point I'd recommend you to go ahead and set up your own database somewhere. Find some big datasets or test databases to import. Connect to it with MySQL Workbench and start playing around. Create your own stored procedures, tables, views, etc.
Reply
#5
(03-26-2020, 09:58 PM)Insider Wrote:
(03-26-2020, 09:42 PM)QMark Wrote: Would it be ideal to learn from Codecademy or SoloLearn then, or does the course I picked work just fine?

Also, MuddyBucket said that if I wanted to be a hacker I should spend several months on web development first.

Why do I get conflicted answers on this? The people at my school say what you say but the people on Reddit agree with MuddyBucket.

Do both answers work?

Both answers work. We all have different experiences with this, and that's why you're getting different answers.

For learning SQL I recommend:
  1. Codecademy
  2. Khan Academy
  3. W3Schools Quiz

Boring but you'll remember. When that's done, make sure to actually do some project or something to apply your knowledge to something. So it will stick.
I'm going to create a tutorial series for this later though.

Further learning (Google to find more):
At this point I'd recommend you to go ahead and set up your own database somewhere. Find some big datasets or test databases to import. Connect to it with MySQL Workbench and start playing around. Create your own stored procedures, tables, views, etc.

I'm gonna take your advice. I'm gonna get around to this basic web development this summer after I learn some networking concepts. I think I'm gonna be good at this stuff very quickly now that I'm focused.
Reply
#6
(03-26-2020, 09:42 PM)QMark Wrote: Also, MuddyBucket said that if I wanted to be a hacker I should spend several months on web development first.

Why do I get conflicted answers on this? The people at my school say what you say but the people on Reddit agree with MuddyBucket.

Do both answers work?

I'm pretty sure I probably said to be a *good* hacker, you should become a solid programmer - among other things.

There are plenty of shortcuts in life. I can easily teach you a bunch of hacks and tricks over the course of a few months that would make you look a lot like a hacker. And you'd fool a lot of people into thinking you were a hacker. But in my opinion, you wouldn't *really* be a hacker.

I'll try to use an analogy. I have a car. Over the years I've learned how to change my brake pads, change my spark plugs, change my air filter, change my battery, change my oil, and a few other things. Some of it I've self-taught. Some of it I've had friends show me.

Am I an auto mechanic? If my car didn't start tomorrow, could I fix it? Maybe. If it was just a dead battery. Otherwise, probably not. I've only learned how to do specific tasks. I don't have a full understanding of all the components, and how they work together to make a car run. My ability to change spark plugs doesn't inherently mean I understand fuel-to-air ratios, etc. for optimum fuel economy.

Likewise, I can teach you hacking tricks, much like I can teach you how to change a spark plug. If you do X action, under Y condition, you'll get Z result. However, if you try X under A, B, or C condition - it won't necessarily work. If you understand what's happening under A, B, and C condition, though, you may be able to adapt X action into something else that does work.

It comes down to there being an easy way, and a hard way. The easy way probably won't lead to jobs, opportunities, etc. And if you're looking to do illegal shit, the easy way is usually what lands you in jail. Cause you don't *really* understand what you're doing and you're more likely to be caught.
Reply
#7
(03-27-2020, 03:03 AM)MuddyBucket Wrote:
(03-26-2020, 09:42 PM)QMark Wrote: Also, MuddyBucket said that if I wanted to be a hacker I should spend several months on web development first.

Why do I get conflicted answers on this? The people at my school say what you say but the people on Reddit agree with MuddyBucket.

Do both answers work?

I'm pretty sure I probably said to be a *good* hacker, you should become a solid programmer - among other things.

There are plenty of shortcuts in life. I can easily teach you a bunch of hacks and tricks over the course of a few months that would make you look a lot like a hacker. And you'd fool a lot of people into thinking you were a hacker. But in my opinion, you wouldn't *really* be a hacker.

I'll try to use an analogy. I have a car. Over the years I've learned how to change my brake pads, change my spark plugs, change my air filter, change my battery, change my oil, and a few other things. Some of it I've self-taught. Some of it I've had friends show me.

Am I an auto mechanic? If my car didn't start tomorrow, could I fix it? Maybe. If it was just a dead battery. Otherwise, probably not. I've only learned how to do specific tasks. I don't have a full understanding of all the components, and how they work together to make a car run. My ability to change spark plugs doesn't inherently mean I understand fuel-to-air ratios, etc. for optimum fuel economy.

Likewise, I can teach you hacking tricks, much like I can teach you how to change a spark plug. If you do X action, under Y condition, you'll get Z result. However, if you try X under A, B, or C condition - it won't necessarily work. If you understand what's happening under A, B, and C condition, though, you may be able to adapt X action into something else that does work.

It comes down to there being an easy way, and a hard way. The easy way probably won't lead to jobs, opportunities, etc. And if you're looking to do illegal shit, the easy way is usually what lands you in jail. Cause you don't *really* understand what you're doing and you're more likely to be caught.

So why did Insider recommend the easy way? Why do people at my school on the cybersecurity team say "some networking and some Linux basics and you can start." On the other hand, people that are a part of the alt.2600 hacking community say I need far more programming skills. So on one hand I even hear some professional hackers tell me to learn much more advanced programming in order to get good. But then when I contact the elearn security team they say "to take our web hacking course just know basic networking and Linux and take our intro course first" and I think "well, but if I do that, how will I be as effective as someone who knows enough web development that they could have invented SQLi?"

Thanks for the answer by the way. I really appreciate it. I'm gonna spend several months learning web development while I work on Sec+ and CCNA over the summer. In fact, I am gonna be working on web development as of today and I already started again on Codecademy. I made a decision to do both: learn the programming and web development and get good at that, as well as learn the Linux and networking knowledge. I think it's better to go overkill than underkill when it comes to learning, as well as in life in general.

But right now I'm focused on computer networking and web dev and I'm aiming to practice a little more Linux skills maybe in Fall, while still learning web development. By that point, I think I am gonna end up learning some of my web penetration testing through the unlimited elearn security courses my school's cybersecurity club gave me access to. That is, if I'm ready by then. I think I probably will be ready though because I'm a fast learner when I put my mind to something.

I have just been very scattered about everything, but now I am more focused and persistent the past few months.
Reply
#8
(03-27-2020, 06:13 AM)QMark Wrote: So why did Insider recommend the easy way? Why do people at my school on the cybersecurity team say "some networking and some Linux basics and you can start." On the other hand, people that are a part of the alt.2600 hacking community say I need far more programming skills. So on one hand I even hear some professional hackers tell me to learn much more advanced programming in order to get good. But then when I contact the elearn security team they say "to take our web hacking course just know basic networking and Linux and take our intro course first" and I think "well, but if I do that, how will I be as effective as someone who knows enough web development that they could have invented SQLi?"

Thanks for the answer by the way. I really appreciate it. I'm gonna spend several months learning web development while I work on Sec+ and CCNA over the summer. In fact, I am gonna be working on web development as of today and I already started again on Codecademy. I made a decision to do both: learn the programming and web development and get good at that, as well as learn the Linux and networking knowledge. I think it's better to go overkill than underkill when it comes to learning, as well as in life in general.

But right now I'm focused on computer networking and web dev and I'm aiming to practice a little more Linux skills maybe in Fall, while still learning web development. By that point, I think I am gonna end up learning some of my web penetration testing through the unlimited elearn security courses my school's cybersecurity club gave me access to. That is, if I'm ready by then. I think I probably will be ready though because I'm a fast learner when I put my mind to something.

I have just been very scattered about everything, but now I am more focused and persistent the past few months.

Based on what I've read, I'm not certain that Insider necessarily recommended the easy way. I'm not a full-on developer. I don't like coding (anymore at least). But I have a solid understanding of programming concepts. I can look at source code and completely understand what it's doing. I can see security mistakes and oversights that have been made. If I need to write code I can write code in about a dozen languages. But the last time I actually worked on an actual programming project/application was probably 5 years ago. But that's the thing. If you can't look at code, understand what it's doing, then how are you going to even begin to break it?? This is the key. You don't need to be the world's best programmer. You need to be a solid programmer. To be good.

However, maybe I wasn't particularly clear. When you're learning programming, you should absolutely be learning secure programming practices as well. Security isn't an add-on, it's integrated. Or at least it should be. Same goes with networking. Learn networking, but you should be learning about best practices as well, which includes security. Security should never be an afterthought.

Security isn't really something you should 'go back and learn'. It should be part of the learning process. This learning process is more or less what makes you a good hacker. You begin to fully understand how things work. Once you've gotten to a point where you fully understand how things work, you begin to understand how you can break them. It's a natural progression. Once you get to this point, you may do more research on new ways people have come up to break systems - that you may not have found. And while this is similar to X action, Y condition, Z result - understanding how everything works allows you to change X actions depending on how Y condition changes to get the same or similar results.
Reply
#9
(03-27-2020, 09:12 AM)MuddyBucket Wrote:
(03-27-2020, 06:13 AM)QMark Wrote: So why did Insider recommend the easy way? Why do people at my school on the cybersecurity team say "some networking and some Linux basics and you can start." On the other hand, people that are a part of the alt.2600 hacking community say I need far more programming skills. So on one hand I even hear some professional hackers tell me to learn much more advanced programming in order to get good. But then when I contact the elearn security team they say "to take our web hacking course just know basic networking and Linux and take our intro course first" and I think "well, but if I do that, how will I be as effective as someone who knows enough web development that they could have invented SQLi?"

Thanks for the answer by the way. I really appreciate it. I'm gonna spend several months learning web development while I work on Sec+ and CCNA over the summer. In fact, I am gonna be working on web development as of today and I already started again on Codecademy. I made a decision to do both: learn the programming and web development and get good at that, as well as learn the Linux and networking knowledge. I think it's better to go overkill than underkill when it comes to learning, as well as in life in general.

But right now I'm focused on computer networking and web dev and I'm aiming to practice a little more Linux skills maybe in Fall, while still learning web development. By that point, I think I am gonna end up learning some of my web penetration testing through the unlimited elearn security courses my school's cybersecurity club gave me access to. That is, if I'm ready by then. I think I probably will be ready though because I'm a fast learner when I put my mind to something.

I have just been very scattered about everything, but now I am more focused and persistent the past few months.

Based on what I've read, I'm not certain that Insider necessarily recommended the easy way. I'm not a full-on developer. I don't like coding (anymore at least). But I have a solid understanding of programming concepts. I can look at source code and completely understand what it's doing. I can see security mistakes and oversights that have been made. If I need to write code I can write code in about a dozen languages. But the last time I actually worked on an actual programming project/application was probably 5 years ago. But that's the thing. If you can't look at code, understand what it's doing, then how are you going to even begin to break it?? This is the key. You don't need to be the world's best programmer. You need to be a solid programmer. To be good.

However, maybe I wasn't particularly clear. When you're learning programming, you should absolutely be learning secure programming practices as well. Security isn't an add-on, it's integrated. Or at least it should be. Same goes with networking. Learn networking, but you should be learning about best practices as well, which includes security. Security should never be an afterthought.

Security isn't really something you should 'go back and learn'. It should be part of the learning process. This learning process is more or less what makes you a good hacker. You begin to fully understand how things work. Once you've gotten to a point where you fully understand how things work, you begin to understand how you can break them. It's a natural progression. Once you get to this point, you may do more research on new ways people have come up to break systems - that you may not have found. And while this is similar to X action, Y condition, Z result - understanding how everything works allows you to change X actions depending on how Y condition changes to get the same or similar results.

Would building networks help? What is a good way of learning computer networking fundamentals? I get that it doesn't help just to earn a bunch of certs, which is why I ask.
Reply
#10
(03-27-2020, 06:14 PM)QMark Wrote: Would building networks help? What is a good way of learning computer networking fundamentals? I get that it doesn't help just to earn a bunch of certs, which is why I ask.

Learning by doing is my go-to way. Back in the day when I first started it was by getting 3-4 old shitty computers, and some simple routers/switches/hubs. But this was ~20 years ago. About 8 years ago when I wanted to update my skills and knowledge, I built a solid PC with 64GB RAM, lots of disk space, and ran virtual operating systems and virtual networks.

These days, and in fact in the future, software-defined networking is a thing. As is cloud-based stuff. I actually need to update my skillset again - and this time it will be Google and AWS that I focus on. Their networking capabilities and systems are soooo extensive. I have a basic understanding of some things through my day-to-day work - but I have barely scratched the surface.

If you're just learning the basics of networking and routing and you want to physically see the design and handle stuff, the first route is still fine today. It's just potentially costly/resource intensive. If you are alright operating on virtual routing and whatnot, option 2 is also fine. It's probably what I'd recommend. Doesn't need to be a beast of a computer, though at least 8GB of RAM, and preferably at least 16. The more you have the more you can run at a time. Stick to shit like CLI-only Linux to reduce the resource requirements for each VM.
Reply