
I am currently teaching myself computer security and pentesting. My problem is the following: I more or less know the absolute basics (TCP/IP, buffer overflows, XSS...) but in all those areas I don't have a complete and deep understanding of the topics. My current way of teaching myself is doing wargames, right now pwnable.kr, and then I try to read myself into the exercise until I can solve it. Unfortunately at wargames there are often no good answers or solutions and often when I google the topics I only find very superficial explanations of what is going on.

  • So my first problem is: How do I get a deep understanding of common vulnerabilities and how to exploit them?

My second problem is that this is a very unstructured approach and I feel like I am missing out on important things. What would you recommend? What is a good approach to get from "I pretty much know the basics" to "I can apply my knowledge to pentesting and can solve wargames/CTFs"?

  • In other words: Program/List/FAQ/Course about pentesting that guides you from easy things to the advanced stuff?

I am thinking about all those fitness websites that have detailed plans for how to make progress from where you personally stand.

  • Are there any good MOOCs for computer security?

My personal goal is to compete in a live CTF someday, so I want to teach myself the skills needed for that. Thank you so much!

the_wee
    Possible duplicate of [Resources to learn about security](http://security.stackexchange.com/questions/266/resources-to-learn-about-security) – Xander Dec 08 '15 at 12:54

1 Answer

> How do I get a deep understanding of common vulnerabilities and how to exploit them?

There are papers about vulnerabilities which describe the attack vectors; a deep knowledge of the functions used and of programming and scripting languages may be required. Generally you learn by auditing and testing code and learning the OWASP cheat sheets for common webapp vulnerabilities.

> Program/List/FAQ/Course about pentesting that guides you from easy things to the advanced stuff?

There are some institutes and websites which provide free and paid trainings and courses and free papers. But you should also practice on real webapps, read exploits and try to understand how they work.

The best way is to learn the languages, their functions / methods and their pitfalls.

As a software or web developer you have a much better overview when writing and reading code.

Here are some helpful resources:
https://github.com/enaqx/awesome-pentest
https://github.com/sbilly/awesome-security#scanning--pentesting

OWASP ZAP is a well-known pentesting tool and OWASP has many articles and cheat sheets about pentesting and security.

https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
https://www.owasp.org/index.php/Category:How_To

You may take a look at the SANS Institute reading room:
https://www.sans.org/reading-room/whitepapers/testing/

They also provide courses, trainings and certificates.

Daniel Ruf