How can you become a competent web application security expert without breaking the law?

Question

This question was asked here on Programmers Exchange, but it was suggested I ask here as well since most of the experts would likely hang out on IT Security exchange instead.

I find this to be equivalent to undercover police officers who join a gang, do drugs and break the law as a last resort in order to enforce it. To be a competent security expert, I feel hacking has to be a constant hands-on effort. Yet, that requires finding exploits, testing them on live applications, and being able to demonstrate those exploits with confidence. For those that consider themselves "experts" in Web application security, what did you do to learn the art without actually breaking the law? Or, is this the gray area that nobody likes to talk about because you have to bend the law to its limits?

Answer 1

I don't work as a security consultant but I've worked with them (and with the police incidentally and your analogy is more cop show than reality) and none of them to my knowledge have spent time hacking illegally.

Hacking is only illegal if you don't have permission but there is no difference on a technical level (that is to say in terms of security) between a server you've got permission to hack and one you haven't. If you're working for or with a company then attempting to access their servers (with their prior written understanding and permission) is fine and no less real world experience than picking a random system.

Failing that there is no reason you can't set up your own hosted servers and attempt to compromise them - or buddy up, two of you each set up a server and the winner is the first one to find an exploit in the others system. That has the dual advantage of seeing it from both sides.

Answer 2

The answer to that question is much like the answer to any "How do I become an expert at **" question... it ultimately boils down to time and experience.

For some specifics though, if college/university is an option look into programs dealing with Information Security, Computer Forensics, and Information Assurance.. all of those would give you a solid background for application security development.

Also, take a look into the specifics of these laws... for instance you can attack services/applications/systems on your own network legally in most places (assuming you own the equipment and network infrastructure being used). An open-sourced application too, where you have freedom to modify/reuse the code, would in most cases be open to vulnerability testing, as long as you weren't running the 'malicious' code on remote systems or sharing it.. but again, laws vary greatly by State/Country.

Reading, as always, is a good source... not just on 'security' itself, but general coding principals. A background knowledge is always an asset. Websites like "hackthissite.com" also give some hands-on guides and 'challenges' to do. Though, that one isn't really "application security" specific at all.

Answer 3

In addition to Jetti and Jon Hopkins' answers, there are also organizations and tools designed to teach the basics of web security. The Open Web Application Security Project (OWASP) comes to mind as a prime example of this.

OWASP has extensive documentation on their site about various security exploits and techniques, as well as how-tos for both creating secure software and finding exploits in existing software. They also produce a tool known as WebGoat, which is an insecure JEE application that you can host and learn about different techniques to damage or compromise web environments.

Answer 4

I also don't work in the security area, but there is nothing that prevents you from simulating the internet using a couple routers and switches on a home network with maybe the exception of some of the high price security hardware out there. Like Jon stated, you can easily setup IIS, Apache, or whatever web server you want on a home network. There are also some practice apps out there like Hacme bank that you can practice basic web vulnerabilities on.

Answer 5

First start by learning some theory. Start off with OWASP (the "bible" for webappsec), then browse around this site. I'm sure you will find numerous questions that would interest you...

Next find the issues in your own code...

Then, there are several "broken app" kits that you can use, for educational purposes.
For example, take a look at Starting with sandbox development. I'd used OWASP WebGoat for many years for giving training, but thanks to that question I found Google Gruyere, which I highly recommend for you.

Btw, I think you should also take a look at this question: What are the career paths in the computer security field? - I think it will help give you some direction.

Answer 6

I'm troubled by the implication that in order to become a 'competent web application security expert' the easiest route is to break the law. I agree with @DKGasser, the general route to become an expert is similar in all fields. You need to learn, practice, discuss, and experiment.

Illegal activity is only likely to teach you is how to exploit poorly secured systems, and how to exploit very specific vulnerabilities. It is unlikely to teach you the theory behind secure systems.

There are lots of legal things you can do to explore web application security, starting with setting up your own home network with a webserver and attacking your webserver. You can even look at the webservers log in real time as you attempt various attacks. It is usually better to set up a wired two computer network with a attack computer and a target computer as the only machines on the experimental network, as this will prevent you from accidently attacking someone else.

Try different operating systems, different web servers, different application frameworks, different programming languages, etc. Set up a honeypot server and observer what attacks are attempted on it.

Answer 7

Spend a lot of time in-person with someone who is already a web application security expert.

Answer 8

I thought I'd chime in and point out that the police analogy is a little flawed if what you are looking for is education, versus detection. Granted my law enforcement experience is limited to an excessive love of Law & Order, but going with the cop show analogy - when police offers go under cover - it's generally the smart, experienced, stable guy who graduated with decent grades from the police academy. Not the summer intern. :)

Same thing for a penetration test (as John Hopkins describes) - companies are hired for pen tests based on corporate experience, the credentials of the individual engineers on the team, the professional reputation of everyone involved, and the cost and schedule proposed by the team. Just like you don't really want the crazy, unqualified cop to be the guy undercover, you don't hire a no-name, untrusted company to do your penetration testing.

The way to get to the point of being an individual on a pen test team?

It's the same almost any other career in engineering:

• study the technology that allows and prevents security exploits - learn about as many areas of the security trade as you can - human factors, physical, network, software, operating systems, data protection, etc.

• use academic institutions and professional certifications to establish credentials - some professional organizations also include a promise of ethics.

• establish bonding as a way of providing additional reassurance of honesty - this is along the same lines of working as a lock smith.

• work in the field in less high-risk jobs - security system development, system administration, IT security groups, risk management teams, etc.

• do independent projects to get experience - like setting up a honey pot at home, or playing with security configurations on network gear.

• get mentorship from someone more senior.

Just like undercover cops are a special group of police officers, who get special training, unique treatment and have particular credentials - penetration testers are a unique group of security professionals. The people I've met that do this type of work are often a similar personality type to the aggressive startup company programmer/architect/CTO type person - very smart, very driven, intensely focused on the state of the art, and quite intellectually aggressive. They generally come with very high level credentials and are very expensive.

I'm sure there are plenty of folks out there who are stupid and will try cracking into assets without corporate permission - but the folks I consider the real professionals in this area are too smart for that. They're aware of the laws in this domain, and they are too smart to jeopardize their careers by hacking on the side. A good pen tester knows that a portion of his high fee comes from the fact that the company is willing to trust him and if he does something on the side to break that trust, then he's out of a job and probably out of a career.

Answer 9

I think Jon Hopkins has a good point, there is no difference between illegally hacking and hacking something you were allowed to hack. As a teen I remember wanting to get into hacking (thanks to the wonderful movie Hackers) and there were sites that are setup that encourage people to hack into them for learning. I wish I could remember the sites, but I know they are out there and I'm sure they are still alive and well.

A few things to consider:

You may want to let your ISP know that you are doing this and that you have full consent. That way, if they see anything suspicious they don't cut off your service, or worse report you to authorities.

Actually hacking into a system isn't the only way to learn about security. Being able to recognize when code is insecure or other vulnerabilities is just as important.

There are quite a few people who are former hackers who are now running their own security companies, however they also had to spend time in Federal prison to get there. Kevin Mitnick is the first to come to mind but I know there are more. So be careful with the "gray area"

Answer 10

The difference is that if you want to become a security expert, then you need to know WHY things like exploits, buffer overflows and cryptography breaking works. You're not only going to be responsible for finding a hole, but knowing how to patch it properly, including software\network redesign.

Attacks and exploits are published online. You could read up on the latest security patches for various systems then trying them on a local copy of that software on your own computer, virtualization would be great for this.

Answer 11

This question is full of faulty premises and preconceptions.

It is NOT TRUE that you have to break the law to learn to be a security expert, or that breaking the law is even particularly helpful in making you expert in this area. You seem to be assuming that the way to learn web security is to break the law, and that is simply not accurate.

The question also seems to assume that being a web security expert is all about knowing the coolest ways to hack a web site, and so the best way to become a web security expert is to hack lots of web sites. That is not accurate, either.

You'd get better answers if you asked how to learn to be a security expert, without making assumptions in advance about the form of answer.

Answer 12

Practicing on your own hardware is not illegal!

Practicing with written permission is not illegal!

I'm going to assume you already have sufficient background in technology to understand the basics. Given that, it is trivially easy to practice on your own hardware, and for a minimal investment you can rent virtual machines on an as-needed basis in order to practice on other platforms (e.g. Amazon EC2).

There is an abundance of material with which to practice on your own hardware:

• Get comfortable working with virtual machines. Being able to quickly bring up a new machine running a given OS in a given configuration is helpful for practicing (and repeating) certain skills. (It also allows you to make good bug reports since you'll be able to easily recreate a bug on a clean system.)
• Keep a notebook -- or have some means of organizing material that you're learning. I use a combination of a (self-operated, private) wiki and bookmarking tools to keep track of things as I learn new material.
• Follow mailing lists or forums like this site, bugtraq, etc. This lets you keep up with current and emerging attacks.
• Learn about web application security in general. There are a number of good websites (e.g. OWASP) and books (e.g. The Web Application Hacker's Handbook, by Stuttard and Pinto). These references provide lists of tools and techniques that you can put into practice immediately. WAHH has exercises sprinkled throughout each chapter -- do these.
• Learn about web infrastructure. High-end deployments will be much more sophisticated than what you can set up in your own lab. Load balancers, firewalls, caches, etc. These can either make life as a penetration tester harder (i.e. by acting as layered defenses) or easier (i.e. by introducing complexity and more attack surface).
• Learn about internet infrastructure. Understand how DNS works, for example; what it's vulnerabilities as a system are and how it can be both secured and attacked.
• Install some applications in your VM. E.g. LAMP with popular apps -- phpMyAdmin, phpBB, etc. Or IIS. Or tomcat. (Eventually, you'll want to practice on all of them! This will give you experience with a variety of platforms, languages, configurations, and different issues.)
  1. Leave them in the default configuration.
  2. Attack them. (DoS, intrusion, XSS, SQLi, firesheep, etc.)
  3. Secure them against those attacks.
  4. Goto 2.
• Buddy up: find a partner with whom you can practice. For example, you can run "capture the flag" (CTF) exercises where you each set up a system and then attempt to infiltrate your partner's system. This gives you practice both in creating and maintaining a secure configuration and in penetration testing. (Just be careful where you set up your systems: I wouldn't recommend attacking your partner from your home; his ISP or your ISP might take a dim view of certain activities crossing their networks. And you probably don't want him attacking your home; your ISP may not like you attracting malicious traffic.)
• If you have a budget for tools and books:
  • Maintain a reading queue or similar (e.g. wishlist on Amazon) for new books that you see recommended. When I see a book recommended more than 3 or 4 times, I put it in my reading queue.
  • You can pick up cheap hardware for practicing if you keep an eye on craigslist, freecycle, ebay, etc. VMs can do a lot, but having a few cheap PCs and a router are nice for practicing setting up a firewall-dmz-intranet with real hardware.
  • Having spare hardware also makes it easier to have a "LAN party" style CTF with your buddy. Configure a PC according to the rules of this week's game, grab a switch/router/etc, and join the party.
• Get out and meet people. OWASP has chapters all over. Look on meetup for security-oriented meetings. (Or web-application-related meetings -- e.g. your local PHP or RoR meetup might occasionally have a session on security.)
  • These meetings are always looking for speakers. Learn enough about a niche topic, or create a new special-purpose tool or technique, or discover a new class of vulnerability related to the meeting's topic, or take some new technique you saw on bugtraq and make it relevant to the meetup, and prepare a "lightning talk". (If you enroll in a university course you'll often have to do this sort of thing.)
• Get an entry-level job or internship. Find a mentor.

There are a few websites and applications that are set up as exercises for hacking. I've found that these tend to be very introductory, but they're useful as beginner material:

• hACME game
• Hack This Site!
• Try searching for "computer security wargame" or "capture the flag computer security".
• Damn Vulnerable Web Application -- this is a web app that you can drop into one of your VMs; it is structured similarly to the hack sites mentioned above
• Hackme Bank, Google Gruyere, OWASP WebGoat. (I haven't tried these yet, but have seen them recommended.)
• Install a popular web framework with a lot of plugins. Wordpress comes to mind. (Ok, it isn't intended as practice for hacking, but it might as well be...)
  • Install it in a VM, install a handful of plugins, add some filler content.
  • Start with the basics, doing stuff "by hand". For example, install firebug in firefox, modify cookies, modify form fields, set breakpoints in javascript to alter client-side validation, etc. You can also use curl and other low-level tools to construct requests to bypass security. Doing it "the hard way" will give you a good understanding of what the tools are doing for you -- so that you understand their limitations and best application.
  • After you have a feel for what's going on under the covers (and you've managed to find and responsibly report a couple of security flaws), start learning the tools you've discovered in your reading and have recorded in your notebook.
  • You should be able to find a security weakness within a few hours of hacking on, say, Wordpress with a handful of plugins. I managed to find a 3 or 4 XSS, plus some other bugs, in 3 or 4 hours of testing some very popular WP plugins, without using much for tools beyond FF+firebug, chrome, and curl. If you watch bugtraq or other such lists, you'll get a feel for which applications will be good install and test.
• Similarly for applications with a long history of security flaws. phpMyAdmin and BIND come to mind. (True, BIND is not a "web application", but it would make for interesting testing along a different sort of axis, and it's an important piece of infrastructure that your web application depends on.) Apache would be fair game too.

Of course, all of this won't make you an expert, but you'll be on the road and at least have achieved "conscious incompetence" -- you'll know what the next steps are for you to increase your skill level.

Answer 13

I think the first thing is to get some academic course. But it is not mandatory. And it is not sufficient, because you need to confront the real world. To get more experience you have two choice (coming to my mind)

• Be part of a company which work in security: pen-testing, intrusion detection/prevention, disaster recovery. This will also teach you what company wants from security experts and give you a direction for what to learn.
• Curiosity: build yourself a sandbox to test on your own (this should avoid you law breaking learning). Keep inform of security issue on the internet, what are trending topics, most exploited breaches. Use your sandbox to reproduce this and find how to counter it. In this area you will learn what company needs from security experts but are not aware of.

Answer 14

There is a big difference to finding security holes and to exploiting those holes. Of course the former can still be illegal depending on what you are doing.