I am a 15 year old student who has been programming for 2 years now. I have recently taken an interest in Web Security/White-Hat Hacking. Does anyone know any websites that are good at teaching beginner -> Intermediate level Web Security? I would prefer it if they were free as I do not have that much expendable income being a student.
Am I allowed to bump this?
While this doesn’t directly teach you by giving you instructions, it gives you the hands-on experience you’ll need; it is best used as a target to attack while you follow along with some other tutorial(s), which I’ll list below.
Anyway, it is called Juice Shop: https://github.com/bkimminich/juice-shop
Juice Shop is a web application built with modern technologies. A lot of the vulnerabilities are frequently found in real-world apps, which makes Juice Shop so good - it is essentially a real-world app.
Now, with Juice Shop installed, you want to attack it. You might follow along with the videos and CTFs created by HackerOne (a bug bounty platform): https://www.hackerone.com/hacker101 to get a feel for things. The book considered to be the holy grail of web application security is The Web Application Hacker’s Handbook. It’s a little old, but is still super useful. You might also find The Tangled Web to be useful.
Some additional resources:
https://pentesterlab.com/ (Offers free, but is mostly premium $19.99/month)
Also, an extremely useful tool to have is Burp Suite: https://portswigger.net/burp (created by the coauthor of the Web Application Hacker’s Handbook). OWASP also has ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
Anyway, a glimpse through the Web Application Hacker’s Handbook will provide a solid understanding of attacking web applications; it is invaluable. I hope this provides enough for you to dig into. However, I apologize that it isn’t in a much better order.
This is a bit of a necropost, and the OP hasn’t logged in for months… But I love the topic!
I had a lot of fun playing with https://www.hackthissite.org/
It appears to be currently down for maintenance, so hopefully it’s not completely offline now. It’s not the best way to get into real pentesting etc, but it is a lot of fun!
Yeah, I thought the OP was new until I read the date. Guess it’s new in the new category.
Love HTS. It originally got me interested in the web.
It’s not the best way to get into real pentesting
It can be, though - they give you full permission to attack their website.