Web Security

OWASP Top 10

This guide is published by OWASP, an open group focused on web security. The latest revision (2013) details the top 10 web vulnerabilities seen in the wild, with extensive information on each one. Definitely a great starting point.

WebGoat

WebGoat is a purposely insecure web application made by OWASP to demonstrate basic security vulnerabilities. Each vulnerability in the app comes with extensive write-ups and information so you can really learn the ins and outs of every vuln.

Beyond SQLi: Obfuscate and Bypass

This site lists techniques for getting around filtering during SQL injection. The same techniques apply to filtering in general, for example XSS filters or other input filters.

SQL Injection Cheat Sheets

This site hosts cheat sheets for 7 different flavours of SQL. They go into enumerating tables, columns and other kinds of data you’d need from a database.

Cryptography

Matasano Crypto Challenges

A series of online problems designed to take you from the basics of crypto-math to attacks on real world cryptography.

Introduction to Cryptography on Coursera

This online course is taught by Dan Boneh, one of the researchers on the forefront of modern cryptography. The course runs year-round, but there are also scheduled classes taught a few times a year.

Handbook of Applied Cryptography

Chapter 1 has a great overview of many different cryptographic primitives: symmetric-key encryption, public-key encryption, digital signatures, hash functions, randomness, etc. The other chapters get pretty intense but are also very good. Chapter 1 is probably all you’d need as an intro.

Application Security

Open Security Training

A series of courses that build malware analysis and exploitation knowledge from the ground up. Start at Introductory x86 and move on from there.

Microcorruption

A cool embedded security CTF made by the creators of Cryptopals, Matasano. A great way to learn assembly and debugging in a realistic context.

Modern Binary Exploitation

This repository contains the materials for an RPI course on vulnerability research, reverse engineering and binary exploitation. The expected audience is students with zero reverse engineering or binary exploitation knowledge.

Smashing the Stack for Fun and Profit

This is THE writeup on buffer overflows. It requires a basic knowledge of x86 assembly. An understanding of concepts such as memory is helpful, but the paper does a nice job of explaining the stack and how programs access it.

General Practice

Practice Lab Mindmap

A huge list of sites, web apps, operating systems and mobile apps to practice exploiting. Some of the best are listed below.

Hack this Site

In addition to some basic challenges, this site hosts a series of “realistic” challenges which give you (almost) a full site to hack.

Over the Wire Wargames

This site hosts a number of environments to try out binary exploitation. The levels start out very accessible and build knowledge as you progress. The first wargame, bandit, also teaches how to use the command line on a Linux system.

Smash the Stack Wargames

Another set of wargames, this site offers additional opportunities for reverse engineering and exploitation.

Advanced

Pwnable.kr

A more advanced collection of security challenges. Mostly deals with executables, reversing, or system knowledge.

Security Traps

More advanced security challenges!

Metasploit Unleashed

Metasploit is the world’s most used penetration testing software. This course will teach you how to use Metasploit in a structured and professional manner.

CTF Information

CTFtime.org

Hosts information about past CTFs, upcoming CTFs, and participants. Useful for finding upcoming live events to participate in!

Shell Storm Archives

Stores challenges from past CTFs.

CTF Writeups

A GitHub organization with past year CTF writeups. Organized into different repositories for different years.

picoCTF

This is a good introductory CTF which is available for practice even though it’s ended. Also see picoCTF 2013.

News/Blogs

Schneier on Security

Bruce Schneier is an internationally renowned security technologist. His blog is pretty good. Also check out his newsletter “Crypto-Gram”.

Krebs on Security

Brian Krebs is a reporter who also knows a lot about security. His site is not headline-driven, but it does have very good in-depth reporting.

SANS Internet Storm Center

The Internet Storm Center (ISC) monitors for and identifies new and emerging cyber threats. Sometimes the threats are underwhelming (e.g. malicious spam carrying a Word document), but the ISC has also detected and analysed important new malware.

Hacker News

Mostly about software development, but also some security.

Although this organization has members who are University of Virginia students and may have University employees associated or engaged in its activities and affairs, the organization is not a part of or an agency of the University. It is a separate and independent organization which is responsible for and manages its own activities and affairs. The University does not direct, supervise or control the organization and is not responsible for the organization’s contracts, acts or omissions.

© CNS@UVA