This guide is published by OWASP, an open group focused on web security. The latest revision (2013) details the top 10 web vulnerabilities seen in the wild, with extensive information on each one. Definitely a great starting point.
WebGoat is a purposely insecure web application made by OWASP to demonstrate basic security vulnerabilities. Each vulnerability in the app comes with extensive write-ups and information so you can really learn the ins and outs of every vuln.
This site lists techniques for getting around input filtering when performing SQL injection. The same ideas apply to filtering in general, such as getting around XSS or other filters.
This site hosts cheat sheets for 7 different flavours of SQL. They go into enumerating tables, columns and other kinds of data you’d need from a database.
A series of online problems designed to take you from the basics of crypto-math to attacks on real world cryptography.
This online course is taught by Dan Boneh, one of the researchers on the forefront of modern cryptography. The course runs year-round, but there are also scheduled classes taught a few times a year.
Chapter 1 has a great overview of many different cryptographic primitives: symmetric-key encryption, public-key encryption, digital signatures, hash functions, randomness, etc. The other chapters get pretty intense but are also very good. Chapter 1 is probably all you’d need as an intro.
A series of courses that build malware analysis and exploitation knowledge from the ground up. Start at Introductory x86 and move on from there.
A cool embedded security CTF made by the creators of Cryptopals, Matasano. A great way to learn assembly and debugging in a realistic context.
This repository contains the materials for an RPI course on vulnerability research, reverse engineering and binary exploitation. The intended audience is students with zero reverse engineering or binary exploitation knowledge.
This is THE writeup on buffer overflows. It requires a basic knowledge of x86 assembly. An understanding of concepts such as memory is helpful, but the paper does a nice job of explaining the stack and how programs access it.
A huge list of sites, web apps, operating systems and mobile apps to practice exploiting. Some of the best are listed below.
In addition to some basic challenges, this site hosts a series of “realistic” challenges which give you (almost) a full site to hack.
This site hosts a number of environments to try out binary exploitation. The levels start out very accessible and build knowledge as you progress. The first wargame, Bandit, also teaches how to use the command line on a Linux system.
Another set of wargames, this site offers additional opportunities for reverse engineering and exploitation.
A more advanced collection of security challenges. Mostly deals with executables, reversing, or system knowledge.
More advanced security challenges!
Metasploit is the world’s most used penetration testing software. This course will teach you how to use Metasploit in a structured and professional manner.
Hosts information about past CTFs, upcoming CTFs, and participants. Useful for finding upcoming live events to participate in!
Stores challenges from past CTFs.
A GitHub organization with past year CTF writeups. Organized into different repositories for different years.
This is a good introductory CTF which is available for practice even though it’s ended. Also see picoCTF 2013.
Bruce Schneier is an internationally renowned security technologist. His blog is pretty good. Also check out his newsletter “Crypto-Gram”.
Brian Krebs is a reporter who also knows a lot about security. He doesn’t chase headlines, but he does have very good in-depth reporting.
The Internet Storm Center (ISC) monitors for and identifies new and emerging cyber threats. Sometimes the threats are underwhelming (e.g. malicious spam carrying a Word document), but the ISC has also detected and analysed important new malware.
Mostly about software development, but also some security.
Although this organization has members who are University of Virginia students and may have University employees associated or engaged in its activities and affairs, the organization is not a part of or an agency of the University. It is a separate and independent organization which is responsible for and manages its own activities and affairs. The University does not direct, supervise or control the organization and is not responsible for the organization’s contracts, acts or omissions.
© CNS@UVA