
I hack websites. I’ve been doing it for a long time, across various industries, tech stacks, and programming languages. When I tell people what I do, especially those in the tech community, they often ask how I started and how they can learn more. So today, I’m going to give you a quick intro to the tools and tricks to get started with web hacking. The best way to start is to dive into the details and start using some hacking tools.
Here’s how I recommend starting:
- Understand the tools of the trade
- Understand common attacks and defenses
- Practice on test sites
Since we will be focusing on web hacking, a basic understanding of HTTP and/or a refresher may be useful. If so, check out my post, “Understanding HTTP Basics,” then come back. Don’t worry, it’s pretty simple, but it lays the groundwork for later.
Tools of the Trade
I think anyone trying to get involved with web app security needs to know how to use the most common web hacking tools. Most noteworthy is the proxy. Proxies let you intercept HTTP requests and responses. This allows you to fully understand how a website works and lets you uncover security issues. I wrote a post, “Web hacking Tools: Proxies,” which walks through installing and using the most common web proxy used by security people, Burp.
After you spend some time using a web proxy, it’s pretty eye-opening to see how some of your favorite sites work, under the covers at the HTTP layer. This is also super-useful during normal development to debug and troubleshoot web application problems.
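To make the interception idea concrete, here is an added example (not from the original post, and not how Burp is implemented): a loopback-only logging proxy for plain HTTP that records each request and response it relays, run against a constructed sample site. The names `LoggingProxy`, `SampleSite`, `serve` and `demo`, the `session=abc123` cookie and the sample URL are all made up for illustration; HTTPS interception is out of scope here.

```python
import http.client
import http.server
import threading
import urllib.error
import urllib.request

CAPTURED = []  # one record per exchange the proxy relays
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore system proxies
SKIP = ("connection", "transfer-encoding", "server", "date")  # not relayed to the client

class LoggingProxy(http.server.BaseHTTPRequestHandler):
    def do_GET(self):  # self.path is the absolute URL a proxy-aware client sends
        if not self.path.startswith("http://"):  # refuse file:, ftp: and relative targets
            return self.send_error(400, "absolute http:// URL required")
        sent = dict(self.headers.items())
        try:
            resp = DIRECT.open(urllib.request.Request(self.path, headers=sent), timeout=5)
        except urllib.error.HTTPError as err:
            resp = err  # 4xx/5xx answers are still responses worth recording
        body = resp.read()
        CAPTURED.append({"url": self.path, "request_headers": sent, "status": resp.code,
                         "response_headers": dict(resp.headers.items()), "body": body})
        self.send_response(resp.code)
        for name, value in resp.headers.items():
            if name.lower() not in SKIP:
                self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)  # HTTP/1.0 reply: the body ends when the connection closes

class SampleSite(http.server.BaseHTTPRequestHandler):  # constructed origin for the demo
    def do_GET(self):
        self.send_response(200)
        self.send_header("Set-Cookie", "session=abc123")  # constructed value
        self.end_headers()
        self.wfile.write(b"welcome")

def serve(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)  # loopback only
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    site, proxy = serve(SampleSite), serve(LoggingProxy)
    conn = http.client.HTTPConnection("127.0.0.1", proxy.server_port, timeout=5)
    url = f"http://127.0.0.1:{site.server_port}/account?id=7"
    conn.request("GET", url, headers={"Cookie": "theme=dark"})
    return conn.getresponse().read(), CAPTURED[-1]

if __name__ == "__main__":
    print(demo()[1])
```

The printed record shows what sits in the middle of every exchange: the full URL with its query string, the cookies the client sent, and the `Set-Cookie` header the site returned.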
Common Attacks
Next, you need to gain an understanding of the common attacks hackers use to break in, so you can test your sites and code for these vulnerabilities. You should check out my article on the iCloud attack. OWASP provides a list of the top 10 attacks. This is a great place to start, although I should warn you that some of them get into the weeds fairly quickly. By understanding them, you can review the sites you build to make sure they are protected.
Practice makes perfect
Armed with your first hacking tool, the web proxy, and an understanding of common attacks, it’s time to put your newfound knowledge to the test with a few hacking challenges. There are great sites out there where you can learn and try out hacking techniques without being worried about breaking the law. These are a few of my favorites:
- http://xss-game.appspot.com/
- https://www.hackthissite.org/info/about
- http://canyouhack.it/Hacking-Challenges/Web%20Based-Challenges
After you brush up on your skills, you can take it to the next level with a few public bug bounty programs. These programs are great because they pay you for finding vulnerabilities in public websites, such as Google, Facebook, and PayPal. Make sure you read all the rules before starting:
- http://www.google.com/about/appsecurity/reward-program/
- https://www.facebook.com/BugBounty
- https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
Also, if you don’t want to deal with these companies directly, you can join a bug bounty program through a dedicated bug bounty company. These work with various businesses to test security using a pool of freelance hackers, including you! These two are the best: