Author Topic: [Help] Web Hacking  (Read 3119 times)

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #15 on: November 13, 2014, 02:09:57 pm »
Quality of information is not measured in the quantity of words.

But if two things are of the same quality, the quantity of words matters.
Why are you assuming that that book is of lower quality?

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #16 on: November 13, 2014, 05:57:08 pm »
True, the lab they provide allows you to experiment a bit, but in the long run $7/hour can be quite a big amount. Unluckily I don't know many alternatives, there's Hack this site, but personally I don't like it.

Did you try this?
https://www.hacking-lab.com/index.html
Here's a list of challenges:
https://www.hacking-lab.com/Remote_Sec_Lab/caselist/

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: [Help] Web Hacking
« Reply #17 on: November 13, 2014, 07:40:12 pm »
Why are you assuming that that book is of lower quality?
To some people, reading a pdf on hacking is MUCH lower quality information than reading a quick tut and getting your hands dirty.
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #18 on: November 13, 2014, 08:58:54 pm »
To some people, reading a pdf on hacking is MUCH lower quality information than reading a quick tut and getting your hands dirty.

IMHO, it also depends on what you want to accomplish and how much you are willing to study for reaching your goal.
For instance, I used to be a cracker and while many crackers relied almost completely on quick tutorials, I also read books such as The Art Of Assembly Programming, the Pentium Manuals, etc... It took some effort but it was well worth it.
I know many programmers who learned C++ or Python by reading a few tutorials here and there and it shows. Moreover, they never took the time to learn about algorithms, data structures, numerical analysis, etc... (I saw seasoned programmers ask why, in their programs, 0.1 + 0.2 != 0.3).
I think that getting one's hands dirty too soon is counterproductive. The risk is to become a script kiddie and to be overly dependent on what others may teach you. One should learn from the best and then try to stand on their own.
Another thing to keep in mind is that I don't want to just do some hacking but become a penetration tester. This means that I should be able to discover a large spectrum of vulnerabilities while a black hat hacker might focus on just a few (say SQLi and XSS). A book can give me a fair idea of what there is out there, while a bunch of tutorials can't.
I think tutorials are great because they may contain information you can't find anywhere else, but you can't rely on them to build solid foundations, especially if you're a beginner.
That's my opinion and my method has always served me well in everything I've done. Motivation is also very important. For instance, I never learned to write perfect English because that's too hard and I think it isn't worth it. I don't know anyone who speaks English so I just read a bunch of grammar books and watch movies and TV series every day in English without subtitles. That's about it. So, as you can see, I'm not overly perfectionist in everything I do, but now becoming a good penetration tester is my main goal in life :)

Offline chapp

  • Peasant
  • *
  • Posts: 87
  • Cookies: 2
Re: [Help] Web Hacking
« Reply #19 on: November 13, 2014, 09:29:13 pm »
but now becoming a good penetration tester is my main goal in life :)

I feel sad reading this... OT: If reading is your thing go ahead and read 900 pages. Remember that most American publishers pay by the page. You don't need 900 pages to cover web exploitation and you could do just fine with less. The entire Windows Internals are covered by just over 1400 pages in Windows Internals part 1 and 2, it's *slightly* more complex.

The problem with books about exploitation vectors is how fast they are outdated. It's a 900 page book from 3 years ago. That aside it sounds like you have decided and likely already reading, I wish you the best and hope you will get the information needed.

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #20 on: November 14, 2014, 12:05:54 am »
I feel sad reading this... OT: If reading is your thing go ahead and read 900 pages. Remember that most American publishers pay by the page. You don't need 900 pages to cover web exploitation and you could do just fine with less. The entire Windows Internals are covered by just over 1400 pages in Windows Internals part 1 and 2, it's *slightly* more complex.

Not only do you need 900 pages to cover web exploitation, but I also think they're not nearly enough.
For instance, the book merely touched on Silverlight, Java applets, ActiveX controls and Flash objects. To reverse engineer native code, you need to know assembly, how to use OllyDbg and IDA Pro, how to beat obfuscation, etc... 1000 pages wouldn't be enough.
Web exploitation is way more complex than what you think, IMHO.

The problem with books about exploitation vectors is how fast they are outdated. It's a 900 page book from 3 years ago. That aside it sounds like you have decided and likely already reading, I wish you the best and hope you will get the information needed.

Directly from the book:
Quote
In the four years since the first edition of this book was published, much has
changed, and much has stayed the same. The march of new technology has, of
course, continued apace, and this has given rise to specific new vulnerabilities
and attacks. The ingenuity of hackers has also led to the development of new
attack techniques and new ways of exploiting old bugs. But neither of these
factors, technological or human, has created a revolution. The technologies
used in today’s applications have their roots in those that are many years old.
And the fundamental concepts involved in today’s cutting-edge exploitation
techniques are older than many of the researchers who are applying them so
effectively. Web application security is a dynamic and exciting area to work in,
but the bulk of what constitutes our accumulated wisdom has evolved slowly
over many years. It would have been distinctively recognizable to practitioners
working a decade or more ago.
This second edition is not a complete rewrite of the first. Most of the material
in the first edition remains valid and current today. Approximately 30% of the
content in this edition is either new or extensively revised. The remaining 70%
has had minor modifications or none at all.

Offline lady__godiva

  • /dev/null
  • *
  • Posts: 8
  • Cookies: 1
Re: [Help] Web Hacking
« Reply #21 on: November 14, 2014, 11:20:14 am »
Books get outdated, tutorials get outdated too. In general, resources get outdated. I don't matter books vs tutorial or whatever, but I like resources that give good explanation. You might say that reading a couple tutorials and getting hands dirty is enough, in my opinion it is not. Most tutorials just tell you how to do things, but you aren't really understanding why you can exploit a certain vulnerability and your skillset will always be limited. The truth is, it depends on what you are looking for.

Did you try this?
https://www.hacking-lab.com/index.html
Here's a list of challenges:
https://www.hacking-lab.com/Remote_Sec_Lab/caselist/

Thanks for sharing, I'm taking a look at it now.
« Last Edit: November 14, 2014, 11:20:51 am by lady__godiva »
Everything's relative

Offline lucid

Re: [Help] Web Hacking
« Reply #22 on: November 14, 2014, 07:11:18 pm »
This means that I should be able to discover a large spectrum of vulnerabilities while a black hat hacker might focus on just a few (say SQLi and XSS).
Did you read that in a book?

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #23 on: November 14, 2014, 08:04:36 pm »
Did you read that in a book?

Yes. A black hat hacker can DSF whereas a pentester needs to BSF.

Offline lucid

Re: [Help] Web Hacking
« Reply #24 on: November 14, 2014, 08:28:58 pm »
See that's exactly the problem. If all your info is based on books then you end up making ridiculously broad generalizations like that one. Reading is good, but there's only so much you can take from a book. Nothing substitutes for a little hands-on experience.

Also, reading is not the best way to learn. It's the best way for some people to learn. Some people learn by hearing, some learn by seeing, some learn by doing.
« Last Edit: November 14, 2014, 08:29:41 pm by lucid »

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #25 on: November 14, 2014, 09:53:07 pm »
See that's exactly the problem. If all your info is based on books then you end up making ridiculously broad generalizations like that one.

Are you saying that if I had read a few quick tutorials by now I'd be an expert? I doubt that.
Also, you should explain to me what's so ridiculous about what I said. Try to be constructive.

Reading is good, but there's only so much you can take from a book. Nothing substitutes for a little hands-on experience.

Also, reading is not the best way to learn. It's the best way for some people to learn. Some people learn by hearing, some learn by seeing, some learn by doing.

I only said that, for me, reading a good book, when available, is the best way to start learning something. That doesn't contradict what you said.

Offline lucid

Re: [Help] Web Hacking
« Reply #26 on: November 15, 2014, 05:16:01 am »
Are you saying that if I had read a few quick tutorials by now I'd be an expert? I doubt that.
No. I said that a little bit of hands-on practice can be worth more than ten books. I promise you that.

Quote
I only said that, for me, reading a good book, when available, is the best way to start learning something. That doesn't contradict what you said.
This is a fair statement. If that's how you learn best then do it by all means. I must've gotten caught up in the idea..
« Last Edit: November 15, 2014, 05:16:24 am by lucid »

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #27 on: November 15, 2014, 02:35:08 pm »
No. I said that a little bit of hands-on practice can be worth more than ten books. I promise you that.

I completely agree with you!
Now give me back my cookie  ;D
Just joking!  :)

Offline lucid

Re: [Help] Web Hacking
« Reply #28 on: November 16, 2014, 08:18:43 pm »
I completely agree with you!
Now give me back my cookie  ;D
Just joking!  :)
I don't take cookies. Obviously someone else also disagreed with something you've said.

Kiuhnm

  • Guest
Re: [Help] Web Hacking
« Reply #29 on: November 16, 2014, 09:18:33 pm »
I don't take cookies. Obviously someone else also disagreed with something you've said.

I don't care about cookies, but I think that such a system is immoral if used this way. At least here, skills and dedication to the community should be all that matters. One shouldn't down vote somebody else just because he/she doesn't agree with him.
But since I couldn't care less, I'll keep speaking my mind and damn the consequences!