Posted in Blog, Course Review

Course Review Securing the Cloud: Foundations w/Andrew Krug (Antisyphon Training)

TL;DR – Good course, solid labs. If brand new to AWS, plan on needing extra time to dedicate to the labs. Heavy on CloudFormation. Good way to bring a security engineer up to speed with the basics.

Having done some hands-on work attacking AWS (see my Hands-On AWS Penetration Testing with Kali Linux Notes), I wanted to get some hands-on experience with the defensive side. I’ve done enough to have a decent idea of how to secure things, but I wanted background on setting up a secure environment from scratch. The course info for Securing the Cloud: Foundations was a good fit for what I was looking for. The timing was a bit rough – I ended up listening live around meetings and then going through the class recordings. But I got a lot out of the class. The class starts with getting set up in AWS, so even with no experience you can get a lab environment up and running. He does recommend a clean AWS account so you don’t mess anything up. I used my secondary lab account that I keep for pretty much this – I’ve built and blown away so much stuff in there that I’m not concerned with messing stuff up. Total cost for the labs while I was working through things was less than $20.00 USD for the month. If you work through everything in a week, the spend could probably be kept under $10.00 USD. Leaving stuff up longer would incur greater cost. The little bit I left up to play with runs about $2.00 USD per month.

Class content was very good. Pacing was good, though maybe a bit hard to keep up with if brand new to AWS. But with the recordings available and the materials provided, I think the speed was right. Fast enough that you weren’t dragging, but slow enough that people weren’t getting lost. The class Discord also helps and made it easy to catch things when I was watching the recordings. Setting up billing alerts is one part of this class that I think anyone working with AWS needs to learn. It’s easy to leave something running or misconfigure autoscaling and end up with a higher than expected spend. Billing alerts won’t completely solve the problem, but, set conservatively enough, they can limit the pain a bit. I really liked the use of CloudFormation. That kept the focus on security rather than the mechanics of building resources. I’d done a bit with CloudFormation, so I was happy to get a deeper look. Coming in with more Terraform experience than CloudFormation, it was interesting to see the contrast. The class focus is very practical and builds logically.
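Since the billing alert is the one piece of the class I’d say everyone working in AWS should set up, here is what a minimal one looks like as a CloudFormation template. This is an added example written for this post, not the course’s own lab material; the email address, stack name and the 10 USD threshold are placeholders you would replace with your own values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the course): alarm that emails when the account's
  month-to-date estimated charges pass a conservative threshold.
  Deploy in us-east-1: AWS/Billing metrics are only published there, and
  "Receive Billing Alerts" must be enabled in the account's billing preferences
  before the EstimatedCharges metric exists.

Parameters:
  AlertEmail:
    Type: String
    Description: Address to notify (placeholder, replace with your own)
    Default: you@example.com
  MonthlyThresholdUsd:
    Type: Number
    Description: Estimated month-to-date charges (USD) that trigger the alarm
    Default: 10

Resources:
  # SNS topic with an email subscription; the recipient must confirm the
  # subscription email before notifications are delivered.
  BillingAlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # EstimatedCharges is a running total for the month, so Maximum over the
  # period is the right statistic; billing metrics update roughly every 6 hours.
  EstimatedChargesAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: !Sub "Estimated charges exceeded ${MonthlyThresholdUsd} USD"
      Namespace: AWS/Billing
      MetricName: EstimatedCharges
      Dimensions:
        - Name: Currency
          Value: USD
      Statistic: Maximum
      Period: 21600
      EvaluationPeriods: 1
      Threshold: !Ref MonthlyThresholdUsd
      ComparisonOperator: GreaterThanThreshold
      # No data yet (new account, metric not enabled) should not page anyone.
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref BillingAlertTopic

Outputs:
  BillingAlertTopicArn:
    Value: !Ref BillingAlertTopic
```

Deploy it with `aws cloudformation deploy --region us-east-1 --template-file billing-alarm.yaml --stack-name billing-alarm --parameter-overrides AlertEmail=you@example.com MonthlyThresholdUsd=10`, then confirm the subscription email SNS sends. Because the metric is a month-to-date total, a single alarm only fires once per month as the spend crosses the line; if you want early warning and a later "something is really wrong" signal, deploy the same alarm resource twice with different thresholds (say 10 and 50 USD) rather than relying on one value.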

One of the more interesting parts of this class session was a broken tool. Andrew worked through the troubleshooting live so we could see what needed to be done. And he put in the PR to fix it. He used the opportunity to demonstrate what to do when a tool isn’t working and talk about contributing to open source software. It was a great teachable moment, and I thought he really used it well. He also encouraged students to put in PRs on the class GitHub if they noticed errors or had suggestions. Really cool.

I would recommend this class to those who are new to AWS or have a little experience with it. A little meaning maybe you’ve set up some labs and played around a bit, or you work in an org where the security stuff was already set up and you want to better understand what was done. If this course ever becomes available on-demand, I could see it fitting nicely into an onboarding process. It would be A LOT for onboarding, but for non-AWS focused security engineers, I think it’s a good investment. And the cost is low enough to make it viable.

Posted in Blog, PortSwigger

PortSwigger Web Academy – 11 XSS

On to the client-side! I spent about half of this section smacking myself for not having as much dev experience as I would like. At some point I’ve got to pick up a bit more JavaScript, but it’s really not been a priority. That lack of experience made this section particularly challenging. To the point that I left 2 of the labs incomplete because they are expert level and I’m hoping they’ll make more sense after working through more of the client-side topics. Don’t get me wrong, the labs are great (and plentiful!) – it’s just content that I’m way less familiar with when it gets into the more complicated exploits.

There is a lot of content in this section. I think going through all of the content and then doing the labs would have been a better approach for me. I am having to fill in some gaps to understand what’s going on. I think it would be beneficial to take a quick JavaScript intro module before I revisit these labs. If you’ve done XSS labs previously, the first few should be familiar. For most of the apprentice-level ones, I knew what I wanted to do, but I didn’t really remember how to do it. That’s a feature of not doing much web app pen testing over the past few years, so I’m not really surprised. I’m thinking after going through the other client-side modules I’ll have gotten back in that headspace enough to make the XSS make a bit more sense.

The biggest takeaway for me in this section was seeing what the payloads would look like in the logs. That’s the big reason for wanting to go through this material. I’ve lost a bit of momentum between taking several courses and trying to focus more on my threat hunting course. Priorities…shrug.

I do feel like I’ll be rearranging the order for client-side as well. I found the CSRF section made more sense (more on that later) based on what was done in the server-side modules. I think I also ran into a bit of just wanting to be done with the XSS section. I probably would have benefited from taking a break, doing a different module, then coming back. There are 30ish XSS labs (PortSwigger says 30; somehow I’ve ended up with 33 in my notes, but that may be from doing ones they put elsewhere while I was working through the content). It’s by far the most concentrated and in-depth group of XSS labs I’ve gone through.

I think if you are coming into this section with very little familiarity with JavaScript, it would be a good idea to go through at least an intro module like you would find on Codecademy or SoloLearn. I’d started the Codecademy Learn JavaScript intro a long time ago – I think taking the couple of hours to finish that would be beneficial before revisiting the XSS stuff. The people I’ve talked to with stronger development backgrounds found this unit pretty easy. I’m really happy with what was covered and feel like I can use it to build out a decent framework for testing. I just know there are some knowledge gaps I would need to fill if web app pen testing was my main focus. Too many things I want to learn and not enough time.

Posted in Blog, Course Review, Resources

Course Review: Getting Started in Packet Decoding w/Chris Brenton (Antisyphon Training)

TL;DR – Solid content, a lot to take in for newer learners, well worth taking as an introduction or refresher

I’d been waiting to take this class and finally had a chance a few months ago. My goal was to refresh some fundamentals and fill in some holes that I felt when I took the intermediate threat hunting course. Plus check out the content to see if it would be a good course to recommend to people wanting to get into IT or infosec. It’s a pay-what-you-can class, so it’s very accessible pricewise. There’s a ton of content and labs that give you hands-on experience. A lot of the class was review given how much I’ve done with packet captures, but there were enough tips and tricks that it was well worth the 16 hours of class time. There was good coverage of tcpdump, tshark, and Wireshark. I think it’s important to have multiple options for working with packet captures since Wireshark really doesn’t do well with large captures.

The depth of material was quite good. I think if you were coming in with very little experience with packet captures and network traffic this would be drinking from the firehose. It’s a lot to take in. You do have access to the recordings for 6 months, the course VM, and course PowerPoints. I think if it was over your head, that set of resources would let you get a good grasp on things after the course concludes. Ideally you would take this before the threat hunting course linked above. If you are new to the content, be prepared to revisit the information to grasp it. It’s worth taking the time to go back through until you get it.

I took away a good refresher on tcpdump and tshark plus refreshing networking concepts. Plus some good reminders of deeper functionality in Wireshark. The labs were fun and related well to the material. No issues with the VM. The Discord channels for the class were helpful. I’d recommend the class to anyone wanting to review ICMP, TCP, and UDP.

For someone taking a DIY approach to learning infosec, this gives a solid networking concepts foundation. It doesn’t cover setting up network sensors and such, but that’s not really something I think the target audience of this course would need to focus on. Even if you are looking at more cloud-based security, the content in this class is worth taking.

Posted in Blog, PortSwigger

PortSwigger Web Academy – 09, 10, & Server-Side Wrap-Up

It’s a little hard to believe that I’ve made it through all of the Server-Side topics of the web academy, but so I have. The last two sections were SSRF (server-side request forgery) and XXEi (XML external entity injection). Both were good. The SSRF section was a little shorter than I would have liked, but there were bits of SSRF in other places as well. The labs were good and introduced interesting techniques. You do need Pro for the last one, but that seems reasonable.

The XXEi section was a bit odd. I did a couple of the labs earlier before doing the rest of the sections. Coming back to the rest now, they made a lot more sense. I like this section being the end of the server-side topics. I think it works well. I do think this section will be very tough if you don’t have any experience with XML. The provided solutions make it doable, but a fair amount of practice would be needed to get comfortable.

So 10 sections in, all the server-side topics down, where does that put me? From a web app pen testing standpoint, do I feel like I could sit down and do an effective pen test from memory? Meh, not without references. I think I could run a basic web app pen test. I know I’m capable of more in-depth testing, but I also recognize there are holes. Probably will fill in some of those in the client-side modules. I feel like I’m recognizing patterns and seeing possible exploits better. This was the deepest dive I’ve taken in some of these areas, which was helpful. I feel like if I wanted to really internalize the info, I’d need to take a couple of weeks and really focus on just this. Since my goal was more around getting ideas for detections and recognizing malicious activity in logs, I’m not as concerned with that. If I get time, I could apply this to bug bounty programs. Squeezing these in between other trainings (I did the Getting Started in Packet Decoding w/Chris Brenton and Securing the Cloud w/Andrew Krug since the last blog – reviews to come, both were very good) made this less of a priority.

If someone can prioritize these sections and combine it with bug bounty programs, I think they could come a long way very quickly. And that’s with all the client-side topics to go. I’m happy with my order for these – I’d leave XXEi to the end, but I would bump SSRF up compared to where PortSwigger has it.

  • Directory Traversal
  • Information Disclosure
  • Access Control
  • File Upload Vulnerabilities
  • Command Injection
  • Authentication
  • SSRF
  • Business Logic Vulnerabilities
  • SQLi
  • XXEi

I think this order builds well to allow someone with little to no experience to get to a decent level of web application pen testing fairly quickly. I would recommend doing them in a more compressed time frame than I have if you can. The content is really good for the most part. There are some gaps in the content that mostly get filled in with the labs (places where there’s a jump in the tactics or skills from the provided material to the labs). For free content put out by a company that isn’t focused on content, I’m good with that. I think if you are lost on how to do a specific lab going to the solutions will at least give you enough information to do more research. For several, just looking at the solutions was a face palm moment where I realized what I was missing. The best part for me was seeing what to look for in logs and getting ideas about ways to monitor. I would like to give the content more attention than I am, but that’s not my priority at the moment.

Posted in Blog, PortSwigger, ProfDev

PortSwigger Web Academy – 08 File Upload Vulnerabilities

This section is basically brand new. It was added after I started the Academy. The section was relatively short with enough labs to get comfortable with the basic concepts. You don’t need to know how to create the web shells yourself, but you should at least be familiar with what they are. The labs give you some practice combining techniques – I think this is incredibly valuable and appreciate when this is included. There is a little practice with ExifTool, which is just a good thing to get familiar with if you’re not already. The race condition lab was pretty cool.

I would put this section 4th so far. I feel fairly comfortable with my order for the server-side content:

  • Directory Traversal
  • Information Disclosure
  • Access Control
  • File Upload Vulnerabilities
  • Command Injection
  • Authentication
  • SSRF
  • Business Logic Vulnerabilities
  • SQLi
  • XXEi

I might switch Authentication and SSRF, but I think Authentication is a more familiar topic to those new to web app pen testing. I’ve got about half of SSRF and 2/3 of XXEi to go, but I think the above order makes a lot of sense. I don’t have them ordered in terms of “value” for bug hunting or pen testing, but in the order that I think would build most logically for those just getting started. I think basic technology skills will help you get through the first few sections and provide a more gradual build than the PortSwigger order. I don’t have a problem with the PortSwigger order, but I think I’m coming at it from a different perspective. The content and labs are excellent, so the order probably isn’t that important. My order is just what I would recommend to people looking to transition into infosec or someone with more of a defensive focus wanting to work on some offensive skills.