OWASP Web Application Pentesting Guide Ebook

Hi, I hope you have read my previous post, an inspirational interview with a very passionate pentester and security researcher. Today I'm sharing the latest release of an ebook by OWASP, the Web Application Testing Guide v4.0. I've been reading it for the last three days, and trust me, it's one of the best ebooks for learning web application penetration testing. The ebook contains 224 pages of web application penetration testing guidance.

What are the benefits of reading this Ebook?

If you want to learn web application penetration testing, there are many benefits to reading this ebook. It covers almost every web application vulnerability testing topic, which helps a lot in learning and exploring web application penetration testing. It is very informative for beginners who are curious and willing to learn pentesting and ethical hacking.
Click Here to Download OWASP Web App Testing Guide v4.0

Table of Contents (In short)

Here is a short glimpse of the OWASP Testing Guide ebook. Note that this is only a short glimpse of the table of contents; please download it and you'll learn lots of advanced web application penetration testing techniques and vulnerabilities.

  • Authorization Testing
  • Session Management Testing
  • Input Validation Testing
  • Client Side Testing
  • Authentication Testing
  • Identity Management Testing

It covers testing for authorization and authentication vulnerabilities, input validation testing (one of the most common categories, e.g. SQL injection, XSS, LDAP injection, XML injection and remote code execution), session management testing and identity management testing. If you are interested in web application penetration testing, it is highly recommended.

Meet Jasminder Singh - Indian Security Researcher

Hi friends, first of all I really apologize for not being active on my blog. So here I'm back with an exclusive interview article with a very passionate security enthusiast and bug bounty hunter, Jasminder Pal Singh (Jas), aka Zero-Guy. What's catchy about Jas is that he is very humble and has lots of patience towards his work, and of course he respects and guides newbies like us. Let me mention his recent achievements: recently he discovered a critical stored XSS flaw in YouTube; as a white hat he immediately reported it to the Google Security Team and received a positive reply. That's not all, he has also discovered multiple vulnerabilities in Nokia, Facebook etc.

Today Jas has shared his journey, motivation and lots of good guidance with me and our blog community Hackw0rm. Go through it, I'm sure you'll like it :)

1. Hello Jas, please introduce yourself to our readers

Hello, I'm Jasminder Pal Singh, another computing and internet addict. The main areas I love to work on are web development and web application security research. About my studies, I hold a B.Tech in Computer Science and am currently pursuing a Masters in the same. Professionally I am a freelance web developer and web application security penetration tester.

2. How did you get fascinated by the security field?

I was attracted by the word "Hacking". A few years back, before coming into security research, I was into malware, Trojans etc. I studied how they work and did the stuff practically. I just loved these things. But I had to drop them because there was no peace of mind while working with these things, and I jumped into web development. Obviously I was aware that there are destructive minds out to attack my web apps. I wanted to make them secure, so I started learning web application security, and now I'm doing bug hunting too.

3. What motivates you? And who stands as your inspiration or ideal?

Actually there were many motivations/inspirations during the journey and it's still on. If you ask about web application security, it is necessary for a web developer to secure the applications they develop. I want to give credit to two persons. One is Rafay Baloch and the other is Siddhesh Gawde. Siddhesh once sent my name for the Microsoft Hall of Fame; I didn't do anything, though. I was quite happy and decided to start penetration testing. After that I was strongly inspired by the research of Rafay Baloch. He is a very genuine person and has helped me quite a few times.

4. Apart from pentesting stuff, what else do you like to do?

Apart from web application security testing:
  • Being a web developer, I like to develop interactive/dynamic web apps.
  • I love to capture imaginary shots with my Lumia 820 (a few shots).
  • I love to watch the moon while listening to some good music.

5. Describe your IT security (pentesting) journey

I started pentesting around two years ago. As I wrote above, I was strongly inspired by the research of Rafay Baloch in the field of web application pentesting. At first I started securing the applications I developed and then started testing the websites which fall under a vulnerability disclosure program.

6. If money weren't an issue, would you still be in the IT security field?

Yeah, IT security is my passion. I take finding bugs in big orgs as a challenge. It gives me happiness. Obviously money is a point too, but it's more about passion. A while back I wrote something about it:

"Money is slave of Skills, just make sure you're not after the slave."

7. What is your advice to a beginner in the pentesting (or hacking) field?

Well, I am not an expert. I am just a fresher in the big world of IT security, but yes, based on my tiny experience I have a few suggestions for absolute beginners.

i) Learn the basics: This is key. Without basics we are like shooting arrows in the dark. It may hit the target sometimes by chance, but the majority will go in vain. I would like to quote a few words of Amine Cherrai.

"Never try to think outside of the box before you know what is inside it"

I was into web application development before pentesting, so I had some command over web development languages like PHP, JS, HTML/XHTML, CSS etc. It helped a lot to understand the behaviour of the application. I was able to code my own payloads instead of injecting static ready-made vectors.

ii) Watch PoCs / read write-ups: It's a good practice to watch video proofs of concept and read the write-ups of bugs discovered by other security researchers. It will widen your thinking about injecting into applications. Some good resources are: Hackerone.com, vulnerability-lab.com, Youtube.com (video PoCs). On YouTube set the search filter to "Last Week", input search terms like "XSS", "CSRF" etc. and watch the latest PoCs.

iii) Avoid pentesting websites which don't have a vulnerability disclosure program. It's against the rules, a.k.a. illegal. There are many websites on which you can practice pentesting. Here is the list: Vulnerability Lab and Bugcrowd.

iv) Follow IT security and pentesting people on Twitter. I follow some good researchers on Twitter; you can check them here. Also navigate to the hall of fame pages of different websites like Google, Facebook etc. and check out the websites/blogs of the researchers.

8. Which is your favourite vulnerability found by you?

#1 Last year I discovered a DOM-based cross-site scripting bug which abused CORS in Nokia's Ovi Store. It affected the whole site. I have shared the write-up of this bug on my blog. It was quite an interesting bug; I had to work a lot to make the vector, a.k.a. payload.

#2 The second vulnerability, which is also my favourite, was in Youtube.com. I haven't disclosed its write-up because it's not fixed yet. I will write about it once it gets fixed.

9. Which is your most favourite quote or thought?

"Getting Inspired instead of being jealous on someone's success will lead you towards the Success."

10. Share your thoughts about the Hackw0rm blog

You guys are doing a good job, because I believe every person has some good, actually interesting knowledge that is worth sharing. You are making contacts with IT security people, talking to them and making the information/knowledge they have available to the public. I really liked this idea. Keep it up.

*Thank you very much Jas. Is there anything else you want to share?

Thanks to you too. Yeah, I suggest you guys show your work to your good friends who always encourage you to keep it up. It gives much more power to work. I would like to thank all my friends (Roshan, Raamee, Romy, Sahil, Sael, Siddhesh, Nirmal, Akash, Ravi, Sachin and many more) and the readers of my blog. My social media links are below; anyone can contact me with any queries.

Learn Penetration Testing by Web For Pentesters Ebook

After a short break I'm back! Recently I found two ebooks, Web for Pentesters, and really they are amazing, useful, elegant ebooks for anyone who really wants to learn penetration testing and ethical hacking. Beginners must download and read them.

Web for Pentesters

There are two parts of Web for Pentesters: Part 1 and Part 2. Both ebooks are written by PentesterLab (pentesterlab.com). The Web for Pentesters ebooks cover important and very easy tutorials for beginners and hackers. Several hacking methods and exploits are shared, including web vulnerability hacking tutorials and security research.

Should I download it? Is it useful to me?

Well, if it were the same as some silly ebooks, I'd never have posted it on my blog. This ebook helped me a lot in learning penetration testing and hacking web applications. If you're a beginner in hacking and are seeking something that would help you learn real web hacking and methods, I would highly recommend you download these 3.5 MB ebooks.

NOWASP Mutillidae 30 Web Application Ethical Hacking Videos

Hey buddy, don't mind the picture, I was just trying to get your attention. Well, you might remember that I also posted an article, OWASP WebGoat pentest lab solution videos, and believe me buddy, it just rocked! So this time I've zipped around 30 web application hacking videos on the NOWASP Mutillidae pentest lab. So go ahead and download the whole stuff.

Web Application Hacking Video Tutorial List:

I would just say these resources are really useful. In fact I've zipped all the tutorials into one zip so they can be downloaded easily. Well, let's take a look at the topics. Size: 553 MB

Wow! You know, when I got this stuff I didn't go out for two days; I learnt each and every method properly. So I just thought to share it with you.

Note: All the tutorials in the videos are shown on the NOWASP Mutillidae penetration testing lab. So if you want to test those attacks, I recommend you get the NOWASP Mutillidae pentest lab: click here to get one.

Want to download? Go ahead:

It's not hard to download: just click on the button below and you'll be redirected to Google Drive. Click on Download, and remember it might show you a warning (we can't scan files for viruses); that's because the file is too large, and Google Drive doesn't scan huge files. But don't worry, it's virus free, so click on Download. *Enjoy*

Thanks for reading my post. If you have any further doubts, please comment and let me know. Please do share and help us grow.

OWASP Web-Goat Solution Videos Ethical Hacking

Whether you believe it or not, it's true: every beginner installs and creates a penetration testing lab but doesn't know how to hack, because the fact is he hasn't learnt everything properly. So today is really something very special for you guys. We've zipped the complete WebGoat pentest lab video tutorials.

{OWASP WebGoat is a very powerful and huge penetration testing lab (vulnerable web application) to learn web app hacking. It's really very awesome in its own structure and features. Click Here to Get One}

Is that true? How did you get it? Where is it?

Yes! Well, I got this from the OWASP site. This is really an awesome resource for beginners to learn hacking and penetration testing, with solutions, and that's fantastic! You might have read my article on How to Create an Extreme Penetration Testing Lab Using OWASP WebGoat. (Lots of readers asked me for solution videos too, so that's the reason I hunted for this.)

We've hosted it on Google Drive. Its size is 387 MB (ZIP). It's really very simple to download. Click Here to Go to the Download Page. Learn & Hack.

How to use it? Isn't it a little messy?

Nope! It's very simple to learn through it; you'll just need a web browser to watch all the videos (video embedded in HTML + SWF). After downloading, extract the ZIP calmly. You'll get a folder named "Viewer"; go into it and you'll find index.html (double-click it to open it in your favourite browser).

Next you'll see the logo "YGN Ethical Hacker Group". If you want to read the description, please do, or keep scrolling until you get to the video tutorial index (listed with tutorial name and vulnerability).

(Screenshot of the video tutorial index.)

So, assume that you want to learn SQL injection: click on Injection Flaws, and your browser will automatically take you to the Injection Flaws page.

(Remember not to click on DOWNLOAD, because it's already there on your own computer.) Click on View, wait for 3 seconds, and your tutorial will start.

Thank you for reading my article. If you like it, please share it and help us grow. More gazing hacky stuff will come soon. Till then, cheerio.

Why You Should Learn Programming & Networking

Hi readers, today I'm not going to share any tutorial or hack but a short guide based on what I've experienced in my learning career. Well, it's been one complete year for me in this field (not a pro, nor an expert, still a learner). But have you ever thought about why experienced hackers/researchers always recommend us to learn programming and networking before engaging in hacking? Well, that's what we're going to discuss in this post.

When | Where | How - can I learn hacking?

I've started this with the term 'Hacking'. If you're reading this then probably you want to become a hacker. But do you really think it is so easy to become a hacker? Well, let it be up to you; so what do I need to become a hacker?

First of all you must have two things in your soul: passion and determination. These aren't just words but a power to change everything. If you have passion and determination you can do anything. Well, in short, you have to do a little hard work with a few sacrifices. Let's go through each question with easy answers and have a little chat.

When can I learn hacking? (Sounds like: eligibility to become a hacker)

Well, by now you've realized that becoming a hacker isn't that easy! It requires lots of experience and knowledge in software, networking, programming, web applications etc. Eligibility? Did I use a wrong word? Let it be; there's no age limit to learn hacking. So what is the eligibility?

You can start learning hacking when you have at least 50% to 60% knowledge of software and web application programming. The second most important thing you should know is networking, at least 60%.

Why does everyone recommend learning programming before hacking?

It's simple. Tell me, how are software and web apps made? With programming languages. Almost every technology runs on a programming language. So if you want to break (hack) software, you must know programming languages, because you're going to hack/crack it. Simply put, if you don't know programming, how will you understand how it is made? How it works? What its weak points are? These questions matter a lot.

What about networking? They recommend networking too!

Networks are almost everywhere! Software is moving to the cloud, and cloud-based technology is evolving very fast. Every web application runs on a network: TCP/IP and servers. It's highly recommended that you learn and understand how those protocols and technologies communicate with each other on the Internet, and how computer networks, servers and clients communicate with each other.

But where can I learn programming/networking and hacking?

If you're asking where, well, even a small kid will laugh at you. Okay! There are so many resources: sites, wikis, blogs, white/black hat videos, tutorials, forums etc. to learn almost everything. If you can't understand, ask for help in learning or explaining, or join any programming/hacking/networking coaching. But there's no need to waste money! With a little effort you can learn for free at home. Even we share plenty of articles and tutorials. Join forums, get connected to blogs, read wikis, Google each and every query you get in your mind. Read white papers and learn programming from the millions of sites out there; search on Google. For networking do the same.

Okay, now the final and most important query: how can I learn hacking?

This question doesn't make sense on its own. If you're good at programming and networking, you can start learning hacking. It'll be easy and understandable for you. Programming, then networking, then hacking.

We've discussed and answered some important questions, but what is the main thing in this process? Whether you have passion and determination or not. See, even I'm a learner; I understand how it feels. But never ever give up! Be confident, passionate, inspired and determined in your task.

Feel free to comment and ask questions. This is openly written by our admin Viv, according to his knowledge and experience. Thank you.

An Inspirational Interview with Arul Kumar - Security Researcher

Hello everyone, I'm really very excited to share this inspirational interview. Today we've interviewed an independent security researcher, Arul Kumar (bug bounty hacker), who has been rewarded by the Facebook Security Team two times. Recently he discovered a very critical vulnerability in Facebook that earned him a reward of $12,500 USD from Facebook, and also lots of respect from the community. He's also one of my best friends.

The news also appeared on the Times of India website and in other newspapers.

I'm proud to be his friend and glad to see his success, so we've arranged an inspirational interview for our readers. Hope you'll like it. Let's start, buddy!

1. Please introduce yourself first.

Hi, I am Arul Kumar, 21 years old, from Salem, Tamil Nadu, India. I am an Electronics & Communication Engineer passionate about ethical hacking and penetration testing.

2. How and why did you get into the information security and hacking field?

As I didn't have enough resources, I learned everything at my college net lab, starting in 2009. I spent a lot of time in front of the system rather than electronic hardware. It took me much time to learn because my internet usage was 2 hours/day during college days, and I got my laptop in January 2013 only.

Then I came to know about bug bounty programs because of an incident. In July 2012 I read a news item on an online portal: "Facebook Rewards Hyderabad Youngsters For Finding Bugs". After that I realised that Facebook had rewarded two guys named Harsha Vardhan Boppana & Rishal Dwivedi, who had been listed as white hat hackers in the Facebook Hall of Fame for finding bugs. That incident inspired me a lot, and finally after some months information security became my passion.

3. When did you start security research and bug hunting?

I've been researching and hunting bugs since 2013, after getting my laptop.

4. Where did you learn so many things? Please leak your learning sources

Google is a powerful search engine and a school to learn everything from the beginning. For penetration testing I would recommend the OWASP and Irongeek guides.

5. What was your first finding? How did you feel at that time?

My first findings were open URL redirection bugs in Facebook; unfortunately I got duplicate issues for all of my 4 submissions. I was much frustrated, but I did not give up. Within 2 days I found another 3 new open redirections, which became valid after one month, and it encouraged me to find more.

6. What is your favourite vulnerability found by you? Describe it!

My favourite one is the photo deletion bug in Facebook which I found recently. By using that bug, I was able to delete anybody's photo on Facebook without their permission/interaction. This was applicable to all 1+ billion Facebook users, including Mark Zuckerberg. The Facebook team appreciated it and rewarded me $12,500 (USD) for this finding.

7. What are your future plans?

I'm still learning, so I cannot say anything now about my future plans. I want to do many things to make my homeland (India) proud.

8. What is your advice to new bug hunters / beginners in the hacking field?

Hey, you should ask this question to experts; I am still a beginner. Anyway, according to my experience, I would say just use Google and your brain. You should take everything you have learned from Google as a reference. Try to learn everything by raising questions yourself like How? Why? What? on every methodology. If you really want to see real hacking, watch security conference presentations and videos from Defcon, Black Hat and so on.

After some years, I hope that bug bounty programs will be more competitive and become worthwhile, because we cannot imagine anything without vulnerabilities. So hunt bugs for fun and knowledge and never aim for money; also, automated tools will never help you find bugs in big sites, and they will not improve your knowledge. If you are really honest with your task you will get success. Never give up if you fail at the beginning, and be patient. Still many critical bugs in big sites are hidden and not yet discovered.

9. What do you think about the Hackw0rm blog?

Kudos to your huge efforts. Hackw0rm is really different from other blogs, and it brings tutorials from the basics in a well explained manner. I would suggest the Hackw0rm blog to those who want to learn the basics of pentesting and hacking. Keep up your good work.

10. We appreciate your advice. Is there anything else you want to mention?

I would like to thank each and every soul who inspired and supported me to get into the information security field. From this bug bounty program I have got many good friends around the world. Thank you Vivek and the Hackw0rm team for giving me the opportunity to share my experience with all of you. Thanks everyone.

Thank you Arul bro for your precious time, a bucket full of love to you from my side and best of luck for your future. Also thanks for recommending our blog to beginners, I appreciate it. You can also follow Arul Kumar on Twitter & Facebook.

Thanks for reading my post. If you have any kind of doubt, please leave a comment and let me know. Don't forget to share this amazing inspirational interview.

Download & Learn any Programming, Networking & Technology

Hello buddies! After a long time I'm writing something on the Hackw0rm blog. This might be the best resource for learning programming, networking and telecom technology that I'm sharing with you. Well, through this you can learn many interesting computer technologies and programming languages with examples. It's really worthy for you, so let's review it and download it.

What is it exactly? And what can I learn through this?

I'm sure you guys have definitely got this question in your head. Well, it's the complete offline site of Tutorials Point and W3Schools. Tutorials Point is one of the best sites to learn programming, networking, telecom technology and many more interesting stuffs, but the problem is we require an internet connection to use the live site, so somehow I obtained its complete offline site with thousands of programming and networking tutorials that are really very worthy for geeks! A 100% pure, useful technological resource.

And I'm pretty sure you know what W3Schools is; well, it's another big online programming school, but again you'll require an internet connection to read the tutorials and learn. But if you don't want to waste your internet and want to keep the complete site with you all the time, in your pocket or at home, I guess there won't be a better idea than this.

You can learn the following programming languages and technologies through this:

Web Programming: HTML, HTML5, CSS, JavaScript, AJAX, jQuery, PHP, Advanced Scripting, ASP.NET, Apache Server Handling, RSS, Perl, XML, DHTML, XHTML, JSP, SQL, MySQL, Web Technology and Services etc.

Software Programming & Others: C and C++ Programming, Python, Java, Ruby, Ruby on Rails, DLL Programming, Perl, JDBC, LDAP, SQL, Prototype, UNIX, UDDI, SOAP, Socket Programming, UML, WSDL, CGI and Perl, Radius, DB Programming, TK, XML etc.

Networking & Telecom Technology: Complete Computer Networking, TCP/IP, HTTP, Internet Protocol, and telecom technologies like Wi-Fi, i-mode, GPRS, GSM, WAP, WML, WiMAX, Telecom Billing etc.

There are many more things that are not mentioned, but this will be the best resource to learn so many things. No more googling and searching: just download and learn everything from one kit!

How to download this complete kit and start learning:

Well, it's really very simple to download. Just click on the Download button below and download it from Google Drive. Note that the size of the complete kit is 420+ MB, but we've highly compressed it into just a 122 MB zip file.

Download and uncompress the file. You'll get another two compressed files, named tutorialspoint and w3schools. It is recommended to run w3schools on an Apache server to get complete access to the offline site and the real experience. Tutorials Point doesn't require any server; you can just open its folder, double-click index.html and start learning everything. Please make sure you have a WAMP or XAMPP server to run the w3schools offline site, because it is programmed in ASP, so it's compulsory to have a web server for it. If you're using WAMP, place the entire w3schools folder in the www folder, and if you're using XAMPP, place it in the htdocs folder.

Thank you for reading my post. If you have any kind of problem related to this content, please comment and let us know. If you liked our blog and post, please share it and help us grow: