Introduction
Last updated on: 25 November 2024
Edit this page on GitHubLast updated on: 25 November 2024
Edit this page on GitHubWeb applications are critical infrastructure used by media organizations and civil society to disseminate free flow of information as well as to provide functionalities to their stakeholders. Adversaries attack these web applications for various purposes, including shutting down the free flow of information, reputational damage, access to private systems, theft of sensitive information, surveillance, and device compromise. By proactively identifying vulnerabilities in web applications used by your clients and partners, you can head off potential compromises before they occur.
This learning path covers intermediate and advanced knowledge needed to deeply understand and identify vulnerabilities in web applications. This can be used to find vulnerabilities in an application before threat actors do, to guide secure development practices, or to more effectively fix vulnerabilities in web applications. In this learning path we will cover:
Adversaries, especially political rivals, have a history of attempting to hack into the websites of civil society groups. Some documented examples include:
Additionally, any site on the internet is subject to opportunistic and targeted attacks by financially-motivated threat actors. These adversaries have goals such as stealing user passwords, payment card information, etc. for resale, modifying site content for search ranking manipulation or click fraud,using the site’s infrastructure itself for cryptocurrency mining, sending spam, or launching denial of service attacks. Although many of these attacks may not be targeted based on political motivations, they nonetheless pose significant reputational and confidentiality risks to any organization. For more information on opportunistic and automated attacks on web applications, see this report by OWASP.
The Badge-holder should be able to efficiently perform comprehensive security assessments of web applications, including identifying the vulnerabilities in the OWASP top 10.
Web application assessment skills can help respond to hacking threats by:
You will need a computer capable of running Java applications and Docker. Any macOS, Windows, or Linux device with 8GM of RAM and some free disk space should work. All of the labs here were also tested on devices running Apple Silicon, and work.
Many of the tools in this learning path run best on Unix-like operating systems. This means that it’s easiest to use Linux, macOS devices, or Windows devices with WSL (Windows Subsystem for Linux) installed on them.
If you are running macOS, it’s a good idea to install Homebrew or Macports; those are package managers which can automate the process of installing some of the tools outlined throughout the learning path.
Alternatively, if you have an installation of Kali Linux (you can use the same one you used for the Web Application Security Fundamentals learning path), most of the tools outlined below should already come pre-installed.
If you are running Windows, we recommend you install WSL (Windows Subsystem for Linux) to run some of the tools outlined below. While many of them can run in Docker, those which require Python might be much easier to run within WSL, which will require less fiddling with dependencies.
wsl --set-default-version 2
The output from this command will look like:For information on key differences with WSL 2 please visit https://aka.ms/wsl2
The operation completed successfully.
Once WSL 2 is installed, you can install your preferred Linux distribution from the Microsoft Store or by using the command line. Simply search for “Linux” in the Microsoft Store, select your desired distribution (e.g., Ubuntu, Debian, or others), and click “Install”. Alternatively, you can install a Linux distribution using PowerShell or Command Prompt. Open a Windows Powershell or Command Prompt and list the distributions available:
wsl --list --online
Install a distribution from this list using wsl –install -d <Distribution Name> command.
wsl --install -d Ubuntu
After installation, each Linux distribution will have an icon on the Windows application menu. Once you have installed WSL, you will need to create a user account and password for your newly installed Linux distribution.
A new window should open with a Linux shell.
Here is a quick review of the WSL command line options
Print the usage information and see the command line arguments:
wsl --help
List the installed distributions:
wsl --list
List only the running distributions:
wsl --list --running
Terminate a running distribution:
wsl --terminate Ubuntu-22.04
Shutdown all running distributions:
wsl --shutdown
Unregister the Linux distribution and delete the filesystem:
wsl --unregister Ubuntu-22.04
Update WSL to the latest version:
wsl --update
Start the default distribution:
wsl
After completing this learning path, we would recommend that learners work on Web Application Hardening, Forensics, and Incident Response.
Congratulations on finishing the introduction!
Mark the checkbox to confirm you have read the introduction and continue to the next module.
Marks the introduction as completed and saves the progress for the user.
You've completed all modules in this learning path.