Best learning resources for hacking port 80.

So, I'm new and want to focus my efforts (for a start) on ways to hack an open port 80. So Does anyone have any suggestions for learning to hack web server, maybe some VMs and scenarios? Also maybe books or website to learn how to use the different tools?

Comments

  • I'd start with the stuff on OWASP or Portswigger.net

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • edited September 27

    Type your comment> @TazWake said:

    I'd start with the stuff on OWASP or Portswigger.net

    portswigger is underrated IMO, lots of stuff on there, great site.

    If someone goes through all of that, it'd be a great foundation.

    Not affiliated with any website, company, etc. Hahaha

    Hack The Box

  • Type your comment> @TazWake said:

    I'd start with the stuff on OWASP or Portswigger.net

    Thanks a lot, I signed up for the academy! Looks great :)

  • Type your comment> @pizzapower said:

    Type your comment> @TazWake said:

    I'd start with the stuff on OWASP or Portswigger.net

    portswigger is underrated IMO, lots of stuff on there, great site.

    If someone goes through all of that, it'd be a great foundation.

    Not affiliated with any website, company, etc. Hahaha

    To add to more resources, I would definitely recommend Owasp Juice shop and Bwapp, the only thing that is a bit succy about it is the fact that you have to host it yourself (VM), but apart from that, both of them are great!

  • Type your comment> @PapyrusTheGuru said:

    Type your comment> @pizzapower said:

    Type your comment> @TazWake said:

    I'd start with the stuff on OWASP or Portswigger.net

    portswigger is underrated IMO, lots of stuff on there, great site.

    If someone goes through all of that, it'd be a great foundation.

    Not affiliated with any website, company, etc. Hahaha

    To add to more resources, I would definitely recommend Owasp Juice shop and Bwapp, the only thing that is a bit succy about it is the fact that you have to host it yourself (VM), but apart from that, both of them are great!

    This is all cool but the problem I have now is that I go on a website like google gruyere or OWASP Juice Shop and I have no idea what to do. I start burp and am quite lost :/

    Also when I was trying to do the portswigger academy I couldn't login for whatever reason so I couldn't do the labs to train, but I feel like they'll be the same thing, throwing you out there with the tools but no info on how to use them. Any help? :(

  • @wh4ck said:

    This is all cool but the problem I have now is that I go on a website like google gruyere or OWASP Juice Shop and I have no idea what to do. I start burp and am quite lost :/

    You need to determine where you need to start. Web application attacks are complicated and can range from simple to super-advanced exploitation. If you have limited experience, then it might be better to look at the more foundational things.

    Also when I was trying to do the portswigger academy I couldn't login for whatever reason

    You need to create an account then you can log in. If you can't login, it's probably worth trying to find out why. If you've forgotten your password you can reset it.

    so I couldn't do the labs to train, but I feel like they'll be the same thing,

    Well, it depends. Portswigger has some of the best content for learning web application security - for example:

    https://portswigger.net/web-security/web-cache-poisoning

    You don't need an account to see that, the academy access is more for the labs to practice this.

    throwing you out there with the tools but no info on how to use them. Any help? :(

    There is a lot of information out there - but you really need to look for it if you want it for free. It is very hard for other people to point you at things which you will understand rather than the things they understand.

    There are countless places to look with content on places like Pluralsight, Cybrary, Udemy, Tutorialspoint, Guru99, Hackingarticles etc.

    If the free information isn't working then the only real alternative is to fund some formal training.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Not sure if i'm allowed to recommend tryhackme or not but they have DVWA and Juiceshop rooms that you can jump straigh into.
    not affiliated with them but just thought it's easier than hosting your own vm.

  • Type your comment> @TazWake said:

    @wh4ck said:

    This is all cool but the problem I have now is that I go on a website like google gruyere or OWASP Juice Shop and I have no idea what to do. I start burp and am quite lost :/

    You need to determine where you need to start. Web application attacks are complicated and can range from simple to super-advanced exploitation. If you have limited experience, then it might be better to look at the more foundational things.

    Also when I was trying to do the portswigger academy I couldn't login for whatever reason

    You need to create an account then you can log in. If you can't login, it's probably worth trying to find out why. If you've forgotten your password you can reset it.

    so I couldn't do the labs to train, but I feel like they'll be the same thing,

    Well, it depends. Portswigger has some of the best content for learning web application security - for example:

    https://portswigger.net/web-security/web-cache-poisoning

    You don't need an account to see that, the academy access is more for the labs to practice this.

    throwing you out there with the tools but no info on how to use them. Any help? :(

    There is a lot of information out there - but you really need to look for it if you want it for free. It is very hard for other people to point you at things which you will understand rather than the things they understand.

    There are countless places to look with content on places like Pluralsight, Cybrary, Udemy, Tutorialspoint, Guru99, Hackingarticles etc.

    If the free information isn't working then the only real alternative is to fund some formal training.

    As always you present some of the best information for everyone IMO. Learning web application attacks can be hard, but it's about breaking these attacks apart and learning the foundations of these attacks individually.

  • This is all cool but the problem I have now is that I go on a website like google gruyere or OWASP Juice Shop and I have no idea what to do. I start burp and am quite lost :/

    Also when I was trying to do the portswigger academy I couldn't login for whatever reason so I couldn't do the labs to train, but I feel like they'll be the same thing, throwing you out there with the tools but no info on how to use them. Any help? :(

    Well, at least how I see it, "hacking" is learned by getting your hands dirty and figuring stuff out by reading blogs, watching youtube videos, and spending a lot of time in the mud. Don't be afraid of walkthroughs of HTB retired boxes while you're learning. They'll be a wealth of information.

    Unfortunately, that's how a lot of jobs are - here are the tools, figure it out. I mean, I've been at it for years, and I still feel like a complete moron daily. Granted, I'm just a lifelong "amateur" hacker, and I don't work in the industry.

    So tighten up those googling skills, figure out why you can't login to portswigger, and just hammer away at it. Can't use Burp? Google it. Can't enumerate directories? Google it. Don't know what port forwarding is? Google it.

    Google has the answers to everything, but It won't be easy, and you'll never feel like you have a full grasp of everything out there.

    Hack The Box

  • Type your comment> @pizzapower said:

    This is all cool but the problem I have now is that I go on a website like google gruyere or OWASP Juice Shop and I have no idea what to do. I start burp and am quite lost :/

    Also when I was trying to do the portswigger academy I couldn't login for whatever reason so I couldn't do the labs to train, but I feel like they'll be the same thing, throwing you out there with the tools but no info on how to use them. Any help? :(

    Well, at least how I see it, "hacking" is learned by getting your hands dirty and figuring stuff out by reading blogs, watching youtube videos, and spending a lot of time in the mud. Don't be afraid of walkthroughs of HTB retired boxes while you're learning. They'll be a wealth of information.

    Unfortunately, that's how a lot of jobs are - here are the tools, figure it out. I mean, I've been at it for years, and I still feel like a complete moron daily. Granted, I'm just a lifelong "amateur" hacker, and I don't work in the industry.

    So tighten up those googling skills, figure out why you can't login to portswigger, and just hammer away at it. Can't use Burp? Google it. Can't enumerate directories? Google it. Don't know what port forwarding is? Google it.

    Google has the answers to everything, but It won't be easy, and you'll never feel like you have a full grasp of everything out there.

    Agreed, to be successful (realistically) in any field, you have to love to research, learn and google (things) :P

  • So basically I was wrong about portswigger - it teaches me without giving me all the answers - I just couldn't do the labs because there was a problem with my account, but I emailed them and they fixed it. Also I was reading the articles before my account was fixed but it isn't the same as actually doing it. Thanks a lot guys!

Sign In to comment.