Problems that may be encountered in learning web security:
1. It takes a long time to lay the foundation
It took a long time to learn the basics. There are several optical languages. Some people will stop on the way of learning the linux system and commands, and more people will stop on learning the language;
2. The knowledge points are not clear enough
For the basic content of network security, many people don't know how much they need to learn, which leads to spending too much time on the basics; many students bought HTML, PHP, database, computer network
Waiting for books, each of them is very thick, and many of them are written in depth, but I find that the more I learn, the less confident I am. Others can find a job by learning PHP or database, but I have to learn so much about network security. It's not that I chose the wrong direction;
3. Knowledge points are unclear
Many students spent a lot of energy to learn the basic content, but found that a lot of knowledge has little to do with subsequent network security, did not distinguish the key points, and wasted a lot of time;
4. The learning of knowledge points is not systematic enough
I saw that many students found a lot of learning videos on station b, and bought some small lessons on other platforms. There are also 1-2T learning materials and video content on Baidu cloud disk, but it takes a lot of money to finish each class time, and the content is repetitive. After learning SQL injection, I saw another company talking about SQL injection later. It was not bad. I will study it again. I found that after learning all the principles of web vulnerabilities, I am still not sure. Whether I have learned all the knowledge points of web vulnerabilities, so I don’t know whether I have learned it or not;
5. Insufficient ability to solve problems by oneself
For beginners, many people will build some shooting ranges by themselves, but due to the configuration environment, it will take a lot of time, especially for beginners who cannot solve three consecutive problems, it is easy to give up; for some hands-on skills Poor students, this may directly affect the confidence to continue learning;
6. Insufficient actual combat level
For learning network security and penetration testing technology, in fact, to a large extent, what you learn is "hacking" technology. By learning how to attack and intrude, you can better understand how to defend systems and applications; and this is precisely network security. If you only have theory and little practical experience, it will be more difficult to get a job; in normal study, in addition to building some open source shooting ranges for practice, it is best to have a shooting range composed of real loopholes for learning. You can go to the SRC platform to test some real websites (you must obtain authorization to penetrate real websites), but it is relatively difficult to find out, and many beginners will lose confidence and doubt their abilities;
7. Intranet learning is relatively difficult
The information about web penetration is everywhere on various platforms on the Internet, and it is relatively easy to learn, but there are relatively few materials about intranet on Internet platforms, and there are not many materials that can be used for reference. In addition, corresponding shooting ranges are also required With practice, you can improve your skills and accumulate experience, and learning will be more difficult.
The correct order to learn web security:
Phase 1: Basic Knowledge
Before you start learning about web security, you need to have a basic knowledge of web development. Here are some study suggestions for the basics.
1. Learn HTML, CSS, JavaScript and other basic languages
HTML, CSS, JavaScript, etc. are the most basic languages in web development. Learning these languages can understand the basic structure, style and interaction of web pages.
2. Learn basic server-side programming languages
In web development, server-side programming languages handle tasks such as interacting with databases, authenticating users, and more. You can choose a server-side programming language to learn, such as PHP, Python, etc.
3. Learn web frameworks
The web framework can simplify the web development process and improve development efficiency. Learning commonly used web frameworks, such as Django, Ruby on Rails, etc., can help you better understand the basic principles of web development.
Phase Two: Web Security Fundamentals
After you understand the basics of web development, you need to learn web security fundamentals. Here are some study suggestions for the basics.
1. Learn about web security threats and attack types
Understanding web security threats and attack types can help you better understand the basics of web security. You need to learn some common types of web security attacks, such as SQL injection attacks, cross-site scripting attacks, etc.
2. Learn web security defense measures
Learning web security defenses can help better secure web applications and websites. You need to understand some common web security defense measures, such as input verification and identity verification.
3. Learn Web Security Tools
Web security tools can help better discover security holes in web applications and websites. You can learn some commonly used web security tools, such as Burp Suite, Nmap, etc.
The third stage: advanced knowledge of web security
After mastering the basic knowledge of web security, you need to have a deep understanding of advanced knowledge of web security. The following are some study suggestions for advanced knowledge.
1. Learn encryption and decryption algorithms
Understanding encryption and decryption algorithms can help better protect sensitive information on web applications and websites. Need to learn some commonly used encryption and decryption algorithms, such as AES, RSA, etc.
2. Learn vulnerability mining and utilization techniques
Learning vulnerability mining and exploitation techniques can help you better discover security vulnerabilities of web applications and websites, and exploit these vulnerabilities for attacks. You can learn some common vulnerability mining and utilization techniques, such as SQL injection, XSS, etc.
3. Learn Web Secure Coding Practices
Web secure coding practices can help to better write secure web applications and websites. Need to learn some common web security coding practices, such as input validation, output encoding, etc.
Phase Four: Practice and Application
After learning the basics and advanced knowledge of web security, practice and application are required. Here are some practical and applied suggestions.
1. Build web applications and websites
Building web applications and websites can help you gain a better understanding of web development and web security. Web applications and websites can be built using some common web frameworks and server-side programming languages.
2. Conduct web security testing
Conducting web security testing can help discover security gaps in web applications and websites. You can use some commonly used web security testing tools for testing, such as Burp Suite, OWASP ZAP, etc.
3. Participate in CTF competitions and vulnerability challenges
Participating in CTF competitions and vulnerability challenges can help better develop web security skills. These competitions provide a deeper understanding of web security offensive and defensive techniques and improve skill levels.
Regarding network security, I have also done a lot of research myself and compiled a lot of network security resources, ranging from entry to advanced, including a complete learning roadmap for red-blue confrontation, supporting video tutorials, toolkits and techniques Documentation and more: