Learning network security: my experience and the pitfalls along the way

Looking back on the past year of learning network security, I have stepped into many pitfalls and taken many detours. I summarize them here, hoping to help students who want to get started with web security or want to play CTF.

Pitfalls

First, a summary of the pitfalls I ran into while studying:

  1. Only watching videos, without practicing or writing summaries.

  2. Hoarding resources like a squirrel. I naively thought that collecting was learning; I paid for Baidu Cloud storage and still have piles of saved material. In practice, when I actually want to learn something I go to Bilibili (station b), since, as we all know, station b is a site for learning, ahem. Things worth saving are still worth saving (this article, for example).

  3. Idling in chat groups all day, learning no knowledge but a lot of slang, all of which Baidu could have told me anyway.

Suggestions

  1. Ask your seniors for advice (learn the art of asking questions first), and do not stay stuck, especially when you are just getting started and know nothing. You may struggle with something for days that a single sentence would resolve. For example, environment setup is a common difficulty for beginners, and Docker solves most of its pain points.
  2. Join a security team and see what the experts are learning; even if you do not get in, you gain some interview experience.
  3. Work hard, write more code, practice more, and take notes. This is the most important point. Human memory is limited: if you do not revisit something for a long time you will forget it. Writing your own notes not only deepens the impression while learning but also lets you review quickly later. You can build your own blog, or register on CSDN, Cnblogs (博客园), etc., and share your notes. This is positive feedback for learning and motivates you to keep going.
  4. You have only really learned something when you can explain it clearly to someone else. Explaining problems to others not only consolidates your own knowledge but also deepens the impression.
  5. If you are learning a language, do a small project once you have learned the basics; you will be proud of the result. I built a website when I was learning Flask, and I can still feel the motivation I had then.
  6. Cultivate your ability to self-study. Even without a teacher you can pick something up in a few days; the experts all learn in the early hours of the morning, which is perhaps why their hairlines are always so eye-catching. Besides, network security knowledge is intricate and computing changes daily; going deep into research is enough to fill a lifetime.
  7. Follow network security events such as Defcon and GeekPwn to cultivate interest; interest is the best teacher.
  8. Follow the public accounts and Bilibili channels of some experts. Here are some recommendations:
  • Forums:

    1. 52pojie (吾爱破解)

    2. Kanxue Forum (看雪)

    3. Anquanke (安全客)

    4. Xianzhi Community (先知社区)

    5. FreeBuf

    Good articles by the experts can be posted to these forums, which is not only positive feedback for learning but also earns a little money.

  • WeChat official accounts:

    1. Penetration Cloud Notes (渗透云笔记)

      Sends out resources from time to time.

    2. Daoge's Blackboard (道哥的黑板报)

      Yes, Alibaba's Daoge, the author of "White Hat Talks About Web Security"; his official account has recently resumed updating after a long silence.

    3. Xie Gongzi Learns Security (谢公子学安全)

      Mr. Xie's official account.

    4. Code Audit (代码审计)

      P God's official account, mostly Java code audit content. Students with a little spare money can join P God's paid knowledge circle (小密圈), which is valid forever; this should be the most genuine circle out there.

    5. Mountain Police Cyberspace Security and Electronic Data Forensics

      The official account of the school society; the content is mainly CTF.

    6. Godfather Loves to Share (教父爱分享)

      Sends out resources from time to time, and the Godfather's group is also worth joining.

    7. Dark Cloud Security

      Sends out resources from time to time; no need to buy anything (I repeat: no need to buy anything).

  • Bilibili (station b):

    1. CodeSheep

      A programmer UP (uploader), very down-to-earth; content: Java, C, and some experience sharing.

    2. Vulnerability Bank (漏洞银行), DeeLMind

      Irregularly invite experts as guests to share knowledge.

    3. Star Alliance Security Team, Nip Technology, Gcow Security Team

Web learning path

Web security learning routes fall into two types:

  1. Learn the basics first, then move on to security
  2. Learn security while filling in the basics

For security newcomers the second approach is recommended: learn the principles of vulnerabilities while filling in the basics as you go. For example, when learning XSS you can pick up the JavaScript knowledge you need at the same time.

You can follow the steps below.

First stage

  • Web vulnerabilities

    1. SQL injection

      Then learn SQL statements and the various databases.

    2. CSRF vulnerabilities

      Then learn the cookie and session mechanisms.

    3. XSS

      Then learn JavaScript.

    4. Command execution

      Then learn Linux, bash and Windows cmd commands.

    5. File upload and file inclusion

      Understand the file extensions used by the different web languages and the backend logic that handles them.

    6. SSRF

    7. Logic vulnerabilities

    8. Other web vulnerabilities

  • Programming languages

    Python and PHP can be learned together, and you do not need to go deep in the early stage. Learn them alongside the principles of web vulnerabilities.

  • Understand the web technology stack

    1. Computer networks (HTTP, TCP/IP)
    2. Middleware
    3. Databases
    4. Operating systems
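
The SQL injection item in the list above is the one most worth seeing in code alongside the SQL it relies on. The following is an added example, not code from the original post, written in Python (the language the post recommends) against an in-memory SQLite database filled with constructed sample users. It puts the same login lookup side by side in its string-concatenated form and its parameterised form, and shows what three classic payloads (a comment to drop the password check, a tautology, and a UNION to read another column) do to each:

```python
# Added example, not from the original post. The users table, the user names
# and the passwords below are constructed sample data chosen for illustration.
import sqlite3


def make_db():
    """Create an in-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cret!"), ("alice", "wonderland"), ("bob", "builder")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenate user input straight into the SQL text.

    Whatever the user types becomes part of the statement the database parses,
    so quotes, comments and UNION in the input change the query's meaning.
    Returns the list of matched usernames.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Bind user input as parameters.

    The SQL text is fixed; the driver passes the values to the database as
    data, so a quote or a comment marker in the input is just a character
    inside a string and never reaches the parser. Same return value as above.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Three classic payloads. Each is a normal-looking string to the safe version.
PAYLOAD_COMMENT = "admin'--"                 # closes the quote, comments out the password check
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"            # '1'='1' is true for every row
PAYLOAD_UNION = "' UNION SELECT password FROM users--"  # reads a different column


def demo():
    """Run the payloads against both implementations; returns a results dict."""
    conn = make_db()
    results = {}
    for name, user, pw in [
        ("legit", "alice", "wonderland"),
        ("comment", PAYLOAD_COMMENT, "anything"),
        ("tautology", PAYLOAD_TAUTOLOGY, PAYLOAD_TAUTOLOGY),
        ("union", PAYLOAD_UNION, "x"),
    ]:
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} vulnerable={outcome['vulnerable']}  safe={outcome['safe']}")
```

In the vulnerable version the comment payload logs in as admin without a password, the tautology returns every user, and the UNION payload returns the password column instead of usernames; the parameterised version returns nothing for all three and still works for a real login. One caveat when you try this yourself: Python's sqlite3 `execute()` refuses to run more than one statement, so a stacked payload such as `'; DROP TABLE users--` raises an error here. That is a property of this driver, not of concatenated SQL in general, so do not read it as protection.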

Second stage

  • Web security

    1. Vulnerability mining
    2. Code audit
    3. Privilege escalation
    4. Intranet penetration
    5. Social engineering
  • Programming languages

    Yes, you still need to learn languages. A good programmer is not necessarily a good security professional, but a good security professional must be a good programmer.

  • In-depth web technology stack

    1. Backend languages (Java, PHP, Python)
    2. Backend frameworks (Spring, ThinkPHP, Django)

Some recommended web security books

  1. "Deep Analysis of Web Security"
  2. "White Hat Talks About Web Security"
  3. "Illustrated HTTP"
  4. "Code Audit: Enterprise Web Security Architecture"
  5. "Mastering Metasploit Penetration Testing"
  6. "Web Security Attack and Defense: A Practical Guide to Penetration Testing"
  7. "Web Attack and Defense: A Practical Guide to Business Security"
  8. "Web Front-end Hacking Techniques Revealed"

They are roughly in priority order from top to bottom. Reading more books naturally teaches you more, but knowledge in print is inevitably a little dated, so keep up with current events and read more articles.

Enough, bro? Enough? Enough, bro, you fake CTF contestant.

Finally, two more books, both produced by top CTF teams:

  1. Nu1L Team: "From 0 to 1: The Growth Path of a CTFer"
  2. FlappyPig Team: "CTF Special Training Camp"

Learning network security may be a little stressful for students without a computer science background or who come from another discipline, but computing is famously a hodgepodge of a major, and many experts came from other fields, gynecology included.

I share this with you and say it to myself at the same time. Finally, children without umbrellas must learn to run: break out of your comfort zone and keep going.

Origin blog.csdn.net/2302_76827504/article/details/130735688