Getting Started with Web Security in 160 Days

Hello everyone, I am Xiao V. Recently a friend asked me whether there is a route for learning web security. Indeed, the scope of web security is very large: what should be learned first, and what later? Without a systematic route, everyone's efficiency drops, which is simply a "nightmare" for students who are just getting started. When I first started, I took a lot of detours and even did useless work for half a year; now I am gradually on the right track. So I plan to write a blog post in the form of a learning route, to help newcomers who are just getting started avoid detours, and I hope it gives you some help.

The recommended books are packaged as PDFs.

01 Basic languages (60 days)

Someone who does web security without understanding development and programming languages is a so-called script kiddie, and that is a dangerous place to be: you will quickly hit a bottleneck, and that bottleneck is the language. I hope everyone lays a solid foundation from the very beginning and learns the languages well. The better you learn them, the higher your ceiling will be.

Common languages: HTML, CSS, JavaScript, Java, PHP, SQL, Python, Ruby

All of the above are development and scripting languages. Imagine doing code auditing and writing your own scripts later on: if you already master these languages, the work goes much more smoothly.

Recommended books (no commercial relationship)


02 Basic protocols (20 days)

Because this is web security, you must focus on learning the HTTP protocol and the TCP/IP protocol suite; how well you understand them will also determine your ceiling.

Recommended books (no commercial relationship)


03 Common vulnerabilities and tools (60 days)

Common tools: AWVS, sqlmap, Burp Suite, Nessus, China Chopper, nmap, AppScan... (read each tool's official documentation yourself)

Common vulnerabilities: SQL injection, XSS, CSRF, file upload bypass, file inclusion, arbitrary code execution, business logic vulnerabilities...

These must be learned and mastered. The vulnerabilities and tools are covered in the books I recommend; you can learn from the books or search online.
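As an added example (not code from the original post), here is the first vulnerability on the list, SQL injection, demonstrated against an in-memory SQLite table with constructed sample users. `login_vulnerable` builds the query by string formatting, so the classic `' OR '1'='1` payload and a comment payload (`alice'-- `) log in without a valid password; `login_safe` uses a parameterized query, and the same payloads fail because the driver sends the values separately from the SQL text. The table, the users and the payloads are all constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text and becomes SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: a parameterized query keeps the values out of the SQL grammar."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run legitimate and malicious logins through both functions."""
    conn = make_db()
    # Tautology payload: the WHERE clause becomes
    #   username = 'anything' AND password = '' OR '1'='1'
    # and AND binds tighter than OR, so every row matches.
    tautology = "' OR '1'='1"
    # Comment payload: '-- ' comments out the password check entirely.
    comment_user = "alice'-- "
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "tautology_vuln": login_vulnerable(conn, "anything", tautology),
        "tautology_safe": login_safe(conn, "anything", tautology),
        "comment_vuln": login_vulnerable(conn, comment_user, "wrong"),
        "comment_safe": login_safe(conn, comment_user, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The legitimate login succeeds in both versions; both injection payloads return a user from `login_vulnerable` and `None` from `login_safe`. The same pattern applies to any driver that supports placeholders (`?` in sqlite3, `%s` in psycopg2/MySQLdb, named parameters in PDO): never build the SQL string from user input.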

Recommended books (no commercial relationship)


04 Tool development (10 days)

Although experts release tools online, there are always some difficulties in using them, or the tool you need does not exist at all, and some EXPs and POCs have to be written by yourself. At those times you have to develop your own tools; the main languages for this are Python and C#.

Recommended books (no commercial relationship)


05 Server security configuration (10 days)

First, be familiar with common Linux commands, such as ifconfig, ls, cp, mv, vi, wget, service, sudo, etc.;

Be familiar with common Windows cmd commands, such as ipconfig, nslookup, tracert, net, tasklist, etc.;

Then learn server environment configuration, and be able to find the security problems in a configuration by reasoning about it.

For example:

IIS configuration on Windows: pay special attention to configuration security and to the permissions the worker process runs with;

LAMP security configuration on Linux: mainly the user the services run as, cross-directory access, folder permissions, etc.;

Remote hardening: restrict which usernames may log in and whether password login is accepted at all, and restrict open ports with iptables;

Deploy a software WAF such as mod_security on the server to add another layer of protection.
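The "restrict username and password login" item above, combined with section 04's advice to write your own tool when none fits, as an added example that is not from the original post: a small Python checker for sshd_config. It applies OpenSSH's documented rule that the first occurrence of a directive wins, treats everything after a `Match` line as conditional rather than global, fills in OpenSSH's defaults for directives that are absent or commented out, and reports what a hardened configuration would change. The two configs and the policy table are constructed for this example; point `audit_file` at `/etc/ssh/sshd_config` to audit a real host. The iptables port restriction is not covered here.

```python
# Constructed sample configs (not from the original post). The first is deliberately weak.
WEAK_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
X11Forwarding no
"""

# Hypothetical hardening policy for this example: directive -> (accepted values, reason).
POLICY = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"},
                        "root must not log in over SSH with a password"),
    "passwordauthentication": ({"no"}, "use key-based authentication only"),
    "pubkeyauthentication": ({"yes"}, "public-key authentication must stay enabled"),
    "x11forwarding": ({"no"}, "X11 forwarding is rarely needed on a server"),
}

# OpenSSH defaults that apply when a directive is absent or commented out.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return the effective global directives as {lowercase keyword: value}.

    sshd uses the first value it reads for each keyword, so later duplicates are
    ignored (setdefault). Directives after a 'Match' line only apply to the
    matching connections, so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the policy is met."""
    effective = parse_sshd_config(text)
    findings = []
    for key, (allowed, reason) in POLICY.items():
        value = effective.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append(f"{key}={value}: {reason}")
    if "allowusers" not in effective and "allowgroups" not in effective:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt SSH login")
    return findings


def audit_file(path):
    """Audit a real sshd_config on disk, e.g. audit_file('/etc/ssh/sshd_config')."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_sshd_config(fh.read())


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"[{label}]")
        for finding in audit_sshd_config(cfg) or ["OK"]:
            print("  " + finding)
```

On the weak config this reports four findings (root login with password, password authentication, X11 forwarding, and no user allow-list); the hardened config produces none. The first-wins rule matters in practice: appending `PermitRootLogin no` to the end of a file that already says `PermitRootLogin yes` changes nothing, which is exactly the kind of configuration mistake the section asks you to learn to spot. The Match handling is conservative: it simply refuses to treat conditional directives as global, rather than evaluating the conditions.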

Recommended books (no commercial relationship)


After at least 160 days of study, I think you can get started with web security; the rest you have to explore on your own. I hope this article can help you.

Finally, if you need the e-books, you can get them in the comment area~ I will post them one by one


Source: blog.csdn.net/xv7676/article/details/130969960