Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • wop@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I am hosting multiple services, but my application/web security knowledge is lacking. Is there a guide or framework to check for common or risky mistakes? Is there a list of things I should check every application for, or guide on how to harden hosted applications? That is a topic that I am going to tackle in the near future, and would appreciate some tips in advance.

    • ComradeKhoumrag@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      There’s a browser extension you can use by owasp, I think it’s “Penetration Tool Kit” or ptk

      I stopped using it because it was slow (being a browser extension and all) but I do like how easy it was to use while needing to be logged in or get past captchas

      Owasp zap is good for reconnaissance scanning

      I really like burp suite for reverse engineering a web app. You can use the proxy to intercept http packets and see what every change illicits

    • unashamedgeek@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      OWASP is arguably the standard for web application assessments. They cover most of the areas and testing guidance. Burp Suite web academy offers labs that cover many web application security issues. For secure coding, you’d need to look for references aligned with your language of choice.