Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
Build a home hacker lab using SecGen
Tool
SecGen creates vulnerable virtual machines, lab environments, and hacking challenges, so students can learn security penetration testing techniques. Boxes like Metasploitable2 are always the same, this project uses Vagrant, Puppet, and Ruby to create randomly vulnerable virtual machines that can be used for learning or for hosting CTF events.
Give TryHackMe a go
TryHackMe
TryHackMe goes way beyond textbooks and focuses on fun interactive lessons that make you put theory into practice. You'll get an immersive learning experience with network simulations, intentionally vulnerable technology based on real world examples and more.
12 factor apps
Play the Citadel Programming Lab from CyBOK
The Citadel Programming Lab is an online virtual secure coding game-based computer lab. The Lab combines a tower defence game with 6 security programming tasks. The lab is based on a serious game approach to join learning and playfulness. The lab’s platform combines a Unity game linked with a coding environment based on an instance of GitLab. The game elements and coding exercises are linked to CyBOK, the Cybersecurity Body of Knowledge, to map its cybersecurity content.
Read the CyBOK Web & Mobile Security Knowledge Area introduction
CyBOK Introduction
The Cyber Security Body Of Knowledge is a comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector. The CyBOK project aims to bring cyber security into line with the more established sciences by distilling knowledge from major internationally-recognised experts to form a Cyber Security Body of Knowledge that will provide much-needed foundations for this emerging topic. The project, funded by the National Cyber Security Programme, is led by the University of Bristol's Professor Awais Rashid, along with other leading cyber security experts - including Professor Andrew Martin, Professor Steve Schneider, Dr Yulia Cherdantseva, Dr Rod Chapman and Dr Marina Krotofil.
Read the OWASP Application Security Verification Standard (ASVS)
The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. This standard can be used to establish a level of confidence in the security of Web applications.
Read the OWASP Top 10
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Setup a web service behind an nginx reverse proxy
nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers.
Try out bWAPP
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web vulnerabilities! It covers all major known web bugs, including all risks from the OWASP Top 10 project. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It can also be installed with WAMP or XAMPP. Another possibility is to download the bee-box, a custom Linux VM pre-installed with bWAPP.
Try out OWASP Mutillidae II
OWASP Mutillidae II is a free, open-source, deliberately vulnerable web application providing a target for web-security training. With dozens of vulnerabilities and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets.
Try The Backdoor Factory (BDF)
The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.
Try web scraping using scrapy
Scrapy is an open source and collaborative framework for extracting the data you need from websites. In a fast, simple, yet extensible way.
Use Frida
Frida is a dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Inject your own scripts into black box processes. Hook any function, spy on crypto APIs or trace private application code, no source code needed. Edit, hit save, and instantly see the results. All without compilation steps or program restarts.
Watch Maddie Stone's talk, Bad Binder: Finding an Android In The Wild 0day
Bad Binder talk
Maddie Stone is a security researcher on Google Project Zero.
Work through the pwn.college labs
pwn.college is an education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion.