Best resources to learn web security attacks?

OWASP has a couple of very interesting resources of this kind:

  • Hacme Bank: a banking application built with some vulnerabilities for you to find and try to exploit.
  • The WebGoat Project: a web application with several vulnerabilities. Every possible attack is explained in a specific lesson, so that you can concentrate on one technique at a time.

I suggest you start by developing dynamic websites that involve a database, using HTML/CSS, a client side programming language (like JavaScript), and a dynamic language (PHP is a popular choice). To fully understand web security attacks, you need first to get familiar with the client/server architecture, and the way a dynamic language interacts with a database to retrieve/insert/modify data.

Once you grasp the basics of dynamic web development, you can start learning about attacks. The OWASP Guide Project is a great resource and a reference for experienced web penetration testers as well as newcomers. For hands-on training, just google for a vulnerable web application and you'll find many deliberately vulnerable apps to safely and legally practice against. DVWA is a good starting point.

The next step is learning about tools. I advise you not to use these until you fully understand the different attacks (XSS, SQLi, CSRF, RFI/LFI, XST, etc.) and how to manually perform them. For a concise list of open source tools to use when assessing a web application, you can check this previous answer of mine.
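The answer above stresses understanding how a dynamic language hands user input to a database before touching any tool. The following is an added illustration, not code from the answer or from any of the projects it names: it uses Python's built-in sqlite3 module as a stand-in for the PHP-plus-database setup the answer describes, with a constructed two-row `users` table, and shows the same login lookup written once with string concatenation (the SQL injection bug WebGoat and DVWA teach) and once with a parameterised query. The helper names (`make_db`, `login_vulnerable`, `login_safe`, `demo`) and the sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for a real application's user table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Build the SQL text by concatenation: the input becomes part of the query syntax.

    This is the defect the lessons in WebGoat/DVWA are built around; it is here
    only to contrast with the safe version below.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    """Run both variants on a legitimate login and on a classic tampered input.

    The tampered value turns the concatenated WHERE clause into a condition
    that is true for every row, so the vulnerable variant returns all users;
    the parameterised variant treats it as an ordinary (non-matching) string.
    """
    conn = make_db()
    tampered = "' OR '1'='1"  # constructed input, used only to show the difference
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "tampered_vulnerable": login_vulnerable(conn, tampered, tampered),
        "tampered_safe": login_safe(conn, tampered, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it prints one line per case; the point to take away is that the only difference between the two functions is whether the database driver or the application code is responsible for separating SQL syntax from user data, which is exactly the client/server and database interaction the answer says to study first.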


SANS has a Web Penetration Testing and Ethical Hacking: Capture the Flag class you might be interested in, at https://www.sans.org/security-training/web-penetration-testing-ethical-hacking-capture-flag-day-6-13632-cid

There are some capture the flag sites that you might learn from:

  • http://hax.tor.hu/
  • https://pwn0.com/
  • http://www.smashthestack.org/
  • http://www.hellboundhackers.org/
  • http://www.overthewire.org/wargames/
  • http://counterhack.net/Counter_Hack/Challenges.html
  • http://www.hackthissite.org/

A larger list can be found at http://captf.com/practice-ctf/