Learn Web Penetration Testing The Right Way - morphics
https://www.pentesterlab.com/

======
qpleple
> Do you accept donations?

> Sure, you can make a donation to louis@pentesterlab.com using Paypal. If you
> don't like Paypal just send a donation to any charity and email me so I will
> feel good about it ;)

I like this state of mind.

~~~
rubinelli
Don't say you accept donations over Paypal unless you are a registered
non-profit organization. This is one of the most common reasons why accounts get
frozen.

(EDIT: I re-checked, and it seems plenty of people receive donations with
Paypal without a hitch... until they reach a certain threshold and get locked
out.)

~~~
saurik
You would be surprised at how many people claim to be accepting "donations"
but then are really selling things (while carefully avoiding the word "sell"
for whatever reason, such as to not have to collect and file sales tax or not
claim income): "donate $5 and I'll send you a copy of my software / give you
access to my website / send you a free gift", for example. This is the real
reason so many accounts get frozen with relation to donations, not quantity.

(That said, you should make it clear to your contributors that their
"donation" is not a charitable contribution from a tax perspective, which many
people might fail to realize if you use the word "donate"; but, in my direct
experience from getting my account temporarily limited, if you get dinged on
this one it is easy enough to talk to PayPal, find out what happened, and get
everything up again in a couple hours after working out better wording with
them.)

------
a1a
I like it, looks great. But I would like to see your
education/certification/experience presented on the website. I would say that
is kind of mandatory when saying you teach "The Right Way" of something.

~~~
snyff
Yes, sorry for that, it may be a bit presumptuous. I tried "The Worst Way"; it
didn't work as much ;)

Joke aside, most training/material I saw gives too much information or not
enough. I tried to find the right balance to help people understand (giving a
lot of information) and remember things (working hard to learn stuff).

Most other training is also pretty expensive: I tried to do a cheap version and
ended up providing the exercises for free. A lot of universities don't have
the resources to provide good quality/up-to-date training; I hope students
will be able to learn from my exercises...

Most other training is backed up by certifications: I tried to do something
where people just learn stuff because they are interested in it and want to
get better, not teaching them "just what they need to pass the cert..."

Regarding my background: one engineering degree in IT architecture, one master's
in Security (both done in France). A few years of sysadmin at school and
teaching web stuff (mostly PHP, to pay for stuff). 3 years working in France as
a security consultant, where I also gave a few trainings and talks. And the same
thing for 4 years in Australia. I don't put that online because I didn't think
it was relevant :/

Finally, marketing is hard and I needed something catchy ;)

~~~
a1a
I see! Well, since you have a really proper background, it doesn't bother me
that you used such a phrase.

For all I knew, you were a high school kid who had just read some books and
thought he now knew all there is to know. ;)

------
_mpf
Great initiative. It would be nice to have some more info on your site about who you
(they) are. I think many people aren't going to download and execute data from an
unknown person/organisation.

~~~
wyck
His name is listed in the PDFs and on his Twitter, <https://twitter.com/snyff>

~~~
_mpf
Thanks. I didn't dig that far ;)

------
darxius
Very cool stuff. However, I think you might get more people to use it if
everything was web-based (instead of having to download the .iso).

~~~
snyff
Yes, good point. However, it's a bit harder to maintain a working architecture
while giving a shell to everyone on the Internet ;)

~~~
qu4z-2
Good answer.

------
robmil
For anyone who's after a book: I've found Dafydd Stuttard and Marcus Pinto's
"The Web Application Hacker's Handbook" to be invaluable.

------
shicky
Slightly off-topic, but I figure what the hell, I may as well ask. I am two years out of
university (comp sci), working as support/development in investment banks
(indeed the work is destroying my soul). I've spent quite a bit of time
looking into fields I may be interested in, such as security, i.e. why I'm going
to try your exercises.

My question is, this area seems quite niche, so how does the average person work
out if they're suited to this? Furthermore, are there obvious prerequisites to
working out whether you will enjoy certain areas? I.e. I do not feel very good
at programming; therefore, is it strongly unlikely I would enjoy testing /
security?

I realise this isn't the right place so feel free to ignore me :)

I can't seem to find the right place :( !

~~~
snyff
I think you can be suited for everything. IT Security is a really big domain;
depending on your skills and what you like, you can land different jobs. If
you are a person who likes to calmly deep dive into problems, you may be
interested in security code review; if you're more into quickly understanding how
things work and trying to abuse the default behaviour, you can work in pentest.
IT sec is a huge field. Just start learning and you will see what you like...
There is no "suited for this", even if being curious and working hard help a lot
;)

Feel free to email me (my email is on the exercises' front page), if you need
to talk about this ;)

~~~
shicky
Very much appreciate the reply and thank you for the kind offer of e-mail.
Hopefully I'll find time to try your course, e-mail you some feedback and
perhaps pick your brain :)

Again OT, but you said you taught PHP; where and how did you get into this?

Hope this takes off for you mate, best of luck!

~~~
snyff
I just did that at school; they needed someone to teach and I got lucky and got
selected to do it :)

Thanks ;)

------
david_shaw
Looks interesting. I have a couple new engineers joining our appsec team soon,
so I'll give this a shot as part of our training package.

It certainly looks a step above the "standard" tools of reading documentation
and trying lessons learned on things like WebGoat and Gruyere.

There's no substitute for experience and guidance, but this seems like it
might be the next best thing. Thanks!

------
mooneater
Some corporate clients are asking for pentest results from "a reputable
pentest organization". Anyone on this thread have advice as to how I can
satisfy them without breaking my startup bank?

~~~
snyff
You can try bugcrowd. They won't qualify as "a reputable pentest
organization" _yet_, but they will get stuff done and you can then argue that
you had a few hundred hackers attacking your app.

Maybe you can talk to one of these "reputable pentest organizations" and get
them to drop the price if they can blog about or use your startup as a showcase for
other potential clients. Pentest companies have a hard time advertising their
services (it's a "lemon market"), so everyone could win in that deal.