
So You Want To Be A Breaker, Part 1: Web Security - daeken
http://daeken.com/2013-03-17_So_You_Want_To_Be_A_Breaker__Pt__1__Web_Security.html
======
tptacek
If this stuff fascinates you _and_ you're a solid software developer _and_
you'd be interested in having this be your full-time job for awhile _and_
you're willing to sink a little bit of your own time into ramping up, give us
a ping. We'll help you get there.

This page has a lot of info on how we recruit. We're getting pretty good at
turning systems programmers into breakers, and we love hiring from HN:

<http://www.matasano.com/careers/>

The great thing about this field is that it's always changing. A long-term dev
job gives you a chance to master two or three different technology stacks.
Your next three projects at an appsec shop might each be just two weeks apart,
and each will use radically different technologies. Even (maybe even
especially) with web software.

You could join one startup... or spend a couple years beating up all of the
startups.

Also: I understand why Cody didn't write it this way, but the reality is, if
you're going to test web apps, Burp is the standard tool. You can use things
like mitmproxy or even WebScarab, but most people end up in Burp. Burp is also
extremely valuable for testing even if you're not doing appsec full-time.

~~~
tptacek
Oh, hey! And if you'd like to learn to break crypto at the same time as you
work through Cody's web recommendations --- even if you don't want to be an
appsec person --- mail sean at matasano dot com. He's got a pretty kick-ass
set of ~40 crypto-breaking exercises. Something like 200 people have started
them over the past 6 months; only a few people have made it through the end.

(They aren't deliberately hard; they just cover a lot of ground --- you're
starting with basic substitution ciphers and ending with RSA signature block
forgeries).

I helped design them, and I'm really happy with how they came out. They're
neat. You should see how many sets you can get through.

I hope it goes without saying that if you crush Sean's crypto challenges for
fun _and_ are interested in being a full-time appsec person, you will have our
full and undivided attention. :)

~~~
jcr
As one of the 200 incompletes mentioned, I gotta say Sean Devlin at Matasano
is top notch. The puzzles are fun, possibly too much fun. It's easy to wander
off into the weeds and spend a lot of time thinking through and testing the
non-puzzle implications. I hope to get through the puzzles eventually, but I'm
terribly slow and it will take me a very long time. Even if you're a sec-idiot
like me, the puzzles are a wonderful way to spend time learning.

~~~
tptacek
\o/

~~~
switch33
Any idea why he's doing this stuff only primarily by e-mail? It'd be great if
this stuff was online like in a blog or whatnot.

I'd like to take the time and look over the crypto challenges.

~~~
tptacek
We want to actually teach people how to do stuff, instead of giving people
something they can toss around in message board and twitter arguments; we also
want to track (in a macro sense) how people do with them, and to be able to
tell people when we add more challenges (I'm working on 42-48 next week).

~~~
losvedir
This sounds like an amazing win-win scenario you've got here. People can have
fun and learn more about security and cryptography, and you guys get a channel
from which to hire the best and brightest.

I sent Sean an email. Even if I'm not in that latter category, it still sounds
like a great chance to learn a little something about a field which
intimidates but interests me.

------
jfolkins
Tutorial I wrote on how to set up Burp using OS X.

<http://www.acloudtree.com/how-to-configure-burp-and-chrome-for-https-ssl-packet-inspection-and-web-site-debugging-on-mac-osx/>

~~~
rdl
I've always preferred keeping all that stuff in a VM (usually linux).

~~~
daeken
I have a Windows VM that's snapshotted with all of my favorite tools. When I
need to test something, I do so and then roll back. No mess, no
cross-pollination of tests.

~~~
rdl
Yeah, I do the same thing with snapshots (and in some cases you're supposed to
do work only on client/government-provided equipment, so moving a VM over is
helpful).

------
Slimbo
This guide is exactly what I've been looking for, thanks Cody. Been on the
receiving end of some very talented pentesters, and really want to learn more
about how on earth they find the things they do.

Want to make sure I catch your future editions, do you have anything I can
sign up for notification? Can't find an RSS feed on your blog.

~~~
Serplat
I second the need for an RSS feed. I was actually a bit surprised when I
couldn't find one.

~~~
daeken
It's something I thought about for a while and just decided it wasn't worth
it. I just switched away from Posterous (cf.
<https://news.ycombinator.com/item?id=5388857>) and when I was building the
new blog, I looked at my RSS subscribers and realized only 15 people actually
use it. Just wasn't worth building.

~~~
bigiain
FWIW, it looks like I'm at least the 3rd person today who would have added
your RSS feed if it existed...

~~~
defrndr
And I'll be the 4th.

~~~
amhindle
And my axe!

And the 5th

------
jbackus
No LFI/RFI mention?
<http://en.wikipedia.org/wiki/File_inclusion_vulnerability>

------
Fa773NM0nK
Great List.

From now on, every time I write web code I'll use this as a check list!

------
edem
So the official term for this kind of occupation is "breaker"?

~~~
daeken
Security consultant, pentester, breaker. I prefer the latter.

------
pgambling
Is "Breaker" in the title a Dark Tower reference?

~~~
daeken
No, but "So You Want To Be A ..." is a reference to
<http://en.wikipedia.org/wiki/Quest_for_Glory:_So_You_Want_to_Be_a_Hero>

------
passfree
Or you can forget this java madness and go with Websecurify Suite
(<https://suite.websecurify.com>). It works from the browser and it is a lot
faster.

~~~
tptacek
I tried to see what this was and kept getting asked to sign into Google; I saw
a page that mentioned "Subscriptions" and "Google Wallet", and thought to
myself, "this is probably not going to talk me out of Burp Suite".

I don't like Java applications any more than you do, but it happens that the
best web testing application is built in Java; I'm not going to not use it out
of pique.

~~~
nbpoole
Hmm, a majority of passfree's account's submissions (20/25) appear to be for
websecurify.com. Combined with the dismissal of Burp as "java madness," it seems
like a sockpuppet on behalf of the company.

~~~
daeken
Every one of them is either about it or a link to the site itself.

