Last week (5-8 August) I attended a training provided by Condition Zebra. The training basically shows you how to use pentest tools to find vulnerabilities in a website. Here is my review of this course.
In this post I will cover a few things to highlight about the training provided.
- Prerequisite requirements to enter the course.
- Material provided
- How training was conducted
In the training, I think most of the participants came from different backgrounds and different companies. BUT I feel that the candidate must be a programmer and at least have knowledge and experience developing 3 websites in order to understand most of the topics in the training. Because the topics are about finding vulnerabilities and the title says Advanced, if you are not a developer and you are not developing the website, how can you find the vulnerabilities?
For example, to find SQL injection in a website you need to know how the value is passed to the server to generate the SQL syntax, and that because the value is not sanitized properly, the SQL syntax generated is altered based on the value passed from the form or the parameters.
Now think about this statement. How can a non-developer understand this statement? Impossible, right? They don't even know what SQL syntax is and how to write and execute it in programming. So I would suggest only developers attend this training, with experience developing at least 3 websites.
The 3 websites because basically the first time a developer builds a website, they may not care about secure coding; they just focus on the output.
The second time they might have learned from the first experience and try to avoid mistakes and follow some best practices to have secure coding practices.
By the third website they have become experienced already. So some best practices they already follow and apply in coding, hence this experience and knowledge are required in order to understand this training easily. (*That is my thought.)
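The SQL injection point made above (the form value becomes part of the generated SQL syntax when it is not sanitized) is easiest to see side by side with the fix. The following is an added example written for this post, not code from the training or from Condition Zebra; it uses Python's built-in sqlite3 module with an in-memory database, and the table, user names and passwords are constructed sample data.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the training).
SAMPLE_USERS = [("alice", "alice-pw"), ("bob", "bob-pw")]


def build_db():
    """Create an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def render_vulnerable_sql(username, password):
    """Build the query the way the vulnerable code does: by pasting the raw
    form values straight into the SQL text. Returned as a string so the
    reader can see how the generated syntax changes with the input."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username, password):
    """Vulnerable login: the form values become part of the SQL syntax."""
    sql = render_vulnerable_sql(username, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Hardened login: a parameterised query. The SQL syntax is fixed and the
    driver passes the values as data, so a quote inside the input cannot
    change the WHERE clause."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = build_db()
    # A normal login behaves the same in both versions.
    print(login_vulnerable(db, "alice", "alice-pw"), login_safe(db, "alice", "alice-pw"))
    # An input containing a quote alters the generated syntax in the vulnerable
    # version (a tautology ends up in the WHERE clause) but not in the safe one.
    crafted = "' OR '1'='1"
    print(render_vulnerable_sql("nobody", crafted))
    print(login_vulnerable(db, "nobody", crafted))  # every user matches
    print(login_safe(db, "nobody", crafted))        # no user matches
```

Printing `render_vulnerable_sql` is the part worth studying: the WHERE clause the developer wrote and the WHERE clause the database actually receives are different statements, which is exactly what a developer with a few websites behind them will recognise, and why the defence is to keep the query text fixed and hand values to the driver as parameters.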
Condition Zebra provides all the materials needed for the training. They give one book for reference and also a target host to test and find the vulnerabilities in. Overall, the materials given are enough to practice the pentest tools. They also provide one VM with Kali Linux installed, so you don't need to bring your laptop and configure it to use the pentest tools. BUT I would suggest you bring a thumb drive or external hard disk to copy the Kali VM, so that after the training you already have a configured Kali VM image. You can install it on your laptop or desktop for further practice.
How Training Was Conducted.
From day 1 to day 4, the training was conducted by only one trainer, so you don't get confused; sometimes if the trainer changes, one trainer teaches one way and another teaches a different way even though the topics are the same. Basically the trainer goes through the topics one by one as he/she has prepared them. The trainer gives examples of how to identify the vulnerabilities and how to defend against hackers.
Most of the vulnerabilities are found using tools and also the manual way. The manual way can be done by checking the cvedetails website. Some of the bugs/vulnerabilities have a reference website with step-by-step instructions to reproduce the vulnerability. So this reference site might help hackers do a POC on our website. That is why it is important that we always maintain the website's security & patches.
I would also recommend doing a security check before the website goes live.
Training runs from 9 AM - 5 PM, so you need to be prepared for a lot of information to digest in one day. Most of the topics cover:
- understand the vulnerabilities,
- how to find vulnerabilities in a website using tools or the manual way,
- and how to defend against the vulnerabilities
Day 4 is actually a half-day training or Q&A before we sit the examination at 2 PM. The exam is 2 and a half hours. You will be given one target host (different from the training) and 8 questions. The 8 questions give you 80% of the marks, and you need to find another 4 vulnerabilities to complete the additional 20%. Each additional vulnerability is worth 5%. The passing mark is 70%. To be honest, the exam is not straightforward to answer; you need to know how to find vulnerabilities using tools and also the manual way, because automated tools are sometimes not able to find hidden things like hard-coded comments in the HTML source.
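Two points above go together: the recommendation to run a security check before a website goes live, and the observation that automated tools can miss hard-coded comments left in the HTML source. A small pre-go-live check for exactly that is shown below. It is an added example written for this post, not a tool from the training or from Condition Zebra; it uses only Python's standard library `html.parser`, the sample page is constructed for the demonstration, and the keyword list is my own assumption about what marks a comment worth a human look.

```python
from html.parser import HTMLParser

# Keywords that commonly mark a comment worth reviewing before go-live.
# This list is an assumption for the example, not a standard.
SUSPICIOUS_WORDS = (
    "todo", "fixme", "debug", "password", "passwd", "admin", "credential", "remove",
)

# Constructed sample page for this demonstration (not a real site).
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
  <title>Shop</title>
  <!-- TODO: remove debug login endpoint before release -->
</head>
<body>
  <!-- legacy admin panel still reachable at /old-admin, password unchanged -->
  <p>Welcome to the shop.</p>
  <!-- Copyright 2019 -->
</body>
</html>
"""


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # Called once per HTML comment; keep the text without the delimiters.
        self.comments.append(data.strip())


def find_comments(html):
    """Return all HTML comments in the page, in document order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flag_suspicious(comments, words=SUSPICIOUS_WORDS):
    """Return only the comments that contain at least one keyword
    (case-insensitive). Everything else is left for a manual skim."""
    return [c for c in comments if any(w in c.lower() for w in words)]


if __name__ == "__main__":
    found = find_comments(SAMPLE_HTML)
    print(f"{len(found)} comment(s) found in page")
    for comment in flag_suspicious(found):
        print("REVIEW:", comment)
```

In practice you would feed it the HTML of each page as served (not the template source, since server-side templating can add or strip comments), and read the full `find_comments` output rather than only the flagged lines, because the keyword filter is there to prioritise, not to decide. Comments inside inline JavaScript (`//` and `/* */`) are not HTML comments and are not caught by this parser.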
Here are the tips I can share.
- Understand Top 10 vulnerabilities from OWASP
- Don't just memorise step-by-step how to use the tools. You need to understand the vulnerabilities; only then can you find a way to prove them using the tools.
- The topics can sometimes be hard to understand. Don't panic. Take notes and practice at home.
- Ask your friends if you get confused. Don't assume something you are not sure about. Raise your hand and ask the teacher.
- If after the teacher's explanation you still don't understand, then try asking another friend who can explain it to you in a different way. Sometimes the explanation is what matters. Different people explain in different ways but the basics stay the same. Remember, understanding the vulnerabilities is more important than knowing how to use the tools.
Participants of the training. (TIME dotCom Berhad, Maxis Broadband Sdn Bhd, Kumpulan Semesta Sdn Bhd, Total Reach Marketing Sdn Bhd & Network Transit Asia Sdn Bhd)
Link : https://www.condition-zebra.com/main/advance-web-hacking-defense-training-5-8-august-2019/
To enquire about this training, you can contact Mamady - 0104379218