Last week (5-8 August) I attended a training course provided by Condition Zebra. The training basically shows you how to use pentest tools to find vulnerabilities in a website. Here is my review of this course.
For this post, I will cover a few things to highlight in the training provided.
- Prerequisite requirements to enter the course.
- Material provided
- How training was conducted
During the training, I think most of the participants came from different backgrounds and different companies. But I feel that a candidate must be a programmer with the knowledge and experience of developing at least 3 websites in order to understand most of the topics in the training. The topic is finding vulnerabilities and the title says Advanced, so if you are not a developer and have never developed a website, how can you find the vulnerabilities?
For example, to find SQL injection in a website, you need to know how the value passed to the server is used to generate the SQL statement; because the value is not sanitized properly, the generated SQL statement is altered based on the value passed from the form or parameters.
Now think about this statement. How can a non-developer understand it? Impossible, right? They don’t even know what SQL syntax is or how to write and execute it in a program. So I would suggest that only developers with experience of developing at least 3 websites attend this training.
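As an added illustration of the statement above (example code written for this review, not from the Condition Zebra material), the following Python script builds a login query the unsafe way and the parameterized way against a constructed in-memory SQLite table, so you can see how an unsanitized value changes the generated statement and how the fix prevents it.

```python
import sqlite3

# Constructed in-memory table so the example runs offline.
# Passwords are stored in plain text only to keep the example short;
# a real system stores password hashes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'secret-1'), ('bob', 'secret-2')")
conn.commit()


def build_query_unsafe(username, password):
    """Builds the SQL string the way a first-version login form often does:
    the form values are pasted straight into the statement."""
    return (f"SELECT username FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_unsafe(username, password):
    # The structure of the statement now depends on what the user typed.
    rows = conn.execute(build_query_unsafe(username, password)).fetchall()
    return [r[0] for r in rows]


def login_safe(username, password):
    """Hardened form: the statement text is fixed and the values travel as
    bound parameters, so the database never parses user input as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    good = ("alice", "secret-1")
    # A password value containing a quote changes the generated statement.
    odd = ("alice", "x' OR '1'='1")
    print(build_query_unsafe(*odd))
    print("unsafe, valid credentials:", login_unsafe(*good))
    print("unsafe, quoted value:     ", login_unsafe(*odd))
    print("safe, quoted value:       ", login_safe(*odd))
```

Print the unsafe query string and compare it with the fixed statement in login_safe: the quote in the value closes the string literal and the rest of the input becomes part of the WHERE clause.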
Why 3 websites? Basically, the first time a developer builds a website, they may not care about secure coding; they just focus on the output.
The second time, they have learned from their first experience and try to avoid mistakes and follow some best practices for secure coding.
By the third website, they are already experienced. Some best practices are already followed and applied in their coding, and this experience and knowledge are required to understand this training easily. (That is my thought.)
Condition Zebra provides all the materials needed for the training. They give one book for reference and also a target host to test and find vulnerabilities on. Overall, the material given is enough to practice the pentest tools. They also provide one VM with Kali Linux installed, so you don’t need to bring your own laptop and configure it to use the pentest tools. But I would suggest you bring a thumb drive or external hard disk to copy the Kali VM, so that after the training you already have a configured Kali VM image. You can install it on your laptop or desktop for further practice.
How Training Was Conducted.
From day 1 to day 4, the training was conducted by only one trainer, so you don’t get confused; when the trainer changes, one trainer teaches one way and another may teach a different way even though the topics are the same. Basically, the trainer goes one by one through the topics he/she has prepared. The trainer gives examples of how to identify vulnerabilities and how to defend against them.
Most of the vulnerabilities are found using tools, but also manually. For the manual way, you can check the Cvedetails website. Some of the bugs/vulnerabilities have reference websites with step-by-step instructions to reproduce them. Such reference sites might help hackers do a PoC against our website, so it is important that we always maintain website security and patches.
I would also recommend doing a security check before the website goes live.
Training runs from 9 AM to 5 PM, so be prepared for a lot of information to digest in one day. Most of the topics cover:
- understanding the vulnerabilities,
- how to find vulnerabilities in a website using tools or manually,
- and how to defend against the vulnerabilities.
Day 4 is actually half-day training or Q&A before we sit the examination at 2 PM. The exam is 2 and a half hours. You will be given one target host (different from the training one) and 8 questions. The 8 questions give you 80% of the marks, and you need to find another 4 vulnerabilities for the additional 20%; each additional vulnerability is worth 5%. The passing mark is 70%. To be honest, the exam is not straightforward: you need to know how to find vulnerabilities using tools and also manually, because automated tools sometimes are not able to find hidden things like hard-coded comments in the HTML source.
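As an added example (not part of the course material), here is a small Python check for the kind of hard-coded HTML comments mentioned above, the sort of thing a pre-go-live review can catch even when a scanner does not; the sample page, its hostname and the flag words are constructed for this illustration.

```python
from html.parser import HTMLParser

# Constructed sample page standing in for the HTML source of a target host.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Login</title></head>
<body>
<!-- TODO: remove test account before go-live -->
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<!-- db host: db01.internal (legacy) -->
<script>// not an HTML comment, the parser reports it as script data</script>
<!-- footer starts -->
</body></html>
"""


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment together with its line number."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def find_html_comments(html):
    """Returns [(line_number, comment_text), ...] for the whole page."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


# Words that make a comment worth a manual look during a pre-go-live check
# (constructed list; extend it for your own environment).
FLAG_WORDS = ("todo", "password", "account", "internal", "host", "debug", "test")


def flag_comments(html):
    """Keeps only the comments that mention one of FLAG_WORDS."""
    return [(line, text) for line, text in find_html_comments(html)
            if any(word in text.lower() for word in FLAG_WORDS)]


if __name__ == "__main__":
    for line, text in flag_comments(SAMPLE_HTML):
        print(f"line {line}: {text}")
```

Feed it the saved source of each page (for example what the browser’s view-source shows) rather than the rendered DOM, since comments never appear in the rendered page.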
Here are the tips I can share:
- Understand the Top 10 vulnerabilities from OWASP
- Don’t just memorise the step-by-step use of the tools. You need to understand the vulnerabilities; only then can you find a way to prove them using the tools.
- The topics sometimes can be hard to understand. Don’t panic. Take note and practice it at home.
- Ask your friend if you get confused. Don’t assume something that you are not sure about. Raise your hand and ask the teacher.
- If after the teacher’s explanation you still don’t understand, try asking other friends who can explain it in a different way. Sometimes the explanation matters: different people explain in different ways, but the basics are still the same. Remember, understanding the vulnerabilities is more important than knowing how to use the tools.
Participants of the training: TIME dotCom Berhad, Maxis Broadband Sdn Bhd, Kumpulan Semesta Sdn Bhd, Total Reach Marketing Sdn Bhd & Network Transit Asia Sdn Bhd.