(from Robert Portvliet)
Here's a list of some (SQL Injection) resources I had put together. A good portion of it is probably covered in the Phoenix OWASP list, but here it is anyway:
Vulnerable WebApps:
GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
MOTH - http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Web App - http://www.dvwa.co.uk/
Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Hacme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Hacme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Hacme Shipping - http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Hacme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Videos & webcasts:
OWASP AppSec NYC 2008 - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Caught in the web series - http://www.coresecurity.com/content/ondemand-caught
Invasion of the browser snatchers series - http://www.coresecurity.com/content/on-demand-snatchers
Advanced SQL injection - http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection
Websec 101 - http://www.foundstone.com/us/websec101.asp
Hacme Bank & Hacme Travel videos - http://www.foundstone.com/us/resources-videos.asp
Tools:
Samurai Web Testing Framework (Live CD which contains most tools needed to perform a web assessment) - http://samurai.inguardians.com
Methodologies:
OWASP Testing Guide - http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Cheat Sheets:
SQL Injection Cheat Sheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet
SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/
SQL Injection Cheat Sheets sorted by DB - http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1
XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html
Web App Assessment Cheat Sheet - http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf
Books:
The Web Application Hacker's Handbook - http://portswigger.net/wahh/
Whitepapers & slides:
OWASP article on Web application penetration testing - http://www.owasp.org/index.php/Web_Application_Penetration_Testing
Advanced SQL injection - http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
Best of web application penetration testing tools - http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf
(The next two papers are a little old, but still quite useful)
Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
(More) Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
An even more detailed version of this list can be found at http://www.owasp.org/index.php/Phoenix/Tools