Author Archives: Ma5t3rX

Picking the short straw…aka WebGoat.

One of the assignments that the rookies got was to go through the various broken web applications, such as WebGoat, WebMaven, Hacme Casino, Hacme Bank, and Hacme Books, and complete them. While we worked through our various tasks we were to thoroughly document the steps, take screen captures, and ensure that all the steps necessary to exploit these applications were shown. Joe had asked for volunteers, so I stepped up and picked WebGoat.

Prior to Joe handing out this task I had worked with WebGoat for about 15 minutes and I really liked it, which is why I chose it. What I did not realize at the time was the scope of WebGoat and just how large it was. Unlike broken web applications like WebMaven, WebGoat covers a lot of content, including SQL injection, XSS, session cookie manipulation, hidden form fields, and fail-open authentication, just to name a few. WebGoat covers all of this in somewhere around 30 lessons.

Being able to get the WebGoat work done in a timely manner is very important to Joe, and working on WebGoat was going to be a learning experience. In typical Joe fashion I got my deadline for this project: he wanted it done in two days, which in fact is better than his usual "I need this yesterday." I started working on this project having no real experience with any of the covered concepts. After two very long days the report ballooned to over 45 pages of documentation outlining the steps. I wound up having to call in some help on a few of the lessons due to issues with WebScarab not working for me, but we pulled it off.

After completing this task I was, one, tired; two, sick of seeing WebGoat; and three, pretty well educated on the low-level, fundamental hacks on web applications. While I do not think I could hack a website, there is significant value in understanding the lessons contained in WebGoat. I will also say that, while I tried as much as possible to avoid the built-in documentation, WebGoat has a very comprehensive built-in documentation guide for any beginners looking to learn these concepts. I have to say that the developers of this OWASP project did a fantastic job of building a system that can teach you how to hack web applications and, more importantly, how to help secure them through understanding. I would encourage anyone looking to get into the infosec career field to check out WebGoat.

Sources:
OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Maven Security WebMaven – http://www.mavensecurity.com/WebMaven/
McAfee Hacme Casino – http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx/
McAfee Hacme Books – http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
McAfee Hacme Bank – http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx/

The Path to Infosec

By: Edward Valenzuela
02/08/12

Information technology has always been an area of study that I have enjoyed. I have jumped around a bit with my college coursework, from network administration for my Associate's degree, to programming for my Bachelor's degree, and I finally settled on information security and assurance for my Master's degree.

Right before I decided to continue my education with my Master's degree I started to get into infosec pretty heavily, reading and watching a lot of videos, understanding the concepts but not really knowing much. Most of the videos that I watched were DEFCON talks. Jeff "The Dark Tangent" Moss' CiscoGate talk (DEFCON 15, 2007), Renderman's "How Can I Pwn Thee? Let Me Count the Ways" (DEFCON 16, 2008), Iftach Ian Amit's "Down the Rabbit Hole: Uncovering a Criminal Server" (DEFCON 17, 2009), and Joseph McCray's "You Spent All That Money And You Still Got Owned…" (DEFCON 19, 2010) really stood out, mostly because of the entertainment value in their talks. (By no means is this some kind of plug for J0e; I firmly believe that this talk was one of the more entertaining ones.)

This is about the time that I hooked up with Joe McCray on LinkedIn and saw that he was putting on an online course called "Hackers Boot Camp." I had messaged Joe about it, gotten a response, and was just waiting for the class to come up so I could enroll. Then I noticed that he was accepting interns to work for him. Initially I thought, the guy's in Maryland and I'm in California, there is no way this is going to work. So I had the first phone call and was really surprised that the internship would actually work out; there was no real need to meet at a physical location to participate, which was awesome.

The next step that I took was to hit up J0e and get some information, and let him know that I was in fact interested in joining as an intern. A few days went by, and I got my first e-mail from J0e, outlining the responsibilities of an intern, expectations, communication methods, and so on. Our first task was outlined: pretty easy Linux stuff, followed up with reading infosec blog posts and writing about a page on what we read as a demonstration of competency on our part. By no means did this prepare me for what I was getting myself into and the insane schedules that would follow.

After all of that we had our first scheduled Skype call, which was run by a few of the more senior guys on J0e's team. This is where we found out just how big this internship is and how difficult it is to manage. After J0e accepted the initial interns we had somewhere around 75 individuals. Now, I don't know if you have ever tried to have a Skype call with that many people, but there are two problems with this: first, you cannot have that many people on a Skype call (I think the limit is 50), and second, for some reason people do not know how to mute their microphones, which makes for a very problematic conversation. In short, disorganized chaos was in full effect.

About three weeks after receiving the initial e-mail from J0e we got tasked with our first assignment. We were tasked with compiling an open source intelligence (OSINT) report for a client. The true madness really begins here. This was tasked out to all 75+ interns via e-mail, and we were told to complete it as soon as possible. I tend to have this innate ability to pick the absolute most difficult task that exists, and this was no different. Not having much knowledge about doing an OSINT report, I went for something I felt I could contribute to the group: I volunteered to compile the report from the information gathered by all of the interns. This turned into a giant time-sink/nightmare for me. By the end of the second day I had dug through over 150 e-mails to compile the report, and when it was completed it sat right about 45 pages. This seems to be the norm for interning: getting an insanely large document done in a time-frame that, in normal circumstances, just would not happen. If you are looking forward to interning with J0e I would caution you: be prepared to get an e-mail at three in the morning telling you to get something done by tomorrow.

Sources (some of my favorite videos from Defcon.org):
Moss, J. (2007). CiscoGate. via Defcon.org
Renderman. (2008). How Can I Pwn Thee? Let Me Count the Ways. via Defcon.org
Amit, I. (2009). Down the Rabbit Hole: Uncovering a Criminal Server. via Defcon.org
McCray, J. You Spent All That Money And You Still Got Owned… via Defcon.org