Learning Path: Riding without training wheels 🚲

In this blog post, my goal is to share tips that, from my perspective, can significantly aid your learning journey in web security. These insights will serve not only as a starting point for your exploration into the subject but also as a means to continually uncover new and intriguing topics. Similarly, as you progress through your journey, you'll develop personalized methods of learning that suit your individual approach.

Introduction

In computer science, like many other fields, being self-taught is key. Essentially, you’ll need to harness the infinite possibilities of the internet to learn on your own. The internet can feel overwhelming initially, but it offers numerous possibilities once you explore its potential. Steering clear of all sorts of deceptive promises like ‘become a hacker in 20 days’ schemes peddled by opportunists. Similarly, one can become a proficient researcher without investing in costly courses or programs. To serve this purpose, this post shares my experiences and insights — resources I wish I had possessed when I first began. Before delving into the various sections, I’d like to highlight these introductory blogs by Jack Halon, offering a great starting point for this post.

• Beginners Quest - Introduction
• So You Want To Be a Pentester?

Furthermore, I highly recommend Stanford Web Security Class (Syllabus)(youtube).

Capture The Flag (CTF) competition

An essential aspect of security is balancing theoretical knowledge acquisition with practical application. Capture The Flags (CTF) competitions (What is a CTF?) stand out as one of the finest resources for simultaneous theoretical learning and practical application. I won’t delve extensively into this, but I highly recommend readers explore this further online (check the references for some of them). What I aim to emphasize in this subsection are resources specifically tailored to Web Security that I love. All of them free ;-)

• CTFTime: A centralized platform for tracking past, ongoing, and upcoming CTF competitions. Moreover, CTF competitions incorporate a rating system that assesses their difficulty level or the engaging nature of the challenges. CTF’s rated from 0 to 25 typically represent new events, beginner-friendly competitions, or those considered less engaging. On the other hand, challenges rated above 50 tend to be highly competitive and challenging, offering compelling and engaging experiences from players with a minimum level.

• Web Security Academy (PortSwigger): I risk to affirm that one of the most complete web-security platform.

• TryHackMe: Not limited to web. ‘Gamified lessons’ in different topics in Cyber.

• HackTheBox Not limited to web. Mostly focused in pentesting machines (e.g., boot2root).

• root-me Not limited to web. French based CTF platform. In my case, I started CTF’s in this platform.

• picoCTF: Not limited to web. Beginner’s CTF platform, by excellence.

• pwn.college: Focused in low-level concepts but with some sections focusing web. IMHO, one of the best platforms and learning path I have seen.

• CryptoHack: Crypto stuff.

• Bug Bounty Platforms challenges: Intigriti, BugCrowd, …

• OverTheWire: Not limited to web. One of the most historical platform.

Research Blogs & Security researchers

Research blogs serve as pivotal resources in Cybersecurity, encompassing both company research blogs and individual blogs authored by leading researchers in the field. In this section, I’ll highlight a few blogs that immediately spring to mind. Disclaimer, for sure, there are a plenty of them that I do not mention.

• PortSwigger Research Blog.
• Cure53.
• Chrome for Developers.
• Acunetix.
• Securitum.
• Sonar Source.
• Github Blog.
• NCC Group.
• Intigriti.
• Bugcrowd University.
• Almost any R&D Business in Security has a blog.

Another crucial aspect of cybersecurity involves following the right people. Specifically, following security researchers on Twitter (I refuse to call it the other way). In the following words, I’ll highlight some of the best (IMHO) researchers in our exciting field. Random list of security researchers: Huli, Orange tsai, text/plain, strellic Terjanq, Zeyu, Siunam, Kahla, Gareth Heyes, James Kettle, Ark, liveoverflow, Ankur Sundara, Michał Bentkowski, Kévin Mizu, Sirdarkcat, Ben Stock, Peter Snyder, Nick Nikiforakis, Alexandros Kapravelos, …

Conferences

Conferences, whether from industry or academia, serve as another invaluable source of knowledge. Most of the conferences publish the videos on Youtube after some months. Same as previous sections, I’ll mention a list of them:

• BlackHat.
• DEF CON.
• Chaos Computer Club (CCC).
• OffensiveCon.
• NullCon.
• M0lecon.
• DragonJAR.
• Ekoparty.
• NahamCon.
• No Hat.
• DefCamp.
• Usenix Security (Academic).
• NDSS Symposium (Academic).
• ACM CCS (Academic).
• IEEE Security&Privacy (Academic).
• TheWebConf WWW (Academic).
• PETS (Academic).
• Web Engines Hackfest.
• Ad-Filtering Dev Summit (AFDS).

Other resources

Videos / Podcasts

Another intriguing avenue for learning about cybersecurity topics is through security content creators. They’re not only beneficial for getting started in the field but also for staying updated on the latest concepts within it. In the following list I write some of really good youtube channels:

• CTFRadiooo
• Security Content Creators
• Critical Thinking - Bug Bounty Podcast
• LiveOverflow
• John Hammond
• CryptoCat
• …

Chromium bugs / Individual CVEs / Bug Bounty reports / CTF writeups

Reading software bugs blogs provide another really interesting way of improving yourself and learning. In our field, a few of these resources include the following:

• Chromium bugs.
• Individual CVEs (e.g., vulns in common libraries).
• Bug Bounty reports (e.g., HackerOne).
• Capture-The-Flag (CTF) Writeups.

Books

In this final section, I’d like to highlight some books related to this topic. While not essential reads, they offer valuable insights into the subject. (I have a fondness for reading physical books when away from the computer, which is why I’m also mentioning them here).

• The web application hackers handbook
• Javascript for hackers
• Bug Bounty Bootcamp by No Starch Press
• Real-World Bug Hunting.
• Almost all the No Starch Press books.

Mental Health

Last but certainly not least, I’d like to touch on the subject of mental health. Learning cybersecurity or web security content isn’t a sprint; it’s more like a marathon. At times, the abundance of concepts to learn can be overwhelming, leading to comparisons with experts in the field without knowing their background. I recommend to see the following video by LiveOverflow (link) about enjoying the path and this another about starting in Hacking (link). Moreover, there are instances where dedicating excessive time to learning in this field can lead to burnout. It’s crucial to strike a balance between immersion in the subject and maintaining a healthy pace to avoid mental and physical exhaustion. Also, I recommend reading this blog post from Azeria.

Conclusion

In conclusion, my aspiration for this blog is to facilitate the entry of newcomers into the field without overwhelming them in the process of exploration and learning. Additionally, this blog serves as a means for me to solidify my understanding by articulating intriguing concepts within the field, attempting to encapsulate over 20 years of web research into accessible blog posts.

References:

• Recommended [Github Repo]: A collection of awesome lists for hackers, pentesters & security researchers.
• Recommended [VIDEO]: Building a Competitive Hacking Team (USENIX Enigma 2016) by Tyler Nighswander
• Recommended [VIDEO]: Real World CTF Finals 2018 by LiveOverflow
• Recommended [VIDEO]: What is a CTF by CTFRadiooo
• Recommended [VIDEO]: How to get into it, by CTFRadiooo
• Recommended [Blog]: Demystifying Browsers by Ericlaw