REVIEW - Web Fundamentals by TRY HACK ME
Before reading this post or starting the Web Fundamentals path, I highly recommend that you read the blog post about the Beginners Path, because most of the fundamentals and tools are covered there, which makes Web Fundamentals easier to finish. Now let's get into the review.
The idea of this path, as stated in its description, is to "Teach you how to attack web applications and exploit them". So, how are we going to do that? The path is made up of these 4 modules, which help us learn web exploitation. They are:
Web Fundamentals: This module teaches the basic knowledge needed to find and exploit vulnerabilities in websites. The topics covered are:
Networking: As in every networking course or lecture, we are taught about the OSI and TCP/IP models. Basic commands like ping, whois, dig and traceroute are also explained.
Web-Fundamentals: Web fundamentals such as HTTP and tasty cookies 🍪 are taught. We also have a mini CTF to apply what we learned.
Introduction to Django: Yes, as you guessed, we need to learn the basics of Python to do this. Don't worry, there is a small intro room for Python which explains all the topics needed for this room. I recommend you finish the Python room first, which takes only a few minutes. Afterwards, move on to Django, where we are taught to create a simple website with it.
Security Tools: This room covers the two tools we will use for finding and exploiting vulnerabilities in websites. They are:
Burp Suite: Installation of Burp Suite and how to use it to exploit and find vulnerabilities.
OWASP ZAP: An alternative to Burp Suite for people who can't afford the paid version of it. Both have similar functionality. Everything about ZAP is explained, from installation to exploitation.
Vulnerabilities: Now we're getting into the interesting part, "VULNERABILITIES". Many vulnerabilities are explained which we can apply when doing bug bounties. Some of them are:
LFI: What LFI is and how to find it, followed by a CTF to find LFI and escalate privileges.
Authenticate: Attacks like dictionary attacks, re-registration, and JSON Web Token attacks are explained, with a CTF.
XXE: Introduction to XML, DTDs and XXE payloads, with a CTF.
XSS: Different types of XSS, such as stored XSS, reflected XSS, DOM-based XSS, XSS for IP/port scanning, an XSS keylogger, and filter evasion and protection.
ZTH: Introduction to ZTH vulnerabilities such as SSTI, CSRF, JWT and XXE.
SSRF: Introduction to SSRF.
Upload Vulnerabilities: Vulnerabilities in the upload section of web pages are explained, with a CTF.
PRACTICE: There are a total of 4 rooms in which to apply what we have learned. All of those CTFs are good.
Refer to writeups only when you are stuck at some point. Keep trying and eventually you will get the FLAGS 🚩. If you are planning to do bug bounty, I highly suggest you finish this path to get some idea of it. Good luck.
My social media handles: LinkedIn, Twitter, THM, HackerOne