My Path to Becoming a Web Security Engineer -- Planning Chapter

Source: Internet
Author: User

Based on what I collected online about the skills a web security engineer needs to master, the job requirements and how to get started, together with the Web Security Engineer micro-professional course launched by NetEase, I have made a small plan for my further study. I also hope it can serve as a reference for colleagues who want to become web security engineers.

Part I -- Basic Learning

1# Web security engineer job description and requirements:

You need to master the basic layering diagram:

!-- First of all, we must know what the Web is and how a website is built. --!
3# Basic learning -- static layer
Following the layered diagram above, the first step is to learn the static layer, which includes HTML and JavaScript.
About how to get started:
HTML can be learned on W3school (http://www.w3school.com.cn/html/index.asp).
It generally takes 2-3 days to get started: understand the meaning of each tag and write a simple static website. Later, when you need anything else, looking it up in a reference manual is enough.
JavaScript can also be started on W3school: learn the DOM section, and then study with the book "JavaScript DOM Programming Art".
JavaScript is also worth learning in more depth, because it helps with learning XSS vulnerabilities later. (5 days to get started)

You also need to learn about the HTTP protocol: know what the status codes mean and what information the HTTP headers carry.

HTTP protocol: http://www.yiibai.com/http/ ### Start learning, young man. (1-2 days)

4# Basic learning -- script layer (dynamic layer)
For programming, most people suggest learning PHP; other recommended languages include Java and others, which can be learned later.
Learn simple PHP (after all, it is open source, hehe), as well as Python, the scripting language security engineers are required to know.
For PHP and Python I bought two books (I will post reading notes to the blog later, hehe):

!-- Before learning Python, I listened to a live session; for reference only --!
"Python learning links: electronic version of [Learn Python the Hard Way] http://www.kancloud.cn/kancloud/learn-python-hard-way/49863
Crossin's Programming Classroom - Python http://res.crossincode.com/wechat/python.html
Python 2.7 Tutorial - Liao Xuefeng's official website http://www.liaoxuefeng.com/wiki/001374738125095c955c1e6d8bb493182103fac9270762a000

Python3 Tutorial http://www.yiibai.com/python3/ -- If you want to learn Python 3, look at this; I am learning 2 first and then slowly learning 3."
If I hear good recommendations in a PHP live session another day, I will share them with everyone, hehe. -- As for Python and PHP, keep learning, hold on and stick with it.

5# Basic learning -- database layer

For databases, you can master some SQL statements first and then spend some time learning one database; I chose MySQL.

SQL Tutorial - w3cschool http://www.w3cschool.cn/sql/

MySQL Tutorial - w3cschool http://www.w3cschool.cn/mysql/

21-Minute MySQL Getting Started Tutorial - wid - cnblogs http://www.cnblogs.com/mr-wid/archive/2013/05/09/3068229.html (I think that once you have learned SQL statements, reading this is OK)

6# Basic learning -- server layer

First, this stage is mainly about learning how to build environments and understanding the concepts of the various servers and middleware.

Current common web servers:
Large: Microsoft IIS, IBM WebSphere, BEA WebLogic, Apache, Tomcat
Small: Nginx, micro_httpd, mini_httpd, thttpd, lighttpd, shttpd

Middleware:

### Just get a general understanding first; there is no need to master these in depth. Go deeper into the commonly used ones as you use them.

Second, building a penetration testing environment

PHP integrated environment software: phpStudy

JSP integrated environment software: JspStudy

ASP integrated environment software: Small Cyclone ASP Server

#### Now that the environments are all there, let's get to it ...

"Beginner's Guide: Teach You How to Build Your Own Penetration Test Environment - freebuf.com | Focus on hackers and geeks http://www.freebuf.com/sectool/102661.html"

Besides the environment built in this FreeBuf article, I recently saw another good environment that I can also recommend to everyone:

Webug vulnerability environment - official site http://www.webug.org/#page1

!-- For building environments you can also learn Docker; for details, see the link below. --!

Docker Tutorial | Rookie Tutorial http://www.runoob.com/docker/docker-tutorial.html

7# Basic learning -- system layer

Now comes our magical system layer, mainly Linux and Windows systems; the main thing is to understand the relevant commands.

DOS Techniques in 100 Cases - w3cschool http://www.w3cschool.cn/dosmlxxsc1/cudkrf.html

Linux Tutorial | Rookie Tutorial http://www.runoob.com/linux/linux-tutorial.html

!-- When learning, type more commands and play around more. I decided to set up an Ubuntu and a Windows 2012 machine to play with, and I --!

Once you have learned enough Linux, you can play with Kali, yes!

Xuan Soul Kali link: https://pan.baidu.com/s/1ccTB7S password: bp4y (if it is no longer valid, contact me and I will fix it)

### Part I is all fundamentals. To win a kingdom you must have some basic skills, so get to work and learn the foundations well, yes.

Part II -- Principles of Common Web Vulnerabilities

Once the basics are mostly done, first learn the principles of web-related vulnerabilities. The OWASP Top 10 should be understood well; there is now a 2017 version, yes.

"OWASP Top 100 security hole candidates, what do you think? - freebuf.com | Focus on hackers and geeks http://www.freebuf.com/news/131778.html"

Web Security: Common Web Vulnerabilities - MOSHENGLV's column - CSDN blog http://blog.csdn.net/moshenglv/article/details/53439579

Network security vulnerabilities: popular science and concept understanding - Network Security Focus http://www.chncto.com/0day/16091.html

Common Logic Vulnerability Analysis in Web Security Testing (hands-on) - freebuf.com | Focus on hackers and geeks http://www.freebuf.com/vuls/112339.html

"Safety Science" Web security penetration testing process - Anka9080 - cnblogs http://www.cnblogs.com/anka9080/p/shentouliucheng.html

Understand most of these first. Beyond that, regularly visit forums and experts' blogs, read vulnerability write-ups, and learn the principles behind vulnerabilities and how to find them.

Recommended sites:

"Vulnerability Bank: http://www.bugbank.cn/skills.html

freebuf.com | Focus on hackers and geeks http://www.freebuf.com/

Mottoin http://www.mottoin.com

ichunqiu Forum | White hat hacker forum | Network penetration technology | Website security | Mobile security | Communication security https://bbs.ichunqiu.com/portal.php

Safety Pulse https://www.secpulse.com/

91ri.org http://www.91ri.org

Vulnerability research - security technology community https://xianzhi.aliyun.com/forum/thread/4.html

Yi-Zhi - Zhihu column https://zhuanlan.zhihu.com/leafsec (Zhihu has other good columns too; look for them yourself)"

Part III -- Web Security Tools

As the saying goes, to do a good job, one must first sharpen one's tools.

There are too many tools to introduce them all; find the ones that suit you. Once you are proficient in Python, you can also write your own tools.

Let's talk about some tools that are regarded as "artifacts":

1, Firefox browser, Google Chrome

2, nmap (port scan + others)

3, AWVS (vulnerability scan)

4, Royal Sword (background directory scan)

5, sqlmap (injection artifact)

6, Burp Suite (artifact)

7, WebRobot (crawler, for looking at the file structure and so on; very good)

8, subDomainsBrute and Layer subdomain excavator

Find the others yourself ...

Attached:

Collection of open source scanners self-developed by security industry practitioners (2017/01/11 update) - mottoin http://www.mottoin.com/94492.html

Burpsuite Practical Guide https://t0data.gitbooks.io/burpsuite/content/?q=

Mister House White Hat Training Handout - download channel - csdn.net http://download.csdn.net/detail/wizardforcel/9728354

Recommended books:

Web security book recommendations - Zhihu column https://zhuanlan.zhihu.com/p/23065460

That's about it; you can slowly build up your own afterwards.

Construction of Web security system

Next, combine this with the environments and get into hands-on practice ...

Reference:
Web security engineer - security skills - SecWiki https://www.sec-wiki.com/skill/2
Web security getting-started notes - Zhihu column https://zhuanlan.zhihu.com/p/26053309
How do you learn web security with zero background? - Robin https://www.zhihu.com/question/21606800
Getting started with web security: books and advice - Jianshu http://www.jianshu.com/p/6dcebd54fb24
