So I switched Udemy courses to one that includes PHP as well. I’m trying to find a course that has languages that I can stick to that will get as many of the prerequisites to web hacking as possible so that I can practice and become a fluent web developer while still working towards learning web hacking while I’m not thinking about it. I plan on making real websites for people in that time period.
Here’s the new course that I got to replace the old one:
In the browser you’ll see JavaScript; even if the source code is different, it has to be JS in the end, so that’s definitely one to learn.
My personal opinion is that you should start with PHP (it’s very beginner friendly, and also I think it’s the easiest one to exploit). Then you can jump to JS, it shouldn’t be a big step, and then to some Python (used for backends, but more importantly it’s a good scripting language you can use to automate tools/hax) and then maybe to Ruby or even Java.
For the tools part, git is sort of a must, but I think things like Bootstrap shouldn’t be taught; once you know some JS, HTML and CSS you can easily consume their docs (and there are many alternatives).
And there are many frameworks for each language and, if applicable, each layer - my advice is: learn the basics first, then it’s going to be easier to choose which one makes the most sense to you.
Feel free to reach out here, on Twitter or the 0x00 Discord if I can help.
In addition to everything @device said, what helped me the most was understanding how the software stack works and how different components work with each other. Everything is connected.
I’ve had so many web devs argue with me over why an unsupported version of CentOS underneath their ReactJS app is a problem. What they don’t get is that their app firewall doesn’t mean shit if I can get RCE on the OS. If you can get that one exploit past sanitation, it’s all over.
Understanding the big picture is critical also. Web app hacking requires context since so much of the attack surface consists of end users, not developers. Maybe you got XSS - great, why should they care? Can you steal sessions? Drop other payloads?
Web technologies are very important to have a working knowledge of, but you’re really just working with another service on another port. It just so happens to be a service that can be highly complex as opposed to FTP or SMB.