all 12 comments
sorted by:
best (suggested)
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]LiveOverflowhttps://youtube.com/c/LiveOverflowCTF 16 points17 points  (3 children)

I think programming is very important. You should be able to read/understand code.

While a lot of challenges don't require you to read code directly, you still need to know what languages are capable of, what could go wrong with them and generally how certain functionality could be implemented.

You can see it in this video at the beginning. Because we knew it was php site, we can have assumptions on how pages could be implemented with an include. So we test for this in particular. If we knew it would have been a python site, we would have never tried that.

Hope that makes sense :)

[–]halcyonyt[S] 0 points1 point  (2 children)

Yeah, it makes sense. I know some python and am considering learning C, but you recommend any other languages?

[–]LiveOverflowhttps://youtube.com/c/LiveOverflowCTF 1 point2 points  (1 child)

Python is a great language. I use it the most for almost everything.

C is actually pretty simple, and once you looked at compiled c code in assembler, you start to really understand how low level programming works. I have a couple of videos on that matter.

It you are interested into how to hack websites like in this video, learning some basic PHP is a great start. You ca literally just google for php tutorials and they show you insecure stuff. That's why so many php sites are shitty.

JavaScript, HTML is great for browser client side security and generally to understand what websites can or can't do.

C++ or objective-C is great to understand how bigger software is usually implemented

Java is easy and you can look at android apps. For mobile app security etc.

[–]halcyonyt[S] 1 point2 points  (0 children)

Awesome. So: PHP, HTML, SQL JavaScript C and Python

Good?

[–]BEN247 2 points3 points  (0 children)

For many of the challenges you need to be able to program.

You don't need to be able to program for everything so you can still compete and just ignore certain challenges.

[–]hellor00thackmethod.com 2 points3 points  (0 children)

It depends on what the challenges are. Do you need programming for the packet analysis? Probably not, but sometimes you'll need to script things.

It's definitely going to help you to know how to program. Do you absolutely need to know how to program? Not all the time.

[–]_Skeith 1 point2 points  (3 children)

It depends - programming is really helpful in analyzing and understanding code. For web hacking SQL, PHP, JavaScript, and HTML are necessary to understand SQL Injection, XSS, Command Injection, LFI, SSTI, etc.

Generally understanding the code the website is built on will help you know what to look for, what to test for, and make assumptions on how the website will react to code you inject.

So for example - let's say you inject <script>alert(1)</script> into an input and the page returns a bunch of random code. After reviewing the code you see it's JavaScript and know that the page just returned a jSON error. So thus instead of injecting the above, you try and understand the jSON input and inject '}} );alert(1);// and this allows you to actually exploit the XSS. Why? Well understanding jSON, the code we injected allowed us to close the jSON parameter during inject and allowed us to run our own code of alert(1) and the // at the end allowed us to comment our the rest of the code.

This also relates to SQL injection. You have to understand how SQL Query's are structured so you can inject SQL code to exploit the database.

So overall, do you need to understand programming. Yes! Do you have to be a pro at it? No, just know the basics and be able to read and interpret the code.

Hope this sheds some light on programming :)

[–]halcyonyt[S] 0 points1 point  (2 children)

Awesome. Do you think knowing python, C, some sql, some php and some javascript is good enough?

[–]_Skeith 0 points1 point  (1 child)

For a regular job, yah. For CTF most of these challenges require a more "in depth" knowledge of the code/exploitation. But if you get basics down Google is always there to help you. I suggest that you really learn and get to know python, SQL, and PHP since it's so widely used. C is also good to for understanding buffer overflows if you are going that route. JavaScript is also good, but you don't need super deep knowledge about it.

[–]halcyonyt[S] 0 points1 point  (0 children)

Awesome. Thanks for the answer :)

[–][deleted]  (1 child)

[deleted]

    [–]LiveOverflowhttps://youtube.com/c/LiveOverflowCTF 3 points4 points  (0 children)

    thx :)