What is OWASP / OWASP Live CD Live Demo - PowerPoint PPT Presentation

Presentation Transcript

  1. What is OWASP / OWASP Live CD Live Demo - Omar Sherin, OWASP Egypt

  2. A few facts and figures: How many vulnerabilities are application security related?

  3. What is OWASP?
  • Open Web Application Security Project
  • Promotes secure software development
  • Oriented to the delivery of web-oriented services
  • Focused primarily on “back-end” issues rather than web-design issues
  • An open forum for discussion
  • A free resource for any development team

  4. 120+ Chapters Worldwide

  5. OWASP Sponsors

  6. OWASP Publications - All Free
  • Top 10 Web Application Security Vulnerabilities
  • Guide to Building Secure Web Applications
  • Legal Project
  • Metrics & Measurements Project
  • Testing Project
  • AppSec FAQ
  • www.owasp.org

  7. OWASP Software - Major Applications
  • WebGoat
  • WebScarab
  • .Net Projects
  • Lab Projects

  8. OWASP Software - .NET Projects
  • .Net Projects
    • A collection of tools focused on securing ASP.NET projects
    • Includes security analyzers and documentation projects
  • Current Projects
    • Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
    • SAM’SHE – Security Analyzer for Microsoft’s Shared Hosting Environments – a toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
    • ANSA – Asp.Net Security Analyzer, written in C#, to identify configuration and software issues that impact security
    • Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
  • http://www.owasp.org/software/dotnet.html

  9. What is the OWASP Live CD?
  • A bootable CD with loads of pre-packaged web security tools and toys
  • The latest OWASP project and the most talked about in the web security community
  • Also available as a free VM image

  10. Live CD Benefits and Tools List
  • It’s free, easy and safe to use
  • Current Tools List
    • OWASP WebScarab
    • OWASP WebGoat
    • OWASP JBroFuzz
    • Paros Proxy
    • nmap
    • Wireshark
    • tcpdump
    • Firefox 3
    • Burp Suite
    • Grendel-Scan
    • OWASP DirBuster
    • OWASP SQLiX
    • OWASP WSFuzzer
    • Metasploit 3
  • Future Tools List
    • nikto
    • Skavenger
    • sqlmap
    • sqlninja
    • Absinthe
    • webshag
    • httprint
    • BeEF
    • ProxyMon
    • RatProxy

  11. Tool Focus: WebGoat
  • Start the WebGoat server from the main menu
  • In Firefox, type: http://127.0.0.1:8080/WebGoat/attack
  • User name: guest
  • Password: guest
  • Start learning!!

  12. What is WebGoat?
  • OWASP project with ~115,000 downloads so far
  • Deliberately insecure Java EE web application
  • Teaches common application vulnerabilities via a series of individual lessons

  13. Real World Examples
  • Cross site scripting
  • SQL Injection
  • Command Injection
  • Forced Browsing
  • Access Control
    • Data, presentation, business, & environmental layers
  • Authentication
  • AJAX
  • Web Services

  14. WebGoat Users
  • Used by clients for source code analysis and web application security scanning
  • Used by universities in security curricula
    • Carnegie-Mellon
      • Using WebGoat as an open source project option
    • University of Denver
    • Wouldn’t it be great if students contributed lessons as part of their class projects!!
  • OWASP Autumn of Code 2006 and Spring of Code 2007 projects
  • Used by many companies as a “safe” training tool
  • LOTS of emails from the user community

  15. What’s New in 5.x
  • 5.0 – Autumn of Code 2006 Release
    • Many new lessons
      • AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath Injection, forced browsing
  • 5.1 (Summer 2007)
    • Servlet that allows attacks to post data
    • Posted data is pushed back to the originating lesson
    • XSS phishing attack
    • Improved lesson content
    • Enhanced documentation (a SpoC 2007 project)

  16. Work in Progress
  • Convert lessons to a common theme
    • HR System (WebGoat Financials)
    • Online Banking or Video Store

  17. Questions & Demo

  18. Thank You www.qcert.org