OWASP Live CD - Live Demo
Omar Sherin - OWASP Egypt
A few facts and figures: how many vulnerabilities are application-security related?
What is OWASP?
• Open Web Application Security Project
• Promotes secure software development
• Oriented to the delivery of web-oriented services
• Focused primarily on “back-end” security rather than on web-design issues
• An open forum for discussion
• A free resource for any development team
OWASP Publications - All Free
• Top 10 Web Application Security Vulnerabilities
• Guide to Building Secure Web Applications
• Legal Project
• Metrics & Measurements Project
• Testing Project
• AppSec FAQ
www.owasp.org
OWASP Software
• Major Applications
  • WebGoat
  • WebScarab
• .Net Projects
• oLab Projects
OWASP Software - .NET Projects
• .Net Projects
  • A collection of tools focused on securing ASP.NET projects
  • Includes security analyzers and documentation projects
• Current Projects
  • Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
  • SAM’SHE – Security Analyzer for Microsoft’s Shared Hosting Environments – a toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
  • ANSA – Asp.Net Security Analyzer, written in C#, to identify configuration and software issues that impact security
  • Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
• http://www.owasp.org/software/dotnet.html
What is the OWASP Live CD?
• A bootable CD with loads of pre-packaged web security tools and toys
• The latest OWASP project, and the most talked about in the web security community
• Also available as a free VM image
Live CD Benefits and Tools List
• It’s free, easy and safe to use
• Current Tools List
  • OWASP WebScarab
  • OWASP WebGoat
  • OWASP JBroFuzz
  • Paros Proxy
  • nmap
  • Wireshark
  • tcpdump
  • Firefox 3
  • Burp Suite
  • Grendel-Scan
  • OWASP DirBuster
  • OWASP SQLiX
  • OWASP WSFuzzer
  • Metasploit 3
• Future Tools List
  • nikto
  • Skavenger
  • sqlmap
  • sqlninja
  • Absinthe
  • webshag
  • httprint
  • BeEF
  • ProxyMon
  • ratproxy
Tool Focus: WebGoat
• Start the WebGoat server from the main menu
• In Firefox, type: http://127.0.0.1:8080/WebGoat/attack
• User name: guest
• Password: guest
• Start learning!
What is WebGoat?
• OWASP project with ~115,000 downloads so far
• Deliberately insecure Java EE web application
• Teaches common application vulnerabilities via a series of individual lessons
Real World Examples
• Cross-site scripting
• SQL injection
• Command injection
• Forced browsing
• Access control
  • Data, presentation, business, & environmental layers
• Authentication
• AJAX
• Web services
WebGoat Users
• Used by clients for source code analysis and web application security scanning
• Used by universities in security curricula
  • Carnegie Mellon
    • Using WebGoat as an open source project option
  • University of Denver
  • Wouldn’t it be great if students contributed lessons as part of their class projects!
• OWASP Autumn of Code 2006 and Spring of Code 2007 projects
• Used by many companies as a “safe” training tool
• LOTS of emails from the user community
What’s New in 5.x
• 5.0 – Autumn of Code 2006 release
  • Many new lessons
    • AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath injection, forced browsing
• 5.1 (Summer 2007)
  • Servlet that allows attacks to post data
    • Posted data is pushed back to the originating lesson
  • XSS phishing attack
  • Improved lesson content
  • Enhanced documentation (a SpoC 2007 project)
Work in Progress
• Convert lessons to a common theme
  • HR system (WebGoat Financials)
  • Online banking or video store
Thank You www.qcert.org