appsec labs
Overview of Web Application Security and Setup

Section Overview
§ Where to get assistance
§ Assignment #1
§ Infrastructure Setup
§ Web Security Overview
§ Web Application Evaluation & Testing
§ Application Security Requirements
§ Web Application Security Requirements
Material Source
§ OWASP Testing Guide v3
§ WebGoat

Lab Goals
§ Learn real world skillz
§ Teach offensive and defensive security
§ Teach self-reliance and communication
§ Instill collaborative development and teamwork

OWASP Testing Guide v3
§ Developed and published by OWASP
§ Application security testing guideline
§ Breaks down testing

WebGoat
§ Vulnerable web application used to teach web app security
§ Our use is two-fold
▪ Teach yourself how to exploit the vulnerabilities
▪ Projects will require you to report and fix bugs
Where to get assistance
§ GoogleGroups: https://groups.google.com/forum/?fromgroups#!forum/comp327-spring-2013
§ OWASP Testing Guide: https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
§ WebGoat Tutorial Videos: http://yehg.net/lab/pr0js/training/webgoat.php
§ Email TAs
Assignment #1
§ Download project appliances from the site
§ Setup Bitbucket accounts
§ Create a private git repo
§ Link the repo to the one on the VM
§ Share your repo with the course TAs
§ Reading Assignment
Download the Virtual Appliances
§ http://markov.cs.rice.edu/comp327/
§ Do it on campus with a wired connection!

OWASP_BWA_Comp327.ova
§ Contains an instance of WebGoat
§ Used to test and learn how to exploit the vulnerabilities you will fix.

webgoat_developer.ova
§ Development environment
▪ Eclipse with Java EE environment
▪ WebGoat source code in a git repo

Download & Install VirtualBox
§ https://www.virtualbox.org/

Import the Virtual Appliance
§ In class demo
§ Google if not in class
§ Ask questions on the forum if confused

Configuring network for VMs
§ In class demo
§ Google if not in class
§ Ask questions on the forum if confused

Create a Bitbucket Account
§ https://bitbucket.org/
§ 1 person in each group needs to do this
▪ Link the git repo on Webgoat_Developer with a new repo in BitBucket
▪ Invite your partner to the repo and they will follow similar procedures outlined below
Start the WebGoat_Development VM
§ Login to the VM
▪ User: webgoatdev
▪ Pass: !webgoatdev
§ Start a Terminal
▪ Click the “Black Screen” in the bar

Type ./eclipse/eclipse in the Terminal
§ After Eclipse is started
▪ Goto: Windows->Open Perspective->Other
▪ Select: Git Repository Exploring

Expand Webgoat [master]
§ Right click
§ Select: “Create Remote…”
§ Type or copy in the git repo
§ Type in the username and password
§ Click Finish
§ Right click on the origin under Remotes
§ Click “Save and Push”
§ Click on the progress bar in lower left to reveal upload progress
§ When the push is complete …

Once your Bitbucket repo is synched
§ Share (invite) the TAs to your repository
▪ Theodore Book (tbook)
▪ Adam Pridgen (apridgen)
How do web applications work?
§ (diagram) Source: http://www.simondelliott.com/blog/welcome/architecture-for-the-consumer/

How do web attacks work?
§ (diagram) Source: http://www.preventia.co.uk/application-penetration-testing-service.php
Basic Vocabulary
§ Threat, Vulnerability, Risk, Mitigation
§ Attack vs. Defense
§ Client vs. Server
§ Web Proxy
§ Session Cookie
§ …

Web Application Security Testing Overview
§ Manual Inspections & Reviews
§ Threat Modeling
§ Source Code Review
§ Penetration Testing

Manual Inspections & Reviews
§ Review Technical decisions
§ Review Architectural designs
§ Review Security (configuration and coding) policies
§ Review Security requirements
Manual Inspections & Reviews Advantages
§ Requires no supporting technology
§ Can be applied to a variety of situations
§ Flexible
§ Promotes teamwork
§ Early in the SDLC

Manual Inspections & Reviews Disadvantages
§ Can be time consuming
§ Supporting material not always available
§ Requires extensive knowledge and experience
Threat Modeling
§ Decomposing the application
§ Defining and classifying the assets
§ Exploring potential vulnerabilities
§ Exploring potential threats
§ Creating mitigation strategies

Threat Modeling Advantages
§ Practical attacker's view of the system
§ Flexible
§ Early in the SDLC

Threat Modeling Disadvantages
§ Extensive knowledge and experience required
§ Project or business names change over the lifecycle

Source Code Review
§ Evaluate data and control flow of application
§ Line by line analysis of source code
§ Read comments and intended functionality

Source Code Review Advantages
§ Completeness and effectiveness
§ Potential accuracy
§ Manual and automated processes
Source Code Review Disadvantages
§ Requires highly skilled security developers
§ Can miss issues in third-party libraries
§ Run-time errors may go unnoticed
§ Subtleties and knowledge of the underlying language

Penetration Testing
§ Mostly black box testing using attack tools
§ Develop an understanding based on
▪ Error messages
▪ Client and server technologies
§ Exploit the application
▪ Attempt to compromise users, functionality, and data

Penetration Testing Advantages
§ Time boxed and scope limited
§ Tests code and functionality that is exposed

Penetration Testing Disadvantages
§ Completeness of testing
§ Latent services or data manipulation and usage
§ Only tests code and functionality that is exposed
Application Security Requirements
§ User Management
§ Authentication
§ Authorization
§ Data Confidentiality
§ Integrity
§ Accountability
§ Session Management
§ Transport Security
§ Tiered System Segregation (Trust relationships)
§ Privacy
Web Application Security Testing Framework (1)
§ Authentication & Access Control
§ Input Validation & Encoding
§ Data and Transport Encryption
§ User and Session Management
§ Error and Exception Handling
§ Auditing and Logging

1. OWASP Testing Guide v3, https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
Web Application Security Requirements
§ Authentication & Access Control
§ Input Validation & Encoding
§ Data and Transport Encryption
§ User and Session Management
§ Error and Exception Handling
§ Auditing and Logging