Overview of Web Application Security and Setup ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ Section Overview Where to get assistance Assignment #1 Infrastructure Setup Web Security Overview Web Application Evaluation & Testing Application Security Requirements Web Application Security Requirements ¡ Material Source § OWASP Testing Guide v3 § WebGoat ¡ Lab Goals § Learn real world skillz § Teach offensive and defensive security § Teach self-­‐reliance and communication § Instill collaborative development and teamwork ¡ ¡ ¡ Developed and published by OWASP Application security testing guideline Breaks down testing ¡ ¡ Vulnerable web application used to teach web app security Our use is two-­‐fold § Teach yourself how to exploit the vulnerabilities § Projects will require you to report and fix bugs ¡ GoogleGroups § https://groups.google.com/forum/?fromgroups#! forum/comp327-­‐spring-­‐2013 ¡ OWASP Testing Guide § https://www.owasp.org/images/5/56/ OWASP_Testing_Guide_v3.pdf ¡ WebGoat Tutorial Videos § http://yehg.net/lab/pr0js/training/webgoat.php ¡ Email TAs ¡ ¡ ¡ ¡ ¡ ¡ Download project appliances from the site Setup Bitbucket accounts Create a private git repo Link the repo to the one on the VM Share your repo with the course TAs Reading Assignment ¡ Download the Virtual Appliances § http://markov.cs.rice.edu/comp327/ § Do it on campus with a wired connection! ¡ OWASP_BWA_Comp327.ova § Contains an instance of WebGoat § Used to test and learn how to exploit the vulnerabilities you will fix. ¡ webgoat_developer.ova § Development environment ▪ Eclipse with Java EE environment ▪ WebGoat source code in a git repo ¡ Download & Install VirtualBox § https://www.virtualbox.org/ ¡ Import the Virtual Appliance § In class demo § Google if not in class § Ask questions on the forum if confused ¡ Configuring network for VMs § In class demo § Google if not in class § Ask questions on the forum if confused ¡ Create a Bitbucket Account § https://bitbucket.org/ ¡ 1 person in each group needs to do this § Link the git repo on Webgoat_Developer with a new repo in BitBucket § Invite your partner to the repo and they will follow similar procedures outlined below ¡ ¡ Start the WebGoat_Development VM Login to the VM § User: webgoatdev § Pass: !webgoatdev ¡ Start a Terminal § Click the “Black Screen” in the bar ¡ ¡ Type ./eclipse/eclipse in the Terminal After Eclipse is started § Goto: Windows-­‐>Open Perspective-­‐>Other § Select: Git Repository Exploring ¡ ¡ ¡ ¡ ¡ Expand Webgoat [master] Right click Select: “Create Remote…” Type or copy in the git repo Type in the username and password Click Finish ¡ Right click on the origin under Remotes ¡ Click “Save and Push” ¡ Click on the progress bar in lower left to reveal upload progress ¡ When the push is complete … ¡ Once your Bitbucket repo is synched § Share (invite) the TAs to your repository § Theodore Book (tbook) § Adam Pridgen (apridgen) ¡ How do web applications work? Source: http://www.simondelliott.com/blog/welcome/architecture-­‐for-­‐the-­‐consumer/ ¡ How do attack web attacks work? Source: http://www.preventia.co.uk/application-­‐penetration-­‐testing-­‐service.php ¡ Basic Vocabulary § Threat, Vulnerability, Risk, Mitigation § Attack vs. Defense § Client vs. Server § Web Proxy § Session Cookie § … ¡ Web Application Security Testing Overview § Manual Inspections & Reviews § Threat Modeling § Source Code Review § Penetration Testing ¡ Manual Inspections & Reviews § Review Technical decisions § Review Architectural designs § Review Security (configuration and coding) policies § Review Security requirements ¡ Manual Inspections & Reviews Advantages § § § § § ¡ Requires no supporting technology Can be applied to a variety of situations Flexible Promotes teamwork Early in the SDLC Manual Inspections & Reviews Disadvantages § Can be time consuming § Supporting material not always available § Requires extensive knowledge and experience ¡ Threat Modeling § Decomposing the application § Defining and classifying the assets § Exploring potential vulnerabilities § Exploring potential threats § Creating mitigation strategies ¡ Threat Modeling Advantages § Practical attacker's view of the system § Flexible § Early in the SDLC ¡ Threat Modeling Disadvantages § Extensive knowledge and experience required § Project or business names change over lifecyle ¡ Source Code Review § Evaluate data and control flow of application § Line by line analysis of source code § Read comments and intended functionality ¡ Source Code Review Advantages § Completeness and effectiveness § Potential accuracy § Manual and automated processes ¡ Source Code Review Disadvantages § § § § Requires highly skilled security developers Can miss issues in third-­‐party libraries Run-­‐time errors may go unnoticed Subtleties and knowledge of the underlying language ¡ Penetration Testing § Black box testing using attack tools § Mostly Develop an understanding based on ▪ Error messages ▪ Client and server technologies § Exploit the application ▪ Attempt to compromise users, functionality, and data ¡ Penetration Testing Advantages § Time boxed and scope limited § Tests code and functionality that is exposed ¡ Penetration Testing Disadvantages § Completeness of testing § Latent services or data manipulation and usage § Only tests code and functionality that is exposed ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ User Management Authentication Authorization Data Confidentiality Integrity Accountability Session Management Transport Security Tiered System Segregation (Trust relationships) Privacy ¡ Web Application Security Testing Framework § Authentication & Access Control § Input Validation & Encoding § Data and Transport Encryption § User and Session Management § Error and Exception Handling § Auditing and Logging 1. OWASP Testing Guide v3, https:// www.owasp.org/images/5/56/ OWASP_Testing_Guide_v3.pdf ¡ Authentication & Access Control § ¡ Input Validation & Encoding ¡ Data and Transport Encryption ¡ User and Session Management ¡ Error and Exception Handling ¡ Auditing and Logging