OWASP Live CD / WebGoat Live Demo

What is OWASP
OWASP Live CD
Live Demo
Omar Sherin - OWASP Egypt
A Few Facts and Figures:
How Many Vulnerabilities Are Application Security Related?
What is OWASP?
Open Web Application Security Project
● Promotes secure software development
● Oriented to the delivery of web-oriented services
● Focused primarily on “back-end” issues rather than web design
● An open forum for discussion
● A free resource for any development team
120+ Chapters Worldwide
OWASP Sponsors
OWASP Publications - All Free
● Top 10 Web Application Security Vulnerabilities
● Guide to Building Secure Web Applications
● Legal Project
● Metrics & Measurements Project
● Testing Project
● AppSec FAQ
www.owasp.org
OWASP Software
Major Applications
● WebGoat
● WebScarab
● .Net Projects
● Lab Projects
OWASP Software - .NET Projects
● A collection of tools focused on securing ASP.NET projects
● Includes security analyzers and documentation projects
● Current Projects
  – Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
  – SAM’SHE – Security Analyzer for Microsoft’s Shared Hosting Environments – a toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
  – ANSA – Asp.Net Security Analyzer, written in C#, to identify configuration and software issues that impact security
  – Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
http://www.owasp.org/software/dotnet.html
What is the OWASP Live CD
● A bootable CD with loads of pre-packaged web security tools and toys
● The latest OWASP project and the most talked about in the web security community
● Also comes as a free VM image
Live CD Benefits and Tools List
● It’s free, easy and safe to use
● Current tools list
  – OWASP WebScarab
  – OWASP WebGoat
  – OWASP JBroFuzz
  – Paros Proxy
  – nmap
  – Wireshark
  – tcpdump
  – Firefox 3
  – Burp Suite
  – Grendel-Scan
  – OWASP DirBuster
  – OWASP SQLiX
  – OWASP WSFuzzer
  – Metasploit 3
● Future tools list
  – nikto
  – Skavenger
  – sqlmap
  – sqlninja
  – Absinthe
  – webshag
  – httprint
  – BeEF
  – ProxyMon
  – ratproxy
Tool Focus: WebGoat
● Start the WebGoat server from the main menu
● In Firefox, type: http://127.0.0.1:8080/WebGoat/attack
● User name: guest
● Password: guest
● Start learning!!
What is WebGoat
● OWASP project with ~115,000 downloads so far
● Deliberately insecure Java EE web application
● Teaches common application vulnerabilities via a series of individual lessons
Real World Examples
● Cross site scripting
● SQL Injection
● Command Injection
● Forced Browsing
● Access Control
  – Data, presentation, business, & environmental layers
● Authentication
● AJAX
● Web Services
WebGoat Users
● Used by clients for source code analysis and web application security scanning
● Used by universities in security curricula
  – Carnegie Mellon
    · Using WebGoat as an open source project option
  – University of Denver
  – Wouldn’t it be great if students contributed lessons as part of their class projects!!
● OWASP Autumn 2006 and Spring of Code 2007 projects
● Used by many companies as a “safe” training tool
● LOTS of emails from the user community
What’s New in 5.x
● 5.0 – Autumn of Code 2006 release
  – Many new lessons
    · AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath injection, forced browsing
● 5.1 (Summer 2007)
  – Servlet that allows attacks to post data
    · Posted data is pushed back to the originating lesson
  – XSS phishing attack
  – Improved lesson content
  – Enhanced documentation (a SpoC 2007 project)
Work in Progress
● Convert lessons to a common theme
  – HR System (WebGoat Financials)
  – Online Banking or Video Store
Questions & Demo
Thank You
www.qcert.org