What is OWASP / OWASP Live CD - Live Demo
Omar Sherin - OWASP Egypt

A few facts and figures: how many vulnerabilities are application security related?

What is OWASP? Open Web Application Security Project
● Promotes secure software development
● Oriented to the delivery of web-oriented services
● Focused primarily on "back-end" issues rather than web-design issues
● An open forum for discussion
● A free resource for any development team

120+ Chapters Worldwide

OWASP Sponsors

OWASP Publications - All Free
● Top 10 Web Application Security Vulnerabilities
● Guide to Building Secure Web Applications
● Legal Project
● Metrics & Measurements Project
● Testing Project
● AppSec FAQ
www.owasp.org

OWASP Software - Major Applications
● WebGoat
● WebScarab
● .Net Projects
● oLab Projects

OWASP Software - .NET Projects
● A collection of tools focused on securing ASP.NET projects
● Includes security analyzers and documentation projects
● Current projects:
  – Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
  – SAM'SHE – Security Analyzer for Microsoft's Shared Hosting Environments – a toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
  – ANSA – Asp.Net Security Analyzer, written in C#, to identify configuration and software issues that impact security
  – Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
http://www.owasp.org/software/dotnet.html

What is the OWASP Live CD?
● A bootable CD with loads of pre-packaged web security tools and toys
● The latest OWASP project, and the most talked about in the web security community
● Also comes as a free VM image

Live CD Benefits and Tools List
It's free, easy and safe to use.
Current tools list:
● OWASP WebScarab
● OWASP WebGoat
● OWASP JBroFuzz
● Paros Proxy
● nmap
● Wireshark
● tcpdump
● Firefox 3
● Burp Suite
● Grendel-Scan
● OWASP DirBuster
● OWASP SQLiX
● OWASP WSFuzzer
● Metasploit 3
Future tools list:
● nikto
● Skavenger
● sqlmap
● sqlninja
● Absinthe
● webshag
● httprint
● BeEF
● ProxyMon
● ratproxy

Tool Focus: WebGoat
● Start the WebGoat server from the main menu
● In Firefox, type: http://127.0.0.1:8080/WebGoat/attack
● User name: guest
● Password: guest
● Start learning!

What is WebGoat?
● OWASP project with ~115,000 downloads so far
● Deliberately insecure Java EE web application
● Teaches common application vulnerabilities via a series of individual lessons

Real World Examples
● Cross-site scripting
● SQL injection
● Command injection
● Forced browsing
● Access control
  – Data, presentation, business, & environmental layers
● Authentication
● AJAX
● Web services

WebGoat Users
● Used by clients for source code analysis and web application security scanning
● Used by universities in security curricula
  – Carnegie Mellon
    – Using WebGoat as an open source project option
  – University of Denver
● Wouldn't it be great if students contributed lessons as part of their class projects!
● OWASP Autumn of Code 2006 and Spring of Code 2007 projects
● Used by many companies as a "safe" training tool
● LOTS of emails from the user community

What's New in 5.x
● 5.0 – Autumn of Code 2006 release
  – Many new lessons: AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath injection, forced browsing
● 5.1 (Summer 2007)
  – Servlet that allows attacks to post data
    – Posted data is pushed back to the originating lesson
  – XSS phishing attack
  – Improved lesson content
  – Enhanced documentation (a SpoC 2007 project)

Work in Progress
● Convert lessons to a common theme
  – HR system (WebGoat Financials)
  – Online banking or video store

Questions & Demo
Thank you
www.qcert.org