OWASPAppSec2007Milan_WebGoatv5.ppt
Transcript

  • 1. WebGoat v5 Project: Autumn of Code 2006 Project
      Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security [email_address]
      WebGoat Project Lead: Bruce Mayhew [email_address]
  • 2. About the Speaker
      • Background
          • IT Security Consultant for past 19 years
          • Focus on application security for past 9 years
          • Bachelor’s and Master’s Degrees in Computer Science
          • CISSP, CISM
      • Aspect Security Founder and COO
          • Specialists in application security
          • Verify critical applications (~3 million LOC/month)
          • Enable companies to reliably produce secure code
      • OWASP Foundation
          • Coauthor of OWASP Top 10
          • Member of OWASP Board
          • Conferences Chair for OWASP AppSec Conferences
          • Established OWASP as 501c3 not-for-profit in U.S.
  • 3. What’s a WebGoat
      • OWASP project with ~115,000 downloads
      • Deliberately insecure Java EE web application
      • Teaches common application vulnerabilities via a series of individual lessons
  • 4. History of WebGoat
      • Donated to OWASP by Aspect Security ~2002
      • Project Lead is Bruce Mayhew
      • Started to receive outside contributions in 2005
      • v5 produced as AoC 2006 project
  • 5. WebGoat Demonstrates Vulnerabilities
      • WebGoat uses “goatified” real world examples
          • Cross site scripting
          • SQL Injection
          • Command Injection
          • Forced Browsing
          • Access Control
              • Data, presentation, business, & environmental layers
          • Authentication
          • AJAX
          • WebServices
          • …
  • 6. Picking up Steam…
      • Used by source code analysis and web application security scanning vendors for demos
      • Used by universities in security curriculum
          • Carnegie-Mellon
              • Using WebGoat as open source project option
          • University of Denver
          • Wouldn’t it be great if students contributed lessons as part of their class projects!!
      • OWASP Autumn 2006 and Spring of Code 2007 Projects
      • Used by many companies as a training tool
      • LOTS of emails from user community
  • 7. What’s New in 5.X
      • 5.0 – Autumn of Code 2006 Release
          • Many new lessons
              • AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing
      • 5.1 (Goals – Summer 2007)
          • Servlet that allows attacks to post data
              • Posted data is pushed back to originating lesson
          • XSS Phishing attack
          • Improved lesson content
          • Enhanced Documentation (A SpoC 2007 project)
  • 8. Roadmap
      • Create database schema common to all lessons
      • Convert lessons to a common theme
          • HR System (WebGoat Financials)
          • Online Banking or Video Store
      • Make WebGoat more CBT like
          • Teach application security, not just demonstrate how to attack
      • Convert lessons to JSPs for easier content editing
  • 9. Demos – Let’s go through some lessons!!
  • 10. Questions and Answers
  • 11. Share your ideas / Let us know you’re using it!
      Bruce Mayhew [email_address]
      http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
      http://code.google.com/p/webgoat/