OWASPAppSec2007Milan_WebGoatv5.ppt Presentation Transcript

  • 1. WebGoat v5 Project: Autumn of Code 2006 Project. Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, [email_address]. WebGoat Project Lead: Bruce Mayhew, [email_address]
  • 2. About the Speaker
    • Background
      • IT Security Consultant for past 19 years
      • Focus on application security for past 9 years
      • Bachelor’s and Master’s Degrees in Computer Science
      • CISSP, CISM
    • Aspect Security Founder and COO
      • Specialists in application security
      • Verify critical applications (~3 million LOC/month)
      • Enable companies to reliably produce secure code
    • OWASP Foundation
      • Coauthor of OWASP Top 10
      • Member of OWASP Board
      • Conferences Chair for OWASP AppSec Conferences
      • Established OWASP as 501c3 not-for-profit in U.S.
  • 3. What’s a WebGoat
    • OWASP project with ~115,000 downloads
    • Deliberately insecure Java EE web application
    • Teaches common application vulnerabilities via a series of individual lessons
  • 4. History of WebGoat
    • Donated to OWASP by Aspect Security ~2002
    • Project Lead is Bruce Mayhew
    • Started to receive outside contributions in 2005
    • v5 produced as AoC 2006 project
  • 5. WebGoat Demonstrates Vulnerabilities
    • WebGoat uses “goatified” real world examples
      • Cross site scripting
      • SQL Injection
      • Command Injection
      • Forced Browsing
      • Access Control
        • Data, presentation, business, & environmental layers
      • Authentication
      • AJAX
      • WebServices
      • …
  • 6. Picking up Steam…
    • Used by source code analysis and web application security scanning vendors for demos
    • Used by universities in security curriculum
      • Carnegie-Mellon
        • Using WebGoat as open source project option
      • University of Denver
      • Wouldn’t it be great if students contributed lessons as part of their class projects!!
    • OWASP Autumn 2006 and Spring of Code 2007 Projects
    • Used by many companies as a training tool
    • LOTS of emails from user community
  • 7. What’s New in 5.X
    • 5.0 – Autumn of Code 2006 Release
      • Many new lessons
        • AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing
    • 5.1 (Goals – Summer 2007)
      • Servlet that allows attacks to post data
        • Posted data is pushed back to originating lesson
      • XSS Phishing attack
      • Improved lesson content
      • Enhanced Documentation (A SpoC 2007 project)
  • 8. Roadmap
    • Create database schema common to all lessons
    • Convert lessons to a common theme
      • HR System (WebGoat Financials)
      • Online Banking or Video Store
    • Make WebGoat more CBT-like
      • Teach application security, not just demonstrate how to attack
    • Convert lessons to JSPs for easier content editing
  • 9. Demos – Let’s go through some lessons!!
  • 10. Questions and Answers
  • 11. Share your ideas / Let us know you’re using it! Bruce Mayhew [email_address] http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project http://code.google.com/p/webgoat/