• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
 

Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010

on

  • 1,590 views

 

Statistics

Views

Total Views
1,590
Views on SlideShare
1,588
Embed Views
2

Actions

Likes
0
Downloads
12
Comments
0

1 Embed 2

http://www.slideshare.net 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010 Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010 Presentation Transcript

    • Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
    • 2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
    • 3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
    • 4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
    • 5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
    • 6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
    • 7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
    • 8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
    • 9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
    • 10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
    • 11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
    • 12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
    • 13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
    • 15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
    • 16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
    • 17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
    • 18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
    • 19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
    • Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010