Your SlideShare is downloading. ×
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Learning  By  Breaking  O W A S P  B W A  Doug  Wilson  Shmoo 2010
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010

1,223

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,223
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
15
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
  • 2. 2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
  • 3. 3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
  • 4. 4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
  • 5. 5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
  • 6. 6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
  • 7. 7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
  • 8. 8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
  • 9. 9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
  • 10. 10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
  • 11. 11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
  • 12. 12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
  • 13. 13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
  • 14. 15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
  • 15. 16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
  • 16. 17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
  • 17. 18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
  • 18. 19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
  • 19. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010

×