Your SlideShare is downloading. ×
0
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

1,833

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,833
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
  • 2. 2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
  • 3. 3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
  • 4. 4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
  • 5. 5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
  • 6. 6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
  • 7. 7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
  • 8. 8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
  • 9. 9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
  • 10. 10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
  • 11. 11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
  • 12. 12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
  • 13. 13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
  • 14. 15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
  • 15. 16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
  • 16. 17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
  • 17. 18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
  • 18. 19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
  • 19. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010

×