SlideShare a Scribd company logo

Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

S
SecurityTube.Net
Technology
1 of 19
Download to read offline
Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010

Recommended

Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Tommy Tracx Xaypanya
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014Boy Baukema
 
Websauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkWebsauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkMikko Ohtamaa
 
Upgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutUpgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutChristian Heilmann
 
10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About Plone10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About PloneJazkarta, Inc.
 
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...tdc-globalcode
 

Recommended

Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Tommy Tracx Xaypanya
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014Boy Baukema
 
Websauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkWebsauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkMikko Ohtamaa
 
Upgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutUpgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutChristian Heilmann
 
10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About Plone10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About PloneJazkarta, Inc.
 
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...tdc-globalcode
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Jacek Tomaszewski
 
PWA
PWAPWA
PWAAnuradha Malalasena
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Google presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobileGoogle presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobilePeter-Paul Koch
 
Top Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemTop Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemIonic Framework
 
Tastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierTastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierHarvard Web Working Group
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overviewNikola Milosevic
 
Open Source in Higher Education 2007
Open Source in Higher Education 2007Open Source in Higher Education 2007
Open Source in Higher Education 2007ssorden
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataHananto Wibowo Soenarto
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 
Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)SecurityTube.Net
 
Guest Stealing...The VMware Way
Guest Stealing...The VMware WayGuest Stealing...The VMware Way
Guest Stealing...The VMware WaySecurityTube.Net
 

More Related Content

Similar to Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Jacek Tomaszewski
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Google presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobileGoogle presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobilePeter-Paul Koch
 
Top Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemTop Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemIonic Framework
 
Tastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierTastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierHarvard Web Working Group
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Open Source in Higher Education 2007
Open Source in Higher Education 2007Open Source in Higher Education 2007
Open Source in Higher Education 2007ssorden
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataHananto Wibowo Soenarto
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 

Similar to Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010 (20)

RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1
 
PWA
PWAPWA
PWA
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Google presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobileGoogle presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobile
 
Top Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemTop Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle Them
 
Tastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierTastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work Easier
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
 
Open Source in Higher Education 2007
Open Source in Higher Education 2007Open Source in Higher Education 2007
Open Source in Higher Education 2007
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOps
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 

More from SecurityTube.Net

Guest Stealing...The VMware Way
Guest Stealing...The VMware WayGuest Stealing...The VMware Way
Guest Stealing...The VMware WaySecurityTube.Net
 
Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapSecurityTube.Net
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010SecurityTube.Net
 
GPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutGPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutSecurityTube.Net
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS VulnerabilitiesSecurityTube.Net
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneSecurityTube.Net
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie StealingSecurityTube.Net
 
Black Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslBlack Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslSecurityTube.Net
 
SSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSecurityTube.Net
 

More from SecurityTube.Net (15)

Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)
 
Guest Stealing...The VMware Way
Guest Stealing...The VMware WayGuest Stealing...The VMware Way
Guest Stealing...The VMware Way
 
Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication Gap
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
 
GPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutGPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security Shootout
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
Network Attacks
Network AttacksNetwork Attacks
Network Attacks
 
TCP/IP basics
TCP/IP basicsTCP/IP basics
TCP/IP basics
 
Wireless Security Basics
Wireless Security BasicsWireless Security Basics
Wireless Security Basics
 
Linux Vulnerabilities
Linux VulnerabilitiesLinux Vulnerabilities
Linux Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Black Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslBlack Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating Ssl
 
SSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSSL MITM Attack Over Wireless
SSL MITM Attack Over Wireless
 

Recently uploaded

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

  • 1. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
  • 2. 2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
  • 3. 3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
  • 4. 4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
  • 5. 5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
  • 6. 6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
  • 7. 7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
  • 8. 8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
  • 9. 9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
  • 10. 10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
  • 11. 11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
  • 12. 12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
  • 13. 13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
  • 14. 15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
  • 15. 16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
  • 16. 17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
  • 17. 18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
  • 18. 19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
  • 19. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010