OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
Chuck Willis, AppSecUSA, November 21, 2013
Agenda
• Introductions
• Project Background
• Current Status
• Future
• Q&A

About Me
• Sr. Technical Director at Mandiant in DC
• Application Security, Penetration Testing, Source Code Analysis, Forensics, Incident Response, Research and Development
• Leader of OWASP Broken Web Applications project
• chuck.willis@mandiant.com
• @chuckatsf

Project Background

Problem
• Looking for web applications with vulnerabilities where I could:
  – Test web application scanners
  – Test manual attack techniques
  – Test source code analysis tools
  – Look at the code that implements the vulnerabilities
  – Modify code to fix vulnerabilities
  – Test web application firewalls
  – Examine evidence left by attacks

OWASP WebGoat
• It is a great learning tool, but…
• It is a training environment, not a real application
• The same holds for many other “training” applications

Proprietary “Free” Apps
• Realistic applications with vulnerabilities
• Often closed source, which prevents some uses
• Can conflict with one another
• Can be difficult to install
• Licensing restrictions

OWASP BWA Solution
• Free, Linux-based Virtual Machine
• Contains a variety of web applications
  – Some intentionally broken
  – Some old versions of open source applications
• Pre-configured and ready to use / test
• All applications are open source
  – Allows for source code analysis
  – Allows users to modify the source to fix vulnerabilities (or add new ones)

OWASP BWA History
• Initial 0.9 release at AppSec DC 2009
• 1.0 release in July 2012
• Current version is 1.1.1
  – Released in September 2013
  – Download links off www.owaspbwa.org
  – Some known issues

OWASP BWA Details

Virtual Machine
• Available in VMware and OVA formats
• Compatible with
  – VMware Products
    • No-cost and commercial
    • OWASP BWA intentionally uses an older VM format
  – Oracle VirtualBox
  – Parallels Desktop

Base Operating System
• OS is Ubuntu Linux Server 10.04 LTS
  – No X-Windows / Graphical User Interface
• Managed via
  – Console
  – OpenSSH
  – Samba
  – phpMyAdmin

Base Software
• Apache
• PHP
• Perl
• MySQL
• Tomcat
• OpenJDK
• Mono
• Ruby
• Rails

Additional Software
• SubVersion client
• GIT client
• PostgreSQL
• ModSecurity and OWASP Core Rule Set
• Custom scripts

Applications

Training Applications
• OWASP WebGoat (Java)
• OWASP WebGoat.NET (ASP.NET/C#)
• OWASP ESAPI Java SwingSet Interactive (Java)
• OWASP Mutillidae II (PHP)
• OWASP RailsGoat (Ruby on Rails)
• OWASP Bricks (PHP)
• Damn Vulnerable Web Application (PHP)
• Ghost (PHP)
• Magical Code Injection Rainbow (PHP)

Realistic, Intentionally Broken Apps
• OWASP Vicnum (PHP/Perl)
• OWASP 1-Liner (Java/JavaScript)
• Google Gruyere (Python)
• Hackxor (Java JSP)
• WackoPicko (PHP)
• BodgeIt (Java JSP)
• Cyclone Transfers (Ruby on Rails)
• Peruggia (PHP)

Old Versions of Real Applications
• WordPress 2.0.0 (PHP, released December 31, 2005)
  – myGallery plugin version 1.2
  – Spreadsheet for WordPress plugin version 0.6
• OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
• GetBoo version 1.04 (PHP, released April 7, 2008)
• gtd-php version 0.7 (PHP, released September 30, 2006)
• Yazd version 1.0 (Java, released February 20, 2002)
• WebCalendar version 1.03 (PHP, released April 11, 2006)
• TikiWiki version 1.9.5 (PHP, released September 5, 2006)
• Gallery2 version 2.1 (PHP, released March 23, 2006)
• Joomla version 1.5.15 (PHP, released November 4, 2009)
• AWStats version 6.4 (Perl, released February 25, 2005)

Other Applications
• Applications for Testing Tools
  – OWASP ZAP-WAVE (Java JSP)
  – WAVSEP (Java JSP)
  – WIVET (Java JSP)
• Demonstration Pages / Small Applications
  – OWASP CSRFGuard Test Application (Java)
  – Mandiant Struts Forms (Java/Struts)
  – Simple ASP.NET Forms (ASP.NET/C#)
  – Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
• OWASP Demonstration Applications
  – OWASP AppSensor Demo Application (Java)

Other Features

Editing Applications
• Application code can be edited via SMB shares, SSH, or the console
• Updates to PHP, JSP, etc. application files take effect immediately
• Scripts are provided to rebuild and redeploy the applications that require it:
  – WebGoat
  – Yazd
  – CSRFGuard Test Apps
  – SwingSet Apps

Updating VM
• Scripts are provided to update the VM from source code repositories
  – OWASP BWA specific files from the Google Code SVN repository
  – Application files from their SVN or GIT repositories
• Can break applications due to changes in database schemas or dependencies
• Can allow for using updated versions of applications without waiting for a new version of OWASP BWA

OWASP ModSecurity Core Rule Set
• Web server on OWASP BWA is running mod_security
• By default, no rules are enabled
• Scripts are provided to:
  – Enable logging using CRS:
    • owaspbwa-modsecurity-crs-log.sh
  – Enable blocking using CRS:
    • owaspbwa-modsecurity-crs-block.sh
  – Disable all rules:
    • owaspbwa-modsecurity-crs-off.sh
• Rules can be easily edited via SMB shares
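As an added illustration of the three states those scripts select (log-only, block, off), and not OWASP BWA's own owaspbwa-modsecurity-crs-*.sh scripts whose contents the slides do not show, the POSIX shell functions below switch a ModSecurity configuration between those states by rewriting the SecRuleEngine directive. The config path and the seed configuration are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the OWASP BWA project): a minimal mode switcher for
# ModSecurity. The config path is an assumption; override it via MODSEC_CONF.
MODSEC_CONF="${MODSEC_CONF:-./modsecurity.conf}"

# Write a small constructed config so the example runs offline.
# Real CRS configs are far larger; only SecRuleEngine matters here.
seed_conf() {
    cat > "$MODSEC_CONF" <<'EOF'
# constructed sample config
SecRuleEngine Off
SecAuditEngine RelevantOnly
EOF
}

# set_mode log|block|off
#   log   -> SecRuleEngine DetectionOnly : rules are evaluated and logged, nothing is blocked
#   block -> SecRuleEngine On            : rules are evaluated and matching requests are denied
#   off   -> SecRuleEngine Off           : rules are not evaluated at all
set_mode() {
    case "$1" in
        log)   engine=DetectionOnly ;;
        block) engine=On ;;
        off)   engine=Off ;;
        *)     echo "usage: set_mode log|block|off" >&2; return 2 ;;
    esac
    # Rewrite only the SecRuleEngine line; every other directive is left untouched.
    sed -i.bak "s/^SecRuleEngine .*/SecRuleEngine $engine/" "$MODSEC_CONF"
}

# current_mode prints the SecRuleEngine value currently configured
current_mode() {
    awk '$1 == "SecRuleEngine" { print $2 }' "$MODSEC_CONF"
}
```

In DetectionOnly mode the audit log records what the CRS would have blocked, which is the state to use when you want to see evidence of attacks against the BWA applications without the WAF interfering with them.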
Log Files
• Logging for the web and application servers is left in its default configuration
  – What you will most likely see when responding to an incident
• Logs are available via SMB share
• Logging settings can be easily edited
• Logs are cleared when the VM is packaged

User Guide
• User Guide available on the Google Code Wiki: https://code.google.com/p/owaspbwa/wiki/UserGuide
• Welcome any volunteers to contribute
  – Author
  – Review
  – Edit
  – Comment

Vulnerabilities

Where are the vulnerabilities?
• Don’t have a master list of vulnerabilities (yet)
• Looking for the community to contribute
• Using the “Trac” issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1
• Not intended to duplicate content within applications or application documentation

Tracking Known Vulnerabilities
• Anyone can search issues
• Anyone can see details on issues
• Anyone can submit issues
• Considering a registration requirement in order to prevent spam
• Registered users can edit issues

The Future

Near Term
• Version 1.2 planned before the end of 2013
  – Bug fixes
  – Add bWAPP application
  – Update applications
  – Add ability to more easily update OWASP Mutillidae

Other Near Term Items
• Documentation can use some work
• Catalog of vulnerabilities can be expanded

Longer Term
• Will get increasingly difficult to support modern and old applications together
  – Due to library and other dependency issues
• May move to multiple VMs
• Would like to improve the set of applications…

Wish List
• More applications in more languages
  – Compiled Java
  – ASP.NET
  – Python
  – Node.js
• Common frameworks and libraries
• Looking for feedback from people who use the VM for developer training
• More modern UIs
  – Rich JavaScript
  – HTML5
  – Mobile optimized sites
  – Adobe Flash
• More database backends
  – PostgreSQL
  – SQLite
  – NoSQL
• Opportunity for someone
  – Create a small data driven application with SQL injection
  – Make variants connected to different database backends
• Improved set of real applications with security issues
  – More applications
  – More modern applications
• More web services
  – Mobile apps
  – Rich web UIs
  – Desktop thick clients
• Updated home page on VM
  – More intuitive layout
  – Refreshed appearance
  – Perhaps indicate applications based on
    • Application’s scope
    • Application’s level of activity / updates
    • User’s role / level
• Looking for feedback from users

What do you want to see in OWASP BWA?
We welcome any help, feedback, or broken apps you can provide!

More Information and Getting Involved
• More information on the project can be found at http://www.owaspbwa.org/
• Join our Google Group: owaspbwa
• Follow us on Twitter @owaspbwa
• Submit bugs and security issues to the trackers