SlideShare a Scribd company logo

Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

S
SecurityTube.Net
Technology
1 of 19
Download to read offline
Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010

Recommended

Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Tommy Tracx Xaypanya
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014Boy Baukema
 
Websauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkWebsauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkMikko Ohtamaa
 
Upgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutUpgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutChristian Heilmann
 
10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About Plone10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About PloneJazkarta, Inc.
 
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...tdc-globalcode
 

Recommended

Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Owasp Memphis Flyer 2010
Owasp Memphis Flyer 2010Tommy Tracx Xaypanya
 
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisAppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
 
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр АнтухOWASP Russia
 
WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014WebAppSec @ Ibuildings in 2014
WebAppSec @ Ibuildings in 2014Boy Baukema
 
Websauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkWebsauna - introduction to the best Python web framework
Websauna - introduction to the best Python web frameworkMikko Ohtamaa
 
Upgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutUpgrading JavaScript to ES6 and using TypeScript as a shortcut
Upgrading JavaScript to ES6 and using TypeScript as a shortcutChristian Heilmann
 
10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About Plone10 Things You Probably Didn't Know About Plone
10 Things You Probably Didn't Know About PloneJazkarta, Inc.
 
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...
TDC2016POA | Trilha Web - Garanta a segurança de suas aplicações Web com Keyc...tdc-globalcode
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction alessiomarziali
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Jacek Tomaszewski
 
PWA
PWAPWA
PWAAnuradha Malalasena
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Google presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobileGoogle presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobilePeter-Paul Koch
 
Top Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemTop Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemIonic Framework
 
Tastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierTastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierHarvard Web Working Group
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overviewNikola Milosevic
 
Open Source in Higher Education 2007
Open Source in Higher Education 2007Open Source in Higher Education 2007
Open Source in Higher Education 2007ssorden
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataHananto Wibowo Soenarto
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 
Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)SecurityTube.Net
 
Guest Stealing...The VMware Way
Guest Stealing...The VMware WayGuest Stealing...The VMware Way
Guest Stealing...The VMware WaySecurityTube.Net
 

More Related Content

Similar to Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCDenim Group
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do ThatNathan Smith
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guideSudhanshu Chauhan
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Websec México, S.C.
 
Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Jacek Tomaszewski
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandMatt Tesauro
 
Google presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobileGoogle presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobilePeter-Paul Koch
 
Top Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemTop Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemIonic Framework
 
Tastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierTastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierHarvard Web Working Group
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Open Source in Higher Education 2007
Open Source in Higher Education 2007Open Source in Higher Education 2007
Open Source in Higher Education 2007ssorden
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataHananto Wibowo Soenarto
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...Felipe Prado
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxgerardkortney
 

Similar to Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010 (20)

RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
Vulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDCVulnerability Management In An Application Security World: AppSecDC
Vulnerability Management In An Application Security World: AppSecDC
 
HTML5 Can't Do That
HTML5 Can't Do ThatHTML5 Can't Do That
HTML5 Can't Do That
 
OWASP an Introduction
OWASP an Introduction OWASP an Introduction
OWASP an Introduction
 
Web application penetration testing lab setup guide
Web application penetration testing lab setup guideWeb application penetration testing lab setup guide
Web application penetration testing lab setup guide
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
Protección web con ESAPI y AppSensor [GuadalajaraCON 2013]
 
Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1Become a webdeveloper - AKAICamp Beginner #1
Become a webdeveloper - AKAICamp Beginner #1
 
PWA
PWAPWA
PWA
 
Intro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP SwitzerlandIntro to DefectDojo at OWASP Switzerland
Intro to DefectDojo at OWASP Switzerland
 
Google presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobileGoogle presentation: The Open Web goes mobile
Google presentation: The Open Web goes mobile
 
Top Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle ThemTop Cordova Challenges and How to Tackle Them
Top Cordova Challenges and How to Tackle Them
 
Tastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work EasierTastypie: Easy APIs to Make Your Work Easier
Tastypie: Easy APIs to Make Your Work Easier
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Owasp Serbia overview
Owasp Serbia overviewOwasp Serbia overview
Owasp Serbia overview
 
Open Source in Higher Education 2007
Open Source in Higher Education 2007Open Source in Higher Education 2007
Open Source in Higher Education 2007
 
DevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOpsDevOps Indonesia #9 - DevSecOps
DevOps Indonesia #9 - DevSecOps
 
DevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf HadiwinataDevSecOps : The Open Source Way by Yusuf Hadiwinata
DevSecOps : The Open Source Way by Yusuf Hadiwinata
 
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
DEF CON 27 - workshop - RYAN CHAPMAN - understanding and analyzing weaponized...
 
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docxOWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
OWASP Top 10 - 2017The Ten Most Critical Web Application Sec.docx
 

More from SecurityTube.Net

Guest Stealing...The VMware Way
Guest Stealing...The VMware WayGuest Stealing...The VMware Way
Guest Stealing...The VMware WaySecurityTube.Net
 
Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapSecurityTube.Net
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010SecurityTube.Net
 
GPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutGPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutSecurityTube.Net
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS VulnerabilitiesSecurityTube.Net
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneSecurityTube.Net
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie StealingSecurityTube.Net
 
Black Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslBlack Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslSecurityTube.Net
 
SSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSecurityTube.Net
 

More from SecurityTube.Net (15)

Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)Gsm Srsly (Shmoocon)
Gsm Srsly (Shmoocon)
 
Guest Stealing...The VMware Way
Guest Stealing...The VMware WayGuest Stealing...The VMware Way
Guest Stealing...The VMware Way
 
Keynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication GapKeynote - Closing the TLS Authentication Gap
Keynote - Closing the TLS Authentication Gap
 
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
Learning By Breaking O W A S P B W A Doug Wilson Shmoo 2010
 
GPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security ShootoutGPU vs CPU Supercomputing Security Shootout
GPU vs CPU Supercomputing Security Shootout
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
Network Attacks
Network AttacksNetwork Attacks
Network Attacks
 
TCP/IP basics
TCP/IP basicsTCP/IP basics
TCP/IP basics
 
Wireless Security Basics
Wireless Security BasicsWireless Security Basics
Wireless Security Basics
 
Linux Vulnerabilities
Linux VulnerabilitiesLinux Vulnerabilities
Linux Vulnerabilities
 
Microsoft OS Vulnerabilities
Microsoft OS VulnerabilitiesMicrosoft OS Vulnerabilities
Microsoft OS Vulnerabilities
 
Cryptography Lecture by Sam Bowne
Cryptography Lecture by Sam BowneCryptography Lecture by Sam Bowne
Cryptography Lecture by Sam Bowne
 
Active Https Cookie Stealing
Active Https Cookie StealingActive Https Cookie Stealing
Active Https Cookie Stealing
 
Black Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating SslBlack Hat Dc 09 Marlinspike Defeating Ssl
Black Hat Dc 09 Marlinspike Defeating Ssl
 
SSL MITM Attack Over Wireless
SSL MITM Attack Over WirelessSSL MITM Attack Over Wireless
SSL MITM Attack Over Wireless
 

Recently uploaded

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxFIDO Alliance
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewDianaGray10
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaWSO2
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)Samir Dash
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfdanishmna97
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuidePixlogix Infotech
 

Recently uploaded (20)

Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Intro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptxIntro to Passkeys and the State of Passwordless.pptx
Intro to Passkeys and the State of Passwordless.pptx
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational Performance
 
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
WSO2 Micro Integrator for Enterprise Integration in a Decentralized, Microser...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
UiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overviewUiPath manufacturing technology benefits and AI overview
UiPath manufacturing technology benefits and AI overview
 
Modernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using BallerinaModernizing Legacy Systems Using Ballerina
Modernizing Legacy Systems Using Ballerina
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
JavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate GuideJavaScript Usage Statistics 2024 - The Ultimate Guide
JavaScript Usage Statistics 2024 - The Ultimate Guide
 

Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010

  • 1. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon February 5th, 2010
  • 2. 2 About . . .  Doug Wilson − IT geek and “security guy” since 1999 − Co-Chair OWASP DC, organizer CapSec DC − Organizer AppSecDC 2009 (and 2010?)  − Incident Response and Forensics − Proactive, Research, and Training − Commercial and Federal Services − Product – Mandiant Intelligent Response
  • 3. 3 OWASP  Open Web Application Security Project − OWASP Top Ten − ESAPI / ESAPI WAF / AntiSamy − OpenSAMM / ASVS − Dev / Testing / Code Review Guides − XSS / SQLi / CSRF Cheat Sheets  http://www.owasp.org
  • 4. 4 So you want to learn about Web Application Security?  Not everyone starts out L33T  Most don’t start out in Web App Sec  Learn best by doing  There should be stuff in the intarwebs . . . . Right?  Well . . .
  • 5. 5 Existing Options  Let’s assume you are not a “Black Hat”  Real Apps − Some obvious problems here  Training Apps − OWASP: WebGoat, Vicnum, etc − Damn Vulnerable Web App, Mutillidae, Badstore  Similar Projects − Moth by Bonsai – mainly focused on w3af − Matt Johansen – WebGoat/mutillidae/DVWA
  • 6. 6 Similar Problems Exist  If you want to test scanners  If you want to test code review tools  If you want to test WAFs  If you want to have a testbed, it’s a lot of sysadmin work.
  • 7. 7 How to Solve Several Problems?  We were looking for web applications with vulnerabilities where we could test: − Manual Attack Techniques − Scanners − Source Code Analysis  And − Look at the “Bad Code” − Modify/Fix Code − Examine evidence left by attacks − Test web application firewalls / IDS systems
  • 8. 8 Solution? OWASP BWA  Assemble a set of broken, open source applications  Figure out all the configuration headaches  Put them all on a Virtual Machine  Donate it to OWASP  Step Five: Profit?
  • 9. 9 Base Software  Based on Ubuntu Linux Server 9.10 − No X-Windows or GUI − Apache − PHP − Perl − MySQL − PostgreSQL − Tomcat − OpenJDK − Mono
  • 10. 10 Management Software  OpenSSH  Samba  phpMyAdmin  Subversion Client
  • 11. 11 Intentionally Broken Apps (v 0.9)  OWASP WebGoat version 5.3 (Java)  OWASP Vicnum version 1.3 (Perl)  Mutillidae version 1.3 (PHP)  Damn Vulnerable Web Application version 1.06 (PHP)  OWASP CSRFGuard Test Application version 2.2 (Java)
  • 12. 12 Intentionally Broken Apps (v 0.9)  Mandiant Struts Forms (Java/Struts)  Simple ASP.NET Forms (ASP.NET/C#)  Simple Form with DOM Cross Site Scripting (HTML/JavaScript)  More identified and planned for 1.0 release  LOOKING FOR DONATIONS!
  • 13. 13 Old Versions of Real Apps (v 0.9)  phpBB 2.0.0 (PHP, released April 4, 2002)  WordPress 2.0.0 (PHP, released December 31, 2005)  Yazd version 1.0 (Java, released February 20, 2002)  More identified and planned for 1.0 release  LOOKING FOR IDEAS!
  • 14. 15 Challenges  Organization and Roadmap  Finding more apps  Documentation and Education  Making this a cohesive tool, rather than just a collection − Documenting Vulnerabilities − Gathering Evidence  Different levels of logging  Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
  • 15. 16 The Future  GET PEOPLE INVOLVED!  Update project for collaboration − Figure out how to distribute tasks − Create and maintain documentation − Push content to Google Code  Incorporate additional broken apps − The larger, the better − Would like more real / realistic applications − Adobe Flash / Drupal / Ruby on Rails
  • 16. 17 More Information and Downloads  More information can be found at http://owaspbwa.org or on Google Code.  Google Group available for support / discussion  Version 0.9 released at AppSecDC − Mostly functional, just fewer applications than we would like − Couple bugs (that we know of)  Version 1.0 will be released later in 2010
  • 17. 18 We welcome any help, broken applications, and feedback you can provide! owaspbwa.org
  • 18. 19 Questions?  owaspbwa.org / owasp.org  OWASP DC / CapSec DC  AppSecDC . . . Maybe again in 2010?  mandiant.com
  • 19. Doug Wilson Principal Consultant MANDIANT douglas.wilson@mandiant.com LEARNING BY BREAKING A NEW PROJECT FOR INSECURE WEB APPS ShmooCon 2010 February 5th, 2010