The OWASP Foundation
AppSec DC
http://www.owasp.org
Learning by Breaking
A New Project for Insecure Web Apps
Chuck Willis
Technical Director
MANDIANT
chuck.willis@mandiant.com
November 12, 2009

OWASP
About Me
MANDIANT
Commercial Services
Federal Services
Training and Education
Product – Mandiant Intelligent Response
My Experience
10+ years total experience in Information Security
Penetration Testing, Application Security, Source Code Analysis, Forensics, Incident Response, R&D
Member of OWASP DC Chapter (and CapSec)

Problem
I was looking for web applications with vulnerabilities where I could:
Test web application scanners
Test manual techniques
Test source code analysis tools
Look at the code that implements the vulnerabilities
Modify code to fix vulnerabilities
Test web application firewalls

Option – WebGoat
It is a great learning tool, but
It is a training environment, not a real application
Same holds for other “artificial” applications

Option – Proprietary “Free” Apps
Realistic applications with vulnerabilities
Often closed source, which prevents some uses
Can conflict with one another
Can be difficult to install
Licensing restrictions

Solution
Create a set of broken, open source applications
Put them all on a VMware virtual machine
Donate it to OWASP
Profit?

Base Software
Based on Ubuntu Linux Server 9.10
No X-Windows
Apache
PHP
Perl
MySQL
PostgreSQL
Tomcat
OpenJDK
Mono

Management Software
OpenSSH
Samba
phpMyAdmin
Subversion Client

Intentionally Broken Apps
OWASP WebGoat version 5.3 (Java)
OWASP Vicnum version 1.3 (Perl)
Mutillidae version 1.3 (PHP)
Damn Vulnerable Web Application version 1.06 (PHP)

Intentionally Broken Apps
OWASP CSRFGuard Test Application version 2.2 (Java)
Mandiant Struts Forms (Java/Struts)
Simple ASP.NET Forms (ASP.NET/C#)
Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
LOOKING FOR DONATIONS!

Old Versions of Real Applications
phpBB 2.0.0 (PHP, released April 4, 2002)
WordPress 2.0.0 (PHP, released December 31, 2005)
Yazd version 1.0 (Java, released February 20, 2002)
LOOKING FOR IDEAS!

Where are the vulnerabilities?
Don’t have a master list of vulnerabilities (yet)
Counting on the community to contribute
Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
May move to wiki page(s) on the OWASP site

What’s in a name?
Tentatively called “OWASP Broken Web Applications Project”
I’m open to suggestions

The Future
Establish as an OWASP project
Wiki page
Mailing list
Update project for collaboration
Create and maintain documentation
Push content to Google Code
Incorporate additional broken apps
The larger, the better
Would like more real / realistic applications
Adobe Flash (could use some help here)
Ruby on Rails?

More Information and Downloads
More information can be found at http://code.google.com/p/owaspbwa/
Version 0.9 of the VM has been released!
Linked from the blog at mandiant.com
I have a few CDs of the VM for anyone who wants them

I welcome any help / broken apps you can provide!

Questions?