WebGoat v5 Project: Autumn of Code 2006 Project
Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, [email protected]
WebGoat Project Lead: Bruce Mayhew, [email protected]
6th OWASP AppSec Conference, Milan, May 2007

Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation, http://www.owasp.org/

About the Speaker
Background
- IT security consultant for the past 19 years
- Focus on application security for the past 9 years
- Bachelor's and Master's degrees in Computer Science
- CISSP, CISM
Aspect Security
- Founder and COO
- Specialists in application security
- Verify critical applications (~3 million LOC/month)
- Enable companies to reliably produce secure code
OWASP Foundation
- Coauthor of the OWASP Top 10
- Member of the OWASP Board
- Conferences Chair for the OWASP AppSec Conferences
- Established OWASP as a 501(c)(3) not-for-profit in the U.S.

What's a WebGoat
- OWASP project with ~115,000 downloads
- Deliberately insecure Java EE web application
- Teaches common application vulnerabilities via a series of individual lessons

History of WebGoat
- Donated to OWASP by Aspect Security ~2002
- Project Lead is Bruce Mayhew
- Started to receive outside contributions in 2005
- v5 produced as an Autumn of Code (AoC) 2006 project

WebGoat Demonstrates Vulnerabilities
WebGoat uses "goatified" real-world examples:
- Cross-site scripting
- SQL injection
- Command injection
- Forced browsing
- Access control (data, presentation, business, and environmental layers)
- Authentication
- AJAX
- Web services
- …
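To make concrete what a "goatified" lesson teaches, here is an added example that is not code from WebGoat or from this presentation. WebGoat's own lessons are Java EE servlets backed by a database; this example reproduces the shape of its SQL injection lesson in Python against an in-memory SQLite table so it runs stand-alone. The table contents, the `login_vulnerable` and `login_fixed` functions, and the injection payloads are all constructed for the illustration and are assumptions of this example, not material from the slides.

```python
import sqlite3

# Constructed sample data standing in for a lesson's user store (not WebGoat's schema).
SAMPLE_USERS = [
    ("admin", "s3cret-admin-pw", "administrator"),
    ("alice", "alice-pw", "employee"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The lesson's 'before' state: untrusted input is concatenated into the SQL text,
    so a single quote in the input changes the structure of the query."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_fixed(conn, username, password):
    """The lesson's 'after' state: a parameterized query. The driver sends the input
    as bound values, so it is compared as data and never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the two classic lesson payloads against both versions and return the rows."""
    conn = make_db()
    # Payload 1: close the username literal and comment out the password check.
    # SQLite, like most engines, treats '--' as a comment to end of line.
    comment_out = "admin' -- "
    # Payload 2: a tautology that makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    return {
        "vuln_comment": login_vulnerable(conn, comment_out, "anything"),
        "fixed_comment": login_fixed(conn, comment_out, "anything"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "fixed_tautology": login_fixed(conn, tautology, tautology),
        "fixed_legit": login_fixed(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the first payload logs in as `admin` without a password and the second returns every user; against the parameterized version both payloads return no rows, while a genuine username/password pair still works. That contrast, the same request against the broken and the fixed code path, is what each WebGoat lesson is built to show.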
Picking up Steam…
- Used by source code analysis and web application security scanning vendors for demos
- Used by universities in their security curriculum
  - Carnegie-Mellon: using WebGoat as an open source project option
  - University of Denver
  - Wouldn't it be great if students contributed lessons as part of their class projects!!
- OWASP Autumn of Code 2006 and Spring of Code 2007 projects
- Used by many companies as a training tool
- LOTS of emails from the user community

What's New in 5.X
5.0 – Autumn of Code 2006 Release
- Many new lessons: AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML and XPath injection, forced browsing
5.1 (Goals – Summer 2007)
- Servlet that allows attacks to post data; posted data is pushed back to the originating lesson
- XSS phishing attack
- Improved lesson content
- Enhanced documentation (a Spring of Code 2007 project)

Roadmap
- Create a database schema common to all lessons
- Convert lessons to a common theme: HR system (WebGoat Financials), online banking, or video store
- Make WebGoat more CBT-like: teach application security, not just demonstrate how to attack
- Convert lessons to JSPs for easier content editing

Demos – Let's go through some lessons!!

Questions and Answers

Share your ideas / Let us know you're using it!
Bruce Mayhew, [email protected]
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/