WebGoat v5 Project: Autumn of Code 2006 Project Presenter: Dave Wichers OWASP Conferences Chair COO, Aspect Security [email protected] 6th OWASP AppSec Conference Milan - May 2007 WebGoat Project Lead: Bruce.
WebGoat v5 Project:
Autumn of Code 2006 Project
Presenter: Dave Wichers
OWASP Conferences Chair
COO, Aspect Security
[email protected]
6th OWASP AppSec Conference
Milan - May 2007
WebGoat Project Lead: Bruce Mayhew
[email protected]
Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the
terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this
license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/
About the Speaker
Background
IT Security Consultant for past 19 years
Focus on application security for past 9 years
Bachelor's and Master's Degrees in Computer Science
CISSP, CISM
Aspect Security Founder and COO
Specialists in application security
Verify critical applications (~3 million LOC/month)
Enable companies to reliably produce secure code
OWASP Foundation
Coauthor of OWASP Top 10
Member of OWASP Board
Conferences Chair for OWASP AppSec Conferences
Established OWASP as 501c3 not-for-profit in U.S.
6th OWASP AppSec Conference – Milan – May 2007
2
What’s a WebGoat
OWASP project with ~115,000 downloads
Deliberately insecure Java EE web application
Teaches common application vulnerabilities via a series of individual lessons
History of WebGoat
Donated to OWASP by Aspect Security ~2002
Project Lead is Bruce Mayhew
Started to receive outside contributions in 2005
v5 produced as AoC 2006 project
WebGoat Demonstrates Vulnerabilities
WebGoat uses “goatified” real world examples
Cross site scripting
SQL Injection
Command Injection
Forced Browsing
Access Control
Data, presentation, business, & environmental layers
Authentication
AJAX
WebServices
….
Picking up Steam…
Used by source code analysis and web application security scanning vendors for demos
Used by universities in security curriculum
Carnegie-Mellon
Using WebGoat as open source project option
University of Denver
Wouldn’t it be great if students contributed lessons as part of their class projects!!
OWASP Autumn 2006 and Spring of Code 2007 Projects
Used by many companies as a training tool
LOTS of emails from user community
What’s New in 5.X
5.0 – Autumn of Code 2006 Release
Many new lessons
AJAX, JSON, HTTP response splitting, CSRF, cache poisoning,
log poisoning, XML & XPATH Injection, forced browsing
5.1 (Goals – Summer 2007)
Servlet that allows attacks to post data
Posted data is pushed back to originating lesson
XSS Phishing attack
Improved lesson content
Enhanced Documentation (A SpoC 2007 project)
Roadmap
Create database schema common to all lessons
Convert lessons to a common theme
HR System (WebGoat Financials)
Online Banking or Video Store
Make WebGoat more CBT like
Teach application security, not just demonstrate how to attack
Convert lessons to JSPs for easier content editing
Demos – Let’s go through some lessons!!
Questions and Answers
Share your ideas / Let us know you’re using it!
Bruce Mayhew
[email protected]
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/