Media:OWASP_Tools_Demo_090908

Transcript Media:OWASP_Tools_Demo_090908

WebGoat & WebScarab
September 9, 2008
By Stephen Carter & Mike Nixon
[email protected]
[email protected]
OWASP
Copyright © 2008 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
Part 1
Introduction to WebGoat & WebScarab
WebGoat
WebGoat is a deliberately insecure J2EE web application maintained by OWASP
Goal: Create a de-facto interactive teaching environment for web application security
Currently over 30 lessons
 - Anyone can create a lesson
Future: "security benchmarking platform and Web site Honeypot"
Project Page: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
WebGoat
WebGoat Installation
Obtaining WebGoat
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824
Installation (Developer Version for Windows)
Download WebGoat-OWASP_Developer-5.2.zip
Unzip to C:\
Unzip Eclipse-Workspace.zip to C:\WebGoat-5.2
Double-click eclipse.bat
Open http://localhost/WebGoat/attack
Default username “guest”, password “guest”
WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols
Proxy, Fuzzer, Session ID Analyzer, Spider and more…
Disclaimer: "…it is a tool primarily designed to be used by people who can write code themselves…"
WebScarab-NG
 - Complete rewrite with focus on user-friendliness
 - Uses Spring RCP
Project Page: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
WebScarab Installation
Obtaining WebScarab
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
Installation (Windows)
Download
Double-click webscarab-installer-20070504-1631.jar
Next, Next, …
Start > Programs > WebScarab > WebScarab
WebScarab as a Proxy
Firefox
Tools > Options > Advanced > Network > Settings > Manual Proxy Configuration
 - HTTP proxy: localhost, port 8008
WebScarab
Proxy > Intercept Requests
Part 2
Using WebGoat & WebScarab
WebGoat Tips
Helpful Tools
HTTP Proxy
 - OWASP WebScarab
 - Livehttpheaders
 - TamperData
Web Developer Tools
 - Firebug
 - Web Developer
WebGoat Tips
Built-in help
Hints
 - Fight the urge
Show Params
 - HTTP Request Params
Show Cookies
 - HTTP Request Cookies
Lesson Plan
 - Goals & Objectives
Show Java
 - Underlying Java source code for the lesson
Solutions
 - Last resort!
Lab: Role Based Access Control
Stage 1: Bypassing business layer access control
Stage 2: Add business layer access control
Check that user is authorized for action
handleRequest() in RoleBasedAccessControl.java
Stage 3: Bypass data layer access control
Stage 4: Add data layer access control
Check that user is authorized for action on a certain employee
handleRequest() in RoleBasedAccessControl.java
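The two checks the lab asks for, written out as an added example (this is not WebGoat's own RoleBasedAccessControl.java; the Employee and Action types, the role names and the sample directory are constructed here). The business-layer check (Stage 2) asks whether the caller's role may invoke the requested action at all; the data-layer check (Stage 4) asks whether the caller may invoke it on the particular employee named in the request. Both run on the server against the role taken from the session, not from anything the client sent, so they hold regardless of which menu entries the page happened to show.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example, not WebGoat's code. Models the two checks the RBAC lab asks for:
// Stage 2 (business layer: may this role perform this action at all?) and
// Stage 4 (data layer: may this user perform it on this particular employee?).
// Employee, Action, the role names and the sample directory are all constructed here.
public class RoleBasedAccessControlExample {

    enum Action { VIEW_PROFILE, EDIT_PROFILE, DELETE_PROFILE, LIST_STAFF }

    static final class Employee {
        final int id;
        final String name;
        final String role;      // "employee", "manager" or "hr"
        final int managerId;    // 0 = no manager
        Employee(int id, String name, String role, int managerId) {
            this.id = id; this.name = name; this.role = role; this.managerId = managerId;
        }
    }

    // Business-layer policy: each role and the actions it may invoke.
    static final Map<String, Set<Action>> ROLE_PERMISSIONS = Map.of(
        "employee", EnumSet.of(Action.VIEW_PROFILE),
        "manager",  EnumSet.of(Action.VIEW_PROFILE, Action.EDIT_PROFILE, Action.LIST_STAFF),
        "hr",       EnumSet.allOf(Action.class));

    // Constructed in-memory employee directory (id -> record).
    static final Map<Integer, Employee> EMPLOYEES = new HashMap<>();
    static {
        EMPLOYEES.put(101, new Employee(101, "Alice", "employee", 201));
        EMPLOYEES.put(102, new Employee(102, "Bob",   "employee", 202));
        EMPLOYEES.put(201, new Employee(201, "Carol", "manager",  301));
        EMPLOYEES.put(202, new Employee(202, "Dave",  "manager",  301));
        EMPLOYEES.put(301, new Employee(301, "Erin",  "hr",       0));
    }

    // Stage 2: is this user's role allowed to perform the action?
    static boolean isAuthorizedForAction(Employee user, Action action) {
        return ROLE_PERMISSIONS
            .getOrDefault(user.role, EnumSet.noneOf(Action.class))
            .contains(action);
    }

    // Stage 4: is this user allowed to perform the action on this target employee?
    // Employees may act only on their own record, managers on themselves and their
    // direct reports, HR on anyone.
    static boolean isAuthorizedForEmployee(Employee user, Employee target) {
        if ("hr".equals(user.role)) return true;
        if (user.id == target.id) return true;
        return "manager".equals(user.role) && target.managerId == user.id;
    }

    // Servlet-style entry point. sessionUserId comes from the authenticated session;
    // params are the untrusted request parameters (hidden form fields included), so
    // both checks run server-side no matter what the menu offered the user.
    static String handleRequest(int sessionUserId, Map<String, String> params) {
        Employee user = EMPLOYEES.get(sessionUserId);
        if (user == null) return "401 not logged in";

        Action action;
        try {
            action = Action.valueOf(params.getOrDefault("action", ""));
        } catch (IllegalArgumentException e) {
            return "400 unknown action";
        }

        if (!isAuthorizedForAction(user, action)) {
            return "403 role '" + user.role + "' may not " + action;
        }
        if (action == Action.LIST_STAFF) {
            return "200 staff list for " + user.name;
        }

        Employee target = EMPLOYEES.get(parseId(params.get("employee_id")));
        if (target == null) return "404 no such employee";
        if (!isAuthorizedForEmployee(user, target)) {
            return "403 " + user.name + " may not " + action + " employee " + target.id;
        }
        return "200 " + action + " on " + target.name;
    }

    private static int parseId(String s) {
        try { return Integer.parseInt(s == null ? "" : s.trim()); }
        catch (NumberFormatException e) { return -1; }
    }

    public static void main(String[] args) {
        // Alice (employee) tries to edit her own profile: stopped at the business layer.
        System.out.println(handleRequest(101, Map.of("action", "EDIT_PROFILE", "employee_id", "101")));
        // Carol (manager) tries to edit Bob, who reports to Dave: stopped at the data layer.
        System.out.println(handleRequest(201, Map.of("action", "EDIT_PROFILE", "employee_id", "102")));
        // Carol edits Alice, her direct report: allowed.
        System.out.println(handleRequest(201, Map.of("action", "EDIT_PROFILE", "employee_id", "101")));
        // Erin (HR) deletes a record: allowed at both layers.
        System.out.println(handleRequest(301, Map.of("action", "DELETE_PROFILE", "employee_id", "202")));
    }
}
```

The order of the two checks matters less than the fact that both exist: a role check alone still lets a manager operate on any employee by changing the id parameter, and an ownership check alone still lets an ordinary employee invoke an action the role was never granted.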
Lab: Cross Site Scripting (XSS)
Stage 1 – Stored XSS
Stage 2 – Correct Stored XSS Vulnerability
 - Filter before it is written to the database
 - parseEmployeeProfile() in UpdateProfile.java
Stage 3 – Stored XSS revisited
Stage 4 – Correct Stored XSS Vulnerability
 - Encode/filter after retrieving from database, before displaying to the user
 - getEmployeeProfile() in ViewProfile.java
 - HtmlEncoder.encode()
Stage 5 – Reflected XSS
Stage 6 – Correct Reflected XSS Vulnerability
 - getRequestParameter() in FindProfile.java
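The three fixes the XSS lab asks for, as an added example that is not WebGoat's UpdateProfile.java, ViewProfile.java or FindProfile.java: validation on write (Stage 2), encoding on read (Stage 4) and encoding of a reflected request parameter (Stage 6). The in-memory profile table, the address field and the htmlEncode helper that stands in for the lab's HtmlEncoder.encode() are constructed here; the method names are kept to mirror the lab.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not WebGoat's code. The store, the profile field and the
// lab-style method names are constructed here; htmlEncode stands in for the
// lab's HtmlEncoder.encode().
public class XssLabExample {

    // Constructed in-memory stand-in for the profile table: employee id -> street address.
    static final Map<Integer, String> ADDRESS_TABLE = new HashMap<>();

    // Output encoding: the characters that let data break out of an HTML text or
    // attribute context are replaced by entities, so stored content renders as text.
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stage 2: validate before writing. An allowlist of what an address may contain
    // is used rather than a denylist of dangerous strings; anything else is rejected.
    private static final Pattern ADDRESS_ALLOWED = Pattern.compile("[A-Za-z0-9 .,#'-]{1,100}");

    static boolean parseEmployeeProfile(int employeeId, String address) {
        if (address == null || !ADDRESS_ALLOWED.matcher(address).matches()) {
            return false;               // rejected, nothing stored
        }
        ADDRESS_TABLE.put(employeeId, address);
        return true;
    }

    // Stage 4: encode after retrieving, before rendering. This runs even when a value
    // reached the table by some path other than parseEmployeeProfile (an older record,
    // a bulk import), which is why Stage 3 leads back here.
    static String getEmployeeProfile(int employeeId) {
        String address = ADDRESS_TABLE.getOrDefault(employeeId, "");
        return "<tr><td>Address</td><td>" + htmlEncode(address) + "</td></tr>";
    }

    // Stage 6: a reflected parameter is encoded the same way before being echoed.
    static String getRequestParameter(Map<String, String> params, String name) {
        return htmlEncode(params.getOrDefault(name, ""));
    }

    static String findProfilePage(Map<String, String> params) {
        return "<p>No profile found for " + getRequestParameter(params, "name") + "</p>";
    }

    public static void main(String[] args) {
        // Stage 2: markup in the address field is rejected at write time.
        System.out.println(parseEmployeeProfile(101, "<script>alert(1)</script>"));   // false
        System.out.println(parseEmployeeProfile(101, "1 Main St. #4"));              // true

        // Stage 4: a value that reached the table without validation is still inert on output.
        ADDRESS_TABLE.put(102, "<script>alert(1)</script>");
        System.out.println(getEmployeeProfile(102));
        // <tr><td>Address</td><td>&lt;script&gt;alert(1)&lt;/script&gt;</td></tr>

        // Stage 6: the reflected search term is encoded before it is echoed.
        System.out.println(findProfilePage(Map.of("name", "<b onmouseover=\"x\">")));
    }
}
```

Input validation (Stage 2) narrows what is accepted and is worth keeping, but only output encoding (Stages 4 and 6) is applied at the point where the data meets the browser, so it is the control that still holds for data that entered the table by another route.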
Reminders
Next Meeting
 - December 2, 2008 6:00 PM – 8:00 PM
 - Presentations: TBD
 - Some ideas: Jakarta Commons/Struts Validator, SOA/Web Services Security, Web application security testing, ACEGI, mod_security
 - Location: Gevity, Lakewood Ranch
OWASP Conference & Training
 - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
 - Joe Jarzombek (Director for Software Assurance – DHS)
 - Howard Schmidt (White House Cyber-security Advisor)
 - Robert "Rsnake" Hansen, Jeremiah Grossman, and others
Reminders
Becoming Involved
Participate in OWASP projects
 - Contribute to existing projects
 - Propose new projects
 - Spearhead new ventures
Support & Participate in the Suncoast Chapter
 - Present
 - Spread the word
 - Sponsorship
Mailing Lists
 - Open forums for discussion of any relevant web application security topics
Become a Member
http://www.owasp.org/index.php/Membership
Special thanks to John Hale &
Gevity for the conference room!
Thank you for attending!