OWASP_WebGoat

Download Report

Transcript OWASP_WebGoat 

OWASP WebGoat v5
<Presenter>
OWASP
16 April 2010
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
What’s a WebGoat
OWASP project with ~115,000 downloads
Deliberately insecure Java EE web application
Teaches common application vulnerabilities via a
series of individual lessons
OWASP
2
History of WebGoat
Donated to OWASP by Aspect Security ~2002
Project Lead is Bruce Mayhew
Started to receive outside contributions in 2005
v5 produced as AoC
2006 project
OWASP
3
WebGoat Demonstrates Vulnerabilities
WebGoat uses “goatified” real world
examples
Cross site scripting
SQL Injection
Command Injection
Forced Browsing
Access Control
 Data, presentation, business, & environmental
layers
Authentication
AJAX
WebServices
….
OWASP
4
Picking up Steam…
Used by source code analysis and web
application security scanning vendors for demos
Used by universities in security curriculum
Carnegie-Mellon
 Using WebGoat as open source project option
University of Denver
Wouldn’t it be great if students contributed lessons as
part of their class projects!!
OWASP Autumn 2006 and Spring of Code 2007
Projects
Used by many companies as a training tool
LOTS of emails from user community
OWASP
5
What’s New in 5.X
5.0 – Autumn of Code 2006 Release
Many new lessons
 AJAX, JSON, HTTP response splitting, CSRF, cache poisoning,
log poisoning, XML & XPATH Injection, forced browsing
5.2 – current release
Introduction and WebGoat instructions
Multi Level Login Lesson
Session Fixation Lesson
Insecure Login Lesson
Lesson Solution Videos
Bug Report Feature
OWASP
6
Roadmap
Create database schema common to all lessons
Convert lessons to a common theme
HR System (WebGoat Financials)
Online Banking or Video Store
Make WebGoat more CBT like
Teach application security, not just demonstate how
to attack
Convert lessons to JSPs for easier content
editing
OWASP
7
Demos – Lets go through some lessons!!
OWASP
8
Questions and Answers
QUESTIONS
ANSWERS
OWASP