Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Broken Web Applications (OWASP BWA): Beyond 1.0

Similar presentations


Presentation on theme: "OWASP Broken Web Applications (OWASP BWA): Beyond 1.0"— Presentation transcript:

1 OWASP Broken Web Applications (OWASP BWA): Beyond 1.0

2 Agenda Introductions Project Background Current Status Future Q & A 2

3 Sr. Technical Director at Mandiant in DC
About Me Sr. Technical Director at Mandiant in DC Application Security, Penetration Testing, Source Code Analysis, Forensics, Incident Response, Research and Development Leader of OWASP Broken Web Applications project @chuckatsf 3

4 Project Background

5 Looking for web applications with vulnerabilities where I could:
Problem Looking for web applications with vulnerabilities where I could: Test web application scanners Test manual attack techniques Test source code analysis tools Look at the code that implements the vulnerabilities Modify code to fix vulnerabilities Test web application firewalls Examine evidence left by attacks 5

6 It is a great learning tool, but…
OWASP WebGoat It is a great learning tool, but… It is a training environment, not a real application Same held for many other “training” applications 6

7 Proprietary “Free” Apps
Realistic applications with vulnerabilities Often closed source, which prevents some uses Can conflict with one another Can be difficult to install Licensing restrictions 7

8 Free, Linux-based Virtual Machine
OWASP BWA Solution Free, Linux-based Virtual Machine Contains a variety of web applications Some intentionally broken Some old versions of open source applications Pre-configured and ready to use / test All applications are open source Allows for source code analysis Allows users to modify the source to fix vulnerabilities (or add new ones) 8

9 Initial 0.9 release at AppSec DC 2009 1.0 release in July 2012
OWASP BWA History Initial 0.9 release at AppSec DC 2009 1.0 release in July 2012 Current version is 1.1.1 Released in September 2013 Download links off Some known issues 9

10 OWASP BWA Details

11 Available in VMware and OVA formats Compatible with
Virtual Machine Available in VMware and OVA formats Compatible with VMware Products No-cost and commercial OWASP BWA intentionally uses older VM format Oracle VirtualBox Parallels Desktop 11

12 OS is Ubuntu Linux Server 10.04 LTS Managed via
Base Operating System OS is Ubuntu Linux Server LTS No X-Windows / Graphical User Interface Managed via Console OpenSSH Samba phpMyAdmin 12

13 Base Software Apache PHP Perl MySQL Tomcat OpenJDK Mono Ruby Rails 13

14 ModSecurity and OWASP Core Rule Set Custom scripts
Additional Software SubVersion client GIT client PostgreSQL ModSecurity and OWASP Core Rule Set Custom scripts 14

15 Applications

16 Training Applications
OWASP WebGoat (Java) OWASP WebGoat.NET (ASP.NET/C#) OWASP ESAPI Java SwingSet Interactive (Java) OWASP Mutillidae II (PHP) OWASP RailsGoat (Ruby on Rails) OWASP Bricks (PHP) Damn Vulnerable Web Application (PHP) Ghost (PHP) Magical Code Injection Rainbow (PHP) 16

17 Realistic, Intentionally Broken Apps
OWASP Vicnum (PHP/Perl) OWASP 1-Liner (Java/JavaScript) Google Gruyere (Python) Hackxor (Java JSP) WackoPicko (PHP) BodgeIt (Java JSP) Cyclone Transfers (Ruby on Rails) Peruggia (PHP) 17

18 Old Versions of Real Applications
WordPress (PHP, released December 31, 2005) myGallery plugin version 1.2 Spreadsheet for WordPress plugin version 0.6 OrangeHRM version (PHP, released May 7, 2009) GetBoo version 1.04 (PHP, released April 7, 2008) gtd-php version 0.7 (PHP, released September 30, 2006) Yazd version 1.0 (Java, released February 20, 2002) WebCalendar version 1.03 (PHP, released April 11, 2006) TikiWiki version (PHP, released September 5, 2006) Gallery2 version 2.1 (PHP, released March 23, 2006) Joomla version (PHP, released November 4, 2009) AWStats version 6.4 (Perl, released February 25, 2005) 18

19 Other Applications Applications for Testing Tools
OWASP ZAP-WAVE (Java JSP) WAVSEP (Java JSP) WIVET (Java JSP) Demonstration Pages / Small Applications OWASP CSRFGuard Test Application (Java) Mandiant Struts Forms (Java/Struts) Simple ASP.NET Forms (ASP.NET/C#) Simple Form with DOM Cross Site Scripting (HTML/JavaScript) OWASP Demonstration Applications OWASP AppSensor Demo Application (Java) 19

20 Other Features

21 Application code can be edited via SMB shares, SSH, or the console
Editing Applications Application code can be edited via SMB shares, SSH, or the console Updates to PHP, JSP, etc. application files will take place immediately Scripts provided to rebuild and redeploy applications that require it: WebGoat Yazd CSRFGuard Test Apps SwingSet Apps 21

22 Scripts are provided to update VM from source code repositories
Updating VM Scripts are provided to update VM from source code repositories OWASP BWA specific files from Google Code SVN repository Application files from their SVN or GIT repositories Can break applications due to changes in database schemas or dependencies Can allow for using updated versions of applications without waiting for a new version of OWASP BWA 22

23 OWASP ModSecurity Core Rule Set
Web server on OWASP BWA is running mod_security By default, no rules are enabled Scripts are provided to: Enable logging using CRS: owaspbwa-modsecurity-crs-log.sh Enable blocking using CRS: owaspbwa-modsecurity-crs-block.sh Disable all rules: owaspbwa-modsecurity-crs-off.sh Rules can be easily edited via SMB shares 23

24 Logs are available via SMB share Logging settings can be easily edited
Log Files Logging for the web and application servers are left in their default configuration What you will most likely see when responding to an incident Logs are available via SMB share Logging settings can be easily edited Logs are cleared when VM is packaged 24

25 User Guide available on Google Code Wiki
https://code.google.com/p/owaspbwa/wiki/UserGuide Welcome any volunteers to contribute Author Review Edit Comment 25

26 Vulnerabilities

27 Where are the vulnerabilities?
Don’t have a master list of vulnerabilities (yet) Looking for the community to contribute Using “Trac” issue tracker at SourceForge: Not intended to duplicate content within applications or application documentation 27

28 Tracking Known Vulnerabilities
Anyone can search issues 28

29 Tracking Known Vulnerabilities
Anyone can see details on issues 29

30 Tracking Known Vulnerabilities
Anyone can submit issues Considering a registration requirement in order to prevent spam 30

31 Tracking Known Vulnerabilities
Registered users can edit issues 31

32 The Future

33 Version 1.2 planned before the end of 2013
Near Term Version 1.2 planned before the end of 2013 Bug fixes Add bWAPP application Update applications Add ability to more easily update OWASP Mutillidae 33

34 Documentation can use some work
Other Near Term Items Documentation can use some work Catalog of vulnerabilities can be expanded 34

35 Will get increasingly difficult to support modern and old applications
Longer Term Will get increasingly difficult to support modern and old applications Due to library and other dependency issues May move to multiple VMs Would like to improve set of applications… 35

36 More applications in more languages
Wish List More applications in more languages Compiled Java ASP.NET Python Node.js Common frameworks and libraries Looking for feedback from people who use VM for developer training 36

37 Wish List More modern UIs Rich JavaScript HTML5 Mobile optimized sites
Adobe Flash 37

38 More database backends
Wish List More database backends PostgreSQL SQLite NoSQL Opportunity for someone Create a small data driven application with SQL injection Make variants connected to different database backends 38

39 Improved set of real applications with security issues
Wish List Improved set of real applications with security issues More applications More modern applications 39

40 Wish List More web services Mobile apps Rich web UIs
Desktop thick clients 40

41 Looking for feedback from users
Wish List Updated home page on VM More intuitive layout Refreshed appearance Perhaps indicate applications based on Application’s scope Application’s level of activity / updates User’s role / level Looking for feedback from users 41

42 What do you want to see in OWASP BWA?

43 We welcome any help, feedback, or broken apps you can provide!

44 More Information and Getting Involved
More information on the project can be found at Join our Google Group: owaspbwa Follow us on Submit bugs and security issues to the trackers 44


Download ppt "OWASP Broken Web Applications (OWASP BWA): Beyond 1.0"

Similar presentations


Ads by Google