The OWASP Foundation, AppSec DC
Learning by Breaking: A New Project for Insecure Web Apps
Chuck Willis, Technical Director, MANDIANT
November 12, 2009

About Me
- MANDIANT: Commercial Services, Federal Services, Training and Education, Product (Mandiant Intelligent Response)
- My experience: 10+ years total experience in Information Security; penetration testing, application security, source code analysis, forensics, incident response, R&D
- Member of OWASP DC Chapter (and CapSec)

Problem
I was looking for web applications with vulnerabilities where I could:
- Test web application scanners
- Test manual techniques
- Test source code analysis tools
- Look at the code that implements the vulnerabilities
- Modify code to fix vulnerabilities
- Test web application firewalls

Option: WebGoat
- It is a great learning tool, but
- It is a training environment, not a real application
- Same holds for other "artificial" applications

Option: Proprietary "Free" Apps
- Realistic applications with vulnerabilities
- Often closed source, which prevents some uses
- Can conflict with one another
- Can be difficult to install
- Licensing restrictions

Solution
- Create a set of broken, open source applications
- Put them all on a VMWare Virtual Machine
- Donate it to OWASP
- Profit?

Base Software
- Based on Ubuntu Linux Server 9.10
- No X-Windows
- Apache
- PHP
- Perl
- MySQL
- PostgreSQL
- Tomcat
- OpenJDK
- Mono

Management Software
- OpenSSH
- Samba
- phpMyAdmin
- Subversion Client

Intentionally Broken Apps
- OWASP WebGoat version 5.3 (Java)
- OWASP Vicnum version 1.3 (Perl)
- Mutillidae version 1.3 (PHP)
- Damn Vulnerable Web Application version 1.06 (PHP)

Intentionally Broken Apps (continued)
- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
- LOOKING FOR DONATIONS!

Old Versions of Real Applications
- phpBB (PHP, released April 4, 2002)
- WordPress (PHP, released December 31, 2005)
- Yazd version 1.0 (Java, released February 20, 2002)
- LOOKING FOR IDEAS!

Where are the vulnerabilities?
- Don't have a master list of vulnerabilities (yet)
- Counting on the community to contribute
- Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
- May move to wiki page(s) on the OWASP site

What's in a name?
- Tentatively called "OWASP Broken Web Applications Project"
- I'm open to suggestions

The Future
- Establish as an OWASP project: wiki page, mailing list
- Update project for collaboration: create and maintain documentation, push content to Google Code
- Incorporate additional broken apps: the larger, the better
- Would like more real / realistic applications
- Adobe Flash (could use some help here)
- Ruby on Rails?

More Information and Downloads
- More information can be found at
- Version 0.9 of the VM has been released!
- Linked from the blog at mandiant.com
- I have a few CDs of the VM for anyone who wants them

I welcome any help / broken apps you can provide!

Questions?