What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt

2 2 Few Facts and figures: How Many Vulnerabilities Are Application Security Related?

3 3 What is OWASP?  Open Web Application Security Project ● Promotes secure software development ● Oriented to the delivery of web oriented services ● Focused primarily on the “back-end” than web-design issues ● An open forum for discussion ● A free resource for any development team

Chapters Worldwide

5 OWASP Sponsors

6 6 OWASP Publications- All Free Top 10 Web Application Security Vulnerabilities Guide to Building Secure Web Applications Legal Project Metrics & Measurements Project Testing Project AppSec Faq

7 7 OWASP Software Major Applications WebGoat WebScarab.Net Projects oLab Projects

8 8 OWASP Software -.NET Projects .Net Projects ● A collection of tools focused on securing ASP.NET projects ● Include security analyzers and documentation projects ● Current Projects ̶ Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments ̶ SAM’SHE – Security Analyzer for Microsofts Shared Hosting Environments – toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments ̶ ANSA – Asp.Net Security Analyzer written in C# to identify configuration and software issues that impact security ̶ Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments ●

9 What is the OWASP Live CD  A bootable CD with loads of pre packaged Web security tools and toys  The Latest project of OWASP and the most talked about in the Web Security Community  Comes also as a Free VM Image

10 Live CD Benefits and Tools List  It’s Free, Easy and Safe to use  Current Tools List ● OWASP WebScarab ● OWASP WebGoat ● OWASP JBroFuzz ● Paros Proxy ● nmap ● Wireshark ● tcpdump ● Firefox 3 ● Burp Suite ● Grenedel-Scan ● OWASP DirBuster ● OWASP SQLiX ● OWASP WSFuzzer ● Metasploit 3  Future Tools List ● nikto ● Skavenger ● sqlmap ● sqlninja ● Absinthe ● webshag ● httprint ● BEEF ● ProxyMon ● Rat Proxy

11 Tool Focus WebGoat  Start the WebGoat Server from the Main Menu  In Firefox Type :  User Name: guest  Password: guest  Start Learning !!

12 What is WebGoat  OWASP project with ~115,000 downloads so far  Deliberately insecure Java EE web application  Teaches common application vulnerabilities via a series of individual lessons

13 Real World Examples ● Cross site scripting ● SQL Injection ● Command Injection ● Forced Browsing ● Access Control ̶ Data, presentation, business, & environmental layers ● Authentication ● AJAX ● WebServices

14 WebGoat Users  Used by Clients for source code analysis and web application security scanning.  Used by universities in security curriculum ● Carnegie-Mellon ̶ Using WebGoat as open source project option ● University of Denver ● Wouldn’t it be great if students contributed lessons as part of their class projects!!  OWASP Autumn 2006 and Spring of Code 2007 Projects  Used by many companies as a “safe”training tool  LOTS of s from user community

15 What’s New in 5.x  5.0 – Autumn of Code 2006 Release ● Many new lessons ̶ AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing  5.1 (Summer 2007) ● Servlet that allows attacks to post data ̶ Posted data is pushed back to originating lesson ● XSS Phishing attack ● Improved lesson content ● Enhanced Documentation (A SpoC 2007 project)

16 Work in Progress  Convert lessons to a common theme ● HR System (WebGoat Financials) ● Online Banking or Video Store

17 Questions & Demo

Thank You