April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden

Slides:

Advertisements

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Advertisements

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Windows Azure for SharePoint people Dennis – Solution Architect Microsoft Windows Azure.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

By Josh Sokol. # whoami  Josh Sokol  B.S. in Computer Science  Cisco Certified Network Associate (CCNA)  SANS GIAC in Web Application.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

3/10/07ACM SIGCSE'071 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Zhouxuan Teng & Ronghua Wang Department.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

The OWASP Foundation AppSec DC Learning by Breaking A New Project for Insecure Web Apps Chuck Willis Technical Director MANDIANT

1 Bringing P2P to the Web: Security and Privacy in the Firecoral Network Jeff Terrace Harold Laidlaw Hao Eric Liu Sean Stern Michael Freedman.

By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Penetration testing – W3AF Tool

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt.

Maintain and Modify By: Sahar Aftab (1253 ) and Mehboob Nazim (1085) Central Library.

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

WHAT IS PHP PHP is an HTML-embedded scripting language primarily used for dynamic Web applications.

SYST Web Technologies SYST Web Technologies Installing a Web Server (XAMPP)

Security Scanning OWASP Education Nishi Kumar Computer based training

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Lixin Tao, Li-Chiou Chen & Chienting Lin Pace University

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

MIS Week 5 Site:

bWAPP – Bee Bug – Installation

Presentation 8: SOAP in a distributed object framework, Application Servers & AXIS SOAP.

Nynox.com Nynox Help Desk Affordable Help Desk Solution.

CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.

PHP and MySQL by Example COMP YL Professor Mattos.

Architecture Planning and designing a successful system Use tried and tested techniques Easy to maintain Robust and long lasting.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.

1Computer Sciences Department Princess Nourah bint Abdulrahman University.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Presentation: SOAP/WS in a distributed object framework, Application Servers & AXIS SOAP.

CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

I-Hack’08 International Hacking Competition “Details”

Web Applications Testing By Jamie Rougvie Supported by.

Deconstructing API Security

Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.

MIS Week 5 Site:

Kali Linux BY BLAZE STERLING. Roadmap  What is Kali Linux  Installing Kali Linux  Included Tools  In depth included tools  Conclusion.

Penetration Testing By Blaze Sterling. Roadmap What is Penetration Testing How is it done? Penetration Testing Tools Kali Linux In depth included tools.

Stuff to memorise… "A method tells an object to perform an action. A property allows us to read or change the settings of the object."

Outline  XAMPP  XAMPP Install  Put php and HTML documents  Windows and Mac Version  Security.

PHP is a server scripting language, and a powerful tool for making dynamic and interactive Web pages. PHP is a widely-used, free, and efficient alternative.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Software Testing Training Online. Software testing is ruling the software business in current scenario. It provides an objective, independent view of.

Introduction to Internet Programming (Web Based Application)

Web Programming Language

Web Application Security

WEB APPLICATION TESTING

OWASP Static Analysis (SA) Track Goals, Objectives, and Track Roadmap

PHP / MySQL Introduction

An example of a pilot project as part of USP course:

Yii - For the Future - Gen Web Development Platform

Advanced Penetration testing

OWASP WebGoat v5 16 April 2010.

HTML Level II (CyberAdvantage)

Web Application Development Using PHP

Presentation transcript:

April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden

April 14, 2008Secure Coding Faculty Workshop Approaches 1. Write your own web application Students evaluate and fix your code. 2. Students write a web application Students evaluate and fix their own code. 3. Construct exercises with 3 rd party tools i. Use a web security teaching tool (WebGoat) ii. Use a web application designed for learning about security (BadStore) iii. Analyze an open source web application with known vulnerabilities.

April 14, 2008Secure Coding Faculty Workshop Tools for Exercises Browser Plugins Modify HTTP headers + form parameters. Examples: Tamper Data for Firefox Proxy Suites Modify parameters + Spidering Fuzz testing. Session key analysis. Decoding. Examples: Burp Suite, Paros Proxy, WebScarab Static + Dynamic Analysis

April 14, 2008Secure Coding Faculty Workshop Write your own web application Most flexible approach. Also the most time-consuming. Can be used for Individual vulnerability education Penetration testing exercise Pen test + code maintenance exercise Framework for students to build upon.

April 14, 2008Secure Coding Faculty Workshop My web applications BlogEngine: PHP-based blog application with many types of vulnerabilities including access ctl, dir traversal, SQL injection, XSS. SQL Injection Demos: Perl-based SQL injection demonstrations, with 2 vulnerable perl CGI scripts, 3 fixed CGI scripts with different approaches to fixing.

April 14, 2008Secure Coding Faculty Workshop Distribution Issues 1. Compatibility Can the application run on students’ PCs? 2. Permissions Do students have rights to install + run? 3. Security If students can hack app, so can others. Need to isolate insecure app from Internet.

April 14, 2008Secure Coding Faculty Workshop Distribution Solutions Virtual Machines VM environment identical for all students. VM can be isolated to host-only network. VMWare Player free for Linux + Windows Used for SQL injection demos. XAMPP Apache + MySQL + PHP + Perl Easy to install distribution Linux, Windows, Mac OS X, Solaris Used for BlogEngine.

April 14, 2008Secure Coding Faculty Workshop Students write a web application Advantages Students see what bugs they write. Compare different implementations of app. Good technique for integrating into SwEng. Disadvantages Cannot predict vulnerabilities in advance. Limited by time students have to develop.

April 14, 2008Secure Coding Faculty Workshop Exercises Abuse Cases Use attack patterns to create abuse cases. Architectural Risk Analysis Draw + review DFDs for application. Risk analysis based on DFDs + abuse cases. Most useful after first iteration. Code Review + Static Analysis Use Fortify SCA to analyze source code. Code review: moderator, author Penetration Testing Find bugs in their own or another group’s project.

April 14, 2008Secure Coding Faculty Workshop Exercises with 3 rd party tools 1. Use a web security teaching tool 1. Exercises for specific vulnerabilities. 2. May include hints, completion tracking. 2. Use a web application designed for learning about security 1. Application designed with vulnerabilities. 2. Vary based on web platform, vuln types. 3. Analyze an open source web application with known vulnerabilities.

April 14, 2008Secure Coding Faculty Workshop Web Security Teaching Tools WebGoat GPL J2EE teaching application Hack This Site Online security exercises, incl web security. NTO Hackme Site Only two live lessons (XSS and SQL inject)

April 14, 2008Secure Coding Faculty Workshop Using Web Security Teaching Tools Focus on a single vulnerability Learn about single vulnerability in isolation. No need to understand entire application. Useful for In-class demonstrations of vulnerabilities. Single vulnerability assignments. Multi-vulnerability assignments for classes that have only a single unit on web security.

April 14, 2008Secure Coding Faculty Workshop Web Security Demo Apps BadStore GPL shopping app available as ISO image Hacme Bank, Books, and Travel J2EE, MS, and C++ apps for pen testing WebMaven (aka Buggy Bank) GPL bank app, MS install instructions only International Capture the Flag Annual competition focusing on web apps.

April 14, 2008Secure Coding Faculty Workshop Using Web Security Demo Apps Focus on penetration testing Broad range of web vulnerabilities. Requires > effort & skill than teaching tools Advantages Whole application security perspective. Provide a more authentic experience. Useful for Penetration testing assignments (find 10 vulnerabilities in the next week.)

April 14, 2008Secure Coding Faculty Workshop Using Open Source Web Apps Focus on testing and fixing vulnerabilities Not as many known vulnerabilities. May take effort to find insecure versions. Provides a more authentic experience. Useful for Penetration testing assignments. Code maintenance assignments. Static and dynamic analysis assignments.

April 14, 2008Secure Coding Faculty Workshop Key Points Write your own web application Flexible but time-consuming approach. Student-written applications Assignments throughout the SDLC. Cannot predict vulnerabilities in advance. Third party applications Use WebGoat to teach about vulnerabilities. Use BadStore to teach about vulnerabilities in semi- authentic context, penetration testing. Open source to teach about authentic vulnerabilities.