Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.


Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation, OWASP AppSec, June 2004, NYC
WebGoat Project Review
Bruce Mayhew, WebGoat Project Technical Lead

OWASP AppSec 2004

How Do You Teach Application Security?
Change the way developers think…
- They have to understand the danger
- Prove their code can be broken
- Show them how to exploit flaws

What is WebGoat?
- Concept
  - Full web application riddled with holes
  - Training environment
  - Hands-on learning for developers
  - Individual lessons for the OWASP Top 10
- Implementation
  - J2EE Servlet with JDBC database
  - Basic authentication, roles
  - Declarative and programmatic access control
  - Persistent
  - Very easy to add new lessons

What's in a Lesson?
- Explain the vulnerability.
- Show the broken code.
- Allow the user to exploit the vulnerability.
- Show the correct code.

Explain the Vulnerability
- Fail Open Authentication
- This lesson presents the basics for understanding the "fail open" condition regarding authentication. The security term "fail open" describes a behavior of a verification mechanism: an error (i.e. an unexpected exception) occurs during a verification method and causes that method to evaluate to true. This is especially dangerous during login.

Show the Broken Code

    String username = "";
    String password = "";
    try {
        username = s.getParser().getRawParameter( USERNAME );
        password = s.getParser().getRawParameter( PASSWORD );
        // if credentials are bad, send the login page
        if ( !"webgoat".equals( username ) || !password.equals( "webgoat" ) ) {
            s.setMessage( "Invalid username and password entered." );
            return ( makeLogin( s ) );
        }
    } catch ( Exception e ) {
        // the error is reported, but control falls through to the success path below
        s.setMessage( "Error generating " + this.getClass().getName() );
    }
    // reached on good credentials AND after any exception: fail open
    return ( makeUser( s, username, "Login Succeeded" ) );

Exploit the Vulnerability
[Picture of WebGoat lesson]

Exploit the Vulnerability (continued)
[Picture of WebGoat lesson]

How It Should Be Done

    String username = "";
    String password = "";
    try {
        username = s.getParser().getRawParameter( USERNAME );
        password = s.getParser().getRawParameter( PASSWORD );
        // only good credentials reach the success path
        if ( "webgoat".equals( username ) && password.equals( "webgoat" ) ) {
            return ( makeUser( s, username, "Login Succeeded" ) );
        }
        // bad credentials fall through to the login page
        s.setMessage( "Invalid username and password entered." );
    } catch ( Exception e ) {
        // any error also ends at the login page: fail closed
        s.setMessage( "User name or password is incorrect" );
    }
    return ( makeLogin( s ) );
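The two slides above show the broken and corrected login side by side, but inside the WebGoat framework the effect of the exception path is easy to miss. The following is an added, self-contained example that is not WebGoat code: it reproduces both patterns as plain Java methods and drives them with constructed requests, including the case that triggers the exception (a missing password parameter). The Request class is a hypothetical stand-in for WebGoat's getParser().getRawParameter(), assumed here to throw when a parameter is absent.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not WebGoat code): fail-open and fail-closed login patterns
// side by side, driven by constructed requests.
public class FailOpenDemo {

    // Hypothetical stand-in for s.getParser().getRawParameter(): throws when the
    // parameter is absent, which is the error path the lesson is about.
    static final class Request {
        private final Map<String, String> params;

        Request(Map<String, String> params) {
            this.params = params;
        }

        String getRawParameter(String name) {
            String value = params.get(name);
            if (value == null) {
                throw new IllegalArgumentException("missing parameter: " + name);
            }
            return value;
        }
    }

    // Broken pattern: the only explicit return inside try is the failure path,
    // so an exception skips the check entirely and lands on the success return.
    static boolean loginFailOpen(Request r) {
        try {
            String username = r.getRawParameter("username");
            String password = r.getRawParameter("password");
            // if credentials are bad, deny
            if (!"webgoat".equals(username) || !password.equals("webgoat")) {
                return false;
            }
        } catch (Exception e) {
            // the error is swallowed and control continues to the line below
        }
        return true; // reached on good credentials AND after any exception
    }

    // Corrected pattern: success is returned only from the explicit positive
    // branch; every other path, including an exception, ends in denial.
    static boolean loginFailClosed(Request r) {
        try {
            String username = r.getRawParameter("username");
            String password = r.getRawParameter("password");
            if ("webgoat".equals(username) && "webgoat".equals(password)) {
                return true;
            }
        } catch (Exception e) {
            // any error is treated as a failed login
        }
        return false; // the default outcome is denial
    }

    public static void main(String[] args) {
        // Constructed sample requests: valid, wrong password, and no password at all
        Map<String, String> good = new HashMap<>();
        good.put("username", "webgoat");
        good.put("password", "webgoat");

        Map<String, String> bad = new HashMap<>(good);
        bad.put("password", "wrong");

        Map<String, String> missing = new HashMap<>();
        missing.put("username", "webgoat"); // password parameter deliberately absent

        Request[] requests = { new Request(good), new Request(bad), new Request(missing) };
        String[] labels = { "good credentials", "bad credentials", "missing password parameter" };

        for (int i = 0; i < requests.length; i++) {
            System.out.printf("%-28s fail-open=%-5b fail-closed=%b%n",
                    labels[i], loginFailOpen(requests[i]), loginFailClosed(requests[i]));
        }
    }
}
```

Run it with `java FailOpenDemo.java` (Java 11 or later). The third row is the one the lesson teaches: the fail-open method reports success for a request that never supplied a password, because the exception bypassed the credential check, while the fail-closed method denies it. The code-review rule that follows from this is mechanical: any authorization or authentication method whose success value is the fall-through after a try/catch, rather than an explicit return inside the positive branch, is fail-open by construction.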

It's Simple to Add a Lesson
- Set up the framework.
- Implement createContent().
- Implement the other methods.
- Install and run.

Set Up the Framework
- Use the WebGoat LessonAdapter.

    public class NewLesson extends LessonAdapter {
        protected Element createContent(WebSession s) {
            return( new StringElement( "Hello World" ) );
        }
        // stubs, filled in on the following slides
        public String getCategory() { }
        protected List getHints() { }
        protected String getInstructions() { }
        protected Element getMenuItem() { }
        protected Integer getRanking() { }
        public String getTitle() { }
    }

Implement createContent()
- The "brains" of the lesson.

    protected Element createContent(WebSession s) {
        ElementContainer ec = new ElementContainer();
        try {
            // get some input from the user -- see ParameterParser for details
            String userInput = s.getParser().getStringParameter(INPUT, "");

            // do something with the input
            // -- SQL query?  -- Runtime.exec?  -- Some other dangerous thing

            // generate some output -- a string and an input field
            ec.addElement(new StringElement("Enter a string: "));
            ec.addElement( new Input(Input.TEXT, INPUT, userInput) );

            // Tell the lesson tracker the lesson has completed, when lesson has been "hacked"
            getLessonTracker( s ).setCompleted( true );
        } catch (Exception e) {
            s.setMessage("Error generating " + this.getClass().getName());
            e.printStackTrace();
        }
        return (ec);
    }

Implement the Other Methods
- Add the supporting details
- Use Ant to build, install, and run

    public String getCategory() {
        return( "New Category or Existing Category" );
    }

    protected List getHints() {
        // Hints will be returned to the user in the order they appear below
        // when the user clicks on the "next hint"
        List hints = new ArrayList();
        hints.add("A general hint to put users on the right track");
        hints.add("A hint that gives away a little piece of the problem");
        hints.add("A hint that basically gives the answer");
        return hints;
    }

    protected String getInstructions() {
        return( "Lesson scenario and instructions" );
    }

    protected Element getMenuItem() {
        // must return an Element, not a bare String
        return( new StringElement( "MyLesson" ) );
    }

    protected Integer getRanking() {
        return new Integer(10);
    }

    public String getTitle() {
        return ("My Lesson's Short Title");
    }

It Looked Pretty Easy… It Was!
You can create a simple lesson in 30 minutes.

How Do You Run WebGoat?
- Problems with old installer fixed
- Download, Unzip, Click, & Browse
  - Unzip the distribution
    - Use WebGoat-3.0b.zip if you have Java
    - Use WebGoat-3.0b_JAVA.zip if you don't
  - Double-click tomcat.bat
  - Browse to

Cool Stuff
- Report Card

Cool Stuff
- Hackable Admin Interface

WebGoat Supports the OWASP Top 10
- Thread Safety
- Hidden Field Tampering
- Anonymous/Dangerous
- Javascript Validation
- Remote Admin
- Access Control
- Weak Authentication Cookie
- Stored and Reflected Cross Site Scripting
- HTML Clues
- Encoding Basic
- Forced Browsing
- HTTP Basic
- Fail Open Authentication
- Command Injection
- Forget password *
- Buffer Overflow *
- Denial of Service (Login) **
- Challenge

Roadmap
- For the user:
  - More lessons
  - Update the User's Guide
  - Is it too simple?
- Improve the infrastructure:
  - Use JSPs to replace ECS
  - Port to Apache Struts
  - Refactor internal database

OWASP Wants Your Ideas!
- Is WebGoat part of your training environment?
- What features do you need?
- How can you get involved?
  - Even a little effort helps
  - Great place to learn web application basics
- WebGoat could use help with:
  - Converting to JSPs and Struts (Java, HTML, Struts)
  - Storyboarding lessons
  - Updating lesson plans and lesson instructions

Share Your Ideas
Bruce Mayhew