Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

The OWASP Foundation
OWASP WebGoat & WebScarab
September 9, 2008
By Stephen Carter & Mike Nixon
Part 1: Introduction to WebGoat & WebScarab
WebGoat
WebGoat is a deliberately insecure J2EE web application maintained by OWASP.
Goal: create a de-facto interactive teaching environment for web application security.
- Currently over 30 lessons
- Anyone can create a lesson
- Future: “security benchmarking platform and Web site Honeypot”
Project Page: Goat_Project
WebGoat Installation
Obtaining WebGoat: d=64424&package_id=61824
Installation (Developer Version for Windows):
1. Download WebGoat-OWASP_Developer-5.2.zip
2. Unzip to C:\
3. Unzip Eclipse-Workspace.zip to C:\WebGoat-5.2
4. Double-click eclipse.bat
5. Open WebGoat
Default username “guest”, password “guest”
WebScarab
WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols.
- Proxy, Fuzzer, Session ID Analyzer, Spider and more…
- Disclaimer: “…it is a tool primarily designed to be used by people who can write code themselves…”
WebScarab-NG
- Complete rewrite with focus on user-friendliness
- Uses Spring RCP
Project Page: oject
WebScarab Installation
Obtaining WebScarab: d=64424&package_id=61823
Installation (Windows):
1. Download
2. Double-click the webscarab-installer jar
3. Next, Next, …
4. Start > Programs > WebScarab > WebScarab
WebScarab as a Proxy
Firefox: Tools > Options > Advanced > Network > Settings > Manual Proxy Configuration: localhost, port 8008
WebScarab: Proxy > Intercept Requests
Part 2: Using WebGoat & WebScarab
WebGoat Tips: Helpful Tools
HTTP Proxy
- OWASP WebScarab
- LiveHTTPHeaders
- TamperData
Web Developer Tools
- Firebug
- Web Developer
WebGoat Tips: Built-in Help
- Hints: fight the urge
- Show Params: HTTP request params
- Show Cookies: HTTP request cookies
- Lesson Plan: goals & objectives
- Show Java: underlying Java source code for the lesson
- Solutions: last resort!
Lab: Role Based Access Control
Stage 1: Bypass business layer access control
Stage 2: Add business layer access control
- Check that the user is authorized for the action: handleRequest() in RoleBasedAccessControl.java
Stage 3: Bypass data layer access control
Stage 4: Add data layer access control
- Check that the user is authorized for the action on a certain employee: handleRequest() in RoleBasedAccessControl.java
Lab: Cross Site Scripting (XSS)
Stage 1: Stored XSS
Stage 2: Correct the stored XSS vulnerability
- Filter before it is written to the database: parseEmployeeProfile() in UpdateProfile.java
Stage 3: Stored XSS revisited
Stage 4: Correct the stored XSS vulnerability
- Encode/filter after retrieving from the database, before displaying to the user: getEmployeeProfile() in ViewProfile.java, using HtmlEncoder.encode()
Stage 5: Reflected XSS
Stage 6: Correct the reflected XSS vulnerability
- getRequestParameter() in FindProfile.java
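The stage 4 fix pattern (encode on output, after retrieval from the database) as an added example; this is not WebGoat's own ViewProfile or HtmlEncoder code. The class, the htmlEncode/renderSafe names and the sample profile are constructed stand-ins, and the encoder is a minimal one in the spirit of HtmlEncoder.encode().

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ProfileOutputEncoding {
    // Minimal HTML encoder in the spirit of WebGoat's HtmlEncoder.encode();
    // a stand-in, not the lesson's own class.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    static String row(String label, String value) {
        return "<tr><td>" + label + "</td><td>" + value + "</td></tr>\n";
    }

    // Stage 3 behaviour: the stored field is copied into the page as-is.
    static String renderUnsafe(Map<String, String> profile) {
        StringBuilder html = new StringBuilder();
        profile.forEach((k, v) -> html.append(row(k, v)));
        return html.toString();
    }

    // Stage 4 fix: encode after retrieval, before display. Input filtering
    // (stage 2) does not replace this; rows already in the database, or
    // written through another path, must still render safely.
    static String renderSafe(Map<String, String> profile) {
        StringBuilder html = new StringBuilder();
        profile.forEach((k, v) -> html.append(row(htmlEncode(k), htmlEncode(v))));
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: an employee "address" field holding markup.
        Map<String, String> profile = new LinkedHashMap<>();
        profile.put("name", "Tom Cat");
        profile.put("address", "<script>alert('xss')</script>");
        System.out.println(renderUnsafe(profile)); // script element reaches the browser
        System.out.println(renderSafe(profile));   // &lt;script&gt;... is inert text
    }
}
```

Stage 6 (reflected XSS) is the same principle applied to the request parameter rather than a database value: the encoding step belongs where the value is written into the response.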
Reminders
Next Meeting: December 2, :00 PM – 8:00 PM
Presentations: TBD. Some ideas: Jakarta Commons/Struts Validator, SOA/Web Services Security, Web application security testing, ACEGI, mod_security
Location: Gevity, Lakewood Ranch
OWASP Conference & Training
- Joe Jarzombek (Director for Software Assurance, DHS)
- Howard Schmidt (White House Cyber-security Advisor)
- Robert “RSnake” Hansen, Jeremiah Grossman, and others
Reminders: Becoming Involved
Participate in OWASP projects
- Contribute to existing projects
- Propose new projects
- Spearhead new ventures
Support & participate in the Suncoast Chapter
- Present
- Spread the word
- Sponsorship
Mailing Lists: open forums for discussion of any relevant web application security topics
Become a Member
Special thanks to John Hale & Gevity for the conference room! Thank you for attending!