
The OWASP Foundation AppSec DC Learning by Breaking A New Project for Insecure Web Apps Chuck Willis Technical Director MANDIANT


1. Learning by Breaking: A New Project for Insecure Web Apps
   The OWASP Foundation, AppSec DC, http://www.owasp.org
   Chuck Willis, Technical Director, MANDIANT, chuck.willis@mandiant.com
   November 12, 2009

2. About Me
- MANDIANT
  - Commercial Services
  - Federal Services
  - Training and Education
  - Product: Mandiant Intelligent Response
- My Experience
  - 10+ years total experience in Information Security
  - Penetration Testing, Application Security, Source Code Analysis, Forensics, Incident Response, R&D
  - Member of OWASP DC Chapter (and CapSec)

3. Problem
- I was looking for web applications with vulnerabilities where I could:
  - Test web application scanners
  - Test manual techniques
  - Test source code analysis tools
  - Look at the code that implements the vulnerabilities
  - Modify code to fix vulnerabilities
  - Test web application firewalls

4. Option: WebGoat
- It is a great learning tool, but
  - It is a training environment, not a real application
  - The same holds for other “artificial” applications

5. Option: Proprietary “Free” Apps
- Realistic applications with vulnerabilities
- Often closed source, which prevents some uses
- Can conflict with one another
- Can be difficult to install
- Licensing restrictions

6. Solution
- Create a set of broken, open source applications
- Put them all on a VMware virtual machine
- Donate it to OWASP
- Profit?

7. Base Software
- Based on Ubuntu Linux Server 9.10
  - No X Windows
  - Apache
  - PHP
  - Perl
  - MySQL
  - PostgreSQL
  - Tomcat
  - OpenJDK
  - Mono

8. Management Software
- OpenSSH
- Samba
- phpMyAdmin
- Subversion client

9. Intentionally Broken Apps
- OWASP WebGoat version 5.3 (Java)
- OWASP Vicnum version 1.3 (Perl)
- Mutillidae version 1.3 (PHP)
- Damn Vulnerable Web Application version 1.06 (PHP)

10. Intentionally Broken Apps (continued)
- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
- LOOKING FOR DONATIONS!

11. Old Versions of Real Applications
- phpBB 2.0.0 (PHP, released April 4, 2002)
- WordPress 2.0.0 (PHP, released December 31, 2005)
- Yazd version 1.0 (Java, released February 20, 2002)
- LOOKING FOR IDEAS!

12. Where are the vulnerabilities?
- Don’t have a master list of vulnerabilities (yet)
  - Counting on the community to contribute
  - Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
  - May move to wiki page(s) on the OWASP site

13. What’s in a name?
- Tentatively called “OWASP Broken Web Applications Project”
- I’m open to suggestions

14. The Future
- Establish as an OWASP project
  - Wiki page
  - Mailing list
- Update project for collaboration
  - Create and maintain documentation
  - Push content to Google Code
- Incorporate additional broken apps
  - The larger, the better
  - Would like more real / realistic applications
  - Adobe Flash (could use some help here)
  - Ruby on Rails?

15. More Information and Downloads
- More information can be found at http://code.google.com/p/owaspbwa/
  - Version 0.9 of the VM has been released!
  - Linked from the blog at mandiant.com
- I have a few CDs of the VM for anyone who wants them

16. I welcome any help / broken apps you can provide!

17. Questions?
