Presentation is loading. Please wait.

Presentation is loading. Please wait.

April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden

Published byShannon Booker Modified over 8 years ago

Similar presentations

Presentation on theme: "April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden"— Presentation transcript:

1 April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden waldenj@nku.edu

2 April 14, 2008Secure Coding Faculty Workshop Approaches 1. Write your own web application Students evaluate and fix your code. 2. Students write a web application Students evaluate and fix their own code. 3. Construct exercises with 3 rd party tools i. Use a web security teaching tool (WebGoat) ii. Use a web application designed for learning about security (BadStore) iii. Analyze an open source web application with known vulnerabilities.

3 April 14, 2008Secure Coding Faculty Workshop Tools for Exercises Browser Plugins Modify HTTP headers + form parameters. Examples: Tamper Data for Firefox Proxy Suites Modify parameters + Spidering Fuzz testing. Session key analysis. Decoding. Examples: Burp Suite, Paros Proxy, WebScarab Static + Dynamic Analysis

4 April 14, 2008Secure Coding Faculty Workshop Write your own web application Most flexible approach. Also the most time-consuming. Can be used for Individual vulnerability education Penetration testing exercise Pen test + code maintenance exercise Framework for students to build upon.

5 April 14, 2008Secure Coding Faculty Workshop My web applications BlogEngine: PHP-based blog application with many types of vulnerabilities including access ctl, dir traversal, SQL injection, XSS. SQL Injection Demos: Perl-based SQL injection demonstrations, with 2 vulnerable perl CGI scripts, 3 fixed CGI scripts with different approaches to fixing.

6 April 14, 2008Secure Coding Faculty Workshop Distribution Issues 1. Compatibility Can the application run on students’ PCs? 2. Permissions Do students have rights to install + run? 3. Security If students can hack app, so can others. Need to isolate insecure app from Internet.

7 April 14, 2008Secure Coding Faculty Workshop Distribution Solutions Virtual Machines VM environment identical for all students. VM can be isolated to host-only network. VMWare Player free for Linux + Windows Used for SQL injection demos. XAMPP Apache + MySQL + PHP + Perl Easy to install distribution Linux, Windows, Mac OS X, Solaris Used for BlogEngine.

8 April 14, 2008Secure Coding Faculty Workshop Students write a web application Advantages Students see what bugs they write. Compare different implementations of app. Good technique for integrating into SwEng. Disadvantages Cannot predict vulnerabilities in advance. Limited by time students have to develop.

9 April 14, 2008Secure Coding Faculty Workshop Exercises Abuse Cases Use attack patterns to create abuse cases. Architectural Risk Analysis Draw + review DFDs for application. Risk analysis based on DFDs + abuse cases. Most useful after first iteration. Code Review + Static Analysis Use Fortify SCA to analyze source code. Code review: moderator, author Penetration Testing Find bugs in their own or another group’s project.

10 April 14, 2008Secure Coding Faculty Workshop Exercises with 3 rd party tools 1. Use a web security teaching tool 1. Exercises for specific vulnerabilities. 2. May include hints, completion tracking. 2. Use a web application designed for learning about security 1. Application designed with vulnerabilities. 2. Vary based on web platform, vuln types. 3. Analyze an open source web application with known vulnerabilities.

11 April 14, 2008Secure Coding Faculty Workshop Web Security Teaching Tools WebGoat GPL J2EE teaching application Hack This Site Online security exercises, incl web security. NTO Hackme Site Only two live lessons (XSS and SQL inject)

12 April 14, 2008Secure Coding Faculty Workshop Using Web Security Teaching Tools Focus on a single vulnerability Learn about single vulnerability in isolation. No need to understand entire application. Useful for In-class demonstrations of vulnerabilities. Single vulnerability assignments. Multi-vulnerability assignments for classes that have only a single unit on web security.

13 April 14, 2008Secure Coding Faculty Workshop Web Security Demo Apps BadStore GPL shopping app available as ISO image Hacme Bank, Books, and Travel J2EE, MS, and C++ apps for pen testing WebMaven (aka Buggy Bank) GPL bank app, MS install instructions only International Capture the Flag Annual competition focusing on web apps.

14 April 14, 2008Secure Coding Faculty Workshop Using Web Security Demo Apps Focus on penetration testing Broad range of web vulnerabilities. Requires > effort & skill than teaching tools Advantages Whole application security perspective. Provide a more authentic experience. Useful for Penetration testing assignments (find 10 vulnerabilities in the next week.)

15 April 14, 2008Secure Coding Faculty Workshop Using Open Source Web Apps Focus on testing and fixing vulnerabilities Not as many known vulnerabilities. May take effort to find insecure versions. Provides a more authentic experience. Useful for Penetration testing assignments. Code maintenance assignments. Static and dynamic analysis assignments.

16 April 14, 2008Secure Coding Faculty Workshop Key Points Write your own web application Flexible but time-consuming approach. Student-written applications Assignments throughout the SDLC. Cannot predict vulnerabilities in advance. Third party applications Use WebGoat to teach about vulnerabilities. Use BadStore to teach about vulnerabilities in semi- authentic context, penetration testing. Open source to teach about authentic vulnerabilities.

Download ppt "April 14, 2008 Secure Coding Faculty Workshop Web Application Security: Exercise Development Approaches James Walden"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
Windows Azure for SharePoint people Dennis – Solution Architect Microsoft Windows Azure.

Windows Azure for SharePoint people Dennis – Solution Architect Microsoft Windows Azure.
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
By Josh Sokol. # whoami  Josh Sokol  B.S. in Computer Science  Cisco Certified Network Associate (CCNA)  SANS GIAC in Web Application.

By Josh Sokol. # whoami  Josh Sokol  B.S. in Computer Science  Cisco Certified Network Associate (CCNA)  SANS GIAC in Web Application.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
3/10/07ACM SIGCSE'071 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Zhouxuan Teng & Ronghua Wang Department.

3/10/07ACM SIGCSE'071 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Zhouxuan Teng & Ronghua Wang Department.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
The OWASP Foundation AppSec DC Learning by Breaking A New Project for Insecure Web Apps Chuck Willis Technical Director MANDIANT

The OWASP Foundation AppSec DC Learning by Breaking A New Project for Insecure Web Apps Chuck Willis Technical Director MANDIANT
1 Bringing P2P to the Web: Security and Privacy in the Firecoral Network Jeff Terrace Harold Laidlaw Hao Eric Liu Sean Stern Michael Freedman.

1 Bringing P2P to the Web: Security and Privacy in the Firecoral Network Jeff Terrace Harold Laidlaw Hao Eric Liu Sean Stern Michael Freedman.
By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.

By Ben Pratt and Clint Forseth.  Ben Pratt ◦ Primary Role: Course Mgmt. Sys. Admin ◦ Secondary Roles: Printer Server Admin, Web Application Firewall.
CS 5150 1 CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Penetration testing – W3AF Tool

Penetration testing – W3AF Tool
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

Similar presentations

Ads by Google