1 Copyright © 2008 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation, http://www.owasp.org
WebGoat & WebScarab
September 9, 2008
By Stephen Carter & Mike Nixon
carter.stephen@gmail.com, mnixxon@gmail.com

2 Part 1: Introduction to WebGoat & WebScarab

3 WebGoat
- WebGoat is a deliberately insecure J2EE web application maintained by OWASP
- Goal: create a de-facto interactive teaching environment for web application security
- Currently over 30 lessons
- Anyone can create a lesson
- Future: a "security benchmarking platform and Web site honeypot"
- Project page: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

4 WebGoat (screenshot)

5 WebGoat Installation
- Obtaining WebGoat
  - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824
- Installation (Developer Version for Windows)
  - Download WebGoat-OWASP_Developer-5.2.zip
  - Unzip to C:\
  - Unzip Eclipse-Workspace.zip to C:\WebGoat-5.2
  - Double-click eclipse.bat
  - Open http://localhost/WebGoat/attack
  - Default username "guest", password "guest" (change these, or keep the instance off any shared network: WebGoat is intentionally vulnerable)

6 WebScarab
- WebScarab is a framework for analyzing applications that communicate using the HTTP and HTTPS protocols
- Proxy, Fuzzer, Session ID Analyzer, Spider and more
- Disclaimer from the project: "...it is a tool primarily designed to be used by people who can write code themselves..."
- WebScarab-NG
  - Complete rewrite with a focus on user-friendliness
  - Uses Spring RCP
- Project page: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project

7 WebScarab Installation
- Obtaining WebScarab
  - http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61823
- Installation (Windows)
  - Download the installer
  - Double-click webscarab-installer-20070504-1631.jar
  - Next, Next, ...
  - Start > Programs > WebScarab > WebScarab

8 WebScarab as a Proxy
- Firefox
  - Tools > Options > Advanced > Network > Settings > Manual Proxy Configuration
  - HTTP proxy: localhost, port 8008 (use the same proxy for SSL if you want HTTPS traffic intercepted too)
  - Clear "No Proxy for: localhost, 127.0.0.1", otherwise requests to WebGoat at http://localhost/ bypass the proxy entirely
- WebScarab
  - Proxy > Intercept Requests

9 Part 2: Using WebGoat & WebScarab

10 WebGoat Tips
- Helpful tools
  - HTTP proxy
    - OWASP WebScarab
  - Livehttpheaders
  - TamperData
  - Web developer tools
    - Firebug
    - Web Developer

11 WebGoat Tips
- Built-in help
  - Hints: fight the urge
  - Show Params: HTTP request parameters
  - Show Cookies: HTTP request cookies
  - Lesson Plan: goals and objectives
  - Show Java: underlying Java source code for the lesson
  - Solutions: last resort!

12 Lab: Role Based Access Control
- Stage 1: Bypass business layer access control
- Stage 2: Add business layer access control
  - Check that the user is authorized for the requested action
  - handleRequest() in RoleBasedAccessControl.java
- Stage 3: Bypass data layer access control
- Stage 4: Add data layer access control
  - Check that the user is authorized for the action on that particular employee, not just for the action in general
  - handleRequest() in RoleBasedAccessControl.java
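The two checks the lab asks for, written out as an added example (this is not WebGoat's RoleBasedAccessControl.java; the User class, handle_request(), the EMPLOYEES table, the role names and the action names are all assumed for illustration). The business-layer check answers "may this role invoke this action at all?" (Stage 2); the data-layer check answers "may this user invoke it on this employee?" (Stage 4). Stage 1 and Stage 3 are exactly the requests that fail only one of the two checks.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised by handle_request when either access control check fails."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "employee", "manager", "hr"


# Constructed sample data (not WebGoat's schema): who reports to whom.
EMPLOYEES = {
    101: {"name": "Tom", "manager_id": 102, "salary": 50000},
    102: {"name": "Moe", "manager_id": 103, "salary": 70000},
    103: {"name": "Jerry", "manager_id": None, "salary": 90000},
    104: {"name": "Lisa", "manager_id": 103, "salary": 55000},
}

# Business layer (Stage 2): the actions each role may invoke at all.
# Assumed action names; WebGoat's own are on the lesson's "Show Params" view.
ALLOWED_ACTIONS = {
    "employee": {"ViewProfile"},
    "manager": {"ViewProfile", "DeleteProfile"},
    "hr": {"ViewProfile", "DeleteProfile", "EditProfile"},
}


def is_authorized_for_action(user, action):
    """Stage 2 check: is the action permitted for this user's role?"""
    return action in ALLOWED_ACTIONS.get(user.role, set())


def is_authorized_for_employee(user, employee_id):
    """Stage 4 check: is the user allowed to act on this specific employee?

    Unknown employee ids are denied rather than reported as missing, so the
    check does not double as an existence oracle.
    """
    if employee_id not in EMPLOYEES:
        return False
    if user.role == "hr":
        return True
    if employee_id == user.user_id:
        return True  # everyone may act on their own record
    if user.role == "manager":
        return EMPLOYEES[employee_id]["manager_id"] == user.user_id
    return False


def handle_request(user, params):
    """Dispatch a request after both checks; params mimic the HTTP parameters."""
    action = params.get("action", "")
    # Stage 1 bypass: an "employee" simply posts action=DeleteProfile.
    if not is_authorized_for_action(user, action):
        raise AccessDenied("role %r may not %s" % (user.role, action))
    # employee_id comes from the client and must be treated as untrusted;
    # int() raises ValueError on garbage, which the caller maps to a 400.
    employee_id = int(params.get("employee_id", user.user_id))
    # Stage 3 bypass: a manager passes the id of someone outside their team.
    if not is_authorized_for_employee(user, employee_id):
        raise AccessDenied("user %d may not %s employee %d"
                           % (user.user_id, action, employee_id))
    if action == "ViewProfile":
        return dict(EMPLOYEES[employee_id])
    if action == "DeleteProfile":
        return {"deleted": employee_id}
    return {"edited": employee_id}


def outcome(user, params):
    """Helper for exercising the checks: 'allowed' or 'denied'."""
    try:
        handle_request(user, params)
        return "allowed"
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    tom = User(101, "employee")
    moe = User(102, "manager")
    print(outcome(tom, {"action": "DeleteProfile", "employee_id": "104"}))  # denied (Stage 2)
    print(outcome(moe, {"action": "ViewProfile", "employee_id": "104"}))    # denied (Stage 4)
    print(outcome(moe, {"action": "ViewProfile", "employee_id": "101"}))    # allowed
```

Both checks live in the one request handler, which is what the lab asks for: the action check alone lets a manager read any employee by changing an id, and the per-employee check alone still lets an ordinary employee invoke a manager-only action on their own record.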

13 Lab: Cross Site Scripting (XSS)
- Stage 1: Stored XSS
- Stage 2: Correct the stored XSS vulnerability
  - Filter before the value is written to the database
  - parseEmployeeProfile() in UpdateProfile.java
- Stage 3: Stored XSS revisited (an input filter alone is bypassed by a payload the filter did not anticipate)
- Stage 4: Correct the stored XSS vulnerability again
  - Encode/filter after retrieving from the database, before displaying to the user
  - getEmployeeProfile() in ViewProfile.java
  - HtmlEncoder.encode()
- Stage 5: Reflected XSS
- Stage 6: Correct the reflected XSS vulnerability
  - getRequestParameter() in FindProfile.java
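Stages 2 through 6 side by side, as an added example rather than WebGoat's UpdateProfile/ViewProfile/FindProfile code (the function names parse_employee_profile, get_employee_profile and find_profile mirror the lab's Java names but are assumed here, as are the in-memory PROFILES store and the page templates). The input filter from Stage 2 removes script tags and is then defeated in Stage 3 by an event handler on an image tag; encoding at output in Stage 4 neutralizes whatever was stored, and the same encoder handles the reflected parameter in Stage 6.

```python
import html
import re

# Constructed in-memory "database" of profiles (not WebGoat's schema).
PROFILES = {}

# Stage 2 approach: strip <script> tags on the way in. Kept here because it is
# what the lab asks for first, and because Stage 3 shows it is not sufficient.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def html_encode(text):
    """Encode the characters that change meaning in HTML text and in quoted
    attribute values: & < > " '. This is what an HtmlEncoder.encode() does."""
    return html.escape(text, quote=True)


def parse_employee_profile(form):
    """Stage 2: filter the description before it reaches the database."""
    return {
        "name": form.get("name", ""),
        "description": SCRIPT_TAG.sub("", form.get("description", "")),
    }


def update_profile(employee_id, form):
    PROFILES[employee_id] = parse_employee_profile(form)


def render_unencoded(employee_id):
    """The Stage 1/Stage 3 rendering: stored data is echoed into the page as-is.
    Deliberately vulnerable; kept only to contrast with get_employee_profile()."""
    p = PROFILES[employee_id]
    return "<h2>%s</h2><p>%s</p>" % (p["name"], p["description"])


def get_employee_profile(employee_id):
    """Stage 4: encode after retrieval, before display, regardless of what
    the input filter did or did not catch."""
    p = PROFILES[employee_id]
    return "<h2>%s</h2><p>%s</p>" % (html_encode(p["name"]),
                                     html_encode(p["description"]))


def find_profile(request_params):
    """Stage 6: the search term is reflected into the response, so it is
    encoded at the point where it is read from the request."""
    term = html_encode(request_params.get("search", ""))
    return '<p>No results for "%s"</p>' % term


TAG_NAME = re.compile(r"<\s*/?\s*([A-Za-z][\w-]*)")


def rendered_tags(page):
    """Names of the HTML tags a browser would see in the rendered page;
    a safe rendering contains only the template's own tags."""
    return {m.lower() for m in TAG_NAME.findall(page)}


if __name__ == "__main__":
    # Stage 1 payload: removed by the Stage 2 filter.
    update_profile(101, {"name": "Tom",
                         "description": "<script>alert(1)</script>hello"})
    # Stage 3 payload: no <script> tag, so the filter passes it through.
    update_profile(102, {"name": "Moe",
                         "description": '<img src=x onerror="alert(1)">'})
    print(rendered_tags(render_unencoded(102)))      # {'h2', 'p', 'img'}
    print(rendered_tags(get_employee_profile(102)))  # {'h2', 'p'}
    print(find_profile({"search": "<script>alert(1)</script>"}))
```

html.escape is an HTML text and attribute-value encoder; a value placed inside a script block, a URL or a CSS property needs that context's own encoding, so the lesson's "encode before display" means encode for the context the value lands in, not apply one encoder everywhere.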


15 Reminders
- Next meeting
  - December 2, 2008, 6:00 PM - 8:00 PM
  - Presentations: TBD
  - Some ideas: Jakarta Commons/Struts Validator, SOA/Web Services security, web application security testing, ACEGI, mod_security
  - Location: Gevity, Lakewood Ranch
- OWASP Conference & Training
  - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
  - Joe Jarzombek (Director for Software Assurance, DHS)
  - Howard Schmidt (White House Cyber-security Advisor)
  - Robert "RSnake" Hansen, Jeremiah Grossman, and others

16 Reminders
- Becoming involved
  - Participate in OWASP projects
    - Contribute to existing projects
    - Propose new projects
    - Spearhead new ventures
  - Support and participate in the Suncoast Chapter
    - Present
    - Spread the word
    - Sponsorship
  - Mailing lists
    - Open forums for discussion of any relevant web application security topics
  - Become a member: http://www.owasp.org/index.php/Membership

17 Special thanks to John Hale & Gevity for the conference room! Thank you for attending!

18 References
- RSA 2008 briefing by J. Grossman
  - http://www.slideshare.net/guestdb261a/csrfrsa2008jeremiahgrossman-349028/
