Page 1: AppSec DC 2009 - Learning by breaking by Chuck Willis

The OWASP Foundation

AppSec DC

http://www.owasp.org

Learning by Breaking

A New Project for Insecure Web Apps

Chuck Willis

Technical Director, MANDIANT

[email protected]

November 12, 2009

Page 2: AppSec DC 2009 - Learning by breaking by Chuck Willis

About Me

MANDIANT

Commercial Services

Federal Services

Training and Education

Product – Mandiant Intelligent Response

My Experience

10+ years total experience in Information Security

Penetration Testing, Application Security, Source Code Analysis, Forensics, Incident Response, R&D

Member of OWASP DC Chapter (and CapSec)

Page 3: AppSec DC 2009 - Learning by breaking by Chuck Willis

Problem

I was looking for web applications with vulnerabilities where I could:

Test web application scanners

Test manual techniques

Test source code analysis tools

Look at the code that implements the vulnerabilities

Modify code to fix vulnerabilities

Test web application firewalls

Page 4: AppSec DC 2009 - Learning by breaking by Chuck Willis

Option – WebGoat

It is a great learning tool, but

It is a training environment, not a real application

Same holds for other “artificial” applications

Page 5: AppSec DC 2009 - Learning by breaking by Chuck Willis

Option – Proprietary “Free” Apps

Realistic applications with vulnerabilities

Often closed source, which prevents some uses

Can conflict with one another

Can be difficult to install

Licensing restrictions

Page 6: AppSec DC 2009 - Learning by breaking by Chuck Willis

Solution

Create a set of broken, open source applications

Put them all on a VMWare Virtual Machine

Donate it to OWASP

Profit?

Page 7: AppSec DC 2009 - Learning by breaking by Chuck Willis

Base Software

Based on Ubuntu Linux Server 9.10

No X-Windows

Apache

PHP

Perl

MySQL

PostgreSQL

Tomcat

OpenJDK

Mono

Page 8: AppSec DC 2009 - Learning by breaking by Chuck Willis

Management Software

OpenSSH

Samba

phpMyAdmin

Subversion Client

Page 9: AppSec DC 2009 - Learning by breaking by Chuck Willis

Intentionally Broken Apps

OWASP WebGoat version 5.3 (Java)

OWASP Vicnum version 1.3 (Perl)

Mutillidae version 1.3 (PHP)

Damn Vulnerable Web Application version 1.06 (PHP)

Page 10: AppSec DC 2009 - Learning by breaking by Chuck Willis

Intentionally Broken Apps

OWASP CSRFGuard Test Application version 2.2 (Java)

Mandiant Struts Forms (Java/Struts)

Simple ASP.NET Forms (ASP.NET/C#)

Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

LOOKING FOR DONATIONS!

Page 11: AppSec DC 2009 - Learning by breaking by Chuck Willis

Old Versions of Real Applications

phpBB 2.0.0 (PHP, released April 4, 2002)

WordPress 2.0.0 (PHP, released December 31, 2005)

Yazd version 1.0 (Java, released February 20, 2002)

LOOKING FOR IDEAS!

Page 12: AppSec DC 2009 - Learning by breaking by Chuck Willis

Where are the vulnerabilities?

Don’t have a master list of vulnerabilities (yet)

Counting on the community to contribute

Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found

May move to wiki page(s) on the OWASP site

Page 13: AppSec DC 2009 - Learning by breaking by Chuck Willis

What’s in a name?

Tentatively called “OWASP Broken Web Applications Project”

I’m open to suggestions

Page 14: AppSec DC 2009 - Learning by breaking by Chuck Willis

The Future

Establish as an OWASP project

Wiki page

Mailing list

Update project for collaboration

Create and maintain documentation

Push content to Google Code

Incorporate additional broken apps

The larger, the better

Would like more real / realistic applications

Adobe Flash (could use some help here)

Ruby on Rails?

Page 15: AppSec DC 2009 - Learning by breaking by Chuck Willis

More Information and Downloads

More information can be found at http://code.google.com/p/owaspbwa/

Version 0.9 of the VM has been released!

Linked from the blog at mandiant.com

I have a few CDs of the VM for anyone who wants them

Page 16: AppSec DC 2009 - Learning by breaking by Chuck Willis

I welcome any help / broken apps you can provide!

Page 17: AppSec DC 2009 - Learning by breaking by Chuck Willis

Questions?
