AppSec DC 2009 - Learning by breaking by Chuck Willis
The OWASP Foundation
AppSec DC
http://www.owasp.org
Learning by Breaking: A New Project for Insecure Web Apps
Chuck Willis
Technical [email protected]
November 12, 2009
OWASP
About Me
MANDIANT
Commercial Services
Federal Services
Training and Education
Product – Mandiant Intelligent Response
My Experience
10+ years total experience in Information Security
Penetration Testing, Application Security, Source Code Analysis, Forensics, Incident Response, R&D
Member of OWASP DC Chapter (and CapSec)
Problem
I was looking for web applications with vulnerabilities where I could:
Test web application scanners
Test manual techniques
Test source code analysis tools
Look at the code that implements the vulnerabilities
Modify code to fix vulnerabilities
Test web application firewalls
Option – WebGoat
It is a great learning tool, but
It is a training environment, not a real application
Same holds for other “artificial” applications
Option – Proprietary “Free” Apps
Realistic applications with vulnerabilities
Often closed source, which prevents some uses
Can conflict with one another
Can be difficult to install
Licensing restrictions
Solution
Create a set of broken, open source applications
Put them all on a VMWare Virtual Machine
Donate it to OWASP
Profit?
Base Software
Based on Ubuntu Linux Server 9.10 (no X Windows)
Apache
PHP
Perl
MySQL
PostgreSQL
Tomcat
OpenJDK
Mono
Management Software
OpenSSH
Samba
phpMyAdmin
Subversion Client
Intentionally Broken Apps
OWASP WebGoat version 5.3 (Java)
OWASP Vicnum version 1.3 (Perl)
Mutillidae version 1.3 (PHP)
Damn Vulnerable Web Application version 1.06 (PHP)
Intentionally Broken Apps
OWASP CSRFGuard Test Application version 2.2 (Java)
Mandiant Struts Forms (Java/Struts)
Simple ASP.NET Forms (ASP.NET/C#)
Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
LOOKING FOR DONATIONS!
Old Versions of Real Applications
phpBB 2.0.0 (PHP, released April 4, 2002)
WordPress 2.0.0 (PHP, released December 31, 2005)
Yazd version 1.0 (Java, released February 20, 2002)
LOOKING FOR IDEAS!
Where are the vulnerabilities?
Don’t have a master list of vulnerabilities (yet)
Counting on the community to contribute
Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
May move to wiki page(s) on the OWASP site
What’s in a name?
Tentatively called “OWASP Broken Web Applications Project”
I’m open to suggestions
The Future
Establish as an OWASP project
Wiki page
Mailing list
Update project for collaboration
Create and maintain documentation
Push content to Google Code
Incorporate additional broken apps
The larger, the better
Would like more real / realistic applications
Adobe Flash (could use some help here)
Ruby on Rails?
More Information and Downloads
More information can be found at http://code.google.com/p/owaspbwa/
Version 0.9 of the VM has been released!
Linked from the blog at mandiant.com
I have a few CDs of the VM for anyone who wants them
I welcome any help / broken apps you can provide!
Questions?