02 OWASP BNL10 Training - Tour of OWASP Projects V2

  • 7/27/2019 02 OWASP BNL10 Training - Tour of OWASP Projects V2

    1/39

Copyright 2010 - The OWASP Foundation. This work is available under the Creative Commons SA 2.5 license.

The OWASP Foundation

OWASP BeNeLux 2010

http://www.owasp.org

Tour of OWASP's projects

    Sebastien Deleersnyder

    Dec 1, 2010

2/39

OWASP Tools and Technology

Automated Security Verification: Vulnerability Scanners, Static Analysis Tools, Fuzzing

Manual Security Verification: Penetration Testing Tools, Code Review Tools

Security Architecture: ESAPI

Secure Coding: AppSec Libraries, ESAPI Reference Implementation, Guards and Filters

AppSec Management: Reporting Tools

AppSec Education: Flawed Apps, Learning Environments, Live CD, Site Generator

3/39

OWASP Body of Knowledge

Core Application Security Knowledge Base: Principles, Threat Agents, Attacks, Vulnerabilities, Impacts, and Countermeasures

Acquiring and Building Secure Applications: Guide to Building Secure Web Applications and Web Services

Verifying Application Security: Guide to Application Security Testing and Guide to Application Security Code Review

Managing Application Security: Guidance and Tools for Measuring and Managing Application Security

Application Security Tools: Tools for Scanning, Testing, Simulating, and Reporting Web Application Security Issues

AppSec Education and CBT: Web Based Learning Environment and Guide for Learning Application Security

Research to Secure New Technologies: Research Projects to Figure Out How to Secure the Use of New Technologies (like Ajax)

OWASP Foundation 501c3

OWASP Community Platform (wiki, forums, mailing lists)

Projects

Chapters

AppSec Conferences

4/39

    Top level view

5/39

    There are a lot of OWASP projects

6/39

Metrics

Categorizing and organizing projects: maturity, activity level, quality, relevance

7/39

Assessment Criteria

8/39

9/39

10/39

Categories

PROTECT - These are tools and documents that can be used to guard against security-related design and implementation flaws.

DETECT - These are tools and documents that can be used to find security-related design and implementation flaws.

LIFE CYCLE - These are tools and documents that can be used to add security-related activities into the Software Development Life Cycle (SDLC).

11/39

OWASP projects by numbers

Total Projects: 122

Release quality: 19

Beta quality: 28

Alpha quality: 89

Inactive: 6

12/39

Dashboard

13/39

Assessment details

14/39

    Project Parade

15/39

The Big 4 Documentation Projects

Building Guide

Code Review Guide

Testing Guide

Application Security Desk Reference (ASDR)

16/39

The Guide

Complements OWASP Top 10

310-page book

Free and open source (GNU Free Doc License)

Many contributors

Apps and web services

Most platforms: examples are J2EE, ASP.NET, and PHP

Comprehensive

Project Leader and Editor: Andrew van der Stock, [email protected]
17/39

Uses of the Guide

Developers: use for guidance on implementing security mechanisms and avoiding vulnerabilities

Project Managers: use for identifying activities (threat modeling, code review, penetration testing) that need to occur

Security Teams: use for structuring evaluations, learning about application security, remediation approaches

18/39

Each Topic

Includes Basic Information (like OWASP T10):

How to Determine If You Are Vulnerable

How to Protect Yourself

Adds:

Objectives

Environments Affected

Relevant COBIT Topics

Theory

Best Practices

Misconceptions

Code Snippets

19/39

    Testing Guide v3: Index

    1. Frontispiece

    2. Introduction

    3. The OWASP Testing Framework

    4. Web Application Penetration Testing

    5. Writing Reports: value the real risk

    Appendix A: Testing Tools

    Appendix B: Suggested Reading

    Appendix C: Fuzz Vectors

20/39

Evolution V3

Testing Guide v2 chapters:

Information Gathering

Business Logic Testing

Authentication Testing

Session Management Testing

Data Validation Testing

Denial of Service Testing

Web Services Testing

Ajax Testing

Testing Guide v3 chapters:

Information Gathering

Config. Management Testing

Business Logic Testing

Authentication Testing

Authorization Testing

Session Management Testing

Data Validation Testing

Denial of Service Testing

Web Services Testing

Ajax Testing

Encoded Appendix

21/39

How the Guide helps the security industry

Pen-testers:

A structured approach to the testing activities

A checklist to be followed

A learning and training tool

Organisations:

A tool to understand web vulnerabilities and their impact

A way to check the quality of the penetration tests they buy

More in general, the Guide aims to provide a pen-testing standard that creates a 'common ground' between the pen-testing industry and its clients.

This will raise the overall quality and understanding of this kind of activity and therefore the general level of security in our infrastructures.

22/39

OWASP Application Security Verification Std

Standard for verifying the security of web applications

Four levels:

Automated

Manual

Architecture

Internal

23/39

OWASP Software Assurance Maturity Model

24/39

Tools

http://www.owasp.org/index.php/Phoenix/Tools

Best known OWASP Tools:

WebGoat

WebScarab

Remember:

A Fool with a Tool is still a Fool
25/39

Live CD

Project that collects some of the best open source security projects in a single environment

http://www.owasp.org/index.php/LiveCD

Users can boot from Live CD and immediately start using all tools without any configuration
26/39

Available Tools

25 significant tools

OWASP WebScarab v20090122

OWASP WebGoat v5.2

OWASP CAL9000 v2.0

OWASP JBroFuzz v1.2

OWASP DirBuster v0.12

OWASP SQLiX v1.0

OWASP WSFuzzer v1.9.4

OWASP Wapiti v2.0.0-beta

Paros Proxy v3.2.13

nmap & Zenmap v4.76

Wireshark v1.0.5

tcpdump v4.0.0

Firefox 3.06 + 25 addons

Burp Suite v1.2

Grendel Scan v1.0

Metasploit v3.2 (svn)

w3af + GUI svn r2161

Netcats (original + GNU)

Nikto v2.03

Fierce Domain Scanner v1.0.3

Maltego CE v2-210

Httprint v301

SQLBrute v1.0

Spike Proxy v1.4.8-4

Rat Proxy v1.53-beta

sqlmap v0.7-rc1 now included!

27/39

OWASP WebGoat

Screenshot: http://www.owasp.org/images/f/f3/WebGoat-Bypass-Access-Control-Lesson.JPG
28/39

OWASP WebScarab

Screenshot: http://www.owasp.org/index.php/Image:WebScarab_after_browsing.png
29/39

Tools At Best 45%

MITRE found that all application security tool vendors' claims put together cover only 45% of the known vulnerability types (over 600 in CWE).

They found very little overlap between tools, so to get 45% you need them all (assuming their claims are true).

30/39

The OWASP Enterprise Security API

Custom Enterprise Web Application

Enterprise Security API: Authenticator, User, AccessController, AccessReferenceMap, Validator, Encoder, HTTPUtilities, Encryptor, EncryptedProperties, Randomizer, Exception Handling, Logger, IntrusionDetector, SecurityConfiguration

Existing Enterprise Security Services/Libraries

31/39

Create Your ESAPI Implementation

Your Security Services:

Wrap your existing libraries and services

Extend and customize your ESAPI implementation

Fill in gaps with the reference implementation

Your Coding Guideline:

Tailor the ESAPI coding guidelines

Retrofit ESAPI patterns to existing code

32/39

OWASP CSRFTester

33/39

OWASP CSRFGuard 2.0

Flow: User (Browser) <-> OWASP CSRFGuard <-> Business Processing

Add Token to HTML (on the way out) / Verify Token (on the way in)

Adds token to:

href attribute

src attribute

hidden field in all forms

Actions:

Log

Invalidate

Redirect

http://www.owasp.org/index.php/CSRFGuard
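The pattern the slide sketches, written out as an added example for this page (it is not CSRFGuard's own code, which is a Java servlet filter): a per-session random token is appended to same-site href and src URLs and inserted as a hidden field in every form on the way out, and on the way in the presented token is compared in constant time, with a failure producing the three actions named on the slide (log, invalidate the session, redirect). The parameter name OWASP_CSRFTOKEN, the /csrf-error redirect target, the unprotected path list and the Session/Request stand-ins are assumptions constructed for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Name of the token parameter / hidden field. Assumption for this example; a real
# deployment takes the name from the CSRFGuard configuration.
TOKEN_PARAM = "OWASP_CSRFTOKEN"
ERROR_PAGE = "/csrf-error"                    # constructed redirect target for rejected requests
UNPROTECTED = {"/", "/login", ERROR_PAGE}     # constructed list of paths served without a token


@dataclass
class Session:
    """Stand-in for a server-side session (constructed for the example)."""
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    valid: bool = True


@dataclass
class Request:
    """Stand-in for an incoming HTTP request (constructed for the example)."""
    method: str
    path: str
    query: dict
    form: dict


def _add_token_to_url(url: str, token: str) -> str:
    """Append the token as a query parameter to a same-site URL; leave other URLs untouched."""
    if url.startswith(("http://", "https://", "//", "mailto:", "javascript:", "#")):
        return url
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != TOKEN_PARAM]
    params.append((TOKEN_PARAM, token))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def inject_token(html: str, token: str) -> str:
    """Rewrite a response body the way the slide describes: the token goes onto every
    href and src attribute and into a hidden field in every form."""
    def rewrite_attr(m: re.Match) -> str:
        return f'{m.group(1)}="{_add_token_to_url(m.group(2), token)}"'

    html = re.sub(r'\b(href|src)="([^"]*)"', rewrite_attr, html, flags=re.IGNORECASE)
    hidden = f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}">'
    return re.sub(r"(<form\b[^>]*>)", lambda m: m.group(1) + hidden, html, flags=re.IGNORECASE)


def verify_token(session: Session, request: Request, log: list) -> dict:
    """Check the token on a protected request and, on failure, apply the slide's three
    actions: log the event, invalidate the session, redirect to an error page."""
    if request.path in UNPROTECTED:
        return {"action": "allow"}
    presented = request.form.get(TOKEN_PARAM) or request.query.get(TOKEN_PARAM) or ""
    # Constant-time comparison so the check leaks nothing about the expected token.
    if session.valid and hmac.compare_digest(presented.encode(), session.csrf_token.encode()):
        return {"action": "allow"}
    log.append(f"CSRF token check failed: sid={session.sid} {request.method} {request.path}")
    session.valid = False
    return {"action": "redirect", "location": ERROR_PAGE}


if __name__ == "__main__":
    # Constructed walk-through: render a page, then replay a valid request and one without a token.
    session = Session(sid="abc123")
    page = '<a href="/transfer?to=bob">Pay Bob</a> <form action="/transfer" method="post"></form>'
    print(inject_token(page, session.csrf_token))
    events: list = []
    print(verify_token(session, Request("POST", "/transfer", {}, {TOKEN_PARAM: session.csrf_token}), events))
    print(verify_token(session, Request("POST", "/transfer", {}, {}), events))
    print(events)
```

The token is per session rather than per request, which is what keeps rewritten links valid for the whole session; the check runs on GET links as well because the slide puts the token on href and src, not only on forms. Tokens carried in URLs can end up in Referer headers and access logs, so for state-changing requests the hidden form field is the carrier to rely on, and the invalidate action ensures that one failed check ends the session rather than letting a stolen token be retried.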
34/39

OWASP Framework

SDLC & OWASP Guidelines

35/39

Want More?

OWASP .NET Project

OWASP ASDR Project

OWASP AntiSamy Project

OWASP AppSec FAQ Project

OWASP Application Security Assessment Standards Project

OWASP Application Security Metrics Project

OWASP Application Security Requirements Project

OWASP CAL9000 Project

OWASP CLASP Project

OWASP CSRFGuard Project

OWASP CSRFTester Project

OWASP Career Development Project

OWASP Certification Criteria Project

OWASP Certification Project

OWASP Code Review Project

OWASP Communications Project

OWASP DirBuster Project

OWASP Education Project

OWASP Encoding Project

OWASP Enterprise Security API

OWASP Flash Security Project

OWASP Guide Project

OWASP Honeycomb Project

OWASP Insecure Web App Project

OWASP Interceptor Project

OWASP JBroFuzz

OWASP Java Project

OWASP LAPSE Project

OWASP Legal Project

OWASP Live CD Project

OWASP Logging Project

OWASP Orizon Project

OWASP PHP Project

OWASP Pantera Web Assessment Studio Project

OWASP SASAP Project

OWASP SQLiX Project

OWASP SWAAT Project

OWASP Sprajax Project

OWASP Testing Project

OWASP Tools Project

OWASP Top Ten Project

OWASP Validation Project

OWASP WASS Project

OWASP WSFuzzer Project

OWASP Web Services Security Project

OWASP WebGoat Project

OWASP WebScarab Project

OWASP XML Security Gateway Evaluation Criteria Project

OWASP on the Move Project

36/39

OWASP Research Grants

We support the research that keeps your organization safe!
37/39

OWASP Projects Are Alive!

Timeline (years shown): 2001, 2003, 2005, 2007, 2009
38/39

How to participate?

Start your own project: the best OWASP projects are strategic; get the community involved / build a team

Contribute existing work (open license)

Promotion!

Help an existing project

39/39

    Questions and Answers