What is OWASP / OWASP Live CD / Live Demo
Omar Sherin - OWASP Egypt


Page 2: Few Facts and Figures

How Many Vulnerabilities Are Application Security Related?

Page 3: What is OWASP?

Open Web Application Security Project
● Promotes secure software development
● Oriented to the delivery of web-oriented services
● Focused primarily on “back-end” issues rather than web design
● An open forum for discussion
● A free resource for any development team

Page 4: 120+ Chapters Worldwide

Page 5: OWASP Sponsors

Page 6: OWASP Publications - All Free

● Top 10 Web Application Security Vulnerabilities
● Guide to Building Secure Web Applications
● Legal Project
● Metrics & Measurements Project
● Testing Project
● AppSec FAQ

www.owasp.org

Page 7: OWASP Software

Major Applications
● WebGoat
● WebScarab

.Net Projects

Lab Projects

Page 8: OWASP Software - .NET Projects

.Net Projects
● A collection of tools focused on securing ASP.NET projects
● Includes security analyzers and documentation projects
● Current Projects
  ○ Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
  ○ SAM’SHE – Security Analyzer for Microsoft’s Shared Hosting Environments – a toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
  ○ ANSA – Asp.Net Security Analyzer, written in C#, to identify configuration and software issues that impact security
  ○ Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
● http://www.owasp.org/software/dotnet.html

Page 9: What is the OWASP Live CD?

● A bootable CD with loads of pre-packaged web security tools and toys
● The latest OWASP project, and the most talked about in the web security community
● Also available as a free VM image

Page 10: Live CD Benefits and Tools List

It’s free, easy and safe to use.

Current Tools List
● OWASP WebScarab
● OWASP WebGoat
● OWASP JBroFuzz
● Paros Proxy
● nmap
● Wireshark
● tcpdump
● Firefox 3
● Burp Suite
● Grendel-Scan
● OWASP DirBuster
● OWASP SQLiX
● OWASP WSFuzzer
● Metasploit 3

Future Tools List
● nikto
● Skavenger
● sqlmap
● sqlninja
● Absinthe
● webshag
● httprint
● BeEF
● ProxyMon
● ratproxy

Page 11: Tool Focus - WebGoat

● Start the WebGoat server from the main menu
● In Firefox, open http://127.0.0.1:8080/WebGoat/attack
● Log in with user name: guest, password: guest
● Start learning!

Page 12: What is WebGoat?

● OWASP project with ~115,000 downloads so far
● Deliberately insecure Java EE web application
● Teaches common application vulnerabilities via a series of individual lessons

Page 13: Real World Examples

● Cross site scripting
● SQL Injection
● Command Injection
● Forced Browsing
● Access Control
  ○ Data, presentation, business, & environmental layers
● Authentication
● AJAX
● Web Services

Page 14: WebGoat Users

● Used by clients for source code analysis and web application security scanning
● Used by universities in security curricula
  ○ Carnegie-Mellon – using WebGoat as an open source project option
  ○ University of Denver
  ○ Wouldn’t it be great if students contributed lessons as part of their class projects!!
● OWASP Autumn 2006 and Spring of Code 2007 projects
● Used by many companies as a “safe” training tool
● LOTS of emails from the user community

Page 15: What’s New in 5.x

5.0 – Autumn of Code 2006 Release
● Many new lessons
  ○ AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath Injection, forced browsing

5.1 (Summer 2007)
● Servlet that allows attacks to post data
  ○ Posted data is pushed back to the originating lesson
● XSS phishing attack
● Improved lesson content
● Enhanced documentation (a SpoC 2007 project)

Page 16: Work in Progress

Convert lessons to a common theme
● HR System (WebGoat Financials)
● Online Banking or Video Store

Page 17: Questions & Demo

Page 18: Thank You

www.qcert.org