OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
Chuck Willis, AppSec USA, 2013-11-21
Agenda
• Introductions
• Project Background
• Current Status
• Future
• Q&A
About Me
• Sr. Technical Director at Mandiant in DC
• Application Security, Penetration Testing, Source Code Analysis, Forensics, Incident Response, Research and Development
• Leader of OWASP Broken Web Applications project
• chuck.willis@mandiant.com
• @chuckatsf
Project Background

Problem
• Looking for web applications with vulnerabilities where I could:
– Test web application scanners
– Test manual attack techniques
– Test source code analysis tools
– Look at the code that implements the vulnerabilities
– Modify code to fix vulnerabilities
– Test web application firewalls
– Examine evidence left by attacks
OWASP WebGoat
• It is a great learning tool, but…
• It is a training environment, not a real application
• The same holds for many other “training” applications
Proprietary “Free” Apps
• Realistic applications with vulnerabilities
• Often closed source, which prevents some uses
• Can conflict with one another
• Can be difficult to install
• Licensing restrictions
OWASP BWA Solution
• Free, Linux-based Virtual Machine
• Contains a variety of web applications
– Some intentionally broken
– Some old versions of open source applications
• Pre-configured and ready to use / test
• All applications are open source
– Allows for source code analysis
– Allows users to modify the source to fix vulnerabilities (or add new ones)
OWASP BWA History
• Initial 0.9 release at AppSec DC 2009
• 1.0 release in July 2012
• Current version is 1.1.1
– Released in September 2013
– Download links off www.owaspbwa.org
– Some known issues
OWASP BWA Details

Virtual Machine
• Available in VMware and OVA formats
• Compatible with
– VMware products (no-cost and commercial); OWASP BWA intentionally uses an older VM format
– Oracle VirtualBox
– Parallels Desktop
Base Operating System
• OS is Ubuntu Linux Server 10.04 LTS
– No X Window System / graphical user interface
• Managed via
– Console
– OpenSSH
– Samba
– phpMyAdmin
Base Software
• Apache
• PHP
• Perl
• MySQL
• Tomcat
• OpenJDK
• Mono
• Ruby
• Rails
Additional Software
• Subversion client
• Git client
• PostgreSQL
• ModSecurity and OWASP Core Rule Set
• Custom scripts
Applications

Training Applications
• OWASP WebGoat (Java)
• OWASP WebGoat.NET (ASP.NET/C#)
• OWASP ESAPI Java SwingSet Interactive (Java)
• OWASP Mutillidae II (PHP)
• OWASP RailsGoat (Ruby on Rails)
• OWASP Bricks (PHP)
• Damn Vulnerable Web Application (PHP)
• Ghost (PHP)
• Magical Code Injection Rainbow (PHP)
Realistic, Intentionally Broken Apps
• OWASP Vicnum (PHP/Perl)
• OWASP 1-Liner (Java/JavaScript)
• Google Gruyere (Python)
• Hackxor (Java JSP)
• WackoPicko (PHP)
• BodgeIt (Java JSP)
• Cyclone Transfers (Ruby on Rails)
• Peruggia (PHP)
Old Versions of Real Applications
• WordPress 2.0.0 (PHP, released December 31, 2005)
– myGallery plugin version 1.2
– Spreadsheet for WordPress plugin version 0.6
• OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
• GetBoo version 1.04 (PHP, released April 7, 2008)
• gtd-php version 0.7 (PHP, released September 30, 2006)
• Yazd version 1.0 (Java, released February 20, 2002)
• WebCalendar version 1.03 (PHP, released April 11, 2006)
• TikiWiki version 1.9.5 (PHP, released September 5, 2006)
• Gallery2 version 2.1 (PHP, released March 23, 2006)
• Joomla version 1.5.15 (PHP, released November 4, 2009)
• AWStats version 6.4 (Perl, released February 25, 2005)
Other Applications
• Applications for Testing Tools
– OWASP ZAP-WAVE (Java JSP)
– WAVSEP (Java JSP)
– WIVET (Java JSP)
• Demonstration Pages / Small Applications
– OWASP CSRFGuard Test Application (Java)
– Mandiant Struts Forms (Java/Struts)
– Simple ASP.NET Forms (ASP.NET/C#)
– Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
• OWASP Demonstration Applications
– OWASP AppSensor Demo Application (Java)
Other Features

Editing Applications
• Application code can be edited via SMB shares, SSH, or the console
• Updates to PHP, JSP, etc. application files take effect immediately
• Scripts are provided to rebuild and redeploy applications that require it:
– WebGoat
– Yazd
– CSRFGuard Test Apps
– SwingSet Apps
Updating VM
• Scripts are provided to update the VM from source code repositories
– OWASP BWA specific files from the Google Code SVN repository
– Application files from their SVN or Git repositories
• Can break applications due to changes in database schemas or dependencies
• Allows using updated versions of applications without waiting for a new version of OWASP BWA
OWASP ModSecurity Core Rule Set
• The web server on OWASP BWA is running mod_security
• By default, no rules are enabled
• Scripts are provided to:
– Enable logging using CRS: owaspbwa-modsecurity-crs-log.sh
– Enable blocking using CRS: owaspbwa-modsecurity-crs-block.sh
– Disable all rules: owaspbwa-modsecurity-crs-off.sh
• Rules can be easily edited via SMB shares
Log Files
• Logging for the web and application servers is left in its default configuration
– What you will most likely see when responding to an incident
• Logs are available via SMB share
• Logging settings can be easily edited
• Logs are cleared when the VM is packaged
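The "Examine evidence left by attacks" use case from the Problem slide, applied to the default Apache access log this slide describes. This is an added example, not code shipped with OWASP BWA; it assumes the VM's Apache writes the stock `combined` LogFormat, and the log lines inside it are constructed (hosts, timestamps and parameters are made up) to resemble requests against applications on the VM.

```python
"""Triage the evidence web attacks leave in Apache's default access log.

Added example for this page; it is not code from the OWASP BWA project. It
assumes the VM's Apache writes the stock 'combined' LogFormat. The log lines
below are constructed to resemble requests against applications on the VM;
hosts, timestamps and parameters are made up.
"""
import re
from urllib.parse import unquote_plus

# Apache 'combined' format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures for three attack classes, matched against the URL-decoded request
# target. They are deliberately small: this is incident triage, not a WAF, and
# only the request line is visible in the access log (POST bodies are not logged).
INDICATORS = {
    "sqli": re.compile(r"'\s*(or|and)\s+['\d]|union\s+select|sleep\(\d+\)", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
}

# Constructed sample log lines (not captured from a real VM).
SAMPLE_LOG = [
    '192.168.56.1 - - [21/Nov/2013:10:15:01 -0500] "GET /dvwa/index.php HTTP/1.1" '
    '200 4127 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [21/Nov/2013:10:15:09 -0500] "GET /dvwa/vulnerabilities/sqli/'
    '?id=1%27+OR+%271%27%3D%271&Submit=Submit HTTP/1.1" 200 5230 '
    '"http://192.168.56.101/dvwa/" "Mozilla/5.0"',
    '192.168.56.1 - - [21/Nov/2013:10:16:22 -0500] "GET /mutillidae/index.php'
    '?page=dns-lookup.php&target_host=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" '
    '200 8812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Nov/2013:10:17:45 -0500] "GET /WebGoat/attack?file=../../../../'
    'etc/passwd HTTP/1.1" 404 512 "-" "curl/7.22.0"',
    'this line is not in combined format and is skipped',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode once so percent-encoded payloads (%27 for a quote, %3C for '<')
    # are matched in the form the application actually saw.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(rec):
    """Return the attack classes whose signature matches the decoded request target."""
    return [name for name, rx in INDICATORS.items() if rx.search(rec["decoded"])]


def triage(lines):
    """Return one finding per suspicious request: who, when, what, and which classes hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "status": rec["status"],
                "target": rec["decoded"],
                "classes": hits,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["host"], f["status"], ",".join(f["classes"]), f["target"])
```

Run against the VM by reading `/var/log/apache2/access.log` (the Ubuntu default path) from the SMB share instead of `SAMPLE_LOG`. Decoding before matching is the important step: the `%27` and `%3C` that the browser or tool encoded would otherwise hide the quote and the `<script` tag from naive grep-style searches.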
User Guide
• User Guide available on the Google Code wiki: https://code.google.com/p/owaspbwa/wiki/UserGuide
• Volunteers welcome to contribute
– Author
– Review
– Edit
– Comment
Vulnerabilities

Where are the vulnerabilities?
• There is no master list of vulnerabilities (yet)
• Looking for the community to contribute
• Using the Trac issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1
• Not intended to duplicate content within applications or application documentation
Tracking Known Vulnerabilities
• Anyone can search issues
• Anyone can see details on issues
• Anyone can submit issues
– Considering a registration requirement in order to prevent spam
• Registered users can edit issues
The Future

Near Term
• Version 1.2 planned before the end of 2013
– Bug fixes
– Add bWAPP application
– Update applications
– Add ability to more easily update OWASP Mutillidae
Other Near Term Items
• Documentation can use some work
• Catalog of vulnerabilities can be expanded
Longer Term
• It will get increasingly difficult to support modern and old applications together
– Due to library and other dependency issues
• May move to multiple VMs
• Would like to improve the set of applications…
Wish List
• More applications in more languages
– Compiled Java
– ASP.NET
– Python
– Node.js
• Common frameworks and libraries
• Looking for feedback from people who use the VM for developer training
Wish List
• More modern UIs
– Rich JavaScript
– HTML5
– Mobile optimized sites
– Adobe Flash
Wish List
• More database backends
– PostgreSQL
– SQLite
– NoSQL
• Opportunity for someone
– Create a small data driven application with SQL injection
– Make variants connected to different database backends
Wish List
• Improved set of real applications with security issues
– More applications
– More modern applications
Wish List
• More web services
– Mobile apps
– Rich web UIs
– Desktop thick clients
Wish List
• Updated home page on VM
– More intuitive layout
– Refreshed appearance
– Perhaps indicate applications based on
• Application’s scope
• Application’s level of activity / updates
• User’s role / level
• Looking for feedback from users
What do you want to see in OWASP BWA?
We welcome any help, feedback, or broken apps you can provide!

More Information and Getting Involved
• More information on the project can be found at http://www.owaspbwa.org/
• Join our Google Group: owaspbwa
• Follow us on Twitter @owaspbwa
• Submit bugs and security issues to the trackers
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 

Chuck Willis - OWASP BWA: Beyond 1.0 - AppSec USA, 2013-11-21

Base Operating System
• OS is Ubuntu Linux Server 10.04 LTS
– No X-Windows / Graphical User Interface
• Managed via
– Console
– OpenSSH
– Samba
– phpMyAdmin
12

Additional Software
• Subversion client
• Git client
• PostgreSQL
• ModSecurity and OWASP Core Rule Set
• Custom scripts
14

Training Applications
• OWASP WebGoat (Java)
• OWASP WebGoat.NET (ASP.NET/C#)
• OWASP ESAPI Java SwingSet Interactive (Java)
• OWASP Mutillidae II (PHP)
• OWASP RailsGoat (Ruby on Rails)
• OWASP Bricks (PHP)
• Damn Vulnerable Web Application (PHP)
• Ghost (PHP)
• Magical Code Injection Rainbow (PHP)
16

Realistic, Intentionally Broken Apps
• OWASP Vicnum (PHP/Perl)
• OWASP 1-Liner (Java/JavaScript)
• Google Gruyere (Python)
• Hackxor (Java JSP)
• WackoPicko (PHP)
• BodgeIt (Java JSP)
• Cyclone Transfers (Ruby on Rails)
• Peruggia (PHP)
17

Old Versions of Real Applications
• WordPress 2.0.0 (PHP, released December 31, 2005)
– myGallery plugin version 1.2
– Spreadsheet for WordPress plugin version 0.6
• OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
• GetBoo version 1.04 (PHP, released April 7, 2008)
• gtd-php version 0.7 (PHP, released September 30, 2006)
• Yazd version 1.0 (Java, released February 20, 2002)
• WebCalendar version 1.03 (PHP, released April 11, 2006)
• TikiWiki version 1.9.5 (PHP, released September 5, 2006)
• Gallery2 version 2.1 (PHP, released March 23, 2006)
• Joomla version 1.5.15 (PHP, released November 4, 2009)
• AWStats version 6.4 (Perl, released February 25, 2005)
18

Other Applications
• Applications for Testing Tools
– OWASP ZAP-WAVE (Java JSP)
– WAVSEP (Java JSP)
– WIVET (Java JSP)
• Demonstration Pages / Small Applications
– OWASP CSRFGuard Test Application (Java)
– Mandiant Struts Forms (Java/Struts)
– Simple ASP.NET Forms (ASP.NET/C#)
– Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
• OWASP Demonstration Applications
– OWASP AppSensor Demo Application (Java)
19

Editing Applications
• Application code can be edited via SMB shares, SSH, or the console
• Updates to PHP, JSP, etc. application files will take place immediately
• Scripts provided to rebuild and redeploy applications that require it:
– WebGoat
– Yazd
– CSRFGuard Test Apps
– SwingSet Apps
21

Updating VM
• Scripts are provided to update VM from source code repositories
– OWASP BWA specific files from Google Code SVN repository
– Application files from their SVN or Git repositories
• Can break applications due to changes in database schemas or dependencies
• Can allow for using updated versions of applications without waiting for a new version of OWASP BWA
22

OWASP ModSecurity Core Rule Set
• Web server on OWASP BWA is running mod_security
• By default, no rules are enabled
• Scripts are provided to:
– Enable logging using CRS:
  • owaspbwa-modsecurity-crs-log.sh
– Enable blocking using CRS:
  • owaspbwa-modsecurity-crs-block.sh
– Disable all rules:
  • owaspbwa-modsecurity-crs-off.sh
• Rules can be easily edited via SMB shares
23

Log Files
• Logging for the web and application servers is left in its default configuration
– What you will most likely see when responding to an incident
• Logs are available via SMB share
• Logging settings can be easily edited
• Logs are cleared when VM is packaged
24

User Guide
• User Guide available on Google Code Wiki: https://code.google.com/p/owaspbwa/wiki/UserGuide
• Welcome any volunteers to contribute
– Author
– Review
– Edit
– Comment
25

Where are the vulnerabilities?
• Don’t have a master list of vulnerabilities (yet)
• Looking for the community to contribute
• Using “Trac” issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1
• Not intended to duplicate content within applications or application documentation
27

Tracking Known Vulnerabilities
• Anyone can search issues
28

Tracking Known Vulnerabilities
• Anyone can see details on issues
29

Tracking Known Vulnerabilities
• Anyone can submit issues
• Considering a registration requirement in order to prevent spam
30

Tracking Known Vulnerabilities
• Registered users can edit issues
31

Near Term
• Version 1.2 planned before the end of 2013
– Bug fixes
– Add bWAPP application
– Update applications
– Add ability to more easily update OWASP Mutillidae
33

Other Near Term Items
• Documentation can use some work
• Catalog of vulnerabilities can be expanded
34

Longer Term
• Will get increasingly difficult to support modern and old applications
– Due to library and other dependency issues
• May move to multiple VMs
• Would like to improve set of applications…
35

Wish List
• More applications in more languages
– Compiled Java
– ASP.NET
– Python
– Node.js
• Common frameworks and libraries
• Looking for feedback from people who use VM for developer training
36

Wish List
• More modern UIs
– Rich JavaScript
– HTML5
– Mobile optimized sites
– Adobe Flash
37

Wish List
• More database backends
– PostgreSQL
– SQLite
– NoSQL
• Opportunity for someone
– Create a small data driven application with SQL injection
– Make variants connected to different database backends
38
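The "opportunity for someone" above is a small data-driven app with SQL injection plus variants for different backends. As an added example (not code from OWASP BWA or any application it ships), here is a minimal login lookup in Python with the intentionally broken query beside its parameterized form, against an in-memory SQLite database seeded with constructed users; the placeholder table assumes the DB-API paramstyles of sqlite3 ("?") and of a PostgreSQL variant via psycopg2 ("%s"), the latter named but not exercised here.

```python
import sqlite3

# Constructed sample users for the demo; not real credentials from any app.
SEED_USERS = [("alice", "s3cret", "user"), ("admin", "hunter2", "admin")]

# DB-API paramstyle tokens: sqlite3 uses "qmark", psycopg2 (PostgreSQL) uses "format".
# Swapping the token is the only query change a backend variant needs.
PARAMSTYLE = {"qmark": "?", "format": "%s"}


def make_db():
    """In-memory SQLite backend; the same schema would serve a PostgreSQL variant."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Intentionally broken variant: input is spliced into the SQL text, so the
    caller controls the query's structure, not just its data."""
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn, name, password, paramstyle="qmark"):
    """Hardened variant: bound parameters keep input out of the SQL grammar."""
    p = PARAMSTYLE[paramstyle]
    sql = f"SELECT name, role FROM users WHERE name = {p} AND password = {p}"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    """Run the same inputs through both variants and return the rows each yields."""
    conn = make_db()
    good = ("alice", "s3cret")
    bad = ("alice", "wrong")
    # Textbook string-escape input a scanner or WAF test sends: it closes the
    # quoted literal and comments out the password check in the broken variant.
    probe = ("admin' -- ", "anything")
    return {
        "vuln_good": login_vulnerable(conn, *good),
        "vuln_bad": login_vulnerable(conn, *bad),
        "vuln_probe": login_vulnerable(conn, *probe),   # returns the admin row
        "fixed_good": login_fixed(conn, *good),
        "fixed_probe": login_fixed(conn, *probe),       # returns no rows
    }
```

With the CRS logging script from slide 23 enabled, the probe request is exactly the kind of input that shows up in the ModSecurity audit log, which makes this a handy fixture for checking scanner and WAF coverage.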
Wish List
• Improved set of real applications with security issues
– More applications
– More modern applications
39

Wish List
• More web services
– Mobile apps
– Rich web UIs
– Desktop thick clients
40

Wish List
• Updated home page on VM
– More intuitive layout
– Refreshed appearance
– Perhaps indicate applications based on
  • Application’s scope
  • Application’s level of activity / updates
  • User’s role / level
• Looking for feedback from users
41

What do you want to see in OWASP BWA?
42

We welcome any help, feedback, or broken apps you can provide!
43

More Information and Getting Involved
• More information on the project can be found at http://www.owaspbwa.org/
• Join our Google Group: owaspbwa
• Follow us on Twitter @owaspbwa
• Submit bugs and security issues to the trackers
44