Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation
6th OWASP AppSec Conference
Milan - May 2007
http://www.owasp.org/
WebGoat v5 Project: Autumn of Code 2006 Project

Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, [email protected]
WebGoat Project Lead: Bruce Mayhew, [email protected]
About the Speaker

Background
  IT Security Consultant for the past 19 years
  Focus on application security for the past 9 years
  Bachelor's and Master's degrees in Computer Science
  CISSP, CISM
Aspect Security
  Founder and COO
  Specialists in application security
  Verify critical applications (~3 million LOC/month)
  Enable companies to reliably produce secure code
OWASP Foundation
  Coauthor of the OWASP Top 10
  Member of the OWASP Board
  Conferences Chair for OWASP AppSec Conferences
  Established OWASP as a 501(c)(3) not-for-profit in the U.S.
What's a WebGoat

OWASP project with ~115,000 downloads
Deliberately insecure Java EE web application
Teaches common application vulnerabilities via a series of individual lessons
History of WebGoat

Donated to OWASP by Aspect Security ~2002
Project Lead is Bruce Mayhew
Started to receive outside contributions in 2005
v5 produced as an Autumn of Code (AoC) 2006 project
WebGoat Demonstrates Vulnerabilities

WebGoat uses "goatified" real-world examples:
  Cross-site scripting
  SQL injection
  Command injection
  Forced browsing
  Access control (data, presentation, business, and environmental layers)
  Authentication
  AJAX
  Web services
  ...
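The slide only names the vulnerability classes the lessons cover; the following is an added illustration of what a "goatified" SQL injection lesson teaches, placed beside the fix. It is not WebGoat's own code (WebGoat is a Java EE application; this uses Python's standard-library sqlite3 so it runs stand-alone), and the user table, rows, and tautology payload are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a lesson's user table
# (hypothetical schema, not WebGoat's real one).
SAMPLE_USERS = [
    ("jsmith", "John Smith", "employee"),
    ("bmayhew", "Bruce Mayhew", "manager"),
    ("dwichers", "Dave Wichers", "admin"),
]

# Classic tautology payload typed into the login field of the lesson form.
PAYLOAD = "x' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list[str]:
    """The 'goatified' form: the request parameter is concatenated into the
    SQL text, so whatever the user types becomes part of the query syntax.
    With PAYLOAD the WHERE clause becomes  login = 'x' OR '1'='1'  and every
    row is returned."""
    sql = "SELECT login, name, role FROM users WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_safe(conn: sqlite3.Connection, login: str) -> list[str]:
    """Hardened form: the parameter is bound by the driver, so quotes and
    keywords inside it are compared as data and never parsed as SQL."""
    sql = "SELECT login, name, role FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,)).fetchall()]


def demo() -> dict[str, list[str]]:
    """Run both lookups with a normal login and with the injection payload."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "jsmith"),
        "vulnerable_payload": lookup_vulnerable(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "jsmith"),
        "safe_payload": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, logins in demo().items():
        print(f"{name}: {logins}")
```

The vulnerable lookup returns one row for a legitimate login and all three rows for the payload; the parameterized lookup returns one row and then none, because the payload is treated as a literal login string that matches nothing. This is the same lesson a WebGoat SQL injection exercise drives home, independent of the language the application is written in.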
Picking up Steam...

Used by source code analysis and web application security scanning vendors for demos
Used by universities in their security curricula
  Carnegie Mellon: using WebGoat as an open source project option
  University of Denver
  Wouldn't it be great if students contributed lessons as part of their class projects!!
OWASP Autumn of Code 2006 and Spring of Code 2007 projects
Used by many companies as a training tool
LOTS of emails from the user community
What's New in 5.X

5.0 - Autumn of Code 2006 release
  Many new lessons: AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML and XPath injection, forced browsing
5.1 (goals - summer 2007)
  Servlet that allows attacks to post data; posted data is pushed back to the originating lesson
  XSS phishing attack
  Improved lesson content
  Enhanced documentation (a Spring of Code 2007 project)
Roadmap

Create a database schema common to all lessons
Convert lessons to a common theme: HR system (WebGoat Financials), online banking, or video store
Make WebGoat more CBT-like: teach application security, not just demonstrate how to attack
Convert lessons to JSPs for easier content editing
Demos - Let's go through some lessons!!

Questions and Answers
Share your ideas / Let us know you're using it!

Bruce Mayhew, [email protected]
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/