Learning by Breaking: A New Project for Insecure Web Apps

Uploaded by arghtalent (Data Management), 31 Jan 2013

The OWASP Foundation

AppSec DC

http://www.owasp.org


Learning by Breaking

A New Project for Insecure Web Apps

Chuck Willis

Technical Director

MANDIANT

chuck.willis@mandiant.com

November 12, 2009

OWASP

About Me

- MANDIANT
  - Commercial Services
  - Federal Services
  - Training and Education
  - Product: Mandiant Intelligent Response
- My Experience
  - 10+ years total experience in Information Security
  - Penetration Testing, Application Security, Source Code Analysis, Forensics, Incident Response, R&D
  - Member of OWASP DC Chapter (and CapSec)

Problem

- I was looking for web applications with vulnerabilities where I could:
  - Test web application scanners
  - Test manual techniques
  - Test source code analysis tools
  - Look at the code that implements the vulnerabilities
  - Modify code to fix vulnerabilities
  - Test web application firewalls

Option

- WebGoat
  - It is a great learning tool, but
    - It is a training environment, not a real application
    - Same holds for other “artificial” applications

Option

- Proprietary “Free” Apps
  - Realistic applications with vulnerabilities
  - Often closed source, which prevents some uses
  - Can conflict with one another
  - Can be difficult to install
  - Licensing restrictions

Solution

- Create a set of broken, open source applications
- Put them all on a VMware Virtual Machine
- Donate it to OWASP
- Profit?

Base Software

- Based on Ubuntu Linux Server 9.10
  - No X-Windows
- Apache
- PHP
- Perl
- MySQL
- PostgreSQL
- Tomcat
- OpenJDK
- Mono

Management Software

- OpenSSH
- Samba
- phpMyAdmin
- Subversion Client

Intentionally Broken Apps

- OWASP WebGoat version 5.3 (Java)
- OWASP Vicnum version 1.3 (Perl)
- Mutillidae version 1.3 (PHP)
- Damn Vulnerable Web Application version 1.06 (PHP)

Intentionally Broken Apps (continued)

- OWASP CSRFGuard Test Application version 2.2 (Java)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

LOOKING FOR DONATIONS!

Old Versions of Real Applications

- phpBB 2.0.0 (PHP, released April 4, 2002)
- WordPress 2.0.0 (PHP, released December 31, 2005)
- Yazd version 1.0 (Java, released February 20, 2002)

LOOKING FOR IDEAS!

Where are the vulnerabilities?

- Don’t have a master list of vulnerabilities (yet)
- Counting on the community to contribute
- Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
- May move to wiki page(s) on the OWASP site

What’s in a name?

- Tentatively called “OWASP Broken Web Applications Project”
- I’m open to suggestions

The Future

- Establish as an OWASP project
  - Wiki page
  - Mailing list
- Update project for collaboration
  - Create and maintain documentation
  - Push content to Google Code
- Incorporate additional broken apps
  - The larger, the better
  - Would like more real / realistic applications
  - Adobe Flash (could use some help here)
  - Ruby on Rails?

More Information and Downloads

- More information can be found at http://code.google.com/p/owaspbwa/
- Version 0.9 of the VM has been released!
- Linked from the blog at mandiant.com
- I have a few CDs of the VM for anyone who wants them

I welcome any help / broken apps you can provide!

Questions?
