The OWASP Foundation
AppSec DC
http://www.owasp.org
Learning by Breaking
A New Project for Insecure Web Apps
Chuck Willis
Technical Director
MANDIANT
chuck.willis@mandiant.com
November 12, 2009
OWASP
About Me
MANDIANT
Commercial Services
Federal Services
Training and Education
Product – Mandiant Intelligent Response
My Experience
10+ years total experience in Information Security
Penetration Testing, Application Security, Source Code Analysis, Forensics, Incident Response, R&D
Member of OWASP DC Chapter (and CapSec)
Problem
I was looking for web applications with vulnerabilities where I could:
Test web application scanners
Test manual techniques
Test source code analysis tools
Look at the code that implements the vulnerabilities
Modify code to fix vulnerabilities
Test web application firewalls
Option – WebGoat
It is a great learning tool, but
It is a training environment, not a real application
Same holds for other “artificial” applications
Option – Proprietary “Free” Apps
Realistic applications with vulnerabilities
Often closed source, which prevents some uses
Can conflict with one another
Can be difficult to install
Licensing restrictions
Solution
Create a set of broken, open source applications
Put them all on a VMWare Virtual Machine
Donate it to OWASP
Profit?
Base Software
Based on Ubuntu Linux Server 9.10
No X-Windows
Apache
PHP
Perl
MySQL
PostgreSQL
Tomcat
OpenJDK
Mono
Management Software
OpenSSH
Samba
phpMyAdmin
Subversion Client
Intentionally Broken Apps
OWASP WebGoat version 5.3 (Java)
OWASP Vicnum version 1.3 (Perl)
Mutillidae version 1.3 (PHP)
Damn Vulnerable Web Application version 1.06 (PHP)
Intentionally Broken Apps
OWASP CSRFGuard Test Application version 2.2 (Java)
Mandiant Struts Forms (Java/Struts)
Simple ASP.NET Forms (ASP.NET/C#)
Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
LOOKING FOR DONATIONS!
Old Versions of Real Applications
phpBB 2.0.0 (PHP, released April 4, 2002)
WordPress 2.0.0 (PHP, released December 31, 2005)
Yazd version 1.0 (Java, released February 20, 2002)
LOOKING FOR IDEAS!
Where are the vulnerabilities?
Don’t have a master list of vulnerabilities (yet)
Counting on the community to contribute
Experimenting with using the issue tracker at Google Code to allow the community to contribute vulnerabilities as they are found
May move to wiki page(s) on the OWASP site
What’s in a name?
Tentatively called “OWASP Broken Web Applications Project”
I’m open to suggestions
The Future
Establish as an OWASP project
Wiki page
Mailing list
Update project for collaboration
Create and maintain documentation
Push content to Google Code
Incorporate additional broken apps
The larger, the better
Would like more real / realistic applications
Adobe Flash (could use some help here)
Ruby on Rails?
More Information and Downloads
More information can be found at http://code.google.com/p/owaspbwa/
Version 0.9 of the VM has been released!
Linked from the blog at mandiant.com
I have a few CDs of the VM for anyone who wants them
I welcome any help / broken apps you can provide!
Questions?