OWASP Broken Web Applications


Dec 13, 2013


OWASP Broken Web Applications (OWASP BWA): Beyond 1.0

Agenda
- Introductions
- Project Background
- Current Status
- Future
- Q & A


About Me
- Sr. Technical Director at Mandiant in DC
- Application Security, Penetration Testing, Source Code Analysis, Forensics, Incident Response, Research and Development
- Leader of OWASP Broken Web Applications project
- chuck.willis@mandiant.com
- @chuckatsf

Project Background

Problem
- Looking for web applications with vulnerabilities where I could:
  - Test web application scanners
  - Test manual attack techniques
  - Test source code analysis tools
  - Look at the code that implements the vulnerabilities
  - Modify code to fix vulnerabilities
  - Test web application firewalls
  - Examine evidence left by attacks


OWASP WebGoat
- It is a great learning tool, but…
- It is a training environment, not a real application
- The same holds for many other “training” applications


Proprietary “Free” Apps
- Realistic applications with vulnerabilities
- Often closed source, which prevents some uses
- Can conflict with one another
- Can be difficult to install
- Licensing restrictions


OWASP BWA Solution
- Free, Linux-based Virtual Machine
- Contains a variety of web applications
  - Some intentionally broken
  - Some old versions of open source applications
- Pre-configured and ready to use / test
- All applications are open source
  - Allows for source code analysis
  - Allows users to modify the source to fix vulnerabilities (or add new ones)


OWASP BWA History
- Initial 0.9 release at AppSec DC 2009
- 1.0 release in July 2012
- Current version is 1.1.1
  - Released in September 2013
  - Download links off www.owaspbwa.org
  - Some known issues

OWASP BWA Details

Virtual Machine
- Available in VMware and OVA formats
- Compatible with
  - VMware Products
    - No-cost and commercial
    - OWASP BWA intentionally uses older VM format
  - Oracle VirtualBox
  - Parallels Desktop


Base Operating System
- OS is Ubuntu Linux Server 10.04 LTS
- No X-Windows / Graphical User Interface
- Managed via
  - Console
  - OpenSSH
  - Samba
  - phpMyAdmin


Base Software
- Apache
- PHP
- Perl
- MySQL
- Tomcat
- OpenJDK
- Mono
- Ruby
- Rails


Additional Software
- SubVersion client
- GIT client
- PostgreSQL
- ModSecurity and OWASP Core Rule Set
- Custom scripts

Applications

Training Applications
- OWASP WebGoat (Java)
- OWASP WebGoat.NET (ASP.NET/C#)
- OWASP ESAPI Java SwingSet Interactive (Java)
- OWASP Mutillidae II (PHP)
- OWASP RailsGoat (Ruby on Rails)
- OWASP Bricks (PHP)
- Damn Vulnerable Web Application (PHP)
- Ghost (PHP)
- Magical Code Injection Rainbow (PHP)


Realistic, Intentionally Broken Apps
- OWASP Vicnum (PHP/Perl)
- OWASP 1-Liner (Java/JavaScript)
- Google Gruyere (Python)
- Hackxor (Java JSP)
- WackoPicko (PHP)
- BodgeIt (Java JSP)
- Cyclone Transfers (Ruby on Rails)
- Peruggia (PHP)


Old Versions of Real Applications
- WordPress 2.0.0 (PHP, released December 31, 2005)
  - myGallery plugin version 1.2
  - Spreadsheet for WordPress plugin version 0.6
- OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
- GetBoo version 1.04 (PHP, released April 7, 2008)
- gtd-php version 0.7 (PHP, released September 30, 2006)
- Yazd version 1.0 (Java, released February 20, 2002)
- WebCalendar version 1.03 (PHP, released April 11, 2006)
- TikiWiki version 1.9.5 (PHP, released September 5, 2006)
- Gallery2 version 2.1 (PHP, released March 23, 2006)
- Joomla version 1.5.15 (PHP, released November 4, 2009)
- AWStats version 6.4 (Perl, released February 25, 2005)


Other Applications
- Applications for Testing Tools
  - OWASP ZAP-WAVE (Java JSP)
  - WAVSEP (Java JSP)
  - WIVET (Java JSP)
- Demonstration Pages / Small Applications
  - OWASP CSRFGuard Test Application (Java)
  - Mandiant Struts Forms (Java/Struts)
  - Simple ASP.NET Forms (ASP.NET/C#)
  - Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
- OWASP Demonstration Applications
  - OWASP AppSensor Demo Application (Java)

Other Features

Editing Applications
- Application code can be edited via SMB shares, SSH, or the console
- Updates to PHP, JSP, etc. application files will take place immediately
- Scripts provided to rebuild and redeploy applications that require it:
  - WebGoat
  - Yazd
  - CSRFGuard Test Apps
  - SwingSet Apps


Updating VM
- Scripts are provided to update VM from source code repositories
  - OWASP BWA specific files from Google Code SVN repository
  - Application files from their SVN or GIT repositories
- Can break applications due to changes in database schemas or dependencies
- Can allow for using updated versions of applications without waiting for a new version of OWASP BWA


OWASP ModSecurity Core Rule Set
- Web server on OWASP BWA is running mod_security
- By default, no rules are enabled
- Scripts are provided to:
  - Enable logging using CRS: owaspbwa-modsecurity-crs-log.sh
  - Enable blocking using CRS: owaspbwa-modsecurity-crs-block.sh
  - Disable all rules: owaspbwa-modsecurity-crs-off.sh
- Rules can be easily edited via SMB shares


Log Files
- Logging for the web and application servers is left in the default configuration
  - What you will most likely see when responding to an incident
- Logs are available via SMB share
- Logging settings can be easily edited
- Logs are cleared when VM is packaged

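Because the VM keeps the web server's default log configuration, the evidence an attack leaves behind is an ordinary Apache combined-format access log. The following triage script is an added example for this page, not code shipped with OWASP BWA: it parses combined-format lines, URL-decodes each request path, runs a few defensive indicators over it (quote-plus-boolean, directory traversal, script tag), and aggregates hits, 4xx/5xx responses and user agents per client. The log lines, hostnames and paths are constructed for the example; the assumption that the access log is in the stock combined LogFormat follows from the slide.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache "combined" LogFormat (the stock default). Assumption: OWASP BWA leaves
# the access log in this default layout, as the slide states.
COMBINED_RE = re.compile(
    r'(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Request-level indicators, applied to the URL-decoded path and query string.
INDICATORS = {
    "sqli": re.compile(r"'\s*(or|and)\b|union\s+select", re.I),
    "traversal": re.compile(r"\.\./"),
    "xss": re.compile(r"<\s*script", re.I),
}

# Constructed sample lines (not real OWASP BWA logs); hosts and paths are illustrative.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Dec/2013:10:00:01 -0500] "GET /dvwa/login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [13/Dec/2013:10:00:05 -0500] "POST /dvwa/login.php HTTP/1.1" 302 0 "http://owaspbwa/dvwa/login.php" "Mozilla/5.0"
10.0.0.9 - - [13/Dec/2013:10:01:00 -0500] "GET /mutillidae/index.php?page=user-info.php&username=%27+OR+1%3D1--+ HTTP/1.1" 200 5120 "-" "scanner-bot/1.0"
10.0.0.9 - - [13/Dec/2013:10:01:01 -0500] "GET /mutillidae/index.php?page=../../../../etc/passwd HTTP/1.1" 404 210 "-" "scanner-bot/1.0"
10.0.0.9 - - [13/Dec/2013:10:01:02 -0500] "GET /mutillidae/index.php?page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "scanner-bot/1.0"
10.0.0.7 - - [13/Dec/2013:10:02:00 -0500] "GET /webgoat/attack HTTP/1.1" 401 0 "-" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Names of the indicators that fire on the URL-decoded request path."""
    decoded = unquote_plus(path)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def triage(log_text):
    """Per-client counts: requests, 4xx/5xx responses, indicator hits, user agents seen."""
    report = defaultdict(lambda: {"requests": 0, "errors": 0, "hits": Counter(), "agents": set()})
    unparsed = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            unparsed += 1  # counted, not dropped: malformed lines are themselves worth a look
            continue
        rec = report[entry["client"]]
        rec["requests"] += 1
        if entry["status"][0] in "45":
            rec["errors"] += 1
        rec["agents"].add(entry["agent"])
        for tag in classify_request(entry["path"]):
            rec["hits"][tag] += 1
    return dict(report), unparsed


def suspicious_clients(report):
    """Clients with at least one indicator hit, most hits first."""
    flagged = [(c, sum(r["hits"].values())) for c, r in report.items() if r["hits"]]
    return [c for c, _ in sorted(flagged, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    report, unparsed = triage(SAMPLE_LOG)
    for client in suspicious_clients(report):
        rec = report[client]
        print(client, dict(rec["hits"]), "errors:", rec["errors"], "agents:", sorted(rec["agents"]))
    print("unparsed lines:", unparsed)
```

Pointing `triage` at the access log pulled from the VM's SMB share gives a first cut at which clients were probing which applications; the indicator table is deliberately small and is the part a user would extend for the applications they are studying.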

User Guide
- User Guide available on Google Code Wiki: https://code.google.com/p/owaspbwa/wiki/UserGuide
- Welcome any volunteers to contribute
  - Author
  - Review
  - Edit
  - Comment

Vulnerabilities

Where are the vulnerabilities?
- Don’t have a master list of vulnerabilities (yet)
- Looking for the community to contribute
- Using “Trac” issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1
- Not intended to duplicate content within applications or application documentation


Tracking Known Vulnerabilities
- Anyone can search issues
- Anyone can see details on issues
- Anyone can submit issues
  - Considering a registration requirement in order to prevent spam
- Registered users can edit issues

The Future

Near Term
- Version 1.2 planned before the end of 2013
  - Bug fixes
  - Add bWAPP application
  - Update applications
  - Add ability to more easily update OWASP Mutillidae

Other Near Term Items
- Documentation can use some work
- Catalog of vulnerabilities can be expanded


Longer Term
- Will get increasingly difficult to support modern and old applications
  - Due to library and other dependency issues
  - May move to multiple VMs
- Would like to improve set of applications…


Wish List
- More applications in more languages
  - Compiled Java
  - ASP.NET
  - Python
  - Node.js
- Common frameworks and libraries
- Looking for feedback from people who use VM for developer training
- More modern UIs
  - Rich JavaScript
  - HTML5
  - Mobile optimized sites
  - Adobe Flash
- More database backends
  - PostgreSQL
  - SQLite
  - NoSQL
- Opportunity for someone
  - Create a small data driven application with SQL injection
  - Make variants connected to different database backends

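The "small data driven application with SQL injection, with variants on different database backends" item is concrete enough to sketch. The block below is an added example written for this page, not an application from OWASP BWA: a two-column `users` table with constructed rows, a deliberately broken lookup that concatenates input into the SQL text next to the parameterized lookup that fixes it, and a `verify_variants` check that confirms the tautology input widens only the vulnerable query's result. It runs against the stdlib `sqlite3` module (SQLite is one of the backends on the wish list); `placeholder_for` maps a DB-API module's `paramstyle` to the right placeholder so the same fixed query can be pointed at a `format`-style driver such as a PostgreSQL adapter, which is how a contributor might build the per-backend variants.

```python
import sqlite3

# Constructed sample data (not taken from any OWASP BWA application).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def placeholder_for(dbmodule):
    """Map a DB-API module's paramstyle to the placeholder its parameterized queries use."""
    style = dbmodule.paramstyle
    if style == "qmark":      # sqlite3
        return "?"
    if style == "format":     # e.g. PostgreSQL / MySQL adapters that use %s
        return "%s"
    raise NotImplementedError(f"paramstyle {style!r} is not handled by this example")


def build_db(dbmodule=sqlite3, dsn=":memory:"):
    """Create the users table and load the sample rows through a bound-parameter INSERT."""
    ph = placeholder_for(dbmodule)
    conn = dbmodule.connect(dsn)
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (username TEXT, email TEXT)")
    cur.executemany(f"INSERT INTO users VALUES ({ph}, {ph})", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately broken variant: the caller's input becomes part of the SQL text."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    cur = conn.cursor()
    cur.execute(sql)
    return cur.fetchall()


def lookup_fixed(conn, username, dbmodule=sqlite3):
    """Hardened variant: the value travels as a bound parameter, never as SQL."""
    ph = placeholder_for(dbmodule)
    cur = conn.cursor()
    cur.execute(f"SELECT username, email FROM users WHERE username = {ph}", (username,))
    return cur.fetchall()


def verify_variants(dbmodule=sqlite3, dsn=":memory:"):
    """Regression check: the tautology input must widen the vulnerable query's
    result set and must leave the fixed query's result set unchanged."""
    conn = build_db(dbmodule, dsn)
    tautology = "' OR '1'='1"
    result = {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_injected": len(lookup_vulnerable(conn, tautology)),
        "fixed_normal": len(lookup_fixed(conn, "alice", dbmodule)),
        "fixed_injected": len(lookup_fixed(conn, tautology, dbmodule)),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for name, rows in verify_variants().items():
        print(f"{name}: {rows} row(s)")
```

The check is the useful part for a training VM: when a contributor ports the application to another backend, the same `verify_variants` call shows whether the intentionally broken variant is still broken and the fixed one still holds, which is exactly the kind of entry the vulnerability catalog would want to point at.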

Wish List (continued)
- Improved set of real applications with security issues
  - More applications
  - More modern applications
- More web services
  - Mobile apps
  - Rich web UIs
  - Desktop thick clients
- Updated home page on VM
  - More intuitive layout
  - Refreshed appearance
  - Perhaps indicate applications based on
    - Application’s scope
    - Application’s level of activity / updates
    - User’s role / level
- Looking for feedback from users

What do you want to see in OWASP BWA?

More Information and Getting Involved
- We welcome any help, feedback, or broken apps you can provide!
- More information on the project can be found at http://www.owaspbwa.org/
- Join our Google Group: owaspbwa
- Follow us on Twitter @owaspbwa
- Submit bugs and security issues to the trackers