Date posted: 23-Dec-2015
What is OWASP / OWASP Live CD Live Demo
Omar Sherin, OWASP Egypt
A Few Facts and Figures: How Many Vulnerabilities Are Application Security Related?
What is OWASP?
Open Web Application Security Project
● Promotes secure software development
● Oriented to the delivery of web-oriented services
● Focused primarily on back-end security rather than web-design issues
● An open forum for discussion
● A free resource for any development team
120+ Chapters Worldwide
OWASP Sponsors
OWASP Publications (all free)
● Top 10 Web Application Security Vulnerabilities
● Guide to Building Secure Web Applications
● Legal Project
● Metrics & Measurements Project
● Testing Project
● AppSec FAQ
www.owasp.org
OWASP Software
Major applications:
● WebGoat
● WebScarab
● .NET Projects
● Lab Projects
OWASP Software - .NET Projects
● A collection of tools focused on securing ASP.NET projects
● Includes security analyzers and documentation projects
● Current projects:
  - ASP.NET Baseline Security: a suite of tools to help administrators identify common issues in ASP.NET deployments
  - SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments): a toolkit for administrators to identify issues in IIS 5 or 6 ASP.NET deployments
  - ANSA (ASP.NET Security Analyzer): written in C# to identify configuration and software issues that affect security
  - ASP.NET Security Guides: a set of documents covering the design and deployment of secure software in ASP.NET hosting environments
● http://www.owasp.org/software/dotnet.html
What is the OWASP Live CD?
● A bootable CD with a large set of pre-packaged web security tools
● The latest OWASP project, and the most talked about in the web security community
● Also available as a free VM image
Live CD Benefits and Tools List
It's free, easy and safe to use.
Current tools list:
● OWASP WebScarab
● OWASP WebGoat
● OWASP JBroFuzz
● Paros Proxy
● nmap
● Wireshark
● tcpdump
● Firefox 3
● Burp Suite
● Grendel-Scan
● OWASP DirBuster
● OWASP SQLiX
● OWASP WSFuzzer
● Metasploit 3
Future tools list:
● nikto
● Skavenger
● sqlmap
● sqlninja
● Absinthe
● webshag
● httprint
● BeEF
● ProxyMon
● ratproxy
Tool Focus: WebGoat
● Start the WebGoat server from the main menu
● In Firefox, open http://127.0.0.1:8080/WebGoat/attack
● User name: guest, password: guest
● Start learning!
What is WebGoat?
● OWASP project with ~115,000 downloads so far
● Deliberately insecure Java EE web application
● Teaches common application vulnerabilities via a series of individual lessons
Real World Examples
● Cross-site scripting
● SQL injection
● Command injection
● Forced browsing
● Access control
  - Data, presentation, business and environmental layers
● Authentication
● AJAX
● Web services
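As an added illustration of the SQL injection lesson category listed above (example code written for this page, not part of WebGoat or the Live CD), the following Python script runs the classic string-concatenation login bug against an in-memory SQLite table of constructed sample users and places it next to the parameterised query that fixes it. The table and column names, the sample rows and the two payloads (a tautology and a comment-based bypass) are assumptions made for the demo, not values taken from any WebGoat lesson.

```python
"""
Added example (not from the OWASP Live CD or WebGoat): the string-concatenation
bug behind WebGoat-style SQL injection lessons, beside the parameterised fix.
Runs offline against an in-memory SQLite table filled with constructed rows.
"""
import sqlite3

# Constructed sample data; names and passwords are invented for this demo.
SAMPLE_ROWS = [
    ("jsmith", "s3cret", "Joe Smith"),
    ("mjones", "hunter2", "Mary Jones"),
    ("admin", "correct-horse", "Site Admin"),
]


def make_db() -> sqlite3.Connection:
    """Create the throwaway users table (assumed schema) in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, fullname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by pasting user input into SQL: the lesson's bug.

    Whatever the user types becomes part of the statement, so quotes,
    OR clauses and comment markers in the input change its meaning.
    """
    sql = (
        "SELECT fullname FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: input is data, never SQL text."""
    sql = "SELECT fullname FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both versions against a legitimate login and two injection payloads."""
    conn = make_db()
    # Tautology: turns the WHERE clause into (... AND '') OR '1'='1', i.e. every row.
    tautology = "' OR '1'='1"
    # Comment bypass: closes the username literal and comments out the password check.
    bypass_user = "admin'--"
    return {
        "legit_vuln": login_vulnerable(conn, "jsmith", "s3cret"),
        "legit_safe": login_safe(conn, "jsmith", "s3cret"),
        "inject_vuln": login_vulnerable(conn, "x", tautology),
        "inject_safe": login_safe(conn, "x", tautology),
        "bypass_vuln": login_vulnerable(conn, bypass_user, "whatever"),
        "bypass_safe": login_safe(conn, bypass_user, "whatever"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:12s} -> {rows}")
```

The vulnerable path returns every user for the tautology payload and logs in as the admin for the comment payload; the parameterised path returns nothing for both, because the payload is compared as a literal password or username rather than interpreted as SQL.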
WebGoat Users
● Used by clients as a test target for source code analysis and web application security scanning
● Used by universities in the security curriculum
  - Carnegie Mellon: using WebGoat as an open source project option
  - University of Denver
● Wouldn't it be great if students contributed lessons as part of their class projects!
● OWASP Autumn of Code 2006 and Spring of Code 2007 projects
● Used by many companies as a "safe" training tool
● Lots of emails from the user community
What's New in 5.x
5.0 (Autumn of Code 2006 release)
● Many new lessons
  - AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath injection, forced browsing
5.1 (Summer 2007)
● A servlet that lets attack payloads post data
  - Posted data is pushed back to the originating lesson
● XSS phishing attack lesson
● Improved lesson content
● Enhanced documentation (a SpoC 2007 project)
Work in Progress
Convert lessons to a common theme:
● HR system (WebGoat Financials)
● Online banking or video store
Questions & Demo
Thank you
www.qcert.org