Learning by Breaking: OWASP BWA (Doug Wilson, ShmooCon 2010)
![Page 1: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/1.jpg)
LEARNING BY BREAKING: A NEW PROJECT FOR INSECURE WEB APPS
Doug Wilson, Principal Consultant
MANDIANT
ShmooCon, February 5th, 2010
![Page 2: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/2.jpg)
About . . .
Doug Wilson
− IT geek and “security guy” since 1999
− Co-Chair OWASP DC, organizer CapSec DC
− Organizer AppSecDC 2009 (and 2010?)
− Incident Response and Forensics
− Proactive, Research, and Training
− Commercial and Federal Services
− Product – Mandiant Intelligent Response
![Page 3: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/3.jpg)
OWASP
Open Web Application Security Project
− OWASP Top Ten
− ESAPI / ESAPI WAF / AntiSamy
− OpenSAMM / ASVS
− Dev / Testing / Code Review Guides
− XSS / SQLi / CSRF Cheat Sheets
http://www.owasp.org
![Page 4: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/4.jpg)
So you want to learn about
Web Application Security?
Not everyone starts out L33T
Most don’t start out in Web App Sec
Learn best by doing
There should be stuff in the intarwebs . . . . Right?
Well . . .
![Page 5: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/5.jpg)
Existing Options
Let’s assume you are not a “Black Hat”
Real Apps
− Some obvious problems here
Training Apps
− OWASP: WebGoat, Vicnum, etc.
− Damn Vulnerable Web App, Mutillidae, Badstore
Similar Projects
− Moth by Bonsai – mainly focused on w3af
− Matt Johansen – WebGoat/mutillidae/DVWA
![Page 6: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/6.jpg)
Similar Problems Exist
If you want to test scanners
If you want to test code review tools
If you want to test WAFs
If you want to have a testbed, it’s a lot of sysadmin work.
![Page 7: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/7.jpg)
How to Solve Several Problems?
We were looking for web applications with vulnerabilities where we could test:
− Manual Attack Techniques
− Scanners
− Source Code Analysis
And
− Look at the “Bad Code”
− Modify/Fix Code
− Examine evidence left by attacks
− Test web application firewalls / IDS systems
![Page 8: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/8.jpg)
Solution? OWASP BWA
Assemble a set of broken, open source applications
Figure out all the configuration headaches
Put them all on a Virtual Machine
Donate it to OWASP
Step Five: Profit?
![Page 9: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/9.jpg)
Base Software
Based on Ubuntu Linux Server 9.10
− No X-Windows or GUI
− Apache
− PHP
− Perl
− MySQL
− PostgreSQL
− Tomcat
− OpenJDK
− Mono
![Page 10: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/10.jpg)
Management Software
OpenSSH
Samba
phpMyAdmin
Subversion Client
![Page 11: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/11.jpg)
Intentionally Broken Apps (v 0.9)
OWASP WebGoat version 5.3 (Java)
OWASP Vicnum version 1.3 (Perl)
Mutillidae version 1.3 (PHP)
Damn Vulnerable Web Application version 1.06 (PHP)
OWASP CSRFGuard Test Application version 2.2 (Java)
![Page 12: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/12.jpg)
Intentionally Broken Apps (v 0.9)
Mandiant Struts Forms (Java/Struts)
Simple ASP.NET Forms (ASP.NET/C#)
Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
More identified and planned for 1.0 release
LOOKING FOR DONATIONS!
![Page 13: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/13.jpg)
Old Versions of Real Apps (v 0.9)
phpBB 2.0.0 (PHP, released April 4, 2002)
WordPress 2.0.0 (PHP, released December 31, 2005)
Yazd version 1.0 (Java, released February 20, 2002)
More identified and planned for 1.0 release
LOOKING FOR IDEAS!
![Page 14: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/14.jpg)
Challenges
Organization and Roadmap
Finding more apps
Documentation and Education
Making this a cohesive tool, rather than just a collection
− Documenting Vulnerabilities
− Gathering Evidence
Different levels of logging
Integration w/ WAFs, mod_security, ESAPI WAF, PHP-IDS
![Page 15: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/15.jpg)
The Future
GET PEOPLE INVOLVED!
Update project for collaboration
− Figure out how to distribute tasks
− Create and maintain documentation
− Push content to Google Code
Incorporate additional broken apps
− The larger, the better
− Would like more real / realistic applications
− Adobe Flash / Drupal / Ruby on Rails
![Page 16: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/16.jpg)
More Information and Downloads
More information can be found at http://owaspbwa.org or on Google Code.
Google Group available for support / discussion
Version 0.9 released at AppSecDC
− Mostly functional, just fewer applications than we would like
− Couple bugs (that we know of)
Version 1.0 will be released later in 2010
![Page 17: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/17.jpg)
We welcome any help, broken applications, and feedback you can provide!
owaspbwa.org
![Page 18: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/18.jpg)
Questions?
owaspbwa.org / owasp.org
OWASP DC / CapSec DC
AppSecDC . . . Maybe again in 2010?
mandiant.com
![Page 19: Learning By Breaking Owasp Bwa Doug Wilson Shmoo 2010](https://reader030.vdocuments.pub/reader030/viewer/2022020217/555a4d4cd8b42a47748b46da/html5/thumbnails/19.jpg)
LEARNING BY BREAKING: A NEW PROJECT FOR INSECURE WEB APPS
Doug Wilson, Principal Consultant
MANDIANT
ShmooCon 2010, February 5th, 2010