Download OWASP_WebGoat

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
Document related concepts
no text concepts found
Transcript 
OWASP WebGoat v5
<Presenter>
OWASP
16 April 2010
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
What’s a WebGoat
OWASP project with ~115,000 downloads
Deliberately insecure Java EE web application
Teaches common application vulnerabilities via a
series of individual lessons
OWASP
2
History of WebGoat
Donated to OWASP by Aspect Security ~2002
Project Lead is Bruce Mayhew
Started to receive outside contributions in 2005
v5 produced as AoC
2006 project
OWASP
3
WebGoat Demonstrates Vulnerabilities
WebGoat uses “goatified” real world
examples
Cross site scripting
SQL Injection
Command Injection
Forced Browsing
Access Control
 Data, presentation, business, & environmental
layers
Authentication
AJAX
WebServices
….
OWASP
4
Picking up Steam…
Used by source code analysis and web
application security scanning vendors for demos
Used by universities in security curriculum
Carnegie-Mellon
 Using WebGoat as open source project option
University of Denver
Wouldn’t it be great if students contributed lessons as
part of their class projects!!
OWASP Autumn 2006 and Spring of Code 2007
Projects
Used by many companies as a training tool
LOTS of emails from user community
OWASP
5
What’s New in 5.X
5.0 – Autumn of Code 2006 Release
Many new lessons
 AJAX, JSON, HTTP response splitting, CSRF, cache poisoning,
log poisoning, XML & XPATH Injection, forced browsing
5.2 – current release
Introduction and WebGoat instructions
Multi Level Login Lesson
Session Fixation Lesson
Insecure Login Lesson
Lesson Solution Videos
Bug Report Feature
OWASP
6
Roadmap
Create database schema common to all lessons
Convert lessons to a common theme
HR System (WebGoat Financials)
Online Banking or Video Store
Make WebGoat more CBT like
Teach application security, not just demonstate how
to attack
Convert lessons to JSPs for easier content
editing
OWASP
7
Demos – Lets go through some lessons!!
OWASP
8
Questions and Answers
QUESTIONS
ANSWERS
OWASP
Related documents
View Report - PDF
View Report - PDF
Advanced SQL Injection - Victor Chapela
Advanced SQL Injection - Victor Chapela
Workshop 3 Web Application Security - comp
Workshop 3 Web Application Security - comp
Slide 1
Slide 1
Do`s and Don`ts for web application developers
Do`s and Don`ts for web application developers
OWASP Education Project
OWASP Education Project
Alternative authorisation strategies
Alternative authorisation strategies
Slide 1
Slide 1
OWASP`s Ten Most Critical Web Application Security Vulnerabilities
OWASP`s Ten Most Critical Web Application Security Vulnerabilities
OWASP_Flyer_Sep06
OWASP_Flyer_Sep06
OWASPEU_SourceReview
OWASPEU_SourceReview
Secure Coding Practices
Secure Coding Practices
What is SQL Injection?
What is SQL Injection?
Colinwatson-a-new-ontology-of-unwanted-automation
Colinwatson-a-new-ontology-of-unwanted-automation
OWASP_Academies_Meeting_GR_presented
OWASP_Academies_Meeting_GR_presented
AppSecEU08-ReformAndCanoodle-Eddington
AppSecEU08-ReformAndCanoodle-Eddington
OWASP_ellak-Greece
OWASP_ellak-Greece
OWASP Top 10 2007
OWASP Top 10 2007
AppSecEU08-SRF_Simon_Roses
AppSecEU08-SRF_Simon_Roses
Web Application Security Vulnerabilities Yen
Web Application Security Vulnerabilities Yen
Project Plan Template
Project Plan Template
ppt - owasp
ppt - owasp