Download Alternative authorisation strategies

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
Document related concepts
no text concepts found
Transcript 
WebGoat & WebScarab
September 9, 2008
By Stephen Carter & Mike Nixon
[email protected]
[email protected]
OWASP
Copyright © 2008 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
http://www.owasp.org
Part 1
Introduction to WebGoat & WebScarab
OWASP
2
WebGoat
WebGoat is a deliberately insecure J2EE web
application maintained by OWASP
Goal: Create a de-facto interactive teaching
environment for web application security
Currently over 30 lessons
 Anyone can create a lesson
Future “security benchmarking platform and Web site
Honeypot”
Project Page:
http://www.owasp.org/index.php/Category:OWASP_Web
Goat_Project
OWASP
3
WebGoat
OWASP
WebGoat Installation
Obtaining WebGoat
http://sourceforge.net/project/showfiles.php?group_i
d=64424&package_id=61824
Installation (Developer Version for Windows)
Download WebGoat-OWASP_Developer-5.2.zip
Unzip to C:\
Unzip Eclipse-Workspace.zip to C:\WebGoat-5.2
Double-click eclipse.bat
Open http://localhost/WebGoat/attack
Default username “guest”, password “guest”
OWASP
WebScarab
 WebScarab is a framework for analyzing applications
that communicate using the HTTP and HTTPS protocols
 Proxy, Fuzzer, Session ID Analyzer, Spider and more…
 Disclaimer: “…it is a tool primarily designed to be used by
people who can write code themselves…”
 WebScarab-NG
 Complete rewrite with focus on user-friendliness
 Uses Spring RCP
 Project Page:
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Pr
oject
OWASP
WebScarab Installation
Obtaining WebScarab
http://sourceforge.net/project/showfiles.php?group_i
d=64424&package_id=61823
Installation (Windows)
Download
Double-click webscarab-installer-20070504-1631.jar
Next, Next, …
Start > Programs > WebScarab > WebScarab
OWASP
WebScarab as a Proxy
Firefox
Tools > Options > Advanced > Network > Setting >
Manual Proxy Configuration
 Localhost, port 8008
WebScarab
Proxy > Intercept Requests
OWASP
Part 2
Using WebGoat & WebScarab
OWASP
9
WebGoat Tips
Helpful Tools
HTTP Proxy
 OWASP WebScarab
 Livehttpheaders
 TamperData
Web Developer Tools
 Firebug
 Web Developer
OWASP
10
WebGoat Tips
Built-in help
Hints
 Fight the urge
Show Params
 HTTP Request Params
Show Cookies
 HTTP Request Cookies
Lesson Plan
 Goals & Objectives
Show Java
 Underlying Java source code for the lesson
Solutions
 Last resort!
OWASP
11
Lab: Role Based Access Control
Stage 1: Bypassing business layer access control
Stage 2: Add business layer access control
Check that user is authorized for action
handleRequest() in RoleBasedAccessControl.java
Stage 3: Bypass data layer access control
Stage 4: Add data layer access control
Check that user is authorized for action on a certain
employee
handleRequest() in RoleBasedAccessControl.java
OWASP
Lab: Cross Site Scripting (XSS)
 Stage 1 – Stored XSS
 Stage 2 – Correct Stored XSS Vuln
 Filter before it is written to the database
 parseEmployeeProfile() in UpdateProfile.java
 Stage 3 – Stored XSS revisited
 Stage 4 – Correct Stored XSS Vuln
 Encode/filter after retrieving from database, before displaying to
the user
 getEmployeeProfile() in ViewProfile.java
 HtmlEncoder.encode()
 Stage 5 – Reflected XSS
 Stage 6 – Correct Reflected XSS Vuln
 getRequestParameter() in FindProfile.java
OWASP
OWASP
Reminders
 Next Meeting
 December 2, 2008 6:00 PM – 8:00 PM
 Presentations: TBD
 Some ideas: Jakarta Commons/Struts Validator, SOA/Web Services Security, Web
application security testing, ACEGI, mod_security
 Location: Gevity, Lakewood Ranch
 OWASP Conference & Training




http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Joe Jarzombek (Director for Software Assurance – DHS)
Howard Schmidt (White House Cyber-security Advisor)
Robert “Rsnake” Hansen, Jeremiah Grossman, and others
OWASP
15
Reminders
Becoming Involved
Participate in OWASP projects
 Contribute to existing projects
 Propose new projects
 Spearhead new ventures
Support & Participate in the Suncoast Chapter
 Present
 Spread the word
 Sponsorship
Mailing Lists
 Open forums for discussion of any relevant web application
security topics
Become a Member
http://www.owasp.org/index.php/Membership
OWASP
16
Special thanks to John Hale &
Gevity for the conference room!
Thank you for attending!
OWASP
17
References
RSA 2008 Breifing by J. Grossman
http://www.slideshare.net/guestdb261a/csrfrsa2008j
eremiahgrossman-349028/
OWASP
Related documents
OWASP_WebGoat
OWASP_WebGoat
Advanced SQL Injection - Victor Chapela
Advanced SQL Injection - Victor Chapela
View Report - PDF
View Report - PDF
Workshop 3 Web Application Security - comp
Workshop 3 Web Application Security - comp
Slide 1
Slide 1
Do`s and Don`ts for web application developers
Do`s and Don`ts for web application developers
OWASP Education Project
OWASP Education Project
網站安全 - 國立暨南國際大學
網站安全 - 國立暨南國際大學
Slide 1
Slide 1
OWASP`s Ten Most Critical Web Application Security Vulnerabilities
OWASP`s Ten Most Critical Web Application Security Vulnerabilities
OWASP_Flyer_Sep06
OWASP_Flyer_Sep06
OWASPEU_SourceReview
OWASPEU_SourceReview