webgoat v5 project: autumn of code 2006 project

Copyright © 2007 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation

6th OWASPAppSec

Conference

Milan - May 2007

http://www.owasp.org/

WebGoat v5 Project: Autumn of Code 2006 Project

Presenter: Dave WichersOWASP Conferences ChairCOO, Aspect Securitydave.wichers@aspectsecurity.com

WebGoat Project Lead: Bruce Mayhewwebgoat@owasp.org

6th OWASP AppSec Conference – Milan – May 2007

2

About the Speaker

Background IT Security Consultant for past 19 years Focus on application security for past 9 years Bachelor’s and Masters Degrees in Computer

Science CISSP, CISM

Aspect Security Founder and COO Specialists in application security Verify critical applications (~3 million LOC/month) Enable companies to reliably produce secure code

OWASP Foundation Coauthor of OWASP Top 10 Member of OWASP Board Conferences Chair for OWASP AppSec

Conferences Established OWASP as 501c3 not-for-profit in U.S.

6th OWASP AppSec Conference – Milan – May 2007

3

What’s a WebGoat

OWASP project with ~115,000 downloads Deliberately insecure Java EE web

application Teaches common application

vulnerabilities via a series of individual lessons

6th OWASP AppSec Conference – Milan – May 2007

History of WebGoat

Donated to OWASP by Aspect Security ~2002

Project Lead is Bruce Mayhew Started to receive outside contributions in

2005 v5 produced as AoC

2006 project

4

6th OWASP AppSec Conference – Milan – May 2007

5

WebGoat Demonstrates Vulnerabilities

WebGoat uses “goatified” real world examplesCross site scriptingSQL InjectionCommand InjectionForced BrowsingAccess Control

Data, presentation, business, & environmental layers

AuthenticationAJAXWebServices….

6th OWASP AppSec Conference – Milan – May 2007

6

Picking up Steam… Used by source code analysis and web

application security scanning vendors for demos Used by universities in security curriculum

Carnegie-Mellon Using WebGoat as open source project option

University of DenverWouldn’t it be great if students contributed lessons as

part of their class projects!!

OWASP Autumn 2006 and Spring of Code 2007 Projects

Used by many companies as a training tool LOTS of emails from user community

6th OWASP AppSec Conference – Milan – May 2007

7

What’s New in 5.X

5.0 – Autumn of Code 2006 ReleaseMany new lessons

AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing

5.1 (Goals – Summer 2007)Servlet that allows attacks to post data

Posted data is pushed back to originating lesson

XSS Phishing attack Improved lesson contentEnhanced Documentation (A SpoC 2007

project)

6th OWASP AppSec Conference – Milan – May 2007

8

Roadmap

Create database schema common to all lessons

Convert lessons to a common themeHR System (WebGoat Financials)Online Banking or Video Store

Make WebGoat more CBT likeTeach application security, not just demonstate

how to attack

Convert lessons to JSPs for easier content editing

6th OWASP AppSec Conference – Milan – May 2007

Demos – Lets go through some lessons!!

9

6th OWASP AppSec Conference – Milan – May 2007

AQ&Q U E S T I O N SQ U E S T I O N S

A N S W E R SA N S W E R S

Questions and Answers

6th OWASP AppSec Conference – Milan – May 2007

11

Share your ideas / Let us know you’re using it!

Bruce Mayhewwebgoat@owasp.org

http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

http://code.google.com/p/webgoat/