OWASP Broken Web Applications (OWASP BWA): Beyond 1.0

• Introductions• Project Background• Current Status• Future• Q & A

Agenda

2

• Sr. Technical Director at Mandiant in DC• Application Security, Penetration Testing,

Source Code Analysis, Forensics, Incident Response, Research and Development

• Leader of OWASP Broken Web Applications project

• chuck.willis@mandiant.com • @chuckatsf

About Me

3

Project Background

• Looking for web applications with vulnerabilities where I could:– Test web application scanners– Test manual attack techniques– Test source code analysis tools– Look at the code that implements the

vulnerabilities– Modify code to fix vulnerabilities– Test web application firewalls– Examine evidence left by attacks

Problem

5

• It is a great learning tool, but…

• It is a training environment, not a real application

• Same held for many other “training” applications

OWASP WebGoat

6

• Realistic applications with vulnerabilities• Often closed source, which prevents some

uses• Can conflict with one another• Can be difficult to install• Licensing restrictions

Proprietary “Free” Apps

7

• Free, Linux-based Virtual Machine • Contains a variety of web applications

– Some intentionally broken– Some old versions of open source

applications

• Pre-configured and ready to use / test• All applications are open source

– Allows for source code analysis– Allows users to modify the source to fix

vulnerabilities (or add new ones)

OWASP BWA Solution

8

• Initial 0.9 release at AppSec DC 2009• 1.0 release in July 2012• Current version is 1.1.1

– Released in September 2013– Download links off www.owaspbwa.org– Some known issues

OWASP BWA History

9

OWASP BWA Details

• Available in VMware and OVA formats• Compatible with

– VMware Products• No-cost and commercial• OWASP BWA intentionally uses older VM format

– Oracle VirtualBox– Parallels Desktop

Virtual Machine

11

• OS is Ubuntu Linux Server 10.04 LTS – No X-Windows / Graphical User Interface

• Managed via– Console – OpenSSH– Samba– phpMyAdmin

Base Operating System

12

• Apache• PHP• Perl• MySQL• Tomcat• OpenJDK• Mono• Ruby • Rails

Base Software

13

• SubVersion client• GIT client• PostgreSQL• ModSecurity and OWASP Core Rule Set• Custom scripts

Additional Software

14

Applications

• OWASP WebGoat (Java)• OWASP WebGoat.NET (ASP.NET/C#)• OWASP ESAPI Java SwingSet Interactive

(Java)• OWASP Mutillidae II (PHP)• OWASP RailsGoat (Ruby on Rails)• OWASP Bricks (PHP)• Damn Vulnerable Web Application (PHP)• Ghost (PHP)• Magical Code Injection Rainbow (PHP)

Training Applications

16

• OWASP Vicnum (PHP/Perl)• OWASP 1-Liner (Java/JavaScript) • Google Gruyere (Python)• Hackxor (Java JSP)• WackoPicko (PHP)• BodgeIt (Java JSP) • Cyclone Transfers (Ruby on Rails) • Peruggia (PHP)

17

Realistic, Intentionally Broken Apps

• WordPress 2.0.0 (PHP, released December 31, 2005)– myGallery plugin version 1.2– Spreadsheet for WordPress plugin version 0.6

• OrangeHRM version 2.4.2 (PHP, released May 7, 2009)• GetBoo version 1.04 (PHP, released April 7, 2008)• gtd-php version 0.7 (PHP, released September 30, 2006)• Yazd version 1.0 (Java, released February 20, 2002)• WebCalendar version 1.03 (PHP, released April 11, 2006)• TikiWiki version 1.9.5 (PHP, released September 5, 2006)• Gallery2 version 2.1 (PHP, released March 23, 2006)• Joomla version 1.5.15 (PHP, released November 4, 2009) • AWStats version 6.4 (Perl, released February 25, 2005)

18

Old Versions of Real Applications

• Applications for Testing Tools– OWASP ZAP-WAVE (Java JSP) – WAVSEP (Java JSP) – WIVET (Java JSP)

• Demonstration Pages / Small Applications– OWASP CSRFGuard Test Application (Java)– Mandiant Struts Forms (Java/Struts)– Simple ASP.NET Forms (ASP.NET/C#)– Simple Form with DOM Cross Site Scripting

(HTML/JavaScript)

• OWASP Demonstration Applications– OWASP AppSensor Demo Application (Java)

19

Other Applications

Other Features

• Application code can be edited via SMB shares, SSH, or the console

• Updates to PHP, JSP, etc. application files will take place immediately

• Scripts provided to rebuild and redeploy applications that require it:– WebGoat– Yazd– CSRFGuard Test Apps– SwingSet Apps

Editing Applications

21

• Scripts are provided to update VM from source code repositories– OWASP BWA specific files from Google Code

SVN repository– Application files from their SVN or GIT

repositories

• Can break applications due to changes in database schemas or dependencies

• Can allow for using updated versions of applications without waiting for a new version of OWASP BWA

Updating VM

22

• Web server on OWASP BWA is running mod_security

• By default, no rules are enabled• Scripts are provided to:

– Enable logging using CRS: • owaspbwa-modsecurity-crs-log.sh

– Enable blocking using CRS: • owaspbwa-modsecurity-crs-block.sh

– Disable all rules: • owaspbwa-modsecurity-crs-off.sh

• Rules can be easily edited via SMB shares

OWASP ModSecurity Core Rule Set

23

• Logging for the web and application servers are left in their default configuration– What you will most likely see when

responding to an incident

• Logs are available via SMB share• Logging settings can be easily edited• Logs are cleared when VM is packaged

Log Files

24

• User Guide available on Google Code Wikihttps://code.google.com/p/owaspbwa/wiki/UserGuide

• Welcome any volunteers to contribute– Author– Review – Edit– Comment

User Guide

25

Vulnerabilities

• Don’t have a master list of vulnerabilities (yet)

• Looking for the community to contribute

• Using “Trac” issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1

• Not intended to duplicate content within applications or application documentation

Where are the vulnerabilities?

27

• Anyone can search issues

Tracking Known Vulnerabilities

28

• Anyone can see details on issues

Tracking Known Vulnerabilities

29

• Anyone can submit issues

• Considering a registration requirement in order to prevent spam

Tracking Known Vulnerabilities

30

• Registered users can edit issues

Tracking Known Vulnerabilities

31

The Future

• Version 1.2 planned before the end of 2013– Bug fixes– Add bWAPP application– Update applications– Add ability to more easily update OWASP

Mutillidae

Near Term

33

• Documentation can use some work

• Catalog of vulnerabilities can be expanded

Other Near Term Items

34

• Will get increasingly difficult to support modern and old applications– Due to library and other dependency issues

• May move to multiple VMs• Would like to improve set of applications…

Longer Term

35

• More applications in more languages– Compiled Java– ASP.NET– Python– Node.js

• Common frameworks and libraries

• Looking for feedback from people who use VM for developer training

Wish List

36

• More modern UIs– Rich JavaScript – HTML5– Mobile optimized sites– Adobe Flash

Wish List

37

• More database backends– PostgreSQL– SQLite– NoSQL

• Opportunity for someone– Create a small data driven application with

SQL injection– Make variants connected to different database

backends

Wish List

38

• Improved set of real applications with security issues– More applications– More modern applications

Wish List

39

• More web services– Mobile apps– Rich web UIs– Desktop thick clients

Wish List

40

• Updated home page on VM– More intuitive layout– Refreshed appearance– Perhaps indicate applications based on

• Application’s scope• Application’s level of activity / updates• User’s role / level

• Looking for feedback from users

Wish List

41

What do you want to see in OWASP BWA?

We welcome any help, feedback, or broken apps you

can provide!

• More information on the project can be found at http://www.owaspbwa.org/

• Join our Google Group: owaspbwa

• Follow us on Twitter @owaspbwa

• Submit bugs and security issues to the trackers

More Information and Getting Involved

44