Web Application Security: Exercise Development Approaches



Similar documents
Integrating Web Application Security into the IT Curriculum

Integrating Web Application Security into the IT Curriculum

Testing for Security

Conducting Web Application Pentests. From Scoping to Report For Education Purposes Only

(WAPT) Web Application Penetration Testing

Using Nessus In Web Application Vulnerability Assessments

Security Tools - Hands On

Hands-on Security Tools

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Web Security Testing Cookbook*

Secure Web Development Teaching Modules 1. Threat Assessment

Web attacks and security: SQL injection and cross-site scripting (XSS)

Evaluation of Penetration Testing Software. Research

Application Code Development Standards

Web Application Penetration Testing

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

HackMiami Web Application Scanner 2013 PwnOff

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Using Free Tools To Test Web Application Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Course Modules for Software Security

Adobe Systems Incorporated

Application Security Testing

Ethical Hacking and Attack Tools

Learning security through insecurity

Web Application Vulnerability Testing with Nessus

SYWorks Vulnerable Web Applications Compilation For Penetration Testing Installation Guide

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Hacking for Fun and Profit

Web Application Security

Essential IT Security Testing

OWASP Top Ten Tools and Tactics

State of Web Application Security. Ralph Durkee Durkee Consulting, Inc. Rochester ISSA & OWASP Chapters rd@rd1.net

Data Breaches and Web Servers: The Giant Sucking Sound

A Network Administrator s Guide to Web App Security

Integrating Tools Into the SDLC

Designing and Coding Secure Systems

Bypassing Internet Explorer s XSS Filter

Web application security: Testing for vulnerabilities

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Lecture 11 Web Application Security (part 1)

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

SAST, DAST and Vulnerability Assessments, = 4

Penetration Testing with Selenium. OWASP 14 January The OWASP Foundation

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Technical Description Web Security Contest

Penetration Testing. Types Black Box. Methods Automated Manual Hybrid. oless productive, more difficult White Box

Security Products Development. Leon Juranic

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Report

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Open Audit. The Automation of Network Inventory

Web Application Attacks And WAF Evasion

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Learning objectives for today s session

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Chapter 1 Web Application (In)security 1

List of Scanner Features (3 of 3)

Turning the Battleship: How to Build Secure Software in Large Organizations. Dan Cornell May 11 th, 2006

Cyber Security Workshop Ethical Web Hacking

Create a Virtual Test Environment

Security Innovation Application Security Education Curriculum. Courses to Help Build and Deploy more Secure Software and Information Systems

inforouter V8.0 Server & Client Requirements

Bust a cap in a web app with OWASP ZAP

Security Solutions & Training. Exploit-Me. Open Source Firefox Plug-Ins for Penetration Testing

Testnet Summerschool. Web Application Security Testing. Dave van Stein

Secure development and the SDLC. Presented By Jerry

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

ensuring security the way how we do it

Web application testing

WebGoat for testing your Application Security tools

Executive Summary On IronWASP

OWASP OWASP. The OWASP Foundation Selected vulnerabilities in web management consoles of network devices

Integrigy Corporate Overview

Secure Coding in Node.js

WEB APPLICATION HACKING. Part 2: Tools of the Trade (and how to use them)

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Drupal Performance Tuning

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

Attack and Penetration Testing 101

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Security Testing Of (Web) Applications. Erwin Geirmaert Security Innovation

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

Source Code Review Using Static Analysis Tools

Software Security. Group project: application security verification using OWASP ASVS

Transcription:

Web Application Security: Exercise Development Approaches James Walden waldenj@nku.edu

Approaches 1. Write your own web application Students evaluate and fix your code. 2. Students write a web application Students evaluate and fix their own code. Construct exercises with 3 rd party tools i. Use a web security teaching tool (WebGoat) ii. Use a web application designed for learning about security (BadStore) iii. Analyze an open source web application with known vulnerabilities.

Tools for Exercises Browser Plugins Modify HTTP headers + form parameters. Examples: Tamper Data for Firefox Proxy Suites Modify parameters + Spidering Fuzz testing. Session key analysis. Decoding. Examples: Burp Suite, Paros Proxy, WebScarab Static + Dynamic Analysis

Write your own web application Most flexible approach. Also the most time-consuming. Can be used for Individual vulnerability education Penetration testing exercise Pen test + code maintenance exercise Framework for students to build upon.

My web applications BlogEngine: PHP-based blog application with many types of vulnerabilities including access ctl, dir traversal, SQL injection, XSS. SQL Injection Demos: Perl-based SQL injection demonstrations, with 2 vulnerable perl CGI scripts, 3 fixed CGI scripts with different approaches to fixing.

Distribution Issues 1. Compatibility Can the application run on students PCs? 2. Permissions Do students have rights to install + run? 3. Security If students can hack app, so can others. Need to isolate insecure app from Internet.

Distribution Solutions Virtual Machines VM environment identical for all students. VM can be isolated to host-only network. VMWare Player free for Linux + Windows Used for SQL injection demos. XAMPP Apache + MySQL + PHP + Perl Easy to install distribution Linux, Windows, Mac OS X, Solaris Used for BlogEngine.

Students write a web application Advantages Students see what bugs they write. Compare different implementations of app. Good technique for integrating into SwEng. Disadvantages Cannot predict vulnerabilities in advance. Limited by time students have to develop.

Exercises Abuse Cases Use attack patterns to create abuse cases. Architectural Risk Analysis Draw + review DFDs for application. Risk analysis based on DFDs + abuse cases. Most useful after first iteration. Code Review + Static Analysis Use Fortify SCA to analyze source code. Code review: moderator, author Penetration Testing Find bugs in their own or another group s project.

Exercises with 3 rd party tools 1. Use a web security teaching tool Exercises for specific vulnerabilities. May include hints, completion tracking. 2. Use a web application designed for learning about security Application designed with vulnerabilities. Vary based on web platform, vuln types. Analyze an open source web application with known vulnerabilities.

Web Security Teaching Tools WebGoat GPL J2EE teaching application Hack This Site Online security exercises, incl web security. NTO Hackme Site Only two live lessons (XSS and SQL inject)

Using Web Security Teaching Tools Focus on a single vulnerability Learn about single vulnerability in isolation. No need to understand entire application. Useful for In-class demonstrations of vulnerabilities. Single vulnerability assignments. Multi-vulnerability assignments for classes that have only a single unit on web security.

Web Security Demo Apps BadStore GPL shopping app available as ISO image Hacme Bank, Books, and Travel J2EE, MS, and C++ apps for pen testing WebMaven (aka Buggy Bank) GPL bank app, MS install instructions only International Capture the Flag Annual competition focusing on web apps.

Using Web Security Demo Apps Focus on penetration testing Broad range of web vulnerabilities. Requires > effort & skill than teaching tools Advantages Whole application security perspective. Provide a more authentic experience. Useful for Penetration testing assignments (find 10 vulnerabilities in the next week.)

Using Open Source Web Apps Focus on testing and fixing vulnerabilities Not as many known vulnerabilities. May take effort to find insecure versions. Provides a more authentic experience. Useful for Penetration testing assignments. Code maintenance assignments. Static and dynamic analysis assignments.

Key Points Write your own web application Flexible but time-consuming approach. Student-written applications Assignments throughout the SDLC. Cannot predict vulnerabilities in advance. Third party applications Use WebGoat to teach about vulnerabilities. Use BadStore to teach about vulnerabilities in semiauthentic context, penetration testing. Open source to teach about authentic vulnerabilities.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information