Chuck Willis OWASP AppSec DC April 4, 2012

Similar documents
SYWorks Vulnerable Web Applications Compilation For Penetration Testing Installation Guide

Metasploit Pro Getting Started Guide

Web Application Security: Exercise Development Approaches

OpenShift on you own cloud. Troy Dawson OpenShift Engineer, Red Hat November 1, 2013

KonyOne Server Installer - Linux Release Notes

JAVA IN THE CLOUD PAAS PLATFORM IN COMPARISON

How to Create a Simple Content Management Solution with Joomla! in a vcloud Environment. A VMware Cloud Evaluation Reference Document

Managing Web & Application Security with OWASP bringing it all together. Tobias Gondrom (OWASP Project Leader)

Measurably reducing risk through collaboration, consensus & practical security management CIS Security Benchmarks 1

iweb Management Packages - List of supported services and software

Virtual Machine daloradius Administrator Guide Version 0.9-9

VPS Cloud Hosting. Call (02)

Source Control Systems

A Guide to Preparing for the GSM Capstone Exam

Download Virtualization Software Download a Linux-based OS Creating a Virtual Machine using VirtualBox: VM name

How to Create an Enterprise Content Management Solution Based on Alfresco in a vcloud Environment. A VMware Cloud Evaluation Reference Document

STATE OF WASHINGTON DEPARTMENT OF SOCIAL AND HEALTH SERVICES P.O. Box 45810, Olympia, Washington October 21, 2013

How to Use a LAMP Stack on vcloud for Optimal PHP Application Performance. A VMware Cloud Evaluation Reference Document

OrangeHRM Web Installation Guide for Windows

Developer Workshop Marc Dumontier McMaster/OSCAR-EMR

1 Download & Installation Usernames and... Passwords

Bigstep Server Management Service Details

JUSTIN J. LITTLE Build and Release Engineer

Tobias Gondrom (OWASP Global Board Member)

Penetration Testing LAB Setup Guide

HW9 WordPress & Google Analytics

Sahana Training Program Day Schedule v0.5

How to Create a Flexible CRM Solution Based on SugarCRM in a vcloud Environment. A VMware Cloud Evaluation Reference Document

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Microsoft Azure: Opção de Nuvem para Todo o Desenvolvedor. Danilo Bordini & Osvaldo Daibert

Java/J2EE or Web Developer. Formal Education. Technical knowledge. Spoken Languages

Preparing for the Cross Site Request Forgery Defense

How to Create a Multi-user Content Management Platform with Drupal in a vcloud Environment. A VMware Cloud Evaluation Reference Document

CDH installation & Application Test Report

Plexxi Control Installation Guide Release 2.1.0

Virtual machine W4M- Galaxy: Installation guide

Trollhättan, Sweden

OpenNebula Cloud Platform for Data Center Virtualization

inforouter V8.0 Server & Client Requirements

DTWMS Required Software Engineers. 1. Senior Java Programmer (3 Positions) Responsibilities:

Evaluation of Penetration Testing Software. Research

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Deployment - post Xserve

Still Aren't Doing. Frank Kim

The AppSec How-To: Achieving Security in DevOps

ALERT installation setup

Building & Measuring Security in Web Applications. Fabio Cerullo Cycubix Limited 30 May Belfast

Open Source Technologies on Microsoft Azure

Security Tools - Hands On

User Manual of the Pre-built Ubuntu 9 Virutal Machine

Measurably reducing risk through collaboration, consensus & practical security management CIS Security Benchmarks 1

How To Run A Hello World On Android (Jdk) On A Microsoft Ds.Io (Windows) Or Android Or Android On A Pc Or Android 4 (

Directions for VMware Ready Testing for Application Software

Managed Servers ASA Extract FY14

EOP ASSIST: A Software Application for K 12 Schools and School Districts Installation Manual

Guide to Shared Hosting

How to hack a website with Metasploit

INUVIKA OVD INSTALLING INUVIKA OVD ON RHEL 6

Linux VPS with cpanel. Getting Started Guide

Database Build and Release will get started soon

A New Era. A New Edge. Phishing within your company

How To Fix A Snare Server On A Linux Server On An Ubuntu (Amd64) (Amd86) (For Ubuntu) (Orchestra) (Uniden) (Powerpoint) (Networking

Using Nessus In Web Application Vulnerability Assessments

Bitrix Site Manager. VMBitrix Virtual Machine. Quick Start And Usage Guide

Gabriel Iuga. London, United Kingdom Tel: ; Website:

ModSecurity as Universal Cross-platform Web Protection Tool

Interoperabilnost LINUX-Windows. It is easily possible for Linux & Windows to coexist & even work together.

Snare System Version Release Notes

OCS Virtual image. User guide. Version: Viking Edition

App Central: Developer's Guide. For APKG 2.0

Snare System Version Release Notes

How to Install Multicraft on a VPS or Dedicated Server (Ubuntu bit)

Nipper Studio Beginner s Guide

Virtual Desktop Infrastructure in

User Manual of the Pre-built Ubuntu Virutal Machine

6 CURRENT JOB OPENINGS:

The Open Cyber Challenge Platform *

Integrating Security into the Application Development Process. Jerod Brennen, CISSP CTO & Principal Security Consultant, Jacadis

ZABBIX. An Enterprise-Class Open Source Distributed Monitoring Solution. Takanori Suzuki MIRACLE LINUX CORPORATION October 22, 2009

ITEC 495 Capstone Project Ideas

FEATURE HACK THE WEB. Hack safely do it on VirtualBox

Small-Scale Cyber Security Competitions

Installation & Upgrade Guide

Security Testing for Developers using OWASP ZAP

13.1 Backup virtual machines running on VMware ESXi / ESX Server

Enterprise Network Deployment, 10,000 25,000 Users

Table of Contents Introduction and System Requirements 9 Installing VMware Server 35

Accessing RCS IBM Console in Windows Using Linux Virtual Machine

Matt Renfro. Frisco, TX. Overview:

Pro Puppet. Jeffrey McCune. James TurnbuII. Apress* m in

Online Vulnerability Scanner Quick Start Guide

Transcription:

OWASP BROKEN WEB APPLICATIONS (OWASP BWA) 1.0 Release (Candidate) Chuck Willis chuck.willis@mandiant.com OWASP AppSec DC April 4, 2012

About Me Technical Director at Mandiant in DC Leader of OWASP Broken Web Applications project 12+ years total experience in Information Security Application Security, Penetration Testing, Source Code Analysis, Forensics, Incident Response, R&D Contact: chuck.willis@mandiant.com @chuckatsf Attend OWASP DC Chapter meetings and CapSec (occasionally) 2

We are MANDIANT VISA Qualified Incident Response Assessor (QIRA) APT and CDT experts Application and Network Security Evaluations Located in Washington New York Los Angeles San Francisco Professional and managed services, software and education We are Hiring! 3

Motivation

Problem Looking for web applications with vulnerabilities where I could: Test web application scanners Test manual attack techniques Test source code analysis tools Look at the code that implements the vulnerabilities Modify code to fix vulnerabilities Test web application firewalls Examine evidence left by attacks 5

OWASP WebGoat It is a great learning tool, but It is a training environment, not a real application Same holds for many other artificial applications 6

Proprietary Free Apps Realistic applications with vulnerabilities Often closed source, which prevents some uses Can conflict with one another Can be difficult to install Licensing restrictions 7

Solution Created free, Linux-based Virtual Machine Contains a variety of web applications Some intentionally broken Some old versions of open source applications Pre-configured and ready to use / test All applications are open source Allows for source code analysis Allows users to modify the source to fix vulnerabilities (or add new ones) 8

OWASP BWA History Initial 0.9 release at OWASP AppSec DC 2009 New version released once or twice a year 0.94 released in July 2011 1.0 release candidate 1 released today Full 1.0 release after short review and bug fix period 9

OWASP BWA Details

Virtual Machine Project distributes a Virtual Machine in VMware format Compatible with no-cost VMware Player and VMware Server (and VMware commercial products) Intentionally uses older virtual machine format (compatible with Workstation 5.0+ and ESX 3.0+) Should work in other virtualization solutions Welcome any volunteers to test this 11

Base Operating System OS is Ubuntu Linux Server 10.04 LTS No X-Windows / Graphical User Interface Managed via Console OpenSSH Samba phpmyadmin 12

Base Software Apache PHP Perl MySQL Tomcat OpenJDK Mono 13

Additional Software SubVersion client GIT client PostgreSQL ModSecurity and OWASP Core Rule Set Custom scripts 14

Training Applications

Intentionally Broken Training Apps OWASP WebGoat version 5.4.x (Java) OWASP WebGoat.NET (C#) OWASP ESAPI SwingSet 05b2.x (Java) OWASP ESAPI SwingSet Interactive 1.0.1.x (Java) OWASP ZAP-WAVE 0.2.x (Java JSP) Mutillidae version 2.1.18 (PHP) Damn Vulnerable Web Application version 1.8.x (PHP) Ghost (PHP) Highlighted items are updates in OWASP BWA 1.0 16

Realistic Applications

Realistic, Intentionally Broken Apps OWASP Vicnum version 1.4 (PHP/Perl) Jotto (PHP/Perl) Peruggia version 1.2 (PHP) Google Gruyere version 2010-07-15 (Python) Hackxor (Java JSP) WackoPicko version 2011-07-12 (PHP) BodgeIt 1.3.x (Java JSP) 18

Old Applications

Old Versions of Real Applications WordPress 2.0.0 (PHP, released December 31, 2005) GetBoo version 1.04 (PHP, released April 7, 2008) Yazd version 1.0 (Java, released February 20, 2002) WebCalendar version 1.03 (PHP, released April 11, 2006) TikiWiki version 1.9.5 (PHP, released September 5, 2006) AWStats version 6.4 (Perl, released February 25,2005) OrangeHRM version 2.4.2 (PHP, released May 7, 2009) gtd-php version 0.7 (PHP, released September 30, 2006) Gallery2 version 2.1 (PHP, released March 23, 2006) Joomla version 1.5.15 (PHP, released November 4, 2009) 20

Other Applications

Other Applications Demonstration Pages / Small Applications OWASP CSRFGuard Test Application version 2.2 (Java) Mandiant Struts Forms (Java/Struts) Simple ASP.NET Forms (ASP.NET/C#) Simple Form with DOM Cross Site Scripting (HTML/JavaScript) OWASP Demonstration Applications OWASP AppSensor Demo Application (Java) 22

Other Features

Editing Applications Application code can be edited via SMB shares, SSH, or the console Updates to PHP, JSP, etc. application files will take place immediately Scripts provided to rebuild and redeploy applications that require it: (new) WebGoat Yazd CSRFGuard Test Apps SwingSet Apps 24

Updating VM (new) Scripts are provided to update VM from source code repositories OWASP BWA specific files from Google Code SVN repository Application files from their SVN or GIT repositories Can break applications due to changes in database schemas or dependencies Can allow for using updated versions of applications without waiting for a new version of OWASP BWA 25

OWASP ModSecurity Core Rule Set (CRS) Web server on OWASP BWA is running mod_security By default, no rules are enabled Scripts are provided to: Enable logging using CRS: owaspbwa-modsecurity-crs-log.sh Enable blocking using CRS: owaspbwa-modsecurity-crs-block.sh Disable all rules: owaspbwa-modsecurity-crs-off.sh Rules can be easily edited via SMB shares 26

Log Files Logging for the web and application servers are left in their default configuration What you will most likely see when responding to an incident Logs are available via SMB share Logging settings can be easily edited Logs are cleared when VM is packaged 27

User Guide (new) User Guide has been started on Google Code Wiki https://code.google.com/p/owaspbwa/wiki/userguide Welcome any volunteers to contribute to this 28

Vulnerabilities

Where are the vulnerabilities? Don t have a master list of vulnerabilities (yet) Counting on the community to contribute Using Trac issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1 30

Tracking Known Vulnerabilities Anyone can browse issues 31

Tracking Known Vulnerabilities Anyone can search issues 32

Tracking Known Vulnerabilities Anyone can see details on issues 33

Tracking Known Vulnerabilities Anyone can submit issues 34

Tracking Known Vulnerabilities Registered users can edit issues 35

Present and Future

New Release and Downloads Version 1.0rc1 of the VM has been released today! Fixes some bugs, updates some applications, and adds some applications from the 0.94 release Download link off http://www.owaspbwa.org/ Version 1.0 final will be released after people have had a bit of time to look at the release candidate 37

The Future Continue documenting project (User Guide) Continue cataloging vulnerabilities into a master list Incorporate additional broken apps as they are suggested 38

We welcome any help, feedback, or broken apps you can provide! 39

More Information and Getting Involved More information on the project can be found at http://www.owaspbwa.org/ Join our Google Group: owaspbwa Follow us on Twitter @owaspbwa Submit bugs and security issues to the trackers 40

OWASP BROKEN WEB APPLICATIONS (OWASP BWA) 1.0 Release (Candidate) Chuck Willis chuck.willis@mandiant.com OWASP AppSec DC April 4, 2012

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information