What is OWASP OWASP Live CD Live Demo


Presentation Transcript


  1. What is OWASP / OWASP Live CD Live Demo
     Omar Sherin - OWASP Egypt
  2. Few facts and figures: How many vulnerabilities are application security related?
  3. What is OWASP?
     - Open Web Application Security Project
     - Promotes secure software development
     - Oriented to the delivery of web-oriented services
     - Focused primarily on "back-end" issues rather than web-design issues
     - An open forum for discussion
     - A free resource for any development team
  4. 120+ Chapters Worldwide
  5. OWASP Sponsors
  6. OWASP Publications - All Free
     - Top 10 Web Application Security Vulnerabilities
     - Guide to Building Secure Web Applications
     - Legal Project
     - Metrics & Measurements Project
     - Testing Project
     - AppSec FAQ
     - www.owasp.org
  7. OWASP Software - Major Applications
     - WebGoat
     - WebScarab
     - .Net Projects
     - Lab Projects
  8. OWASP Software - .NET Projects
     - A collection of tools focused on securing ASP.NET projects
     - Includes security analyzers and documentation projects
     - Current projects:
       - Asp.Net Baseline Security: a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
       - SAM'SHE (Security Analyzer for Microsoft's Shared Hosting Environments): a toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
       - ANSA (Asp.Net Security Analyzer): written in C# to identify configuration and software issues that impact security
       - Asp.Net Security Guides: a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
     - http://www.owasp.org/software/dotnet.html
  9. What is the OWASP Live CD?
     - A bootable CD with loads of pre-packaged web security tools and toys
     - The latest OWASP project, and the most talked about in the web security community
     - Also available as a free VM image
  10. Live CD Benefits and Tools List
     - It's free, easy and safe to use
     - Current tools list: OWASP WebScarab, OWASP WebGoat, OWASP JBroFuzz, Paros Proxy, nmap, Wireshark, tcpdump, Firefox 3, Burp Suite, Grendel-Scan, OWASP DirBuster, OWASP SQLiX, OWASP WSFuzzer, Metasploit 3
     - Future tools list: nikto, Skavenger, sqlmap, sqlninja, Absinthe, webshag, httprint, BeEF, ProxyMon, RatProxy
  11. Tool Focus: WebGoat
     - Start the WebGoat server from the main menu
     - In Firefox, type: http://127.0.0.1:8080/WebGoat/attack
     - User name: guest, Password: guest
     - Start learning!
  12. What is WebGoat?
     - OWASP project with ~115,000 downloads so far
     - Deliberately insecure Java EE web application
     - Teaches common application vulnerabilities via a series of individual lessons
  13. Real World Examples
     - Cross-site scripting
     - SQL injection
     - Command injection
     - Forced browsing
     - Access control (data, presentation, business, and environmental layers)
     - Authentication
     - AJAX
     - Web services
  14. WebGoat Users
     - Used by clients for source code analysis and web application security scanning
     - Used by universities in security curricula: Carnegie Mellon (using WebGoat as an open-source project option), University of Denver
     - Wouldn't it be great if students contributed lessons as part of their class projects!
     - OWASP Autumn of Code 2006 and Spring of Code 2007 projects
     - Used by many companies as a "safe" training tool
     - Lots of emails from the user community
  15. What's New in 5.x
     - 5.0 (Autumn of Code 2006 release): many new lessons, including AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPath injection, forced browsing
     - 5.1 (Summer 2007): a servlet that allows attacks to post data; posted data is pushed back to the originating lesson; XSS phishing attack; improved lesson content; enhanced documentation (a SpoC 2007 project)
  16. Work in Progress
     - Convert lessons to a common theme: HR system (WebGoat Financials), online banking or video store
  17. Questions & Demo
  18. Thank You www.qcert.org