
What is OWASP OWASP Live CD Live Demo

What is OWASP OWASP Live CD Live Demo. Omar Sherin-OWASP Egypt. Few Facts and figures:. How Many Vulnerabilities Are Application Security Related? . What is OWASP?. Open Web Application Security Project Promotes secure software development


Presentation Transcript


  1. What is OWASP: OWASP Live CD Live Demo. Omar Sherin, OWASP Egypt

  2. Few Facts and figures: How Many Vulnerabilities Are Application Security Related?

  3. What is OWASP?
     • Open Web Application Security Project
     • Promotes secure software development
     • Oriented to the delivery of web-oriented services
     • Focused primarily on “back-end” issues rather than web-design issues
     • An open forum for discussion
     • A free resource for any development team

  4. 120+ Chapters Worldwide

  5. OWASP Sponsors

  6. OWASP Publications (all free)
     • Top 10 Web Application Security Vulnerabilities
     • Guide to Building Secure Web Applications
     • Legal Project
     • Metrics & Measurements Project
     • Testing Project
     • AppSec FAQ
     • www.owasp.org

  7. OWASP Software
     • Major Applications: WebGoat, WebScarab
     • .Net Projects
     • Lab Projects

  8. OWASP Software - .NET Projects
     • .Net Projects
       • A collection of tools focused on securing ASP.NET projects
       • Includes security analyzers and documentation projects
     • Current Projects
       • Asp.Net Baseline Security – a suite of tools to assist administrators in identifying common issues in Asp.Net deployments
       • SAM’SHE – Security Analyzer for Microsoft's Shared Hosting Environments – toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments
       • ANSA – Asp.Net Security Analyzer, written in C#, to identify configuration and software issues that impact security
       • Asp.Net Security Guides – a set of documents covering the design and deployment of secure software in Asp.Net hosting environments
     • http://www.owasp.org/software/dotnet.html

  9. What is the OWASP Live CD
     • A bootable CD with loads of pre-packaged web security tools and toys
     • The latest OWASP project and the most talked about in the web security community
     • Also available as a free VM image

  10. Live CD Benefits and Tools List
     • It’s free, easy and safe to use
     • Current Tools List
       • OWASP WebScarab
       • OWASP WebGoat
       • OWASP JBroFuzz
       • Paros Proxy
       • nmap
       • Wireshark
       • tcpdump
       • Firefox 3
       • Burp Suite
       • Grendel-Scan
       • OWASP DirBuster
       • OWASP SQLiX
       • OWASP WSFuzzer
       • Metasploit 3
     • Future Tools List
       • nikto
       • Skavenger
       • sqlmap
       • sqlninja
       • Absinthe
       • webshag
       • httprint
       • BeEF
       • ProxyMon
       • Rat Proxy

  11. Tool Focus: WebGoat
     • Start the WebGoat server from the main menu
     • In Firefox, type: http://127.0.0.1:8080/WebGoat/attack
     • User name: guest
     • Password: guest
     • Start learning!
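Before a class or demo it helps to confirm the Live CD's WebGoat server is actually up and answering with the guest/guest credentials from the slide above. The script below is an added example, not part of the original deck or of the OWASP Live CD; it assumes `curl` is installed and that WebGoat listens on the URL from slide 11 (override with `WEBGOAT_URL` if it differs).

```shell
#!/bin/sh
# Added example (not from the slides): wait for the WebGoat server on the
# OWASP Live CD to come up, then confirm the lesson endpoint answers.
# URL and guest/guest credentials are taken from slide 11; curl is assumed.
WEBGOAT_URL="${WEBGOAT_URL:-http://127.0.0.1:8080/WebGoat/attack}"

# Map an HTTP status code (curl prints 000 when it cannot connect) to a short
# state word so the caller can decide what to do next.
webgoat_state() {
    case "$1" in
        200) echo ready ;;            # lesson page served with our credentials
        401) echo auth-required ;;    # server up, but credentials were rejected
        000) echo down ;;             # nothing listening on the port yet
        *)   echo "unexpected:$1" ;;  # e.g. 404 if the context path differs
    esac
}

# Fetch only the status code, sending the guest/guest credentials.
# Falls back to 000 if curl itself is missing or prints nothing.
webgoat_status_code() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -u guest:guest \
               --max-time 5 "$1" 2>/dev/null)
    echo "${code:-000}"
}

# Poll up to N times (default 30), one second apart, until the server is ready.
wait_for_webgoat() {
    tries="${1:-30}"
    state=down
    while [ "$tries" -gt 0 ]; do
        state=$(webgoat_state "$(webgoat_status_code "$WEBGOAT_URL")")
        if [ "$state" = ready ]; then
            echo "WebGoat ready at $WEBGOAT_URL"
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "WebGoat not ready (last state: $state)" >&2
    return 1
}

# Usage (run by hand on the Live CD): wait_for_webgoat 30 && firefox "$WEBGOAT_URL"
```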

  12. What is WebGoat
     • OWASP project with ~115,000 downloads so far
     • Deliberately insecure Java EE web application
     • Teaches common application vulnerabilities via a series of individual lessons

  13. Real World Examples
     • Cross site scripting
     • SQL Injection
     • Command Injection
     • Forced Browsing
     • Access Control
       • Data, presentation, business, & environmental layers
     • Authentication
     • AJAX
     • WebServices

  14. WebGoat Users
     • Used by clients for source code analysis and web application security scanning
     • Used by universities in security curricula
       • Carnegie-Mellon
         • Using WebGoat as an open source project option
       • University of Denver
       • Wouldn’t it be great if students contributed lessons as part of their class projects!
     • OWASP Autumn 2006 and Spring of Code 2007 Projects
     • Used by many companies as a “safe” training tool
     • LOTS of emails from the user community

  15. What’s New in 5.x
     • 5.0 – Autumn of Code 2006 Release
       • Many new lessons
       • AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing
     • 5.1 (Summer 2007)
       • Servlet that allows attacks to post data
       • Posted data is pushed back to the originating lesson
       • XSS Phishing attack
       • Improved lesson content
       • Enhanced Documentation (a SpoC 2007 project)

  16. Work in Progress
     • Convert lessons to a common theme
       • HR System (WebGoat Financials)
       • Online Banking or Video Store

  17. Questions & Demo

  18. Thank You www.qcert.org
