WebGoat v5 Project: Autumn of Code 2006 Project


  1. WebGoat v5 Project: Autumn of Code 2006 Project
     • Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, dave.wichers@aspectsecurity.com
     • WebGoat Project Lead: Bruce Mayhew, webgoat@owasp.org

  2. About the Speaker
     • Background
       • IT security consultant for the past 19 years
       • Focus on application security for the past 9 years
       • Bachelor's and Master's degrees in Computer Science
       • CISSP, CISM
     • Aspect Security founder and COO
       • Specialists in application security
       • Verify critical applications (~3 million LOC/month)
       • Enable companies to reliably produce secure code
     • OWASP Foundation
       • Coauthor of the OWASP Top 10
       • Member of the OWASP Board
       • Conferences Chair for OWASP AppSec conferences
       • Established OWASP as a 501(c)(3) not-for-profit in the U.S.

  3. What's a WebGoat
     • OWASP project with ~115,000 downloads
     • Deliberately insecure Java EE web application
     • Teaches common application vulnerabilities via a series of individual lessons

  4. History of WebGoat
     • Donated to OWASP by Aspect Security ~2002
     • Project Lead is Bruce Mayhew
     • Started to receive outside contributions in 2005
     • v5 produced as an AoC 2006 project

  5. WebGoat Demonstrates Vulnerabilities
     • WebGoat uses "goatified" real-world examples
     • Cross-site scripting
     • SQL injection
     • Command injection
     • Forced browsing
     • Access control
       • Data, presentation, business, and environmental layers
     • Authentication
     • AJAX
     • Web services
     • …
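The SQL injection lesson is the kind of "goatified" example the slide refers to: a login that builds its query from the submitted username and password. The block below is an added illustration written for this page, not code from WebGoat (which is Java EE); it uses Python with an in-memory SQLite table of constructed sample rows, shows the vulnerable string-built query beside the parameterized fix, and checks how each responds to the classic tautology payload and to a comment-based password bypass. The table and column names, the employee rows and the `login_*` function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example (not WebGoat's own lesson data).
EMPLOYEES = [
    (101, "Larry", "Stooge", "larry"),
    (102, "Moe", "Stooge", "moe"),
    (103, "Curly", "Stooge", "curly"),
]


def open_db():
    """Create an in-memory database with a small employee table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee "
        "(userid INTEGER, first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately insecure login: untrusted input is concatenated into the SQL text.

    This is the pattern a WebGoat-style lesson asks the student to exploit.
    Returns the list of userids the query matched.
    """
    sql = (
        "SELECT userid FROM employee WHERE first_name = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Hardened login: bound parameters keep the input out of the SQL grammar.

    The payload strings are compared as literal column values and never match.
    """
    sql = "SELECT userid FROM employee WHERE first_name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def authenticate(matches):
    """A login decision should require exactly one matching account.

    Treating 'any rows' as success is what turns a tautology injection into
    a bypass; checking for exactly one row is a cheap extra guard.
    """
    return len(matches) == 1


def demo():
    """Run both implementations against an honest login and two injection payloads."""
    conn = open_db()
    tautology = "' OR '1'='1"   # closes the string, then ORs in an always-true clause
    comment = "Moe' --"         # closes the string and comments out the password check
    try:
        return {
            "vulnerable_honest": login_vulnerable(conn, "Moe", "moe"),
            "vulnerable_tautology": login_vulnerable(conn, "Moe", tautology),
            "vulnerable_comment": login_vulnerable(conn, comment, "wrong"),
            "safe_tautology": login_safe(conn, "Moe", tautology),
            "safe_comment": login_safe(conn, comment, "wrong"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, matches in demo().items():
        print("%-22s matched %s -> authenticated=%s"
              % (name, matches, authenticate(matches)))
```

With the tautology payload the vulnerable query becomes `... WHERE first_name = 'Moe' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the `OR '1'='1'` clause makes every row match, which is why the result set has three userids instead of one. The parameterized version returns no rows for either payload, and `authenticate` rejects the three-row result even if the query itself were left unfixed.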

  6. Picking up Steam…
     • Used by source code analysis and web application security scanning vendors for demos
     • Used by universities in security curricula
       • Carnegie Mellon: using WebGoat as an open source project option
       • University of Denver
       • Wouldn't it be great if students contributed lessons as part of their class projects!
     • OWASP Autumn of Code 2006 and Spring of Code 2007 projects
     • Used by many companies as a training tool
     • LOTS of emails from the user community

  7. What's New in 5.X
     • 5.0: Autumn of Code 2006 release
       • Many new lessons: AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML and XPath injection, forced browsing
     • 5.1 (goals, Summer 2007)
       • Servlet that allows attacks to post data
       • Posted data is pushed back to the originating lesson
       • XSS phishing attack
       • Improved lesson content
       • Enhanced documentation (a SpoC 2007 project)

  8. Roadmap
     • Create a database schema common to all lessons
     • Convert lessons to a common theme
       • HR system (WebGoat Financials)
       • Online banking or video store
     • Make WebGoat more like CBT (computer-based training)
       • Teach application security, not just demonstrate how to attack
     • Convert lessons to JSPs for easier content editing

  9. Demos: let's go through some lessons!

  10. Questions and Answers

  11. Share your ideas / Let us know you're using it!
     • Bruce Mayhew, webgoat@owasp.org
     • http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
     • http://code.google.com/p/webgoat/

