OWASP LAPSE+ Project

Post on 06-Jan-2016


Transcript of OWASP LAPSE+ Project

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP LAPSE+ Project

Bruno Motta Rego
bmr@attom.com.br

June 2011


Agenda

Introduction
Vulnerabilities Detected
Goals
Hands On
Case
Challenges


Introduction

LAPSE+ is an Eclipse plugin for static analysis of code that detects untrusted-data injection vulnerabilities in Java EE applications.

LAPSE+ is inspired by existing lightweight security auditing tools such as FlawFinder.

Developed by a group at Stanford University.

GPL Software.


Vulnerabilities Detected

URL Tampering
Cookie Poisoning
Parameter Tampering
Header Manipulation
Cross-site Scripting (XSS)
HTTP Response Splitting
Injections (SQL, Command, XPath, XML, LDAP)
Path Traversal


Goals

Practical
Understanding
Challenges


Hands On


LAPSE+ Installation

Eclipse Helios http://www.eclipse.org/downloads/

LAPSE+ 2.8.1 plugin for Eclipse Helios. http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar


LAPSE+ Configuration

Drag and drop: copy the LapsePlus_2.8.1.jar into the plugins folder of our Eclipse Helios installation.


LAPSE+ Steps

Vulnerability Source: the view that lists the calls where untrusted data enters the application (request parameters, headers, cookies and similar).

Vulnerability Sink: the view that lists the calls where that data could do damage (SQL queries, command execution, output written to the response and similar).

Provenance Tracker: starting from a selected sink, it follows the data backwards through the code to show whether it originates from a source.
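As an added example (not from the slides and not part of the LAPSE+ project), here is the kind of Java EE code the three views above are meant to surface, covering three items from the Vulnerabilities Detected list: parameter tampering as the source, and SQL injection and XSS as the sinks. The servlet class names, the JNDI name java:comp/env/jdbc/appDb and the users table are assumptions; the code targets the Servlet API and uses Java 7 try-with-resources (on a Java 6 project, close the resources in finally blocks instead).

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// Shared helper; the JNDI name is a hypothetical one for this example.
final class Db {
    static Connection open() throws SQLException, ServletException {
        try {
            DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDb");
            return ds.getConnection();
        } catch (NamingException e) {
            throw new ServletException("datasource lookup failed", e);
        }
    }
}

// Vulnerable servlet: the flows a source/sink analysis is built to report.
//   Source: request.getParameter("name")   (parameter tampering)
//   Sink:   stmt.executeQuery(...)          (SQL injection)
//   Sink:   out.println(...)                (reflected XSS)
// The Provenance Tracker walks 'name' backwards from each sink, through
// buildQuery(), to the getParameter() call that introduced it.
public class UserLookupServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name");      // source: attacker-controlled
        PrintWriter out = response.getWriter();
        try (Connection conn = Db.open();
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(buildQuery(name))) {   // sink: SQL injection
            while (rs.next()) {
                out.println("<li>" + rs.getString("email") + "</li>");
            }
            out.println("<p>Results for " + name + "</p>");          // sink: reflected XSS
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // One hop away from the sink: the tracker must follow the taint through this call.
    private static String buildQuery(String name) {
        return "SELECT email FROM users WHERE name = '" + name + "'";
    }
}

// Hardened servlet: same source and sinks, but the data is bound or encoded first.
class SafeUserLookupServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name");
        if (name == null || name.length() > 64) {           // reject absent or oversized input
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        try (Connection conn = Db.open();
             PreparedStatement ps = conn.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, name);                          // bound value: never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.println("<li>" + escapeHtml(rs.getString("email")) + "</li>");
                }
            }
            out.println("<p>Results for " + escapeHtml(name) + "</p>");   // encoded for HTML
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // Minimal HTML text encoder for the example; prefer a maintained encoder library.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Running the plugin over the first servlet, expect getParameter to appear in the Vulnerability Source view, executeQuery and println in the Vulnerability Sink view, and a Provenance Tracker trace from the executeQuery sink back through buildQuery to getParameter. One caveat for the hardened version: LAPSE+ decides what is a source or sink from its configured method lists, so whether a custom encoder such as escapeHtml is treated as clearing the taint depends on that configuration; review the remaining findings rather than taking a clean report as proof that the encoding is adequate.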


Challenges

Requirements: Eclipse Helios, Java 1.6 or higher

Support: senior management; developers approve and use it

LAPSE+ project: throughput goes down


Case


Software Security Challenge

Total Cost of Development


Questions and Answers