Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Transcript of Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Slide 1: OWASP Broken Web Applications (OWASP BWA): Beyond 1.0
Slide 2: Agenda
• Introductions
• Project Background
• Current Status
• Future
• Q & A
Slide 3: About Me
• Sr. Technical Director at Mandiant in DC
• Application Security, Penetration Testing, Source Code Analysis, Forensics, Incident Response, Research and Development
• Leader of the OWASP Broken Web Applications project
• [email protected]
• @chuckatsf
Slide 4: Project Background
Slide 5: Problem
• Looking for web applications with vulnerabilities where I could:
  – Test web application scanners
  – Test manual attack techniques
  – Test source code analysis tools
  – Look at the code that implements the vulnerabilities
  – Modify code to fix vulnerabilities
  – Test web application firewalls
  – Examine evidence left by attacks
Slide 6: OWASP WebGoat
• It is a great learning tool, but…
• It is a training environment, not a real application
• The same holds for many other “training” applications
Slide 7: Proprietary “Free” Apps
• Realistic applications with vulnerabilities
• Often closed source, which prevents some uses
• Can conflict with one another
• Can be difficult to install
• Licensing restrictions
Slide 8: OWASP BWA Solution
• Free, Linux-based virtual machine
• Contains a variety of web applications
  – Some intentionally broken
  – Some old versions of open source applications
• Pre-configured and ready to use / test
• All applications are open source
  – Allows for source code analysis
  – Allows users to modify the source to fix vulnerabilities (or add new ones)
Slide 9: OWASP BWA History
• Initial 0.9 release at AppSec DC 2009
• 1.0 release in July 2012
• Current version is 1.1.1
  – Released in September 2013
  – Download links off www.owaspbwa.org
  – Some known issues
Slide 10: OWASP BWA Details
Slide 11: Virtual Machine
• Available in VMware and OVA formats
• Compatible with
  – VMware products
    • No-cost and commercial
    • OWASP BWA intentionally uses an older VM format
  – Oracle VirtualBox
  – Parallels Desktop
Slide 12: Base Operating System
• OS is Ubuntu Linux Server 10.04 LTS
  – No X Window System / graphical user interface
• Managed via
  – Console
  – OpenSSH
  – Samba
  – phpMyAdmin
Slide 13: Base Software
• Apache
• PHP
• Perl
• MySQL
• Tomcat
• OpenJDK
• Mono
• Ruby
• Rails
Slide 14: Additional Software
• Subversion client
• Git client
• PostgreSQL
• ModSecurity and OWASP Core Rule Set
• Custom scripts
Slide 15: Applications
Slide 16: Training Applications
• OWASP WebGoat (Java)
• OWASP WebGoat.NET (ASP.NET/C#)
• OWASP ESAPI Java SwingSet Interactive (Java)
• OWASP Mutillidae II (PHP)
• OWASP RailsGoat (Ruby on Rails)
• OWASP Bricks (PHP)
• Damn Vulnerable Web Application (PHP)
• Ghost (PHP)
• Magical Code Injection Rainbow (PHP)
Slide 17: Realistic, Intentionally Broken Apps
• OWASP Vicnum (PHP/Perl)
• OWASP 1-Liner (Java/JavaScript)
• Google Gruyere (Python)
• Hackxor (Java JSP)
• WackoPicko (PHP)
• BodgeIt (Java JSP)
• Cyclone Transfers (Ruby on Rails)
• Peruggia (PHP)
Slide 18: Old Versions of Real Applications
• WordPress 2.0.0 (PHP, released December 31, 2005)
  – myGallery plugin version 1.2
  – Spreadsheet for WordPress plugin version 0.6
• OrangeHRM version 2.4.2 (PHP, released May 7, 2009)
• GetBoo version 1.04 (PHP, released April 7, 2008)
• gtd-php version 0.7 (PHP, released September 30, 2006)
• Yazd version 1.0 (Java, released February 20, 2002)
• WebCalendar version 1.03 (PHP, released April 11, 2006)
• TikiWiki version 1.9.5 (PHP, released September 5, 2006)
• Gallery2 version 2.1 (PHP, released March 23, 2006)
• Joomla version 1.5.15 (PHP, released November 4, 2009)
• AWStats version 6.4 (Perl, released February 25, 2005)
Slide 19: Other Applications
• Applications for Testing Tools
  – OWASP ZAP-WAVE (Java JSP)
  – WAVSEP (Java JSP)
  – WIVET (Java JSP)
• Demonstration Pages / Small Applications
  – OWASP CSRFGuard Test Application (Java)
  – Mandiant Struts Forms (Java/Struts)
  – Simple ASP.NET Forms (ASP.NET/C#)
  – Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
• OWASP Demonstration Applications
  – OWASP AppSensor Demo Application (Java)
Slide 20: Other Features
Slide 21: Editing Applications
• Application code can be edited via SMB shares, SSH, or the console
• Updates to PHP, JSP, etc. application files take effect immediately
• Scripts are provided to rebuild and redeploy the applications that require it:
  – WebGoat
  – Yazd
  – CSRFGuard Test Apps
  – SwingSet Apps
Slide 22: Updating VM
• Scripts are provided to update the VM from source code repositories
  – OWASP BWA-specific files from the Google Code SVN repository
  – Application files from their own SVN or Git repositories
• Can break applications due to changes in database schemas or dependencies
• Can allow for using updated versions of applications without waiting for a new version of OWASP BWA
Slide 23: OWASP ModSecurity Core Rule Set
• The web server on OWASP BWA is running mod_security
• By default, no rules are enabled
• Scripts are provided to:
  – Enable logging using CRS: owaspbwa-modsecurity-crs-log.sh
  – Enable blocking using CRS: owaspbwa-modsecurity-crs-block.sh
  – Disable all rules: owaspbwa-modsecurity-crs-off.sh
• Rules can be easily edited via SMB shares
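The three scripts on this slide switch ModSecurity between its logging, blocking and disabled states. The Apache fragment below is an added illustration of what those three states look like at the directive level; it is not the contents of the project's owaspbwa-modsecurity-crs-*.sh scripts, and the file paths are assumptions for a Debian/Ubuntu-style Apache layout.

```apache
# Added illustration, not the project's scripts. The mode each script selects
# maps onto the SecRuleEngine directive of ModSecurity 2.x.
<IfModule security2_module>
    # "Log" mode (owaspbwa-modsecurity-crs-log.sh): rules are evaluated and
    # matches are logged, but no disruptive action (deny/drop/redirect) is taken.
    SecRuleEngine DetectionOnly

    # "Block" mode (owaspbwa-modsecurity-crs-block.sh): matching rules with a
    # disruptive action stop the request.
    # SecRuleEngine On

    # "Off" mode (owaspbwa-modsecurity-crs-off.sh): rules stay loaded but are
    # not evaluated at all, so nothing is logged either.
    # SecRuleEngine Off

    # Audit log: this is where the evidence of a logged or blocked request
    # ends up, which matters when the VM is used to practise incident response.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Core Rule Set (paths are assumptions).
    Include /etc/modsecurity/modsecurity_crs_10_setup.conf
    Include /etc/modsecurity/activated_rules/*.conf
</IfModule>
```

One caveat when testing a WAF this way: with CRS 2.x the setup file also carries a SecDefaultAction (pass versus deny), so whether "block" mode really blocks depends on both that default and SecRuleEngine; DetectionOnly is the safe override because it turns every disruptive action into a log entry regardless of what the rules ask for.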
Slide 24: Log Files
• Logging for the web and application servers is left in its default configuration
  – What you will most likely see when responding to an incident
• Logs are available via SMB share
• Logging settings can be easily edited
• Logs are cleared when the VM is packaged
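Default logging on the VM means the evidence of an attack is whatever Apache writes in its combined access log format. The script below is an added example, not part of the OWASP BWA project, of a first-pass triage over such a log: it parses the combined format, URL-decodes the request target (twice, because double encoding is a common evasion) and flags requests that carry the usual injection, XSS and traversal tokens. The log lines, IP addresses and paths are constructed for illustration and are not traffic recorded from the VM.

```python
"""Added example (not from the OWASP BWA project): triage an Apache access log
left in its default "combined" format for evidence of web attacks.

The sample log lines, IP addresses and paths below are constructed for
illustration; they are not recorded traffic from the VM.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Conservative signatures applied to the decoded request target. The aim is
# to surface candidates for a human, not to replace the WAF.
SIGNATURES = {
    "sqli": re.compile(
        r"('\s*(or|and)\s+[\w']+\s*=|union\s+(all\s+)?select|--\s*$|;\s*drop\s)", re.I),
    "xss": re.compile(r"(<script|javascript:|on(error|load|mouseover)\s*=)", re.I),
    "traversal": re.compile(r"(\.\./|%2e%2e%2f|/etc/passwd)", re.I),
    "cmdi": re.compile(r"(;\s*(cat|id|whoami|uname)\b|\|\s*(cat|id|whoami)\b)", re.I),
}


def decode_target(target):
    """Decode twice: attackers double-encode to slip past filters that decode once.
    (A literal '+' in an already-decoded path becomes a space; acceptable for triage.)"""
    return unquote_plus(unquote_plus(target))


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return findings as (source ip, status, category, decoded target) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not combined format; leave it for a manual look
        decoded = decode_target(rec["target"])
        for category, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                findings.append((rec["ip"], int(rec["status"]), category, decoded))
    return findings


def top_sources(findings, n=3):
    """Rank by source IP: a scanner stands out from a one-off request immediately."""
    return Counter(ip for ip, _, _, _ in findings).most_common(n)


# Constructed sample lines (not real traffic). Paths mimic the layout of the
# training apps only loosely; the parameters and payloads are illustrative.
SAMPLE_LOG = [
    '192.168.56.1 - - [21/Nov/2013:10:01:02 -0500] "GET /index.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [21/Nov/2013:10:01:05 -0500] "GET /app/user.php?id=1%27+OR+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [21/Nov/2013:10:01:09 -0500] "GET /app/search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.56.1 - - [21/Nov/2013:10:01:12 -0500] "GET /app/download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 199 "-" "sqlmap/1.0"',
    '192.168.56.20 - - [21/Nov/2013:10:02:00 -0500] "POST /WebGoat/attack HTTP/1.1" 200 1820 "http://owaspbwa/WebGoat/" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ip, status, category, target in hits:
        print(f"{ip} {status} {category:10s} {target}")
    print("top sources:", top_sources(hits))
```

Run against the real thing by reading /var/log/apache2/access.log off the SMB share instead of SAMPLE_LOG. The 403 on the traversal line is the kind of correlation worth making: with the CRS in blocking mode a 403 in the access log should have a matching entry in the ModSecurity audit log, and a 200 on an injection payload is the request to investigate first.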
Slide 25: User Guide
• User Guide available on the Google Code wiki: https://code.google.com/p/owaspbwa/wiki/UserGuide
• Welcome any volunteers to contribute
  – Author
  – Review
  – Edit
  – Comment
Slide 26: Vulnerabilities
Slide 27: Where are the vulnerabilities?
• Don’t have a master list of vulnerabilities (yet)
• Looking for the community to contribute
• Using the “Trac” issue tracker at SourceForge: http://sourceforge.net/apps/trac/owaspbwa/report/1
• Not intended to duplicate content within applications or application documentation
Slide 28: Tracking Known Vulnerabilities
• Anyone can search issues
Slide 29: Tracking Known Vulnerabilities
• Anyone can see details on issues
Slide 30: Tracking Known Vulnerabilities
• Anyone can submit issues
• Considering a registration requirement in order to prevent spam
Slide 31: Tracking Known Vulnerabilities
• Registered users can edit issues
Slide 32: The Future
Slide 33: Near Term
• Version 1.2 planned before the end of 2013
  – Bug fixes
  – Add bWAPP application
  – Update applications
  – Add ability to more easily update OWASP Mutillidae
Slide 34: Other Near Term Items
• Documentation can use some work
• Catalog of vulnerabilities can be expanded
Slide 35: Longer Term
• Will get increasingly difficult to support modern and old applications
  – Due to library and other dependency issues
• May move to multiple VMs
• Would like to improve the set of applications…
Slide 36: Wish List
• More applications in more languages
  – Compiled Java
  – ASP.NET
  – Python
  – Node.js
• Common frameworks and libraries
• Looking for feedback from people who use the VM for developer training
Slide 37: Wish List
• More modern UIs
  – Rich JavaScript
  – HTML5
  – Mobile optimized sites
  – Adobe Flash
Slide 38: Wish List
• More database backends
  – PostgreSQL
  – SQLite
  – NoSQL
• Opportunity for someone
  – Create a small data-driven application with SQL injection
  – Make variants connected to different database backends
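The "small data-driven application with SQL injection" this slide asks for is a few dozen lines once the schema exists. What follows is an added example written for this page, not an application from the OWASP BWA project: a login and a search endpoint, each in a deliberately vulnerable form beside its parameterised fix, backed by SQLite so it runs without a server. The table, the user names and the passwords are made up. The same two pairs of functions are what a backend variant would port to PostgreSQL or MySQL, changing only the connection and the placeholder style.

```python
"""Added example (not from the OWASP BWA project): a minimal data-driven app
with two classic SQL injection primitives, each next to its fixed version.

Backend: SQLite in memory. Schema, users and passwords are made up. To make a
PostgreSQL variant, swap sqlite3.connect for psycopg2.connect and the "?"
placeholders for "%s"; the vulnerable functions need no change at all, which
is exactly the point.
"""
import sqlite3


def make_db():
    """Create the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "alice-pw", "admin"), ("bob", "bob-pw", "user"), ("carol", "carol-pw", "user")])
    return conn


# --- Primitive 1: authentication bypass -------------------------------------

def login_vulnerable(conn, username, password):
    """Deliberately broken: user input is spliced into the SQL text, so a quote
    in the username ends the literal and '--' comments out the password check."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Same query with bound parameters: input is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# --- Primitive 2: UNION-based data extraction --------------------------------

def search_vulnerable(conn, term):
    """Deliberately broken: a search box that lets the attacker append a UNION
    and read a column they were never meant to see."""
    sql = "SELECT username FROM users WHERE username LIKE '%%%s%%'" % term
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """The wildcard is built in Python and bound as one parameter."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Payloads a tester would try against the two endpoints.
BYPASS_USER = "alice' --"            # closes the literal, comments out the rest
TAUTOLOGY = "' OR '1'='1"            # true for every row, in either field
UNION_PAYLOAD = "x%' UNION SELECT password FROM users --"


def demo():
    """Run both primitives against both variants; returns the observed rows."""
    conn = make_db()
    return {
        "legit_login": login_fixed(conn, "alice", "alice-pw"),
        "bypass_vuln": login_vulnerable(conn, BYPASS_USER, "wrong"),
        "bypass_fixed": login_fixed(conn, BYPASS_USER, "wrong"),
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "union_vuln": search_vulnerable(conn, UNION_PAYLOAD),
        "union_fixed": search_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

The vulnerable functions are what a scanner, a WAF rule, or a source code analyser should catch; the fixed ones are the diff a student would be asked to produce. Porting the pair to another backend is where the "variants" idea on the slide earns its keep: the comment syntax, the string concatenation operator and the information-schema tables differ between SQLite, MySQL and PostgreSQL, so a payload that works on one often needs adjusting on the next, and that is precisely what a tester practising on the VM wants to see.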
Slide 39: Wish List
• Improved set of real applications with security issues
  – More applications
  – More modern applications
Slide 40: Wish List
• More web services
  – Mobile apps
  – Rich web UIs
  – Desktop thick clients
Slide 41: Wish List
• Updated home page on the VM
  – More intuitive layout
  – Refreshed appearance
  – Perhaps indicate applications based on
    • Application’s scope
    • Application’s level of activity / updates
    • User’s role / level
• Looking for feedback from users
Slide 42: What do you want to see in OWASP BWA?
Slide 43: We welcome any help, feedback, or broken apps you can provide!
Slide 44: More Information and Getting Involved
• More information on the project can be found at http://www.owaspbwa.org/
• Join our Google Group: owaspbwa
• Follow us on Twitter: @owaspbwa
• Submit bugs and security issues to the trackers