Overview of Web Application Security and Setup
- Section Overview
- Where to get assistance
- Assignment #1
- Infrastructure Setup
- Web Security Overview
- Web Application Evaluation & Testing
- Application Security Requirements
- Web Application Security Requirements
- Material Source
  - OWASP Testing Guide v3
  - WebGoat
- Lab Goals
  - Learn real world skillz
  - Teach offensive and defensive security
  - Teach self-reliance and communication
  - Instill collaborative development and teamwork
- Developed and published by OWASP
- Application security testing guideline
- Breaks down testing
- Vulnerable web application used to teach web app security
- Our use is two-fold
  - Teach yourself how to exploit the vulnerabilities
  - Projects will require you to report and fix bugs
- Google Groups
  - https://groups.google.com/forum/?fromgroups#!forum/comp327-spring-2013
- OWASP Testing Guide
  - https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
- WebGoat Tutorial Videos
  - http://yehg.net/lab/pr0js/training/webgoat.php
- Email TAs
- Download project appliances from the site
- Set up Bitbucket accounts
- Create a private git repo
- Link the repo to the one on the VM
- Share your repo with the course TAs
- Reading Assignment
- Download the Virtual Appliances
  - http://markov.cs.rice.edu/comp327/
  - Do it on campus with a wired connection!
- OWASP_BWA_Comp327.ova
  - Contains an instance of WebGoat
  - Used to test and learn how to exploit the vulnerabilities you will fix.
- webgoat_developer.ova
  - Development environment
    - Eclipse with Java EE environment
    - WebGoat source code in a git repo
- Download & Install VirtualBox
  - https://www.virtualbox.org/
- Import the Virtual Appliance
  - In class demo
  - Google if not in class
  - Ask questions on the forum if confused
- Configuring network for VMs
  - In class demo
  - Google if not in class
  - Ask questions on the forum if confused
- Create a Bitbucket Account
  - https://bitbucket.org/
- One person in each group needs to do this
  - Link the git repo on Webgoat_Developer with a new repo in Bitbucket
  - Invite your partner to the repo; they will follow the similar procedure outlined below
- Start the WebGoat_Development VM
- Log in to the VM
  - User: webgoatdev
  - Pass: !webgoatdev
- Start a Terminal
  - Click the “Black Screen” icon in the bar
- Type `./eclipse/eclipse` in the Terminal
- After Eclipse has started
  - Go to: Window -> Open Perspective -> Other
  - Select: Git Repository Exploring
- Expand Webgoat [master]
- Right click and select: “Create Remote…”
- Type or paste in the git repo URL
- Type in the username and password
- Click Finish
- Right click on the origin under Remotes
- Click “Save and Push”
- Click on the progress bar in the lower left to reveal upload progress
- When the push is complete …
- Once your Bitbucket repo is synced
  - Share (invite) the TAs to your repository
  - Theodore Book (tbook)
  - Adam Pridgen (apridgen)
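The Eclipse steps above (Create Remote, enter credentials, Save and Push) are a GUI front end for a handful of git commands. The script below is an added example, not from the course slides or the WebGoat project: it performs the same link-and-push from the command line against a local bare repository that stands in for the Bitbucket repo, so it runs offline; the repository contents, user name and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the course slides): command-line equivalent of the
# Eclipse "Create Remote..." / "Save and Push" procedure. A local bare repo
# stands in for the Bitbucket repo; in the course you would use the Bitbucket
# URL instead, authenticating with an SSH key or app password rather than
# typing your account password into the IDE.
set -e

# link_and_push <work_tree> <remote_url>
# Registers <remote_url> as "origin" for the checkout in <work_tree>, pushes
# master and sets the upstream so later pushes need no arguments.
# Prints the commit that was pushed so the caller can verify it landed.
link_and_push() {
    work="$1"; url="$2"
    git -C "$work" remote add origin "$url"
    git -C "$work" push -u origin master >/dev/null 2>&1
    git -C "$work" rev-parse HEAD
}

# make_demo_repo <dir>: constructed stand-in for the WebGoat checkout that the
# developer VM ships with (one commit on master, placeholder content only).
make_demo_repo() {
    mkdir -p "$1"
    git -C "$1" init -q
    git -C "$1" config user.name "webgoatdev"
    git -C "$1" config user.email "webgoatdev@example.invalid"
    git -C "$1" symbolic-ref HEAD refs/heads/master   # unborn branch named master
    echo "WebGoat (constructed placeholder, not the real source)" > "$1/README"
    git -C "$1" add README
    git -C "$1" commit -q -m "Initial import (constructed)"
}

# demo: builds the checkout and the stand-in remote under a temp dir, links and
# pushes, then returns 0 only if the remote's master is exactly the pushed commit.
demo() {
    tmp=$(mktemp -d)
    make_demo_repo "$tmp/webgoat"
    git init -q --bare "$tmp/bitbucket.git"        # stands in for the Bitbucket repo
    pushed=$(link_and_push "$tmp/webgoat" "$tmp/bitbucket.git")
    remote_head=$(git -C "$tmp/bitbucket.git" rev-parse refs/heads/master)
    rm -rf "$tmp"
    [ "$pushed" = "$remote_head" ]
}
```

Checking the remote's branch head against the local commit, as `demo` does, is the command-line counterpart of watching the Eclipse progress bar finish.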
- How do web applications work?

Source: http://www.simondelliott.com/blog/welcome/architecture-for-the-consumer/
- How do web attacks work?

Source: http://www.preventia.co.uk/application-penetration-testing-service.php
- Basic Vocabulary
  - Threat, Vulnerability, Risk, Mitigation
  - Attack vs. Defense
  - Client vs. Server
  - Web Proxy
  - Session Cookie
  - …
- Web Application Security Testing Overview
  - Manual Inspections & Reviews
  - Threat Modeling
  - Source Code Review
  - Penetration Testing
- Manual Inspections & Reviews
  - Review technical decisions
  - Review architectural designs
  - Review security (configuration and coding) policies
  - Review security requirements
- Manual Inspections & Reviews Advantages
  - Requires no supporting technology
  - Can be applied to a variety of situations
  - Flexible
  - Promotes teamwork
  - Early in the SDLC
- Manual Inspections & Reviews Disadvantages
  - Can be time consuming
  - Supporting material not always available
  - Requires extensive knowledge and experience
- Threat Modeling
  - Decomposing the application
  - Defining and classifying the assets
  - Exploring potential vulnerabilities
  - Exploring potential threats
  - Creating mitigation strategies
- Threat Modeling Advantages
  - Practical attacker's view of the system
  - Flexible
  - Early in the SDLC
- Threat Modeling Disadvantages
  - Extensive knowledge and experience required
  - Project or business names change over the lifecycle
- Source Code Review
  - Evaluate data and control flow of the application
  - Line by line analysis of source code
  - Read comments and intended functionality
- Source Code Review Advantages
  - Completeness and effectiveness
  - Potential accuracy
  - Manual and automated processes
- Source Code Review Disadvantages
  - Requires highly skilled security developers
  - Can miss issues in third-party libraries
  - Run-time errors may go unnoticed
  - Subtleties and knowledge of the underlying language
- Penetration Testing
  - Black box testing using attack tools
  - Develop an understanding based mostly on
    - Error messages
    - Client and server technologies
  - Exploit the application
    - Attempt to compromise users, functionality, and data
- Penetration Testing Advantages
  - Time boxed and scope limited
  - Tests code and functionality that is exposed
- Penetration Testing Disadvantages
  - Completeness of testing
  - Latent services or data manipulation and usage
  - Only tests code and functionality that is exposed
- User Management
- Authentication
- Authorization
- Data Confidentiality
- Integrity
- Accountability
- Session Management
- Transport Security
- Tiered System Segregation (Trust relationships)
- Privacy
- Web Application Security Testing Framework
  - Authentication & Access Control
  - Input Validation & Encoding
  - Data and Transport Encryption
  - User and Session Management
  - Error and Exception Handling
  - Auditing and Logging
1. OWASP Testing Guide v3, https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
- Authentication & Access Control
- Input Validation & Encoding
- Data and Transport Encryption
- User and Session Management
- Error and Exception Handling
- Auditing and Logging