Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

OWASP LAPSE+ Project

Bruno Motta Regobmr@attom.com.br

June 2011

OWASP 2

Agenda

Introduction Vulnerabilities Detected Goals Hands On Case Challenges

OWASP 3

Introduction

LAPSE+ is a static analysis of code Eclipse plugin for detecting vulnerabilities of untrusted data injection in Java EE Applications.

LAPSE+ is inspired by existing lightweight security auditing tools such as FlawFinder.

Developed by Group of Stanford University.

GPL Software.

OWASP 4

Vulnerabilities Detected

URL Tampering Cookie Poisoning Parameter Tampering Header Manipulation Cross-site Scripting (XSS) HTTP Response Splitting Injections (SQL, Command, XPath, XML,

LDAP) Path Traversal

OWASP 5

Goals

Practical Understanding Challenges

OWASP 6

Hands On

OWASP 7

LAPSE+ Installation

Eclipse Helios http://www.eclipse.org/downloads/

LAPSE+ 2.8.1 plugin for Eclipse Helios. http://evalues.es/downloads/owasp/LapsePlus_2.8.1.jar

OWASP 8

LAPSE+ Configuration

Drag and DropCopy it in the plugins folder of our Eclipse

Helios

OWASP 9

LAPSE+ Steps

Vulnerability Source

Vulnerability Sink

Provenance Tracker

OWASP 10

Challenges

RequirementsEclipse Helios Java 1.6 or higher

SupportSenior ManagementDevelopers approve and use

LAPSE+ ProjectTroughput down

OWASP 11

Case

OWASP 12

Software Security Challenge

Total Cost of Development

OWASP 13

Questions and Answers