Webseclab (USENIX)
Elie Bursztein, Baptiste Gourdin, Celine Fabry, Jason Bau, Gustav Rydstedt, Hristo Bojinov, Dan Boneh, John C. Mitchell
Stanford University
Elie Bursztein et al Webseclab http://ly.tl/t15
Web vs System
[Figure: Evolution of the number of vulnerabilities by year, 2005-2009; y-axis: number of vulnerabilities (0-3000); series: Web, System. Bar labels visible in the chart residue: 1186, 2793, 1528, 996, 1275, 1095, 2000, 1951, 1531, 1647 (their assignment to series and years is not recoverable).]
Web vulnerabilities breakdown
[Figure: Evolution of the web vulnerabilities over the years by type, 2005-2009; y-axis: number of vulnerabilities (0-1000); series: XSS, SQLi, XCS, Session, CSRF, SSL, Information Leak.]
BlackHat Training on Web security
[Figure: BlackHat Training on Web security, by year 2005-2010; y-axis 0-10.]
No bulletproof language
[Figure: breakdown by server-side technology (file extension), shown as a 100% stacked bar with per-segment counts: pl 140, do 224, cfm 302, jsp 511, asp 1170, aspx 1220, php 5070.]
Webseclab Goals
• Bleeding-edge exercises
• Inclusive environment
• No setup
• Minimal learning curve
• Easy class management
Webseclab architecture
[Diagram: a cloud service hosting per-user virtual machines; each user (User 1, User 2) is given VM1 and VM2.]
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Key features
• Exercises
• Quizzes
• Projects
• Real case
• Class management
• Synchronization
• Realtime goal
• Quizzes push
• Analytics
[Diagram: VM cloud]
Webseclab VM architecture
[Diagram: a virtual machine containing an IDE, a sandbox, Firefox, WebSecLab, and SQL access via phpMyAdmin. WebSecLab panels: Categories, Exercise, Objective, Constraints, Pitch, Exercise rendered, Exercise code, Hints, Sync, Dashboard.]
Exercises distribution
[Figure: Webseclab exercise distribution by category: Introduction, Browser security, Mixing content, XSS, CSRF, Session, Phishing, Authentication, Embedding, SQL injections; y-axis: number of exercises, 0-20. Numeric labels in the chart residue: 6, 1, 45, 12, 6, 17, 78, 7 (their assignment to categories is not recoverable).]
Tuesday, May 18, 2010