Exploring OWASP: A Comprehensive Look at Application Security and Tools

Slide Note
Embed
Share

Delve into the world of OWASP (Open Web Application Security Project) to understand its mission, the significance of application security, available resources, global chapters, sponsors, publications, software projects, and the innovative OWASP Live CD. Discover the benefits and tools offered by OWASP for secure software development and vulnerability testing.


Uploaded on Mar 20, 2024 | 1 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. What is OWASP OWASP Live CD Live Demo Omar Sherin-OWASP Egypt

  2. 2 Few Facts and figures: How Many Vulnerabilities Are Application Security Related? 2

  3. 3 What is OWASP? Open Web Application Security Project Promotes secure software development Oriented to the delivery of web oriented services Focused primarily on the back-end than web-design issues An open forum for discussion A free resource for any development team 3

  4. 4 120+ Chapters Worldwide

  5. 5 OWASP Sponsors

  6. 6 OWASP Publications- All Free Top 10 Web Application Security Vulnerabilities Guide to Building Secure Web Applications Legal Project Metrics & Measurements Project Testing Project AppSec Faq www.owasp.org 6

  7. 7 OWASP Software Major Applications WebGoat WebScarab .Net Projects oLab Projects 7

  8. 8 OWASP Software - .NET Projects .Net Projects A collection of tools focused on securing ASP.NET projects Include security analyzers and documentation projects Current Projects Asp.Net Baseline Security a suite of tools to assist administrators in identifying common issues in Asp.Net deployments SAM SHE Security Analyzer for Microsofts Shared Hosting Environments toolkit for administrators to identify issues in IIS 5 or 6 Asp.Net deployments ANSA Asp.Net Security Analyzer written in C# to identify configuration and software issues that impact security Asp.Net Security Guides a set of documents covering the design and deployment of secure software in Asp.Net hosting environments http://www.owasp.org/software/dotnet.html 8

  9. 9 What is the OWASP Live CD A bootable CD with loads of pre packaged Web security tools and toys The Latest project of OWASP and the most talked about in the Web Security Community Comes also as a Free VM Image

  10. 10 Live CD Benefits and Tools List It s Free , Easy and Safe to use Current Tools List OWASP WebScarab OWASP WebGoat OWASP JBroFuzz Paros Proxy nmap Wireshark tcpdump Firefox 3 Burp Suite Grenedel-Scan OWASP DirBuster OWASP SQLiX OWASP WSFuzzer Metasploit 3 Future Tools List nikto Skavenger sqlmap sqlninja Absinthe webshag httprint BEEF ProxyMon Rat Proxy

  11. 11 Tool Focus WebGoat Start the WebGoat Server from the Main Menu In Firefox Type : Http://127.0.0.1:8080\WebGoat\attack User Name: guest Password: guest Start Learning !!

  12. 12 What is WebGoat OWASP project with ~115,000 downloads so far Deliberately insecure Java EE web application Teaches common application vulnerabilities via a series of individual lessons

  13. 13 Real World Examples Cross site scripting SQL Injection Command Injection Forced Browsing Access Control Data, presentation, business, & environmental layers Authentication AJAX WebServices

  14. 14 WebGoat Users Used by Clients for source code analysis and web application security scanning. Used by universities in security curriculum Carnegie-Mellon Using WebGoat as open source project option University of Denver Wouldn t it be great if students contributed lessons as part of their class projects!! OWASP Autumn 2006 and Spring of Code 2007 Projects Used by many companies as a safe training tool LOTS of emails from user community

  15. 15 What s New in 5.x 5.0 Autumn of Code 2006 Release Many new lessons AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing 5.1 (Summer 2007) Servlet that allows attacks to post data Posted data is pushed back to originating lesson XSS Phishing attack Improved lesson content Enhanced Documentation (A SpoC 2007 project)

  16. 16 Work in Progress Convert lessons to a common theme HR System (WebGoat Financials) Online Banking or Video Store

  17. 17 Questions & Demo

  18. Thank You www.qcert.org

Related


More Related Content