OWASP WebGoat v5 <Presenter> 16 April 2010

What’s a WebGoat OWASP project with ~115,000 downloads Deliberately insecure Java EE web application Teaches common application vulnerabilities via a series of individual lessons

History of WebGoat Donated to OWASP by Aspect Security ~2002 Project Lead is Bruce Mayhew Started to receive outside contributions in 2005 v5 produced as AoC 2006 project

WebGoat Demonstrates Vulnerabilities WebGoat uses “goatified” real world examples Cross site scripting SQL Injection Command Injection Forced Browsing Access Control Data, presentation, business, & environmental layers Authentication AJAX WebServices ….

Used by universities in security curriculum Picking up Steam… Used by source code analysis and web application security scanning vendors for demos Used by universities in security curriculum Carnegie-Mellon Using WebGoat as open source project option University of Denver Wouldn’t it be great if students contributed lessons as part of their class projects!! OWASP Autumn 2006 and Spring of Code 2007 Projects Used by many companies as a training tool LOTS of emails from user community

5.0 – Autumn of Code 2006 Release What’s New in 5.X 5.0 – Autumn of Code 2006 Release Many new lessons AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing 5.2 – current release Introduction and WebGoat instructions Multi Level Login Lesson Session Fixation Lesson Insecure Login Lesson Lesson Solution Videos Bug Report Feature

Create database schema common to all lessons Roadmap Create database schema common to all lessons Convert lessons to a common theme HR System (WebGoat Financials) Online Banking or Video Store Make WebGoat more CBT like Teach application security, not just demonstate how to attack Convert lessons to JSPs for easier content editing

Demos – Lets go through some lessons!!

Questions and Answers Q & Q U E S T I O N S A N S W E R S A