Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit The OWASP Foundation 6 th OWASP AppSec Conference Milan - May WebGoat v5 Project: Autumn of Code 2006 Project Presenter: Dave Wichers OWASP Conferences Chair COO, Aspect Security WebGoat Project Lead: Bruce Mayhew

6 th OWASP AppSec Conference – Milan – May About the Speaker  Background  IT Security Consultant for past 19 years  Focus on application security for past 9 years  Bachelor’s and Masters Degrees in Computer Science  CISSP, CISM  Aspect Security Founder and COO  Specialists in application security  Verify critical applications (~3 million LOC/month)  Enable companies to reliably produce secure code  OWASP Foundation  Coauthor of OWASP Top 10  Member of OWASP Board  Conferences Chair for OWASP AppSec Conferences  Established OWASP as 501c3 not-for-profit in U.S.

6 th OWASP AppSec Conference – Milan – May What’s a WebGoat  OWASP project with ~115,000 downloads  Deliberately insecure Java EE web application  Teaches common application vulnerabilities via a series of individual lessons

6 th OWASP AppSec Conference – Milan – May 2007 History of WebGoat  Donated to OWASP by Aspect Security ~2002  Project Lead is Bruce Mayhew  Started to receive outside contributions in 2005  v5 produced as AoC 2006 project 4

6 th OWASP AppSec Conference – Milan – May WebGoat Demonstrates Vulnerabilities  WebGoat uses “goatified” real world examples  Cross site scripting  SQL Injection  Command Injection  Forced Browsing  Access Control  Data, presentation, business, & environmental layers  Authentication  AJAX  WebServices  ….

6 th OWASP AppSec Conference – Milan – May Picking up Steam…  Used by source code analysis and web application security scanning vendors for demos  Used by universities in security curriculum  Carnegie-Mellon  Using WebGoat as open source project option  University of Denver  Wouldn’t it be great if students contributed lessons as part of their class projects!!  OWASP Autumn 2006 and Spring of Code 2007 Projects  Used by many companies as a training tool  LOTS of s from user community

6 th OWASP AppSec Conference – Milan – May What’s New in 5.X  5.0 – Autumn of Code 2006 Release  Many new lessons  AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing  5.1 (Goals – Summer 2007)  Servlet that allows attacks to post data  Posted data is pushed back to originating lesson  XSS Phishing attack  Improved lesson content  Enhanced Documentation (A SpoC 2007 project)

6 th OWASP AppSec Conference – Milan – May Roadmap  Create database schema common to all lessons  Convert lessons to a common theme  HR System (WebGoat Financials)  Online Banking or Video Store  Make WebGoat more CBT like  Teach application security, not just demonstate how to attack  Convert lessons to JSPs for easier content editing

6 th OWASP AppSec Conference – Milan – May 2007 Demos – Lets go through some lessons!! 9

6 th OWASP AppSec Conference – Milan – May 2007 A Q & Q U E S T I O N S A N S W E R S Questions and Answers

6 th OWASP AppSec Conference – Milan – May Share your ideas / Let us know you’re using it! Bruce Mayhew