Copyright © 2007 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Slide 1: Title

Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/

The OWASP Foundation, http://www.owasp.org/
6th OWASP AppSec Conference, Milan, May 2007

WebGoat v5 Project: Autumn of Code 2006 Project

Presenter: Dave Wichers, OWASP Conferences Chair, COO, Aspect Security, dave.wichers@aspectsecurity.com
WebGoat Project Lead: Bruce Mayhew, webgoat@owasp.org

Slide 2: About the Speaker

- Background
  - IT Security Consultant for past 19 years
  - Focus on application security for past 9 years
  - Bachelor's and Master's Degrees in Computer Science
  - CISSP, CISM
- Aspect Security Founder and COO
  - Specialists in application security
  - Verify critical applications (~3 million LOC/month)
  - Enable companies to reliably produce secure code
- OWASP Foundation
  - Coauthor of OWASP Top 10
  - Member of OWASP Board
  - Conferences Chair for OWASP AppSec Conferences
  - Established OWASP as 501c3 not-for-profit in U.S.

Slide 3: What's a WebGoat

- OWASP project with ~115,000 downloads
- Deliberately insecure Java EE web application
- Teaches common application vulnerabilities via a series of individual lessons

Slide 4: History of WebGoat

- Donated to OWASP by Aspect Security ~2002
- Project Lead is Bruce Mayhew
- Started to receive outside contributions in 2005
- v5 produced as AoC 2006 project

Slide 5: WebGoat Demonstrates Vulnerabilities

- WebGoat uses "goatified" real world examples
  - Cross site scripting
  - SQL Injection
  - Command Injection
  - Forced Browsing
  - Access Control
    - Data, presentation, business, & environmental layers
  - Authentication
  - AJAX
  - WebServices
  - ...

Slide 6: Picking up Steam...

- Used by source code analysis and web application security scanning vendors for demos
- Used by universities in security curriculum
  - Carnegie-Mellon
    - Using WebGoat as open source project option
  - University of Denver
  - Wouldn't it be great if students contributed lessons as part of their class projects!!
- OWASP Autumn 2006 and Spring of Code 2007 Projects
- Used by many companies as a training tool
- LOTS of emails from user community

Slide 7: What's New in 5.X

- 5.0 – Autumn of Code 2006 Release
  - Many new lessons
    - AJAX, JSON, HTTP response splitting, CSRF, cache poisoning, log poisoning, XML & XPATH Injection, forced browsing
- 5.1 (Goals – Summer 2007)
  - Servlet that allows attacks to post data
    - Posted data is pushed back to originating lesson
  - XSS Phishing attack
  - Improved lesson content
  - Enhanced Documentation (A SpoC 2007 project)

Slide 8: Roadmap

- Create database schema common to all lessons
- Convert lessons to a common theme
  - HR System (WebGoat Financials)
  - Online Banking or Video Store
- Make WebGoat more CBT like
  - Teach application security, not just demonstrate how to attack
- Convert lessons to JSPs for easier content editing

Slide 9: Demos – Let's go through some lessons!!

Slide 10: Questions and Answers

Slide 11: Share your ideas / Let us know you're using it!

Bruce Mayhew, webgoat@owasp.org
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://code.google.com/p/webgoat/
