Introduction to OWASP WebGoat and OWTF by Pawel Rzepa
Post on 16-May-2018


About Me

Security Engineer in SoftServe Poland

Currently developing an advanced fuzzing module in Spirent’s Cyberflood

OWASP member (OWASP Poland Chapter in Wroclaw)

Agenda

Problem 1: efficient security training

Solution: WebGoat

Problem 2: efficient management of multiple penetration testing tasks

Solution: Offensive Web Testing Framework

Problem of efficient security training

Security awareness training for developers is quite common, but reality shows it is still ineffective :(

…and XSS allows you to inject such horrifying pop-up windows!!!

Problem of efficient security training

What about…

…arranging internal hands-on labs for developers and testers, where they can deeply understand vulnerabilities by finding and fixing them?

Finally a security training which isn’t an online course to fly through and forget!

An internal course that is free and isn’t corpo-bullshit?! Cannot believe that…

TO THE RESCUE!!!

A deliberately insecure Java-based application, which allows you to test common vulnerabilities,

50+ lessons,

After finding a vulnerability, learn to fix it!

Easily manageable lessons via plugins,

You can create your own lessons without touching the code.

Few words about WebGoat

…or .Net-based: https://www.owasp.org/index.php/WebGoatFor.Net

Only web apps? Hell no!!!

Ruby on Rails: https://www.owasp.org/index.php/OWASP_Rails_Goat_Project

WebGoat PHP: https://www.owasp.org/index.php/WebGoatPHP

Node.js: https://www.owasp.org/index.php/OWASP_Node_js_Goat_Project

Android: https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project

iOS: https://www.owasp.org/index.php/OWASP_iGoat_Project

How to run WebGoat?

Prerequisites: Java VM 1.8

To start just follow these commands:

$> wget https://github.com/WebGoat/WebGoat/releases/download/7.0.1/webgoat-container-7.0.1-war-exec.jar

$> java -jar webgoat-container-7.0.1-war-exec.jar

open in your browser:

http://localhost:8080/WebGoat/

That’s all!

First view

lessons & labs

WebGoat - Creating your own lesson

Plugin = lesson

Plugin is just a folder, which follows this format:

WebGoat - Useful links

Project:

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Documentation:

https://github.com/WebGoat/WebGoat

Problem: how to efficiently manage outputs from many different applications?

Each pentester uses many different applications (vuln scanner, web crawler, SSL/TLS tests, session management tests)

Running each of those tests consumes time, right?

It’s easy to automate those tasks, but analysing the consolidated output is much more difficult :(

And finally you have to form a readable report from all those tests…

…oooh… :(

Typical penetration testing process

<runs a lot of tests>

<which generates lots of output>

<copy/paste interesting parts>

…of course in notepad ;)

(…)

<creates a fancy & readable report>

TO THE RESCUE!!!

OFFENSIVE WEB TESTING FRAMEWORK

OWTF - an idea

The goal of OWTF is to use penetration testing time as efficiently as possible. It’s done by:

Running different tools (Nikto/Arachni/w3af/etc)

Running direct tests (header searches/session tests/etc)

Knowledge repository (OWASP mapping/resource links)

Helping human analysis (flag severity/manage output)

In other words, OWTF provides an optimal balance between automation and human analysis.

OWTF: Installation

Want to quickly start? Follow this one-liner:

$> wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh

OWTF

OWTF - Set a target

OWTF - Choose plugins and run!

sends normal traffic to target

active vulnerability probing

probing services (e.g. FTP/SMB )

assist manual testing

searches on HTTP transactions

test via 3rd parties (no traffic to target)

Testing web apps

Testing network services

OWTF demo…

OWTF - Useful links

Project:

https://www.owasp.org/index.php/OWASP_OWTF

Documentation:

http://docs.owtf.org/en/latest/

Online passive scanner:

https://owtf.github.io/online-passive-scanner/

IRC channel (#owtf on Freenode)

Last but not least…

There are lots of other cool open-source projects, e.g. https://www.owasp.org/index.php/Category:OWASP_Project#tab=Project_Inventory

Don’t miss local initiatives focused on security, like Technology Risk and Information Security or OWASP meetups ;)

Summary

Use OWASP WebGoat to provide efficient security trainings in your company.

Use OWASP OWTF to automate your penetration testing tasks. It lets you analyse test output easily and create reports quickly.

Stay tuned - check out other open-source projects and don’t miss local events!

Thank you

Questions? feedback? [email protected]