
Posted 06-Apr-2018

TRANSCRIPT

Page 1:

OWASP (Hong Kong Chapter)
(The Open Web Application Security Project)

WebGoat & WebScarab

James Tsao
OWASP Exco member and Program Committee
[email protected]

Gary Kung, SCBCD, SCWCD, SCWS, OCP
OWASP Exco member and Program Committee
Gary.kung@gmail.com

The OWASP Foundation
http://www.owasp.org

Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

Page 2:

Developer’s Viewpoint

Disconcerting and worrying – web apps seem so easy to break!
Fortunately – there are ways to combat them ☺

Developer’s Best Friends

Know your HTTP
Become familiar with methods of exploits (e.g. come to an OWASP seminar)
Tools to help you debug and test against vulnerabilities

Page 3:

Know Your HTTP

Browser / HTML based apps
WAP / WML based apps
iMode / cHTML based apps
Web Services

Page 4:

WebScarab

OWASP Project
HTTP and HTTPS analyzer (proxy)
Developer’s debug tool, Security Specialist vulnerability inspection tool
Use it with the right intentions!
http://www.owasp.org/software/webscarab.html

Page 5:

Plugins

Proxying
Manual Intercept
Reveal Hidden Fields (create example)
Spider
… many more
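The "Reveal Hidden Fields" plugin illustrates a point the slides only hint at: a hidden form field passes through the proxy like any other parameter, so the server must never treat it as trustworthy. The following is an added example, not code from the slides or from WebScarab, contrasting a handler that trusts a hidden price field with one that ignores it and looks the price up server-side, plus a small check that flags requests whose hidden field disagrees with the catalogue. The field names, the catalogue and the two request bodies are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed server-side price list: the only authoritative source of prices.
CATALOGUE = {"widget": 100, "gadget": 250}


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def total_trusting_hidden_field(body: str) -> int:
    """Vulnerable: takes the price from the hidden 'price' field the browser sent.
    Anyone running the request through a proxy can edit that field before it
    reaches the server, so the total is whatever the client chose."""
    form = parse_form(body)
    qty = int(form["qty"])
    price = int(form["price"])  # client-controlled value
    return qty * price


def total_server_side(body: str) -> int:
    """Hardened: the hidden field is ignored. The price comes from the server
    catalogue and the quantity is range-checked instead of being trusted."""
    form = parse_form(body)
    item = form.get("item", "")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 99:
        raise ValueError("quantity out of range")
    return qty * CATALOGUE[item]


def tampered_field_detected(body: str) -> bool:
    """Detection aid: True when the hidden price disagrees with the catalogue.
    Logging such mismatches shows when a client has edited a hidden field."""
    form = parse_form(body)
    item = form.get("item", "")
    return item in CATALOGUE and form.get("price") != str(CATALOGUE[item])


# Constructed request bodies: what the browser submits, and the same request
# after the hidden price has been changed in an intercepting proxy.
ORIGINAL_BODY = "item=widget&qty=2&price=100"
TAMPERED_BODY = "item=widget&qty=2&price=1"

if __name__ == "__main__":
    for body in (ORIGINAL_BODY, TAMPERED_BODY):
        print(body,
              "trusting:", total_trusting_hidden_field(body),
              "server-side:", total_server_side(body),
              "tampered:", tampered_field_detected(body))
```

Run as a script it prints the two totals for each body: the trusting handler's total drops from 200 to 2 when the hidden field is edited, while the server-side handler returns 200 in both cases and the mismatch check reports the edited request. The same pattern applies to any value a page carries in a hidden field (user id, role, discount, record key): keep the authoritative copy in the session or database and treat the submitted field at most as an input to validate.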

Page 6:

WebScarab

Standalone mode: download and execute using java -jar

Page 7:

WebGoat

OWASP Project
http://www.owasp.org/software/webgoat.html
Fully featured Java Web Application (Tomcat)
Useful ‘toy’ for you to learn, and exploit (safe in the fact that no one will sue you for hacking ☺)
Tutorial style – lesson by lesson.
Break the Challenge!

Page 8:

WebGoat from OWASP (www.owasp.org)

Page 9:

Good Design is Worth it!

Ease development of combative measures
Enterprise Developer vs Hobbyist Developer
Apply sound software design patterns
Don’t reinvent the wheel - use popular application frameworks!
Don’t get distracted by the ‘quick & dirty’ way to code production apps; they will come back and haunt you (and your bosses).