Copyright © 2004 - The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP (Hong Kong Chapter)
(The Open Web Application Security Project)
WebGoat & WebScarab
James Tsao
OWASP Exco member and Program
[email protected]
Gary Kung, SCBCD, SCWCD, SCWS, OCP
OWASP Exco member and Program Committee
[email protected]
Developer’s Viewpoint
Disconcerting and worrying – web apps seem so easy to break!
Fortunately – there are ways to combat them ☺
Developer’s Best Friends
Know your HTTP
Become familiar with methods of exploits (e.g. come to OWASP seminars)
Tools to help you debug and test against vulnerabilities
Know Your HTTP
Browser / HTML based apps
WAP / WML based apps
iMode / cHTML based apps
Web Services
WebScarab
OWASP Project
HTTP and HTTPS analyzer (proxy)
Developer’s debug tool, Security Specialist’s vulnerability inspection tool
Use it with the right intentions!
http://www.owasp.org/software/webscarab.html
Plugins
Proxying
Manual Intercept
Reveal Hidden Fields (create example)
Spider
… many more
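Added example (not from the slides or from WebScarab itself) of what the Reveal Hidden Fields plugin surfaces and why it matters to the developer: the hidden inputs a proxy exposes are fully under the client's control, so a server-side handler must look prices up itself rather than trust the submitted value. The form, the catalogue and both handler functions are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample checkout form, in the style of a WebGoat lesson page.
SAMPLE_FORM = """
<form action="/checkout" method="POST">
  <input type="hidden" name="item" value="WebGoat-T-shirt">
  <input type="hidden" name="price" value="49.99">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""


class HiddenFieldFinder(HTMLParser):
    """Collects every <input type="hidden"> name/value pair in a page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def reveal_hidden_fields(html):
    """What the proxy plugin shows: fields the browser hides but the client controls."""
    parser = HiddenFieldFinder()
    parser.feed(html)
    return parser.hidden


# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"WebGoat-T-shirt": 49.99}


def total_trusting_client(form):
    """Vulnerable pattern: the price is read straight from the submitted form."""
    return float(form["price"]) * int(form["qty"])


def total_from_catalogue(form):
    """Hardened pattern: price comes from the catalogue; the hidden field is ignored."""
    item = form["item"]
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form["qty"])
    if qty < 1:
        raise ValueError("quantity must be at least 1")
    return round(CATALOGUE[item] * qty, 2)
```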
WebScarab
Standalone mode: download and execute using java -jar
WebGoat
OWASP Project
http://www.owasp.org/software/webgoat.html
Fully featured Java Web Application (Tomcat)
Useful ‘toy’ for you to learn with, and to exploit (safe in the sense that no one will sue you for hacking it ☺)
Tutorial style – lesson by lesson.
Break the Challenge!
WebGoat from OWASP (www.owasp.org)
Good Design is Worth it!
Ease development of combative measures
Enterprise Developer vs Hobbyist Developer
Apply sound software design patterns
Don’t reinvent the wheel - use popular application frameworks!
Don’t get distracted by the ‘quick & dirty’ way to code production apps; they will come back and haunt you (and your bosses).