• flickr
  • twitter
  • facebook
  • delicious
  • Google Buzz

FOSDEM 2008: About OWASP

by Christian Scholz on February 25, 2008

Rogan Dawes talked about the OWASP project. OWASP stands for “Open Web Application Security Project” and is a non-profit organization dedicated to “enabling organizations to develop, purchase, and maintain application that can be trusted” (cites from the website).

One important publication is the “OWASP Guide to Building Secure Web Applications” with examples in various programming languages.

OWASP Local Chapters

  • Encourage local discussion of application security around the world
  • Free and open to anyone
  • Meet monthly or quarterly

OWASP Conferences

Historically 2 annually (USA and Europe)

This year 3 (Australia (next week), Brussels in May, New York in October)

OWASP <Season> of Code

  • Modeled after Google’s Summer of Code
  • Encourages existing (and new) participants to work on OWASP projects
  • So far, “Autumn of Code”, “Spring of Code”
  • Examples: OWASP Testing Guide, OWASP Anti-Samy project (inspired by the myspace-Incident), OWASP WebGoat Solutions guide
  • More than $100,000 paid out

So what’s the problem again?

  • Many organizations simply trust their developers to produce secure code. Or they even don’t think about it at all.
  • In many cases, that trust is misplaced (search engines are part of the problem. Reason for this is because you google for examples of how to code something and copy it over. And you might not choose the complicated solution because there is a simpler looking around which might lack security though. Security is not usually mentioned and thus awareness is lacking.)
  • Lack of awareness of the problem is part of the problem.

How can this be fixed?

  • Education (Documentation, Training (WebGoat))
  • Code review
  • Penetration testing (WebScarab)

OWASP WebScarab

  • He worked on it from 2003 onwards.
  • Flagship OWASP tools
  • Written in Java, thus cross platform
  • Key features: Direct access tp te underlying HTTP protocol, Intercepting proxy (including SSL), Session history, Spider, Fuzzer (tries various input variations and checks what comes back from the server), WebServices, Scripting (BSF)
  • Drawbacks: Clunky, Memory Leaks

WebScarabNG

  • better User Interface
  • Proxy Toolbar (switch intercepting on/off) always on top
  • Different views of the same data now consistent
  • New ContentType editors
  • Dockable Views

under the hood:

  • Using proper DB (HSQLDB) to store history
  • Using Spring Framework (DB, internal wiring)
  • Fewer leaks – hopefully

Demo time!

What he demoed was WebGoat, a Java based set of web application which are aimed at people who want to learn about the various vulnerabilities. It is divided in lessons which tell you about XSS attacks, SQL injection and all the other things. WebGoat provides example applications with security flaws which you then have to exploit. They created this because testing these things on other people’s server can bring you all sorts of troubles (he gave an example of some guy who wanted to donate money and tested the site before if his credit card number is also securely stored. He was happy that he did not find any security flaws and provided his name and CC number. Unfortunately his tests triggered some alerts in the system and he was then convicted).

Rowan showed us many of the applications and also how you can use the proxy provided by WebScarab to interject the requests. Basically you then have a chance to change the data posted before it’s really posted to the server. This makes it easy to circumvent Javascript validation, put SQL injection in there and much more.

Everybody interested should have a look at WebGoat and WebScarab themselves.

He also noted that WebScarab-NG does not yet have all the modules available which the classic version does have but that they are ported one after another (or re-implemented).

Definitely an interesting talk and these tools seem rather good. Everybody doing web development should probably have a look at the guide and those tools esp. if you use web frameworks and basically have to build all of your forms etc. yourself. Some attacks are prevented already by the framework (e.g. SQL injection) but some others might not. Of course the same is true for people implementing such frameworks.

Technorati Tags: , , , , , , ,

3 comments

That's exactly why I (with assistance from others) wrote:
http://plone.org/about/security/overview/security

That's an overview of how Plone addresses each item in OWASP's top ten list. The list changes gradually now and then, so there might be new things on the list by now, but it was current as of mid-2007.

by Alexander Limi on 25.2.2008 at 04:47. #

I guess I missed this page back then but that's good to know (all I knew is that we had relatively few incidents but good to have numbers). Definitely also good marketing material.

by Christian Scholz on 25.2.2008 at 05:56. #

Very cool! Thanks for doing this.

I'm glad you enjoyed the talk.

by Rogan Dawes on 25.2.2008 at 11:26. #