overviewof’web’application’security’and’ setupmaterial(source(! owasp(testing(guide(v3(!...
TRANSCRIPT
Overview of Web Application Security and Setup
¡ Section Overview ¡ Where to get assistance ¡ Assignment #1 ¡ Infrastructure Setup ¡ Web Security Overview ¡ Web Application Evaluation & Testing ¡ Application Security Requirements ¡ Web Application Security Requirements
¡ Material Source § OWASP Testing Guide v3 § WebGoat
¡ Lab Goals § Learn real world skillz § Teach offensive and defensive security § Teach self-‐reliance and communication § Instill collaborative development and teamwork
¡ Developed and published by OWASP ¡ Application security testing guideline ¡ Breaks down testing
¡ Vulnerable web application used to teach web app security
¡ Our use is two-‐fold § Teach yourself how to exploit the vulnerabilities § Projects will require you to report and fix bugs
¡ GoogleGroups § https://groups.google.com/forum/?fromgroups#!forum/comp327-‐spring-‐2013
¡ OWASP Testing Guide § https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
¡ WebGoat Tutorial Videos § http://yehg.net/lab/pr0js/training/webgoat.php
¡ Email TAs
¡ Download project appliances from the site ¡ Setup Bitbucket accounts ¡ Create a private git repo ¡ Link the repo to the one on the VM ¡ Share your repo with the course TAs ¡ Reading Assignment
¡ Download the Virtual Appliances § http://markov.cs.rice.edu/comp327/ § Do it on campus with a wired connection!
¡ OWASP_BWA_Comp327.ova § Contains an instance of WebGoat § Used to test and learn how to exploit the vulnerabilities you will fix.
¡ webgoat_developer.ova § Development environment ▪ Eclipse with Java EE environment ▪ WebGoat source code in a git repo
¡ Download & Install VirtualBox § https://www.virtualbox.org/
¡ Import the Virtual Appliance § In class demo § Google if not in class § Ask questions on the forum if confused
¡ Configuring network for VMs § In class demo § Google if not in class § Ask questions on the forum if confused
¡ Create a Bitbucket Account § https://bitbucket.org/
¡ 1 person in each group needs to do this § Link the git repo on Webgoat_Developer with a new repo in BitBucket
§ Invite your partner to the repo and they will follow similar procedures outlined below
¡ Start the WebGoat_Development VM ¡ Login to the VM
§ User: webgoatdev § Pass: !webgoatdev
¡ Start a Terminal § Click the “Black Screen” in the bar
¡ Type ./eclipse/eclipse in the Terminal ¡ After Eclipse is started
§ Goto: Windows-‐>Open Perspective-‐>Other § Select: Git Repository Exploring
¡ Expand Webgoat [master] ¡ Right click Select: “Create Remote…” ¡ Type or copy in the git repo ¡ Type in the username and password ¡ Click Finish
¡ Right click on the origin under Remotes
¡ Click “Save and Push”
¡ Click on the progress bar in lower left to reveal upload progress
¡ When the push is complete …
¡ Once your Bitbucket repo is synched § Share (invite) the TAs to your repository § Theodore Book (tbook) § Adam Pridgen (apridgen)
¡ How do web applications work?
Source: http://www.simondelliott.com/blog/welcome/architecture-‐for-‐the-‐consumer/
¡ How do attack web attacks work?
Source: http://www.preventia.co.uk/application-‐penetration-‐testing-‐service.php
¡ Basic Vocabulary § Threat, Vulnerability, Risk, Mitigation § Attack vs. Defense § Client vs. Server § Web Proxy § Session Cookie § …
¡ Web Application Security Testing Overview § Manual Inspections & Reviews § Threat Modeling § Source Code Review § Penetration Testing
¡ Manual Inspections & Reviews § Review Technical decisions § Review Architectural designs § Review Security (configuration and coding) policies
§ Review Security requirements
¡ Manual Inspections & Reviews Advantages § Requires no supporting technology § Can be applied to a variety of situations § Flexible § Promotes teamwork § Early in the SDLC
¡ Manual Inspections & Reviews Disadvantages § Can be time consuming § Supporting material not always available § Requires extensive knowledge and experience
¡ Threat Modeling § Decomposing the application § Defining and classifying the assets § Exploring potential vulnerabilities § Exploring potential threats § Creating mitigation strategies
¡ Threat Modeling Advantages § Practical attacker's view of the system § Flexible § Early in the SDLC
¡ Threat Modeling Disadvantages § Extensive knowledge and experience required § Project or business names change over lifecyle
¡ Source Code Review § Evaluate data and control flow of application § Line by line analysis of source code § Read comments and intended functionality
¡ Source Code Review Advantages § Completeness and effectiveness § Potential accuracy § Manual and automated processes
¡ Source Code Review Disadvantages § Requires highly skilled security developers § Can miss issues in third-‐party libraries § Run-‐time errors may go unnoticed § Subtleties and knowledge of the underlying language
¡ Penetration Testing § Black box testing using attack tools § Mostly Develop an understanding based on ▪ Error messages ▪ Client and server technologies
§ Exploit the application ▪ Attempt to compromise users, functionality, and data
¡ Penetration Testing Advantages § Time boxed and scope limited § Tests code and functionality that is exposed
¡ Penetration Testing Disadvantages § Completeness of testing § Latent services or data manipulation and usage § Only tests code and functionality that is exposed
¡ User Management ¡ Authentication ¡ Authorization ¡ Data Confidentiality ¡ Integrity ¡ Accountability ¡ Session Management ¡ Transport Security ¡ Tiered System Segregation (Trust relationships) ¡ Privacy
¡ Web Application Security Testing Framework § Authentication & Access Control § Input Validation & Encoding § Data and Transport Encryption § User and Session Management § Error and Exception Handling § Auditing and Logging
1. OWASP Testing Guide v3, https://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
¡ Authentication & Access Control §
¡ Input Validation & Encoding
¡ Data and Transport Encryption
¡ User and Session Management
¡ Error and Exception Handling
¡ Auditing and Logging