[Owasp-leaders] Web Application Vulnerability Examples

John Wilander john.wilander at owasp.org
Wed Dec 22 09:24:58 EST 2010


2010/12/22 eric sheridan <eric.sheridan at owasp.org>

> I'd be interested in this application as well. We really need a modern
> WebGoat replacement - something using technologies from within the past 5
> years :)
>

Thanks for the interest!

> Is your application 'exercise' based? Open source? Is it at a point where
> you could have contributors?
>

I've been giving appsec training for a couple years so there will definitely
be labs / exercises. Let me try to explain my goals in bullets:

   - *Demo app*. I frequently give appsec talks and always need a demo
   engine. I want to show clickjacking, CSRF and XSS but also nice solutions
   such as AntiSamy, double-submit tokens and X-Frame-Options headers – all in
   a realistic environment with modern tools and frameworks. If the app is
   clearly a *training* environment it doesn't suit my *demo* needs. This is
   a gap I want to fill which is why it's currently called "OWASP Demo App".
   This is also the fit with Psiinon's requirements – stable, known
   vulnerabilities to regression test with.
   - *Training app*. I find WebGoat too much web 1.0, too much "hack, not
   develop", and lacking modern tools and frameworks. My idea is a complete
   standalone app with labs and training through separate instructions (most
   probably standalone html pages). So when you look at the app it looks like
   something useful and nice, not obviously vulnerable or geared towards
   appsec.
   - *Sexy for developers*. I want the app to use sexy stuff such as CSS3
   and good unit testing so when you use it for training there's a goody bag in
   there to interest developers. I've found that discussing exception handling,
   logging strategies, the best mocking framework etc really helps during
   appsec training. It makes developers more confident in you and in the
   importance of application security since it happily lives alongside other
   quality measures.

I will get it set up at GitHub, document some stuff and then email you so
you can check it out. Just remember it's alpha so anything can happen :).

   /John
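As an added illustration of two of the defences named above (double-submit tokens and the X-Frame-Options header) in the Java/JSP servlet stack the demo app uses, here is a single filter; it is not code from the thread or from the demo app, and the class, cookie and parameter names are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the demo app's own code: one servlet filter that sends
// X-Frame-Options on every response and enforces a double-submit CSRF token
// on state-changing requests. Cookie and parameter names are assumptions.
public class DemoDefenceFilter implements Filter {
    static final String TOKEN_COOKIE = "XSRF-TOKEN", TOKEN_PARAM = "_csrf";
    private final SecureRandom rng = new SecureRandom();
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Clickjacking: the browser must never render this page inside a frame.
        res.setHeader("X-Frame-Options", "DENY");
        String cookieToken = readTokenCookie(req);
        if (cookieToken == null) {
            // First visit: mint a random token; the browser sends it back as a cookie.
            cookieToken = new BigInteger(128, rng).toString(16);
            Cookie c = new Cookie(TOKEN_COOKIE, cookieToken);
            c.setPath("/");
            res.addCookie(c);
        }
        // Double submit: the same token must arrive in the cookie and in the form.
        // A cross-site page can make the browser send the cookie but cannot read
        // it, so it cannot supply the matching form copy. Compare in constant time.
        String m = req.getMethod();
        if (!("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m))) {
            String submitted = req.getParameter(TOKEN_PARAM);
            if (submitted == null || !MessageDigest.isEqual(
                    cookieToken.getBytes("UTF-8"), submitted.getBytes("UTF-8"))) {
                res.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token mismatch");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    static String readTokenCookie(HttpServletRequest req) {
        if (req.getCookies() == null) return null;
        for (Cookie c : req.getCookies())
            if (TOKEN_COOKIE.equals(c.getName())) return c.getValue();
        return null;
    }
}
```

Map the filter to `/*` in web.xml and have each form emit the cookie value in a hidden `_csrf` field; a POST arriving without a matching cookie/field pair is what the demo app's "vulnerable" variant would accept and this filter rejects.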


> -Eric
>
>
> On Wed, Dec 22, 2010 at 8:47 AM, psiinon <psiinon at gmail.com> wrote:
>
>> Hi John,
>>
>> That would be great :)
>>
>> Is it available now?
>> I'd be happy to help with the development of it.
>> The examples I've done so far are all JSP based, including some using
>> an in-memory SQL db :)
>> I'd also be very interested in using it for the training courses I run!
>>
>> Many thanks,
>>
>> Psiinon
>>
>> On Wed, Dec 22, 2010 at 1:39 PM, John Wilander <john.wilander at owasp.org>
>> wrote:
>> > Hi Psiinon (and the rest)!
>> >
>> > I've been working on a joint "New Webgoat + OWASP Demo App" to use for
>> both
>> > training and demos. I used it for my two talks at IBWAS last week. Maybe
>> we
>> > could make it the tool you want?
>> > Java/jsp, Struts 2, JAX-RS, Spring, Mockito, JQuery, Maven, Jetty,
>> IntelliJ
>> > CE etc. Next in line are SQL and NOSQL persistence layers.
>> >    /John
>> >
>> > 2010/12/22 psiinon <psiinon at gmail.com>
>> >>
>> >> Hi folks,
>> >>
>> >> As part of the development of the Zed Attack Proxy I need a simple set
>> >> of web pages that exhibit standard vulnerabilities.
>> >> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere,
>> >> Hackme etc.
>> >> However these are aimed at people.
>> >> I want a set of web pages for regression testing ZAP, so I'd like as
>> >> many examples and variants as possible, ideally with just one example
>> >> per page.
>> >>
>> >> Do any of you know of such examples?
>> >>
>> >> If not then I'll implement them myself (I've already made a start),
>> >> but if anyone else wants to get involved then I'd welcome the
>> >> assistance :)
>> >>
>> >> I guess these examples could be useful to other projects.
>> >> In theory such pages could be used to test the effectiveness of
>> >> vulnerability scanners, although my goal is to develop a regression
>> >> test suite for ZAP.
>> >> They could also be used as a training aid. (Not sure what a specific
>> >> vulnerability looks like in practice? Look here...)
>> >> So does anyone think they should be spun off into a new OWASP project,
>> >> either now or potentially later?
>> >>
>> >> Many thanks,
>> >>
>> >> Psiinon
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>> >
>> >
>> > --
>> > John Wilander, https://twitter.com/johnwilander
>> > Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
>> > Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
>> > Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee


-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee