[Owasp-leaders] Web Application Vulnerability Examples

eric sheridan eric.sheridan at owasp.org
Wed Dec 22 11:25:57 EST 2010


John,

This is great! Let us know when it's up on github. I'd be interested in
integrating OWASP CSRFGuard as a CSRF solution in your Demo App. I'd also be
interested in contributing to the exercises. I don't have the resources to be
a 'primary contributor' but would like to help add a few select pieces to
the overall project.

-Eric

On Wed, Dec 22, 2010 at 9:53 AM, psiinon <psiinon at gmail.com> wrote:

> Hi Stephen,
>
> That was the way I was thinking, although I have no problem with an
> app that can provide both :)
>
> While I understand it's a lot easier faking vulnerabilities sometimes,
> for some reason it just doesn't 'feel right' to me.
> However you can sometimes get away without a back end - I've written
> SQL injection examples in one JSP page which use an in-memory HSQLDB -
> first check to see if the table you need is there, if it isn't then
> create it, etc etc
> So in this case there are no dependencies on any other services running
> and no complicated setup either. Both of which I think are useful.
> Happy to provide the examples to anyone who's interested...
>
> Cheers,
>
> Psiinon
>
>
> On Wed, Dec 22, 2010 at 2:43 PM, Stephen de Vries
> <stephen at twisteddelight.org> wrote:
> >
> > I think this could almost be 2 different projects, one aimed at humans
> > and the other at automated tools.  WebGoat for demo and training as
> > described by John, then another simpler minimal app only for performing
> > regression tests on scanners.  Could even be used as a fit for purpose test
> > for web scanners, where you could develop test cases that typically trip up
> > automated tools but are easy for a human to perform.  No need for a UI or
> > anything fancy, just the bare essentials to see whether the scanner can
> > detect all the variants of known security issues.
> > It probably doesn't even need a database on the backend, it can just fake
> > responses specific to the test.
> >
> >
> > Stephen
> >
> > On Dec 22, 2010, at 3:24 PM, John Wilander wrote:
> >
> >> 2010/12/22 eric sheridan <eric.sheridan at owasp.org>
> >> I'd be interested in this application as well. We really need a modern
> >> WebGoat replacement - something using technologies from within the past 5
> >> years :)
> >>
> >> Thanks for the interest!
> >>
> >> Is your application 'exercise' based? Open source? Is it at a point
> >> where you could have contributors?
> >>
> >> I've been giving appsec training for a couple years so there will
> >> definitely be labs / exercises. Let me try to explain my goals in bullets:
> >>       • Demo app. I frequently give appsec talks and always need a demo
> >> engine. I want to show clickjacking, CSRF and XSS but also nice solutions
> >> such as AntiSamy, double-submit tokens and X-Frame-Options headers – all in
> >> a realistic environment with modern tools and frameworks. If the app is
> >> clearly a training environment it doesn't suit my demo needs. This is a gap
> >> I want to fill which is why it's currently called "OWASP Demo App". This is
> >> also the fit with Psiinon's requirements – stable, known vulnerabilities to
> >> regression test with.
> >>       • Training app. I find WebGoat too much web 1.0, too much "hack,
> >> not develop", and lacking modern tools and frameworks. My idea is a complete
> >> standalone app with labs and training through separate instructions (most
> >> probably standalone html pages). So when you look at the app it looks like
> >> something useful and nice, not obviously vulnerable or geared towards
> >> appsec.
> >>       • Sexy for developers. I want the app to use sexy stuff such as
> >> CSS3 and good unit testing so when you use it for training there's a goody
> >> bag in there to interest developers. I've found that discussing exception
> >> handling, logging strategies, the best mocking framework etc really helps
> >> during appsec training. It makes developers more confident in you and in the
> >> importance of application security since it happily lives alongside other
> >> quality measures.
> >> I will get it set up at GitHub, document some stuff and then email you
> >> so you can check it out. Just remember it's alpha so anything can happen :).
> >>
> >>    /John
> >>
> >>
> >> -Eric
> >>
> >>
> >> On Wed, Dec 22, 2010 at 8:47 AM, psiinon <psiinon at gmail.com> wrote:
> >> Hi John,
> >>
> >> That would be great :)
> >>
> >> Is it available now?
> >> I'd be happy to help with the development of it.
> >> The examples I've done so far are all JSP based, including some using
> >> an in-memory SQL db :)
> >> I'd also be very interested in using it for the training courses I run!
> >>
> >> Many thanks,
> >>
> >> Psiinon
> >>
> >> On Wed, Dec 22, 2010 at 1:39 PM, John Wilander <john.wilander at owasp.org> wrote:
> >> > Hi Psiinon (and the rest)!
> >> >
> >> > I've been working on a joint "New Webgoat + OWASP Demo App" to use for both
> >> > training and demos. I used it for my two talks at IBWAS last week. Maybe we
> >> > could make it the tool you want?
> >> > Java/jsp, Struts 2, JAX-RS, Spring, Mockito, JQuery, Maven, Jetty, IntelliJ
> >> > CE etc. Next in line are SQL and NOSQL persistence layers.
> >> >    /John
> >> >
> >> > 2010/12/22 psiinon <psiinon at gmail.com>
> >> >>
> >> >> Hi folks,
> >> >>
> >> >> As part of the development of the Zed Attack Proxy I need a simple
> set
> >> >> of web pages that exhibit standard vulnerabilities.
> >> >> I know about the example vulnerable apps like Webgoat, DVWA, Gruyere,
> >> >> Hackme etc.
> >> >> However these are aimed at people.
> >> >> I want a set of web pages for regression testing ZAP, so I'd like as
> >> >> many examples and variants as possible, ideally with just one example
> >> >> per page.
> >> >>
> >> >> Do any of you know of such examples?
> >> >>
> >> >> If not then I'll implement them myself (I've already made a start),
> >> >> but if anyone else wants to get involved then I'd welcome the
> >> >> assistance :)
> >> >>
> >> >> I guess these examples could be useful to other projects.
> >> >> In theory such pages could be used to test the effectiveness of
> >> >> vulnerability scanners, although my goal is to develop a regression
> >> >> test suite for ZAP.
> >> >> They could also be used as a training aid. (Not sure what a specific
> >> >> vulnerability looks like in practice? Look here...)
> >> >> So does anyone think they should be spun off into a new OWASP project,
> >> >> either now or potentially later?
> >> >>
> >> >> Many thanks,
> >> >>
> >> >> Psiinon
> >> >> _______________________________________________
> >> >> OWASP-Leaders mailing list
> >> >> OWASP-Leaders at lists.owasp.org
> >> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >> >
> >> >
> >> >
> >> > --
> >> > John Wilander, https://twitter.com/johnwilander
> >> > Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
> >> > Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011
> >> > Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee
> >> >
> >> >
> >> >
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
>
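Psiinon's message above describes the shape of a self-contained SQL injection regression page: an in-memory HSQLDB database, a check for the table on each request, and table creation on first use, so the page needs no external services or setup. The following is an added example of that pattern, written for this thread and not taken from ZAP, from John's demo app or from Psiinon's JSP pages. It is plain Java rather than a JSP so it can be compiled and run on its own, with a command-line argument standing in for the request parameter; it assumes the HSQLDB 2.x driver jar is on the classpath, and the `users` table, its columns and the seeded rows are constructed for the example. It pairs the deliberately vulnerable query (the "known vulnerability" a scanner regression test needs) with the parameterised fix, which is the kind of side-by-side "problem and nice solution" John wants for demos.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Self-contained SQL injection demo in the style described in the thread:
 * in-memory HSQLDB, table created on first use, no external services.
 * Added example; not code from ZAP, WebGoat or the OWASP Demo App.
 * Assumes hsqldb.jar (2.x) on the classpath.
 */
public class SelfContainedSqliDemo {

    // "mem:" database lives only inside this JVM, so every run starts clean.
    private static final String JDBC_URL = "jdbc:hsqldb:mem:demo";

    static Connection connect() throws SQLException {
        // SA with an empty password is HSQLDB's default administrative account.
        return DriverManager.getConnection(JDBC_URL, "SA", "");
    }

    /** Check whether the table exists via JDBC metadata; create and seed it if not. */
    static void ensureUsersTable(Connection con) throws SQLException {
        DatabaseMetaData md = con.getMetaData();
        // HSQLDB stores unquoted identifiers in upper case, so look up "USERS".
        try (ResultSet rs = md.getTables(null, null, "USERS", new String[] {"TABLE"})) {
            if (rs.next()) {
                return; // table already present from an earlier request
            }
        }
        try (Statement st = con.createStatement()) {
            // Constructed sample schema and rows for the example.
            st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(50), email VARCHAR(100))");
            st.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.test')");
            st.execute("INSERT INTO users VALUES (2, 'bob', 'bob@example.test')");
        }
    }

    /**
     * Deliberately vulnerable variant: untrusted input is concatenated into the
     * SQL text, so the input can change the structure of the query. This is the
     * behaviour a scanner regression page exists to exhibit.
     */
    static String lookupVulnerable(Connection con, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = '" + name + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /**
     * Fixed variant: same query with a bound parameter. The input is sent as a
     * value, never as SQL, so it cannot alter the query.
     */
    static String lookupSafe(Connection con, String name) throws SQLException {
        String sql = "SELECT email FROM users WHERE name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Stand-in for request.getParameter("name") in a JSP version of this page.
        String name = args.length > 0 ? args[0] : "alice";
        try (Connection con = connect()) {
            ensureUsersTable(con);
            System.out.println("vulnerable lookup: " + lookupVulnerable(con, name));
            System.out.println("safe lookup:       " + lookupSafe(con, name));
        }
    }
}
```

Compile and run with `javac SelfContainedSqliDemo.java && java -cp .:hsqldb.jar SelfContainedSqliDemo alice`. The existence check goes through `DatabaseMetaData.getTables` rather than `CREATE TABLE IF NOT EXISTS` because the former works on any HSQLDB 2.x release and matches the "check first, then create" flow described in the thread. In a one-page-per-vulnerability regression suite, each page would keep only one of the two lookup methods so that a scanner's pass or fail is unambiguous.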