[Owasp-leaders] Fwd: OWASP iGoat 2.2 released

Kenneth R. van Wyk ken at krvw.com
Wed Sep 10 21:02:59 UTC 2014

OWASP Leaders,

FYI, OWASP iGoat 2.2 has been released with the addition of an exercise on certificate pinning. Thanks to Jonathan Carter for all his efforts on this!

Further details below.



Begin forwarded message:

> From: "Kenneth R. van Wyk" <ken at krvw.com>
> Subject: OWASP iGoat 2.2 released
> Date: September 10, 2014 at 5:00:48 PM EDT
> To: owasp-igoat-project at lists.owasp.org
> Greetings iGoat users,
> FYI, there's a new OWASP iGoat release available immediately for download via the download page at https://code.google.com/p/owasp-igoat/  
> Release details follow.
> New in 2.2 is a certificate pinning exercise.
> This one was difficult to present in the form of an iGoat exercise. As iGoat users know, the way we present the exercises is with an initially flawed module. In most cases, the user finds a specific flaw in each exercise by exploiting the weakness. Once the problem has been found, the user then goes into the source code and implements a remediation for it, and then verifies the fix works.
> We like this work flow a lot, but it presented a couple of problems for certificate pinning. For one thing, we wanted to stick with the simple Ruby-based server that we already use for a couple exercises. That enables people to run the exercise from within the iPhone Simulator on a Mac via XCode, as the Ruby server runs on the localhost interface only. That said, when an adversary exploits a weakly SSL-validated app, the adversary generally sends the app off to a malicious server by exploiting weaknesses in DNS. Not so easy to simulate on localhost...
> So, we made a couple of compromises to make the exercise seem as realistic as possible. The remediation, on the other hand, is a very real example of how one can implement certificate pinning in an iOS app by re-writing the certificate validation delegate method.
> So check it out and let us know what you think.
> We also have a couple other things planned for iGoat's near-term future. These are highly likely to include the use of some of the excellent work being done by the iMAS team at MITRE. All still open source of course, but there should be some more fun stuff to look at before long in iGoat. We don't have any release dates yet, however.
> Enjoy your iGoating! As always, I welcome feedback from users as well as trainers who have incorporated iGoat into their own courseware. (I use it extensively in my own courseware and would be happy to share lessons learned with anyone interested.)
> Again, thanks to Jonathan Carter for all his hard work on the OWASP iGoat project!
> Cheers,
> Ken
> -----
> Kenneth R. van Wyk
> KRvW Associates, LLC
> http://www.KRvW.com
> Follow us on Twitter at: @KRvW or @KRvW_Associates

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140910/0fc06a52/attachment.pgp>

More information about the OWASP-Leaders mailing list