OWASP Lab Projects Overview • Ahmed Saafan, Software Security and Data Protection Consultant • 12/4/2014
Agenda • Introduction to OWASP Projects’ Process • Tools Projects Walk-through • Documentation Projects Walk-through • Demos
Introduction • What Falls Under OWASP Labs • Significant-value code has been committed • Not production-ready • Can remain in Labs indefinitely • Tagged inactive after 6 months
Introduction • Benefits of Being a Labs Project • Promotion support • Priority over Incubator projects for resources • Travel funding
Introduction • Project Review Process • Review by a technical committee • Feedback every 6 months on health, quality and usability • Graduation
Introduction • Types of Projects • Tools • Documentation
Projects: Tools • OWASP DoS HTTP POST • Layer 7 (application-layer) resource-depletion attack • Opens many connections and sends large POST bodies very slowly, so each one holds a server worker slot for as long as the body is still "in progress" • Only about 20k such POSTs are needed to take down an 8-core, 16 GB RAM web server • Demo
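The defensive counterpart to the slide above is recognising the slow-POST pattern on the server side: a request that announced a large Content-Length but delivers it at a trickle, long after it was opened. The following is an added example written for this page, not code from the OWASP DoS HTTP POST tool; the snapshot format, field names and thresholds are assumptions, and the in-flight records are constructed.

```python
"""Spotting slow HTTP POST connections from a snapshot of in-flight requests.
Example code added for this page; field names and thresholds are assumptions."""
from dataclasses import dataclass


@dataclass
class InFlight:
    src_ip: str
    method: str
    declared_len: int   # Content-Length the client announced
    received: int       # body bytes actually received so far
    open_secs: float    # seconds since the request headers arrived


def is_slow_post(req, min_len=10_000, min_age=30.0, max_rate=100.0):
    """True when a POST announced a large body but delivers it far too slowly.

    min_len  - ignore small bodies (a stuck form post is not a resource sink)
    min_age  - give young requests time; a fresh request cannot be judged yet
    max_rate - bytes/second below which the body is considered trickled
    """
    if req.method != "POST" or req.declared_len < min_len:
        return False
    if req.open_secs < min_age:
        return False
    return req.received / req.open_secs < max_rate


def suspects_by_source(snapshot, **kw):
    """Count suspected slow POSTs per source address (the key you would rate-limit or block on)."""
    counts = {}
    for r in snapshot:
        if is_slow_post(r, **kw):
            counts[r.src_ip] = counts.get(r.src_ip, 0) + 1
    return counts


def slots_held(snapshot, worker_slots, **kw):
    """Fraction of the server's worker slots tied up by suspected slow POSTs."""
    held = sum(1 for r in snapshot if is_slow_post(r, **kw))
    return held / worker_slots


# Constructed snapshot: three trickling POSTs from one source, one legitimate
# large upload, one GET, and one POST too young to judge.
SNAPSHOT = [
    InFlight("198.51.100.7", "POST", 1_000_000, 60, 120.0),
    InFlight("198.51.100.7", "POST", 1_000_000, 55, 118.0),
    InFlight("198.51.100.7", "POST", 1_000_000, 61, 121.0),
    InFlight("203.0.113.5", "POST", 5_000_000, 4_200_000, 40.0),
    InFlight("203.0.113.9", "GET", 0, 0, 2.0),
    InFlight("198.51.100.8", "POST", 1_000_000, 3, 5.0),
]

if __name__ == "__main__":
    print(suspects_by_source(SNAPSHOT))   # {'198.51.100.7': 3}
    print(slots_held(SNAPSHOT, 10))       # 0.3
```

The same three thresholds are what a request-body timeout does in the server itself (Apache's mod_reqtimeout and nginx's client_body_timeout both exist for this): a minimum receive rate after a grace period. The min_age guard matters because a genuine upload on a slow link looks identical for its first few seconds.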
Projects: Tools • OWASP EnDe • Advanced encoding / decoding • Obfuscation and reversing of encoded payloads • Demo
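Much of what a tool like EnDe is used for during a test is peeling several encodings off one suspicious string until something readable appears. The block below is an added example written for this page, not EnDe's own code; it shows a "decode until nothing applies" loop over URL, HTML-entity, hex and Base64 layers, recording which layer was removed at each step. The sample strings are constructed.

```python
"""Peel layered encodings off a suspicious string and report the layers found.
Example code added for this page, not EnDe's own code."""
import base64
import binascii
import html
import re
from urllib.parse import unquote


def _try_url(s):
    if "%" not in s:
        return None
    out = unquote(s)
    return out if out != s else None


def _try_html(s):
    if "&" not in s:
        return None
    out = html.unescape(s)
    return out if out != s else None


def _try_hex(s):
    # Even-length hex that decodes to valid UTF-8; very short strings are
    # skipped because plain words like "face" are also valid hex.
    if len(s) < 6 or not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
        return None
    try:
        return bytes.fromhex(s).decode("utf-8")
    except UnicodeDecodeError:
        return None


def _try_b64(s):
    if len(s) < 8 or len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Order matters: the cheap, unambiguous transforms go first.
DECODERS = [("url", _try_url), ("html", _try_html), ("hex", _try_hex), ("base64", _try_b64)]


def peel(s, max_layers=8):
    """Return (plaintext, [layer names, outermost first]); stop when no decoder applies."""
    layers = []
    for _ in range(max_layers):
        for name, fn in DECODERS:
            out = fn(s)
            if out is not None:
                layers.append(name)
                s = out
                break
        else:
            break
    return s, layers


# Constructed samples: the same XSS probe wrapped three different ways.
SAMPLES = {
    "url+base64": "PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg%3D%3D",
    "html": "&lt;script&gt;alert(1)&lt;/script&gt;",
    "hex": "3c7363726970743e616c6572742831293c2f7363726970743e",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", peel(value))
```

The hex and Base64 detectors are heuristics: an 8-letter password or a short hex-looking word can satisfy the alphabet check, so the loop only accepts a layer when the result decodes as valid UTF-8, and it caps the number of layers so a string that keeps "decoding" into noise cannot loop forever.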
Projects: Tools • OWASP CSRFTester • Test for CSRF by replaying a recorded request from a page the victim did not intend to visit • Create CSRF payloads • Auto-posting JavaScript (the generated page submits the forged form as soon as it loads) • Demo
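The two halves of a CSRF test are the auto-submitting proof-of-concept page the slide mentions and the server-side check that should make it fail. The following is an added example written for this page, not CSRFTester's own code: a generator for the auto-post page built from a captured request, beside a synchronizer-token check with an Origin comparison. The transfer endpoint, parameters and hostnames are constructed.

```python
"""Auto-submitting CSRF proof-of-concept page, and the token check that defeats it.
Example code added for this page, not CSRFTester's own code."""
import hmac
import secrets
from html import escape


def csrf_autopost_html(action, params, method="POST"):
    """Build a page that re-sends a captured request the moment it loads."""
    fields = "\n".join(
        f'    <input type="hidden" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}">'
        for k, v in params.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="{method}" action="{escape(action, quote=True)}">\n'
        f"{fields}\n"
        "  </form>\n"
        "</body></html>"
    )


def new_csrf_token():
    """Per-session secret, kept server side and embedded in every state-changing form."""
    return secrets.token_urlsafe(32)


def csrf_request_allowed(session_token, submitted_token, origin, allowed_origins):
    """Accept a state-changing request only if the submitted token matches the
    session's token (constant-time compare) and the Origin, when the browser
    sent one, is ours. A cross-site auto-post has no token and a foreign Origin."""
    if origin is not None and origin not in allowed_origins:
        return False
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


# Constructed captured request: a funds transfer that carries no token at all.
CAPTURED = {"to": "attacker", "amount": "1000"}
POC = csrf_autopost_html("https://bank.example/transfer", CAPTURED)

if __name__ == "__main__":
    print(POC)
```

If the application accepts the POC's request, the endpoint is vulnerable; with the token check in place the forged form fails because the attacker's page cannot read the victim's session token, and a foreign Origin is rejected before the token is even compared. SameSite cookies add a second, independent layer but do not replace the token.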
Projects: Tools • YASCA • Yet Another Source Code Analyzer • Orchestrates open-source engines: FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, FxCop, RATS, etc. • .NET, Java, Python and PHP • Good for automation and for finding the low-hanging fruit
Projects: Tools • OWASP Mantra • A bundle of security-oriented browser extensions • Firefox-based, with a Chromium-based build also available • Demo
Projects: Tools • O2 Platform • Security-review and knowledge-base platform • SDLC workflow support • Visual Studio integration
Projects: Tools • OWASP Broken Web Applications • A collection of deliberately vulnerable web apps • Basic, advanced and realistic sections • Distributed as a VMware image • Demo
Projects: Tools • OWASP Hackademic Challenges • Basic web-attack challenges • Sep 2011 • Demo
Projects: Tools • Mutillidae • A deliberately vulnerable web application • Covers the OWASP Top 10 flaws • Vicnum • A vulnerable web application • Used for games and for educating minors
Projects: Tools • OWASP CTF • The actual CTF engine used at OWASP events • Challenge code is not open (obviously!) • Old, unused challenges are opened up regularly
Projects: Documentation • OWASP AppSec Tutorial Series • Video tutorials • Basic concepts (XSS, SQLi, HSTS, ...) • Ongoing effort with lots still to do
Projects: Documentation • OWASP AppSensor • Conceptual framework and methodology for detecting and responding to attacks from inside the application • Attack detection points and response actions • Demo
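The AppSensor idea in the slide is that application code reports detection-point events, and thresholds over a time window drive escalating responses for that user. The block below is an added example written for this page, not the AppSensor project's own code. The two detection-point IDs follow AppSensor's naming as I recall it (AE2 for multiple failed passwords, IE1 for a cross-site scripting attempt) and should be checked against the current guide; the thresholds, window length and response names are assumptions, and the event stream is constructed.

```python
"""Minimal AppSensor-style detection/response loop. Example code added for
this page, not AppSensor's; IDs, thresholds and responses are assumptions."""
from collections import defaultdict

DETECTION_POINTS = {
    "AE2": "Multiple failed passwords",
    "IE1": "Cross-site scripting attempt",
}

# Per detection point: (events within WINDOW, response fired when the count reaches it)
POLICY = {
    "AE2": [(3, "warn_user"), (6, "logout"), (10, "lock_account")],
    "IE1": [(1, "log"), (3, "logout"), (5, "lock_account")],
}
WINDOW = 300.0  # seconds


class AppSensor:
    def __init__(self, policy=POLICY, window=WINDOW):
        self.policy = policy
        self.window = window
        self.events = defaultdict(list)   # (user, dp) -> timestamps inside the window
        self.responses = []               # (ts, user, dp, action) audit trail
        self.locked = set()

    def add_event(self, user, dp, ts):
        """Record one detection-point hit; return the response it triggers, if any."""
        if dp not in self.policy:
            raise ValueError(f"unknown detection point {dp}")
        key = (user, dp)
        recent = [t for t in self.events[key] if ts - t <= self.window]
        recent.append(ts)
        self.events[key] = recent
        # Fire only when a threshold is crossed exactly, so a response is not repeated.
        action = dict(self.policy[dp]).get(len(recent))
        if action is not None:
            self.responses.append((ts, user, dp, action))
            if action == "lock_account":
                self.locked.add(user)
        return action

    def is_locked(self, user):
        return user in self.locked


def replay(sensor, events):
    """Feed (ts, user, dp) tuples in order; return the responses that fired."""
    fired = []
    for ts, user, dp in events:
        action = sensor.add_event(user, dp, ts)
        if action:
            fired.append((ts, user, dp, action))
    return fired


# Constructed stream: bob fails 6 passwords in a row, eve sends one XSS probe,
# carol fails 3 logins spread far beyond the window (never correlated).
STREAM = [(t, "bob", "AE2") for t in range(6)]
STREAM += [(2.0, "eve", "IE1")]
STREAM += [(0.0, "carol", "AE2"), (400.0, "carol", "AE2"), (800.0, "carol", "AE2")]

if __name__ == "__main__":
    for row in replay(AppSensor(), STREAM):
        print(row)
```

The sliding window is what separates an attack from ordinary clumsiness: carol's three failures never coincide, so no response fires, while bob's six in six seconds escalate from a warning to a forced logout. Response actions in a real deployment would call into the session and account layers; here they are only recorded.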
Projects: Documentation • OWASP Legal • Legal documentation framework • Security in software contracts • Terminology and definitions
Projects: Documentation • OWASP Virtual Patching Guide • Best practices for virtual patching (blocking the exploit of a known flaw at a WAF or proxy while the real code fix is pending) • Types, definitions and justification
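The "types" the guide distinguishes are positive-security rules (whitelist the legitimate input for the vulnerable parameter) and negative-security rules (signatures for known attack strings). The block below is an added example written for this page, not the guide's own material: a request filter that applies one rule of each type, checking the whitelist first. The endpoint, parameter names and signatures are constructed for illustration.

```python
"""A virtual patch of both types: a positive (whitelist) rule for one known
vulnerable parameter and coarse negative (signature) rules as the fallback.
Example code added for this page; endpoint and patterns are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Positive rule: until the code fix ships, /article?id= accepts only an integer.
POSITIVE_RULES = {
    ("/article", "id"): re.compile(r"\A[0-9]{1,10}\Z"),
}

# Negative rules: SQL-injection signatures for parameters that have no whitelist.
NEGATIVE_RULES = [
    re.compile(r"(?i)\bunion\b.+\bselect\b"),
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),
    re.compile(r"--|/\*|;\s*drop\b", re.I),
]


def virtual_patch(method, url, body=None):
    """Return (allowed, reason). Whitelist rules are checked first because a
    miss there is a definite violation; signatures are the weaker fallback."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in (body or {}).items():
        params.setdefault(name, []).extend(values)

    for (path, name), pattern in POSITIVE_RULES.items():
        if parts.path == path and name in params:
            for value in params[name]:
                if not pattern.match(value):
                    return False, f"positive rule: {path} {name}={value!r} is not an integer"

    for name, values in params.items():
        if (parts.path, name) in POSITIVE_RULES:
            continue  # already validated against its whitelist
        for value in values:
            for sig in NEGATIVE_RULES:
                if sig.search(value):
                    return False, f"negative rule: {sig.pattern!r} matched in {name}"
    return True, "ok"


if __name__ == "__main__":
    for req in [("GET", "/article?id=42"), ("GET", "/article?id=42'+OR+1=1--"),
                ("GET", "/search?q=x' UNION SELECT password FROM users--")]:
        print(req[1], "->", virtual_patch(*req))
```

The justification the guide gives for preferring the positive rule shows up directly in the signatures: a query like /search?q=well--done is blocked by the "--" pattern even though it is harmless, and an encoding the signature author did not anticipate slips past, whereas "id must be an integer" has neither problem. Virtual patches are a bridge, not a fix; the rule should be retired when the code change is deployed.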
Question: What is the name of the browser extension that analyzes web applications to detect frameworks, plugins and versions?
Questions? Thank you