James Tsao OWASP Exco member and Program …Gary Kung, SCBCD, SCWCD, SCWS, OCP OWASP Exco member and...
Copyright © 2004 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP (Hong Kong Chapter)
(The Open Web Application Security Project)
WebGoat & WebScarab
James Tsao, OWASP Exco member and Program [email protected]
Gary Kung, SCBCD, SCWCD, SCWS, OCP, OWASP Exco member and Program Committee, [email protected]
Developer’s Viewpoint
Disconcerting and worrying – web apps seem so easy to break!
Fortunately – there are ways to combat them ☺
Developer’s Best Friends
Know your HTTP
Become familiar with methods of exploits (e.g. come to an OWASP seminar)
Tools to help you debug and test against vulnerabilities
Know Your HTTP
Browser / HTML based apps
WAP / WML based apps
iMode / cHTML based apps
Web Services
WebScarab
OWASP Project
HTTP and HTTPS analyzer (proxy)
Developer’s debug tool, Security Specialist vulnerability inspection tool
Use it with the right intentions!
http://www.owasp.org/software/webscarab.html
Plugins
Proxying
Manual Intercept
Reveal Hidden Fields (create example)
Spider
… many more
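The "Reveal Hidden Fields" plugin listed above is the point to make concrete. The following is an added example, not code from the slides or from WebScarab/WebGoat themselves: it lists the hidden fields a rendered form carries (what the plugin exposes for editing in the browser) and contrasts a checkout handler that trusts the posted price with one that ignores it and looks the price up server-side. The form, the catalogue and all function names are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample: the kind of checkout form a server might render.
SAMPLE_FORM = """
<form method="POST" action="/checkout">
  <input type="hidden" name="item" value="widget">
  <input type="hidden" name="price" value="19.99">
  <input type="text" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

# Constructed server-side catalogue: the only authoritative source of prices.
CATALOGUE = {"widget": 19.99, "gadget": 49.00}


class HiddenFieldFinder(HTMLParser):
    """Collects hidden <input> fields: exactly what the proxy plugin reveals
    (and what a user can then edit before the form is submitted)."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def hidden_fields(html):
    """Return {name: value} for every hidden field in a rendered page."""
    finder = HiddenFieldFinder()
    finder.feed(html)
    return finder.hidden


def checkout_trusting_client(body):
    """Vulnerable handler: totals the order with the price the browser sent back."""
    form = parse_qs(body)
    return float(form["price"][0]) * int(form["qty"][0])


def checkout_server_side(body):
    """Hardened handler: the posted price is ignored; the catalogue decides."""
    form = parse_qs(body)
    item, qty = form["item"][0], int(form["qty"][0])
    if item not in CATALOGUE or qty < 1:
        raise ValueError("rejected: unknown item or bad quantity")
    return round(CATALOGUE[item] * qty, 2)
```

Run `hidden_fields` over your own rendered pages to see which hidden fields carry state the server must re-derive; the two handlers show the difference on an identical posted body.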
WebScarab
Standalone mode: download and execute using `java -jar`
WebGoat
OWASP Project
http://www.owasp.org/software/webgoat.html
Fully featured Java Web Application (Tomcat)
Useful ‘toy’ for you to learn, and exploit (safe in the fact that no one will sue you for hacking ☺)
Tutorial style – lesson by lesson.
Break the Challenge!
WebGoat from OWASP (www.owasp.org)
Good Design is Worth it!
Eases the development of defensive measures
Enterprise Developer vs Hobbyist Developer
Apply sound software design patterns
Don’t reinvent the wheel - use popular application frameworks!
Don’t get distracted by the ‘quick & dirty’ way to code production apps; they will come back and haunt you (and your bosses).