Learning web-security through penetration testing

At the ROOTS 2009 conference I attended a workshop with Martin Knobloch called “Application Security – Awareness.” Martin works for OWASP, the Open Web Application Security Project, and they have created a lot of cool stuff. In the workshop we got an introduction to WebScarab and WebGoat, and for learning how a lot of software vulnerabilities work, they are great tools, and fun to play with.

WebScarab is a tool for analyzing HTTP and HTTPS communication. It intercepts traffic as a proxy sitting between your browser and the application you are analyzing, and lets you inspect and modify requests and responses before they are passed on. WebScarab itself is not a training tool; it is meant for serious application analysis.

WebGoat is a deliberately insecure Java web application hosted on a local Tomcat server, which contains a lot of flaws and vulnerabilities. The application consists of a series of challenges (lessons), in which you use WebScarab to crack your way into the application.

The challenges range from very simple stuff like scanning through source code to look for hard-coded passwords, to more interesting things like Cross-Site Scripting and SQL injection for stealing credit card numbers.
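To make the SQL injection lesson concrete, here is an added example (my own, not code from the post, from WebGoat or from OWASP) that shows why the lesson works and what the fix looks like. It builds a constructed in-memory SQLite table of fake card numbers, runs the same lookup once with string concatenation and once with a bound parameter, and compares what each returns for the textbook `' OR '1'='1` input. The table name, column names and sample rows are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example only; the card numbers are fake test values.
SAMPLE_ROWS = [
    ("alice", "4111-1111-1111-1111"),
    ("bob", "5500-0000-0000-0004"),
    ("carol", "3400-0000-0000-009"),
]


def make_db():
    """Create an in-memory database with a hypothetical 'cards' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (owner TEXT, number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, owner):
    """The pattern WebGoat's lesson exploits: untrusted input glued into the SQL text.

    The quote in the input closes the string literal, so the rest of the input
    becomes part of the WHERE clause and can change what the query selects.
    """
    sql = "SELECT owner, number FROM cards WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, owner):
    """The fix: the value is bound as a parameter, never parsed as SQL.

    Whatever the input contains, it is compared as a plain string against
    the owner column, so the query shape cannot be altered.
    """
    sql = "SELECT owner, number FROM cards WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


def looks_like_injection(value):
    """A crude detection heuristic for a proxy or WAF log: a lone quote
    followed by SQL keywords. Useful for flagging, not as a substitute for
    parameterized queries."""
    lowered = value.lower()
    return "'" in value and any(k in lowered for k in (" or ", " and ", "--", ";"))


def demo():
    """Run both lookups on a normal and a crafted input and return the results."""
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"  # the classic lesson input from OWASP training material
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),
        "param_normal": lookup_parameterized(conn, normal),
        "param_crafted": lookup_parameterized(conn, crafted),
        "flagged": looks_like_injection(crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The vulnerable lookup returns the whole table for the crafted input, which is exactly how the WebGoat lesson leaks every card number; the parameterized version returns nothing because the input is matched as a literal owner name. The heuristic at the end is the kind of thing you would run over intercepted requests to spot the attempt, but the real mitigation is the bound parameter.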

Both tools can be downloaded for free from the OWASP download page, and since they are written in Java, they work on all platforms.

Just be sure to disconnect from the internet before starting WebGoat: while it is running, the vulnerabilities it contains are reachable by anyone who can connect to your machine, not only by you.
