Secure Development - Web Application Sandbox Tools

May 05 2010

It's been a while since I've had the chance to put up a blog entry, mainly due to travel during the last few weeks. This post will take a quick break from the Top 10 series and introduce some useful tools you can use to get hands-on experience with web application vulnerabilities in a sandbox environment.

Traditionally, you would first have to spend a decent amount of time setting up a server, installing/configuring the applications (or worse, writing your own), generating fake data, and generally performing lots of sysadmin work that is really not related to IT security. These tools (along with many others), make this process much easier by providing ready-made environments where you can explore secure coding concepts and "get your hands dirty" on other people's programming mistakes (both intentional and unintentional).

  • OWASP Broken Web Applications Project (BWA) - I introduced this great tool in my ShmooCon wrap-up post back in February. This is a pre-built VM that pulls together a variety of intentionally vulnerable web applications and (unintentionally bad) real-world web applications with known vulnerabilities. It currently includes 11 separate applications, covering the three major technologies: Java, PHP, and ASP.
     
  • Google Jarlsberg - This is a brand-new entry into the sandbox space (released on May 4, 2010). It's a vulnerable Python web app implemented on top of Google's App Engine (a hosted service), which removes the need for a VM or bootable ISO image. I have not played with it very much, but it looks very promising and flexible.
     
  • BadStore - This is a very small bootable LiveCD image (also usable in VMware), about 10 MB in size. It contains a very basic online store with many different vulnerabilities. Just like the BWA, it's a plug-and-hack solution where you don't need to spend time configuring services, generating fake data, etc.
     
  • Many Others - This is not meant to be a comprehensive list, just a quick intro to the three that I've worked with and found to be useful, especially for quick demo/instructional purposes.

I will be using these tools during my upcoming talk at the Richmond Java Users' Group (RJUG) to give real-world examples of the Top 10 vulnerabilities I have been covering in this blog.

Next time, I will resume the Top 10 series with a discussion of insecure storage issues.

About the Author

Daniel is a business and technical systems analyst with a background in IT security and software development. He has four years of experience in the IT security field, including published academic research. His main areas of expertise include secure development, network security, and authentication. In addition to security, Daniel has a software development background in languages such as Java, PHP, SQL, and Perl. He also has over 12 years experience working with and administering various versions of Linux and related open-source software.


Disclaimer

The words and opinions expressed here are those of each article's respective author, and do not necessarily represent the views of CapTech Ventures.