does someone know where I can find webapplications, on which i can legaly try my pentesting skills like a dummy application or sth? I heard there were some on the OWASP page, but I cant find any. I'll write my thesis about pentesting web applications, and would like to do some tests.
Thanks,
katy
There is website pprovided by OWASP themselves, which is intended exactly for that. It is called WebGoat
WebGoat is a deliberately insecure web application maintained by OWASP
designed to teach web application security lessons. You can install
and practice with WebGoat in either J2EE (this page) or WebGoat for
.Net in ASP.NET. In each lesson, users must demonstrate their
understanding of a security issue by exploiting a real vulnerability
in the WebGoat applications. For example, in one of the lessons the
user must use SQL injection to steal fake credit card numbers. The
application is a realistic teaching environment, providing users with
hints and code to further explain the lesson.
Related
I need of an information. I'm new in develop web application. I should use php and javascritp but it 's possible, in the future, I could use other languase like Java. During these days I'm following a course on the best practice to write secure code.
Is there any guide/book or any other valid resource, where I can find an explanation about the differrent kind of attaks on a web application and the ways to solve them?
Thanks
Luca
If you're looking for resources to secure your applications on the internet, the first thing to try is OWASP, or Open Web Application Security Project. Here are some useful articles about what you're looking for:
OWASP: Web Security Testing Guide
OWASP: Cheatsheets
OWASP: General Information
All of the resources above will show you the recommended ways to secure your web application against threats. I think it's more than enough for the first step in the security world.
I want to develop a simple website that will have simple features: user management, online payment and some simple data management. On top, I want to develop an iPhone app that will interact with the users's data. And in a close future, I would develop an Androïd app.
Now I need to develop this application in a very secure way, from user authentication to data security.
I know a little of web frameworks like Symfony 1 and Django. And I'm a good Java programmer.
What would be your choice of technology to achieve my to goals of security and easy iApp interaction?
Thanks
I would learn Symfony 2. They took great efforts to improve the security for 2, including getting a security assessment for the core framework and doctrine. There are a lot of changes from sf1.x, but the jump isn't too bad (i just did it myself).
Symfony is a good base for a new project, but it wont make everything you do secure. That is far beyond the scope of a post on stackoverflow. My best advice: read some of the articles on http://owasp.org, maybe watch a few presentations on specific subjects you are worried about, and keep an eye on security blogs/mailing lists.
Hi does anybody know of any other programs similar to Webgoat for the demonstration of web application security flaws?
There are plenty of them. Some hosted, some for local installation. Some targeted more to teaching about web security, others for testing. Fortunately some folks already made some lists:
http://slogic.net/training/vulnerable-web-applications-to-learn-web-application-testing-skills
http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning
http://www.owasp.org/index.php/Phoenix/Tools#Testing_grounds
I personally would start with Google Gruyere (http://google-gruyere.appspot.com/).
There is a really good list in here:
http://ha.ckers.org/blog/20090406/hacking-without-all-the-jailtime/
The big ones I would think of would be Fortify and HP WebInspect.
Fortify will scan the source code and find potential vulnerabilities
HP WebInspect will scan/brute force a website in production and find/report actual vulnerabilities.
Both require a fairly expensive license.
Also take a look at Codebashing - They are a SaaS based elearning platform that provide interactive application security wargames.
http://www.dvwa.co.uk/
http://www.itsecgames.com/
https://www.owasp.org/index.php/OWASP_Bricks#tab=Main
https://sourceforge.net/projects/mutillidae/
Also I Like dawa And murillidae That is Realy Intresting.
Take a look at:
OWASP Testing Project
Acunetix Web Security Scanner
Acunetix WVS automatically checks your
web applications for SQL Injection,
XSS & other web vulnerabilities.
This may sound like a weird question but is there any where I can download a website that is vulnerable to sql injection the url kind not login bypass?
I'm making a vulnerability scanner and I want to learn some SQLi so i can include it in my project.
Thanks, it doesn't need to be fancy. Just enough to practice on.
OWASP WebGoat is the usual example. Includes SQL injection vulnerabilities.
No, you cannot download their site to test for injection vulnerabilities. You need to download their whole DB and configs to do what you are saying. If you want to benevolently go checking the security of various sites, you have to ask them about their system and model it on your own. OWASP works on systems not recently updated with patches, like the comment of tackline-its a first port.
OWAPS's WebGoat is an application that is built to be vulnerable to attack, it is a simulation of real world vulnerabilities. The Whitebox is a collection of real world vulnerabilities, it has 2 web applications that where abandoned because the applications where so insecure. It also has a set of challenges there are vulnerable code snips taken from real world applications. This project has real world sql injection as well more serious vulnerabilities.
Try scanning the vulnerable apps with Wapiti (open source) or Acunetix ($) or NTOSpider($$$). Then try using the applications, create blog posts ect, and then scan it again.
Also check out Damn Vulnerable Linux and Google Jarlsburg.
I am planning to get my website development outsourced to a third party developer. Need your help in deciding on how/ what technology to be used to make it very secure. Since I am not a techie I need the website developed in a way, so that it is easy for me to maintain it and modify content easily if required.
The main purpose of the website is to provide company information about services offered and then also to exchange documents and other file using FTP server. Will be sending out surevey and newletters sometime
Looking for your advice to guide me to the right direction
As I already said on another answer, security is not a product, it's a process.
There isn't a 'secure' software or language. What makes your website/application secure is how it is developed and how the website is maintained.
There is no ready-made solution that, one time or another, won't be hacked.
If the people you are outsourcing to don't understand this, outsource to someone else.
Making your web server "hardened" against attack is best left to the expert sys-admins at Server Fault. However regardless of what technology you use, there is one HUGE thing an end user can do to protect her/his online assets:
USE STRONG PASSWORDS
You can make a site secure using any technology/language/framework.
It's the code quality that makes a site insecure, not the technology/language/framework.
There is no single "correct" language to use -- it's possible to write an insecure website in any language.
The key is hiring staff that have the skill and experience in developing secure web solutions, and also making sure that the system is tested often by external specialists