(Not so) Stupid Question 290-291: What is OWASP, and what is the WebGoat project?

July 13, 2016, 6:20 am. Posted in Databases, Not So Stupid Questions, Web

I’m in lovely Budapest right now with work (Mindcamp). Every year Mindcamp does a company conference (sort of) with the employees. Last year was Toscana, this year Budapest. The idea with the week, aside from building a stronger common culture, is to have a week where we can spend time working on ideas that can be (but don’t have to be) related to work. We create a few tracks, and then group up. This was actually how the startup I’m working on/for, Konstrukt, was created. An idea child from a conference week a few years ago.

Mindcamp, dinner :)

The tracks this year are:

R – Wiko’s track

Using R to work with real estate data.

Qlik in healthcare – Rasmus’ track

Look into how we can add more value to healthcare with our specialist knowledge in healthcare & Qlik

Qlik extensions – Tomas’ track

The title describes it all 🙂

Security and web applications 101 – OWASP top ten – My track

Walk through the OWASP top ten while we have fun with the WebGoat application, then analyse how each item applies to the startup product my team is working on and add some more depth.

And that brings us to the question(s) of the day. What is OWASP and the WebGoat project?

WebGoat is an OWASP project, and OWASP is a not-for-profit charitable organisation. OWASP stands for Open Web Application Security Project. It is an online community concerned with web application security, and it provides all kinds of resources to educate developers and non-developers on the topic. One of the ways they’ve done that is by creating a project called WebGoat. WebGoat is a web application that is rather insecure, and that is on purpose. With the web application comes a nice collection of lessons that guide the developer/user through hacking the application at different layers. Here are some examples, using the classic SQL injection. It’s quite basic, and although it is considered a noob error it is still a common problem according to OWASP. Here is a crappy query showing it in action using the WebGoat.Net app. Base64’ing a password is something I really hope nobody is doing… The WebGoat.Net project isn’t maintained anymore AFAIK and there were a few problems, so I’m putting together a similar web application to share on GitHub later.

But I'm more interested in all the other tables :D

Listing all tables

And I notice the password is saved there, and only encoded, so a base64 decode in the query gives me what I want.


And that is to log in.
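Both the injection in the first screenshot and the base64 “protection” in the second are easy to reproduce offline. The following is an added example, not code from this post or from the WebGoat.Net project: it builds a constructed in-memory SQLite users table that, like the WebGoat.Net app, stores passwords merely base64-encoded, puts a string-concatenated login query next to its parameterised fix, and shows why a base64 column hands the plaintext straight back while a salted PBKDF2 hash does not. The table layout, the two sample users and the PBKDF2 round count are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (not WebGoat.Net's schema): a tiny in-memory users
# table that, like the app on the page, stores passwords merely base64-encoded.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "correct horse")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [(n, base64.b64encode(p.encode()).decode()) for n, p in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The bug: user input is glued into the SQL string, so a quote in the
    name field ends the literal and whatever follows is executed as SQL."""
    encoded = base64.b64encode(password.encode()).decode()
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + encoded + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """The fix: a parameterised query. The driver passes the values separately
    from the statement, so the same input is only ever compared as data."""
    encoded = base64.b64encode(password.encode()).decode()
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY id",
        (name, encoded),
    )
    return [row[0] for row in rows]


def decode_stored(stored):
    """Base64 is an encoding, not protection: whoever can read the column
    (through injection, a backup, a leaked dump) gets the plaintext back."""
    return base64.b64decode(stored).decode()


PBKDF2_ROUNDS = 200_000  # assumed for the example; tune for your hardware


def hash_password(password, salt=None):
    """What the column should hold instead: a salted, slow, one-way hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    # constant-time comparison, so timing does not leak how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = build_db()
    # the classic payload: closes the quoted literal, then comments out the rest
    bad_name = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, bad_name, "anything"))  # every user
    print("safe:      ", login_safe(db, bad_name, "anything"))        # nobody
    stored = db.execute("SELECT password FROM users WHERE name = 'alice'").fetchone()[0]
    print("stored:", stored, "->", decode_stored(stored))
    print("hashed:", hash_password("hunter2"))
```

The two login functions differ only in how the name and password reach the database; the vulnerable one returns every row for the classic payload because the `--` turns the password check into a comment, while the parameterised one compares the whole string as a name and finds nobody. The last two functions are the point of the base64 remark: a base64 column is one function call away from plaintext, a salted PBKDF2 hash is not.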

2 Responses to “(Not so) Stupid Question 290-291: What is OWASP, and what is the WebGoat project?”

  1. OWASP = Open Web Application Security Project (missing ‘Security’)
    WebGoat is an OWASP project, and OWASP is a not-for-profit charitable project. OWASP stands for Open Web Application Project.
