Iris Classon - In Love with Code

(Not so) Stupid Question 290-291: What is OWASP, and what is the WebGoat project?

I’m in lovely Budapest right now with work (Mindcamp). Every year Mindcamp does a company conference (sort of) with the employees. Last year it was Toscana, this year Budapest. The idea with the week, aside from building a stronger common culture, is to have a week where we can spend time working on ideas that can be (but don’t have to be) related to work. We create a few tracks, and then group up. This was actually how the startup I’m working on/for, Konstrukt, was created: the brainchild of a conference week a few years ago.

Mindcamp, dinner :)

The tracks this year are:

R – Wiko’s track

Using R to work with real estate data.

Qlik in healthcare – Rasmus’s track

Look into how we can add more value to healthcare with our specialist knowledge in healthcare & Qlik

Qlik extensions – Tomas’s track

The title describes it all :)

Security and web applications 101 – OWASP top ten – my track

Walk through the OWASP top ten while we have fun with the WebGoat application. Then analyze how each item applies to the startup product my team is working on and add some more depth.

And that brings us to the question(s) of the day. What are OWASP and the WebGoat project?

WebGoat is an OWASP project, and OWASP is a not-for-profit charitable project. OWASP stands for Open Web Application Security Project. The online community is concerned with web application security and provides all kinds of resources to educate developers and non-developers on the topic. One of the ways they’ve done that is by creating a project called WebGoat. WebGoat is a web application that is rather insecure, and that is on purpose. The web application comes with a nice collection of lessons that guide the developer/user through hacking the application at different layers. Here are some examples, using the classic SQL injection. It’s quite basic, and although considered a noob error it is still a common problem according to OWASP. Here is a crappy query showing it in action using the WebGoat.Net app. Base64’ing a password is something I really hope nobody is doing… The WebGoat.Net project isn’t maintained anymore AFAIK and there were a few problems, so I’m putting together a similar web application to share on GitHub later.

Listing all tables

And I notice the password is saved there, and only encoded, so a base64 decode in the query gives me what I want

And that is to log in.

Comments

pnowosie
7/14/2016 4:32:11 AM
OWASP = Open Web Application Security Project (missing 'Security')
WebGoat is an OWASP project, and OWASP is a not-for-profit charitable project. OWASP stands for Open Web Application Project.
Iris Classon
7/16/2016 4:39:19 AM
Reply to: pnowosie
Thanks for pointing out my typo :))


Last modified on 2016-07-13
