The most common software vulnerabilities are found exclusively in web applications: cross-site scripting (XSS) and SQL injection. The doubling of the number of reported software vulnerabilities since 2004 is largely a result of these bugs, examples of which are taught as good coding practice in many textbooks. Participants will learn penetration testing and code review techniques and tools for finding SQL injection and XSS vulnerabilities through hands-on exercises. They will also learn to write secure code that does not have such vulnerabilities. Participants should be familiar with developing web applications in a language like Perl, PHP, Ruby, or Java, but they do not need prior experience with secure programming or software security.
Topics
Hardware and Software Requirements
To complete the exercises, participants need to bring a laptop capable of running a live CD Linux distribution. We will be using the OWASP Live CD, which provides a variety of web application security tools on a single bootable CD that works on machines with Intel-compatible processors, regardless of whether they run Linux, Mac OS X, or MS Windows. The OWASP Live CD is available for download from the link in this sentence. If you would like to use the live CD side by side with your other applications and you have a Linux or Windows laptop, you can run the live CD in a virtual machine under VMware Server. You can download VMware Server 1.0.8 (do not use VMware Server 2) and a live CD player virtual machine from the links below. Full instructions for configuring the live CD virtual machine are available in the second link below.
References
If you want to get a head start on reading about web application security before the workshop, or keep learning after the workshop, please see the following online references and tools.
©2009 James Walden, Ph.D.