James Walden

Web Application Security Workshop

SIGCSE 2009

Department of Computer Science
Northern Kentucky University
waldenj@nku.edu
Charles Frank

The most common software vulnerabilities, cross-site scripting (XSS) and SQL injection, are found exclusively in web applications. The doubling of the number of reported software vulnerabilities since 2004 is largely a result of these bugs, examples of which are taught as good coding practice in many textbooks. Participants will learn penetration testing and code review techniques and tools for finding SQL injection and XSS vulnerabilities through hands-on exercises. They will also learn to write secure code that does not have such vulnerabilities. Participants should be familiar with developing web applications in a language like Perl, PHP, Ruby, or Java, but they do not need prior experience with secure programming or software security.

Topics

  1. Overview of Web Application Security
    1. State of Web Application Security
    2. Top Ten Vulnerabilities
    3. Dangers of Web Input
    4. Web Testing Proxies
  2. SQL Injection
    1. Attack Patterns
    2. Demonstration
    3. SQL Injection Exercise
    4. Input Filtering Techniques
    5. Prepared Queries
    6. Other Injection Vulnerabilities
  3. SQL Injection Exercise
  4. Break (20 minutes)
  5. Cross-site Scripting (XSS)
    1. Anatomy of an XSS Attack
    2. Cross-site Scripting Exercise
    3. Output Encoding Techniques
    4. XSS Demonstration
  6. XSS Exercise

Hardware and Software Requirements

To complete the exercises, participants need to bring a laptop capable of running a live CD Linux distribution. We will be using the OWASP Live CD, which provides a variety of web application security tools on a single bootable CD that works on any Intel-compatible machine, whether its installed OS is Linux, Mac OS X, or MS Windows. The OWASP Live CD is available for download from the link in this sentence.

If you would like to use the live CD side by side with your other applications and you have a Linux or Windows laptop, you can run the live CD in a virtual machine under VMWare Server. You can download VMWare Server 1.0.8 (do not use VMWare Server 2) and a live CD player virtual machine from the links below. Full instructions for configuring the live CD virtual machine are available at the second link below.

  1. VMWare Server
  2. LiveCD Virtual Machine

References

If you want to get a head start on reading about web application security before the workshop or keep learning after the workshop, please see the following online references and tools.

  1. OWASP (see Top 10, Guide, Testing Guide)
  2. BadStore, web application demo software.

©2009 James Walden, Ph.D.