
Introduction, Tools, and HTTP Basics [Sept. 16, 2011, 11:27 a.m.]


Welcome to the study group where we’re going to explore some of the topics in web application security. We’re going to use the Open Web Application Security Project’s (OWASP) WebGoat tool for learning about web security. It works on multiple systems and runs using the Apache Tomcat server.

First, install the application:
https://www.owasp.org/index.php/WebGoat_Installation


If you have problems installing, please post here or you can also ask on the WebGoat mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webgoat

Once you have OWASP WebGoat open, click “Introduction” on the left to open up the first lesson. Work through those. Please make sure to install WebScarab when you are on the “Useful Tools” lesson.

WebGoat will give you feedback when you have finished.

Once you have finished the 4 tasks under “Introduction,” continue on to “General” and do “Http Basics” and “HTTP Splitting.” Click “Lesson Plan” to see the lecture material before doing the lab.

[screenshots coming...]

Lab

By the end of this first week, you should have installed WebGoat and WebScarab. You also should have worked through the labs under “General” with Http Basics and HTTP Splitting. If you have problems with any part of the lab, please post here on this task so we can work through the solution together.

Discuss

This week, let’s discuss a few things:

1) Please introduce yourself to your fellow participants. You can say as much or as little about yourself as you want, but hopefully at least what you hope to gain from the study group.

Would you like to meet online to discuss the week’s lesson or socialize with the rest of the group? Please fill out this Doodle poll by Thursday the 22nd: http://www.doodle.com/hittwxnzxdb4atx3

2) If you have a blog where you will be posting your thoughts as you go through this semester, please post that as well. We can subscribe to it and give each other feedback there too!

3) Finally, discuss briefly your experience this week. Some ideas follow but you don’t have to answer all the questions. Did you learn something interesting? Was there something confusing in the lesson that you had to look up? If so, what was it? Did you have any issues installing the tools? Was it too much or too little work? Anything to add to it to make it better for the next round of students?

4) Because WebGoat focuses on Java, let's discuss some of the other languages and how to prevent these vulnerabilities in them. For your preferred language and/or framework, research and post how you can prevent the vulnerabilities discussed this week.

5) Anything else you’d like to discuss about this week’s lesson?

A discussion works best when there are at least two people involved so I encourage you to comment on other people’s posts!