Web Application Security
Learning Resources
Documents
OWASP Top 10 Project, PDF, PowerPoint
Video Training
Lynda: Foundations of Programming: Web Security with Kevin Skoglund
PluralSight: Web Security and the OWASP Top 10: The Big Picture by Troy Hunt
Security Compass: Free OWASP Top 10 CBT
Software
WebGoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application is a realistic teaching environment, providing users with hints and code to further explain the lesson.
Websites, Blogs, Articles
Common Security Mistakes in Web Applications
4 HTTP Security Headers You Should Always Be Using
Brian Krebs on Security: former Washington Post staffer Brian Krebs writes on cyber crime and other Internet security topics.
Troy Hunt has several conference talks available on YouTube that provide an introduction to web application security and the OWASP Top 10.
Bruce Schneier on Security
Test Your Knowledge
OWASP Top Ten Threats and Mitigations Exam
Incidents
Web Hacking Incident Database
Penetration Test Tools
OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Netsparker is the only false-positive-free web application security scanner. Simply point it at your website and it will automatically discover the flaws that could leave you dangerously exposed.
Netsparker Community Edition is a SQL Injection scanner. It is a free edition of the Netsparker web vulnerability scanner for the community so you can start securing your website now. It is user friendly, fast, smart and, as always, false-positive-free. It shares many features with the professional edition. It can detect SQL Injection vulnerabilities better than many other scanners (if not all), and it is completely free.
Portswigger Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities.
Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment.
Paros Proxy is an open source scanner.
Web Application Security Tools
Wireshark is a network protocol analyzer that can sniff network traffic and gather useful information.
BackTrack (backtrack-linux.org) is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.
Check Your HTTP Security Headers allows you to view and evaluate your website's security headers.
Retire JS helps you detect the use of older versions of JavaScript libraries with known vulnerabilities.
Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java and .NET dependencies are supported; however, support for Node.JS, client side JavaScript libraries, etc. is planned. This tool can be part of the solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.
Havij Advanced SQL Injection is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. By using this software, a user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. The distinctive power of Havij that differentiates it from similar tools lies in its unique methods of injection. The success rate of attack on vulnerable targets using Havij is above 95%. The user-friendly GUI (Graphical User Interface) of Havij and its automated configuration and heuristic detections make it easy to use for everyone, even amateurs.
HackBar is a Firefox extension for penetration testers. HackBar extends the address bar of Firefox and thus provides enough space for long injection URLs during penetration testing. HackBar also has some additional features, including the ability to perform encryption, encoding, decryption, POST data manipulation, injection code generation, etc.
Tamper Data is a Firefox extension which allows you to view and modify HTTP/HTTPS headers and POST parameters.
Metasploit Framework is a tool for developing and executing exploit code against a remote target machine.
Browser Exploitation Framework (BeEF) is a penetration testing tool that focuses on the web browser.
Fiddler is a free web debugging proxy which logs all HTTP(S) traffic between your computer and the Internet. Use it to debug traffic from virtually any application that supports a proxy, such as IE, Chrome, Safari, Firefox, Opera and more.
Firesheep is an extension for the Firefox web browser that uses a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter. As cookies are transmitted over networks, packet sniffing is used to discover identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.
Hack.me is a free, community-based project powered by eLearnSecurity. The community can build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMSs online.
ModSecurity is an open source, cross-platform web application firewall (WAF) module. Known as the "Swiss Army Knife" of WAFs, it enables web application defenders to gain visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.
Libraries
ESAPI (the OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
OWASP AntiSamy project is an API for ensuring user-supplied HTML/CSS is in compliance with an application's rules. It is an API that helps you make sure that clients don't supply malicious cargo code (usually JavaScript) in the HTML they supply for their profile, comments, etc., that gets persisted on the server.
OWASP CSRFGuard is a library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
Java, .NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP
The Reform library provides a solid set of functions for encoding output for the most common context targets in web applications (e.g. HTML, XML, JavaScript, etc.).
PHP
PHPSEC, PHP Web applications, libraries, tools
PHP Security Cheat Sheet
Drupal
The 10 Most Critical Drupal Security Risks
Doing Drupal Security Right
Drupal Security Report