Webseclab
Elie Bursztein, Baptiste Gourdin, Celine Fabry, Jason Bau, Gustav Rydstedt, Hristo Bojinov, Dan Boneh, John C. Mitchell (Stanford University)
Web vs System: evolution of the number of vulnerabilities by year
[Chart: number of vulnerabilities per year, 2005 to 2009, two series (Web and System); y-axis 0 to 3000. Plotted values in extraction order, series pairing not recoverable: 2793, 1951, 2000, 1647, 1528, 1531, 1275, 1186, 1095, 996.]
Elie Bursztein et al Webseclab http://ly.tl/t15
Web vulnerabilities breakdown: evolution of the web vulnerabilities over the years by type
[Chart: number of vulnerabilities per year, 2005 to 2009, y-axis 0 to 1000; series XSS, SQLi, XCS, Session, CSRF, SSL, Information Leak.]
BlackHat Training on Web security
[Chart: count per year, 2005 to 2010, y-axis 0 to 10.]
No bullet proof language
[Chart: vulnerabilities by server-side language, shown as percentage bars (0% to 100%): PHP 5070, ASPX 1220, ASP 1170, JSP 511, CFM 302, DO 224, PL 140.]
Webseclab Goals
• Bleeding edge exercises
• Inclusive environment
• No setup
• Minimal learning curve
• Easy class management
Webseclab architecture
[Diagram: a cloud service serving User 1 and User 2, each with two virtual machines (VM1, VM2).]
Key features (VM and Cloud)
• Class management
• Exercises
• Synchronization
• Quizzes
• Realtime goal
• Projects
• Quizzes push
• Real case
• Analytics
Elie Bursztein Slide deck 2010 http://ly.tl/t1
Webseclab VM architecture
[Diagram: inside the Virtual Machine, Firefox renders the WebSecLab Exercise (Exercise Categories, Objective, rendered Exercise, Constraints, Pitch, Hints); alongside it sit the Sync code, the Dashboard, SQL via phpmyadmin, and the Sandbox IDE.]
Exercises repartition
[Chart: number of exercises per category, y-axis 0 to 20. Categories: Introduction, Browser security, Mixing content, XSS, CSRF, Session, Phishing, Authentication, Embedding, SQL injections. Bar values in extraction order, pairing with categories not recoverable: 17, 12, 8, 7, 7, 6, 6, 5, 4, 1.]