WebGoat Plus: An Extension of the WebGoat Tool
Abstract
Hands-on vulnerability exploitation activities can give students a better understanding of security flaws. This article therefore set out to provide an extension to the WebGoat application that enables hands-on learning about the OS Injection vulnerability. In this work, tests were carried out with nine students who used and evaluated the application. When the number of completed activities was assessed, 80% of the students had solved at least 60% of the activities. As for user satisfaction, 88% of them would recommend the application to a third party. It is thus possible to conclude that the application contributed to teaching the OS Injection vulnerability.
Keywords:
Vulnerability teaching, OS injection, WebGoat
Published
04/10/2021
How to Cite
BIZON, Artur Ricardo; JUSTINO, Gilvan. WebGoat Plus: Uma Extensão da Ferramenta WebGoat. In: WORKSHOP DE TRABALHOS DE INICIAÇÃO CIENTÍFICA E DE GRADUAÇÃO - SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 21., 2021, Online Event. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2021. p. 138-150. DOI: https://doi.org/10.5753/sbseg_estendido.2021.17348.