Difference between revisions of "OWASP Faux Bank Project"

m
Line 15: Line 15:
  
 
== Project Leader ==
 
== Project Leader ==
[mailto:davie.elliott@owaps.org Davie Elliott]
+
[mailto:davie.elliott@owasp.org Davie Elliott]
  
 
I am a web developer with 9 years commercial experience, currently in a Technical Director position for a small website company. I have an avid interest in security; network and web application development, and have written numerous pieces security software and also trained developers on how to write secure code. I have my own website: [http://www.thatcoderguy.co.uk www.thatcoderguy.co.uk] which also hosts my bi-weekly blog where I write about security and web development.
 
I am a web developer with 9 years commercial experience, currently in a Technical Director position for a small website company. I have an avid interest in security; network and web application development, and have written numerous pieces security software and also trained developers on how to write secure code. I have my own website: [http://www.thatcoderguy.co.uk www.thatcoderguy.co.uk] which also hosts my bi-weekly blog where I write about security and web development.
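
Review bot: the unchanged biography paragraph just below the corrected mailto line still reads "numerous pieces security software", which is missing "of". This revision is already a typo fix (owaps.org to owasp.org in the Project Leader link), so the same edit could correct that phrase as well.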

Revision as of 14:15, 9 July 2014

OWASP Faux Bank is a real-world type system with all 10 of the OWASP Top 10 vulnerabilities implemented. The idea behind this project is to have a website with vulnerabilities that developers can play with and exploit, and then view the source code to see why the site is vulnerable. OWASP Faux Bank also features a "secure mode", which prevents the exploits, so that developers can also see how these vulnerabilities can be prevented within web applications.

The full source code is available from GitHub at: github.com/thatcoderguy/owasp-faux-bank

Currently OWASP Faux Bank is written in Classic ASP, but PHP and .Net versions will eventually be written as well, so that developers working in those languages can also see how the vulnerabilities work.

OWASP Faux Bank is also running at: www.fauxbank.co.uk with all of the vulnerabilities implemented.

Project Leader

Davie Elliott

I am a web developer with 9 years' commercial experience, currently in a Technical Director position for a small website company. I have an avid interest in security; network and web application development, and have written numerous pieces of security software and also trained developers on how to write secure code. I have my own website: www.thatcoderguy.co.uk which also hosts my bi-weekly blog where I write about security and web development.

Licensing

OWASP Faux Bank is free to use. It is licensed under the Apache 2.0 license, so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.


As of 7th July, there are 5 vulnerabilities implemented in the Classic ASP version of OWASP Faux Bank.

The immediate road map for the classic ASP Version is as follows:

  • A10 – Unvalidated Redirects and Forwards – 22nd July
  • A9 – Using Components with Known Vulnerabilities – 5th August
  • A6 – Sensitive Data Exposure – 19th August
  • A5 – Security Misconfiguration – 2nd September
  • A4 – Insecure Direct Object References – 16th September

The PHP version is looking to be completed by October 30th, and the .Net version is looking to be completed by December.

If you'd like to get involved, why not contact me, or if you'd like to write the PHP or .Net versions (which haven't been started yet), why not just create a fork on GitHub and create your own version and upload it.

PROJECT INFO
What does this OWASP project offer you?

What is this project?
Name: OWASP Faux Bank Project
Purpose: Faux bank has all 10 of the top vulnerabilities implemented, as well as fixes for these vulnerabilities. The idea is that developers can see a real-world system with vulnerabilities, so that they can see what to look for and how to write secure code.
License: Apache 2.0 license

Who is working on this project?
Project Leader(s):

How can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: owasp_faux_bank Mailing List Archives
Project Roadmap: Not Yet Created

Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.

RELEASE(S) INFO
What releases are available for this project?

Current release
OWASP Faux Bank v0.5 - 5th June 2014 - (download)
Release description:
  • 5 of the 10 vulnerabilities have been implemented in the Classic ASP version.
Rating: Projects/OWASP Faux Bank Project/GPC/Assessment/OWASP Faux Bank v0.5

Last reviewed release
Not Yet Reviewed

Other releases