[Owasp-live-cd-2008-project] New Release of the OWASP Live CD & More
OWASP Live CD 2008 Project
owasp-live-cd-2008-project at lists.owasp.org
Mon Feb 21 07:41:59 EST 2011
Matt,
On Sun, Feb 20, 2011 at 11:22 PM, OWASP Live CD 2008 Project
<owasp-live-cd-2008-project at lists.owasp.org> wrote:
> Answers inline
>
> On Sun, Feb 20, 2011 at 2:08 PM, OWASP Live CD 2008 Project
> <owasp-live-cd-2008-project at lists.owasp.org> wrote:
>> Matt,
>>
>> After some more tries, I was able to run it. Here are some comments:
>>
>> * w3af revision 4041 is installed, which is awesome because it has its
>> auto_update feature embedded and will help users avoid already fixed
>> bugs.
> I lurk on w3af-users and w3af-developers so I was thrilled to find
> that the auto_update feature was being added. That also saved me from
> writing my own. ;)
>
>> * I was able to perform an update without being root, which was a nice
>> thing to find (nicely done in get-w3af)
> That was something I figured out fairly early in the conversion
> process while I was working on the update script your auto_update made
> unnecessary. Thanks for noticing.
>
>> * Both the console and GUI version seem to work very well
>> * I would recommend changing the default screen resolution to
>> 1024x768, I really don't think that there are many users that will use
>> the liveCD in that resolution.
>
> Agreed. I'm happy that I have feature parity with the previous SLAX
> version but still have some polishing to do - especially with the ISO.
> I use the VirtualBox .vdi so that is the most complete :) Look
> for those changes in the next release.
>
>>
>> I'm curious... where can I see the contents of owasp-wte-w3af ?
> I created .debs for all the bits I added to Ubuntu. For w3af, you can
> see the package "source" here:
> http://code.google.com/p/owasp-wte/source/browse/#svn%2Fconversion%2Fw3af%2Fcontents
Couple of comments about DEBIAN/control:
* python-beautifulsoup is not needed anymore
* There are nicer ways to do it if we compare it with
"w3af-svn.tar.bz" , but it's working for the users, and that's what
matters :)
> and get the .deb here:
> http://appseclive.org/apt/stable/
>
> If you look at the DEBIAN/control file, I specifically put "Conflicts:
> w3af, w3af-console" so that my package doesn't fight with the ones in
> the official Ubuntu repos.
> http://code.google.com/p/owasp-wte/source/browse/conversion/w3af/contents/DEBIAN/control
Agreed, it's a good idea.
> All the old SLAX stuff started under /conversion in svn while I was
> doing the migration. Now that it is complete, I'll be making a
> directory per package under trunk in svn and using tags to snapshot
> specific releases.
>
> I am probably violating some Debian packaging rules because I tarball
> w3af's source after doing a svn checkout. Then, during package
> installation, I extract the tarball into /opt/owasp/w3af so that the
> svn meta-data is kept and your auto_update can work (or the old school
> "svn update" works as well).
Yep, I'm sure you're violating lots of rules by doing that :) Also, in
Debian, some of the plugins have been removed because of their
policies. This package would never make it to Debian repos, but that
was not the objective.
> A package that updates itself probably goes against the idea of
> getting packages from a repository but I felt the increased usability
> for WTE users was worth breaking a few packaging rules.
Agreed. This was something we discussed internally when writing the
auto-update feature, and we decided that in most cases the guy running
auto_update would be also "root", and could run the auto_update
whenever he wanted to update a "global w3af install". Also important,
the new packages will only need to be created when new dependencies
are added to the package.
> Not to
> mention that the WTE svn doesn't like when you try to check in w3af's
> svn data. ;)
Hah! I've never thought about that! But it makes sense :) SVN metadata
inside SVN metadata.... hmmmm, the world is going to explode!
> You can also do a "sudo apt-get install owasp-wte-w3af" if you add the
> repo to your /etc/apt/sources.list - more details will follow later.
> If you're good with Ubuntu/Debian, I'm sure you can figure it out
> before I get a chance to document it on AppSecLive.
I don't want to break my Ubuntu install, so I'd better not try that :)
>>
>> Great work :)
>>
>
> Thanks for the compliment. Since you're w3af's project lead, I'm glad
> you're happy with the packaging for WTE.
:)
> Cheers!
>
> --
> -- Matt Tesauro
> OWASP Board Member
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
>
>
>> Regards,
>>
>> On Sat, Feb 19, 2011 at 12:15 PM, OWASP Live CD 2008 Project
>> <owasp-live-cd-2008-project at lists.owasp.org> wrote:
>>> Hey Andres,
>>>
>>> It works for me, albeit a bit slower than usual.
>>>
>>>
>>> -Brad Causey
>>> CISSP, MCSE, C|EH, CIFI, CGSP
>>>
>>> http://www.owasp.org
>>> --
>>> "Si vis pacem, para bellum"
>>> --
>>>
>>>
>>> On Sat, Feb 19, 2011 at 8:45 AM, OWASP Live CD 2008 Project
>>> <owasp-live-cd-2008-project at lists.owasp.org> wrote:
>>>>
>>>> Matt,
>>>>
>>>> On Fri, Feb 18, 2011 at 6:08 PM, OWASP Live CD 2008 Project
>>>> <owasp-live-cd-2008-project at lists.owasp.org> wrote:
>>>> > Some of you may have already caught wind that I've finally completed
>>>> > the conversion of the OWASP Live CD to Ubuntu from SLAX.
>>>> >
>>>> > This is the semi-quiet pre-announcement only to the project list. I'm
>>>> > hoping to have some more QA / testing done over the weekend but there
>>>> > are no issues with what's now available of which I am aware.
>>>> >
>>>> > I've pushed the OWASP Live CD under an umbrella project - OWASP Web
>>>> > Testing Environment (WTE).
>>>> >
>>>> > OWASP WTE consists of:
>>>> > (1) .deb package repositories
>>>> > (2) .iso image
>>>> > (3) .vdi file (VirtualBox)
>>>> > (4) .vmdk file (VMware)
>>>> >
>>>> > For early adopters, the above are available now. I'll actually link
>>>> > them up on the downloads page on Monday after a weekend of final
>>>> > testing.
>>>> >
>>>> > You can get the .iso, .vdi and .vmdk images here:
>>>> > http://appseclive.org/apt/downloads/
>>>> >
>>>> > ** YOU WANT THE .rar FILES NAMED owasp-wte-Feb-2011.*.rar **
>>>>
>>>> I tried to download these files from two different workstations, and
>>>> two different internet connections of different ISPs, and it always
>>>> fails to finish the download. Could you please check? I would love to
>>>> test the new liveCD. Thanks!
>>>>
>>>> > The .rar files contain the specified file type (iso/vdi/vmdk) with an
>>>> > MD5 sum so you can check integrity after it's unrar'ed.
>>>> >
>>>> > The other files there are an older version missing 4 tools including
>>>> > WebGoat.
>>>> >
>>>> > More info on setting up the repo on your stock Ubuntu install is
>>>> > forthcoming.
>>>> >
>>>> > If you find problems, please let me know on the list or on the
>>>> > AppSecLive forums.
>>>> >
>>>> > Cheers!
>>>> >
>>>> > --
>>>> > -- Matt Tesauro
>>>> > OWASP Board Member
>>>> > OWASP WTE Project Lead
>>>> > http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>>>> > http://AppSecLive.org - Community and Download site
>>>> > _______________________________________________
>>>> > Owasp-live-cd-2008-project mailing list
>>>> > Owasp-live-cd-2008-project at lists.owasp.org
>>>> > https://lists.owasp.org/mailman/listinfo/owasp-live-cd-2008-project
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Director of Web Security at Rapid7 LLC
>>>> Founder at Bonsai Information Security
>>>> Project Leader at w3af
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af