[OWASP-Bangalore] OWASP-Bangalore Digest, Vol 82, Issue 10

sandeep sivanandan sandi_siva at yahoo.com
Wed Nov 19 15:00:36 UTC 2014


Hi, is there any way there are recorded sessions available or an archive that we can go back and dig through…?
Thanks, Sandeep

     On Wednesday, November 19, 2014 8:14 PM, "owasp-bangalore-request at lists.owasp.org" <owasp-bangalore-request at lists.owasp.org> wrote:
   


Today's Topics:

  1. Re: Welcome New Members (Marudhamaran Gunasekaran)
  2. Re: Welcome New Members (Anant Shrivastava)
  3. Burp - ZAP proxy chain (Sagar Belure)


----------------------------------------------------------------------

Message: 1
Date: Wed, 19 Nov 2014 19:13:20 +0530
From: Marudhamaran Gunasekaran <gmaran23 at gmail.com>
To: OWASP Bangalore Mailing List <owasp-bangalore at lists.owasp.org>
Subject: Re: [OWASP-Bangalore] Welcome New Members
Message-ID:
    <CADAZoiSEKxbaeOtENhOC_8YjAKPsHL_mQxbYxihSONjOeLKnog at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi,

I am Maran (leave my complete name Marudhamaran Gunasekaran to the
government id cards and office registers;), a relative stranger at this
mailing list. Computer programming and Security fascinate me, and the
monthly null/OWASP/G4H meets/webcasts/groups are my chances to meet
like-minded fascinating professionals.

In the coming meet on Nov 22, I am going to demonstrate OWASP ZAP - an easy
to use penetration testing (read as vulnerability analysis) tool. I am a
ZAP Evangelist - a non-coding contributor to the OWASP ZAP project. With a
sample vulnerable application, I am very excited to cover pen test
scenarios and how ZAP features come to aid. It doesn't matter if you work
for IT infra, sw development, or information security, ZAP is suitable for
all audiences. If it interests you, below are the features that are waiting
for the premiere. Looking forward to meeting everyone this Saturday.

---------------------------------------------------------------
*OWASP ZAP tool demonstration - Agenda*
---------------------------------------------------------------
ZAP history
ZAP principles
ZAP statistics
Quick Start
Browser configuration
Intercepting proxy - breakpoints
Passive scanner
Auto tagging
Parameters
New Alert
Dynamic Certificates
Forced browsing
Spiders
Fuzzing
Zap Marketplace
Https Information
Comparing requests/responses
Text Wizards
Manual request editor
Scan Options
Active scan
Reports
..........................
*time for questions or more feature demonstrations*



On Wed, Nov 19, 2014 at 11:07 AM, Akash Mahajan <akash.mahajan at owasp.org>
wrote:

> Hi,
>
> Recently we have had many new folks join the mailing list. It will be
> great if they can introduce themselves to the list.
>
> If you are not sure how to cover it, please feel free to use the following
> format
>
> 1. Start with your Name
> 2. Tell us about where you work/study
> 3. What prompted your interest in OWASP and application security?
> 4. How did you get to hear about the mailing list?
> 5. What would you like to learn with us or even better teach us?
> 6. Anything else you would like to share with us.
>
> Thank you so much for contributing to the community. :)
>
>
> --
> Warm regards,
> Akash Mahajan
>
> *That Web Application Security Guy* | +91 99 805 271 82
> akashm.com | *@makash* on twitter | linkd.in/webappsecguy
> *OWASP Bangalore Chapter Lead | null Community Manager*
>

------------------------------

Message: 2
Date: Wed, 19 Nov 2014 19:58:37 +0530
From: Anant Shrivastava <anant.shrivastava at gmail.com>
To: OWASP Bangalore Mailing List <owasp-bangalore at lists.owasp.org>
Subject: Re: [OWASP-Bangalore] Welcome New Members
Message-ID:
    <CAE5KnOcxRKve5fDS1L2TdwWy02_KbWMDhNzk0hQXA6g5RBYuxA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi Everyone,

I am Anant Shrivastava. I recently joined the Bangalore mailing list (in
Bangalore for the past 2 yrs), and have been active in multiple information
security forums like Null and garage4hackers, and now at OWASP Bangalore
too I am planning to play an active role.

Professionally I am working as an Independent Security Consultant, where I
help organizations with securing *Mobile and web applications, and
Infrastructure.* I keep blogging about my adventures over at
http://blog.anantshri.info/

From an OWASP perspective, I am active with the OWASP OWTF project and
co-mentored one GSoC student this year. I am also one of the contributing
authors for OWASP Testing Guide v4.0.

I also lead 2 non-OWASP Projects

1) *Android Tamer* : A live ISO environment specifically created for
android users. This Environment allows people to work on a large array of
android security related tasks ranging from Malware Analysis, Penetration
Testing and Reverse Engineering. (http://androidtamer.com/)

2) *CodeVigilant* : Code Vigilant project is created out of the need to
have a more secure open source software. It is a known fact that a large
number of users use opensource software but very few of them contribute
back in terms of identifying and making these opensource software a more
secure piece of software. We are slowly but steadily making progress in
this project. (http://codevigilant.com/)

Feel free to contact me regarding any discussions, doubts or suggestions
for Mobile, Web application or Infrastructure or any of the above listed
projects.

Looking forward to meeting all of you in the next meet.

Anant Shrivastava
Web : http://anantshri.info


------------------------------

Message: 3
Date: Wed, 19 Nov 2014 20:09:14 +0530
From: Sagar Belure <sagar.belure at gmail.com>
To: owasp-bangalore at lists.owasp.org
Subject: [OWASP-Bangalore] Burp - ZAP proxy chain
Message-ID:
    <CAOQeMO3Nbsdo24R9MrVvhs2nQwfBsFqJGZEuFY+wxSDER+xb7A at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hello all,

First, to begin with an introduction, my name is Sagar Belure, a security
professional, Windows/Linux admin, open source enthusiast. I mostly work on
the Web/Network side of information security. A beginner in the Digital
Forensics world of the information security domain.

All right, going on with the query -
I have configured proxy chains in the following way -
Web server -> Burp -> ZAP -> web browser

This works perfectly fine for non-SSL traffic, if I configure an upstream
proxy in ZAP, pointing to Burp running on a different system.
1. I tried checking "Enable unsafe SSL/TLS negotiation" under Tools ->
Options -> Certificate in ZAP, with no luck.
2. Also, tried importing the Burp certificate into ZAP, again no luck.

Is there any way ZAP (or IronWASP) could be configured to upstream proxy
with an SSL connection?

The error I get on Firefox - "The connection was interrupted".

PS: Q. Why do I want to do that? Ans: There are a few reasons. The primary
and important one being, to route my traffic from my home network to the
target network. Burp and ZAP are running on two separate systems. And then
there are some other reasons too.

Regards,
Sagar Belure
sagar.belure.com | blog.belure.com
@sagarbelure