[Owasp-leaders] OWASP Proxy

dinis cruz dinis.cruz at owasp.org
Fri Dec 12 18:42:45 EST 2008


Hey Rogan,
Why do you think this project needs to be 'approved by the OWASP Board'?

Is it because of the name 'OWASP Proxy'?

Part of the OWASP world is the innovation created by the free creation of
projects and ideas. As long as those new projects are compatible with our
values, OWASP should receive them with open arms.

The only rules of engagement are the ones created by the OWASP Project
Assessment Criteria (see
http://www.owasp.org/index.php/Category:OWASP_Project_Assessment) which is
designed to raise OWASP projects' quality and professionalism.

What we have to achieve is a good balance between focusing on improving
existing projects (for example 'sorting up' all current OWASP projects
(see http://www.owasp.org/index.php/Category:OWASP_Project)) and creating
an environment for new ideas to be developed and explored.

Dinis Cruz

2008/12/12 Rogan Dawes <lists at dawes.za.net>

> Hi folks,
>
> I am happy to announce the development of a new project, which I am
> tentatively calling "OWASP Proxy", subject to approval by the OWASP board.
>
> Many security researchers want a reliable intercepting HTTP proxy that
> they can use to build their own tools around. Some have resorted to
> ripping bits out of existing OWASP tools, such as WebScarab, but this
> has not really been a pleasant process, due to the baggage that the
> existing tools drag along with them.
>
> OWASP Proxy is a ground-up rewrite of a dead-simple proxy, that provides
> application developers a (currently only lightly-) tested library that
> they can easily extend to obtain their required functionality. It
> provides a number of extension points whereby developers can be notified
> of events such as a new Request, the retrieval of the Response headers,
> as well as the Response body, and of course, any errors along the way.
>
> It also supports streaming of large responses, so it is relatively
> performant when the responses are not being intercepted. For example,
> flash movies start playing immediately, rather than having to wait for
> the entire movie to be retrieved by the proxy. Of course, if you want to
> intercept a response, that streaming can be disabled.
>
> One big reason to use OWASP Proxy is that it is binary clean to the best
> of my ability. Things such as using two spaces instead of 1 between a
> header and its value will persist through the proxy. The basic object is
> the HTTP Message, represented by byte[] message. Of course there are
> utility methods that work with the underlying byte[], and these may
> normalise the parameters passed to them, but if you need the message to
> be exactly what you set it to, that is entirely possible.
>
> Enough of the intro, the code is available in a git repository on my
> personal site. You can view the code and grab a snapshot at
>
> <http://dawes.za.net/gitweb.cgi?p=rogan/owasp-proxy/owasp-proxy.git;a=summary>
>
> or if you use git, you can clone the repo:
>
>   $ git clone http://dawes.za.net/rogan/owasp-proxy/owasp-proxy.git/
>
> The main class is org.owasp.proxy.daemon.Listener, and from there
> everything should be fairly simple to understand. You can also look at
> the testcases (very skimpy at the moment) to get some ideas on how
> things are supposed to work.
>
> Feedback is welcomed, either on the WebScarab list
> (owasp-webscarab at lists.owasp.org), or directly to me.
>
> Regards,
>
> Rogan
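
The "binary clean" property described in the announcement above, as an added example that is not part of the original message and is not OWASP Proxy's own code: the message is held as the exact byte[] received, a read-only accessor may trim what it returns, and a parse-and-reserialise copy is built only for comparison. The class RawMessage, its method names and the sample request are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Hypothetical class for illustration; it is not OWASP Proxy's API.
public class RawMessage {
    private final byte[] message; // exact bytes as received

    public RawMessage(byte[] message) { this.message = message.clone(); }
    public byte[] getMessage() { return message.clone(); }

    // Split the header section into lines; ISO-8859-1 maps each byte to one char.
    private static String[] headerLines(String text) {
        int end = text.indexOf("\r\n\r\n");
        return (end < 0 ? text : text.substring(0, end)).split("\r\n");
    }

    // Utility accessor: returns a trimmed value but leaves the stored bytes alone.
    public String getHeader(String name) {
        String[] lines = headerLines(new String(message, StandardCharsets.ISO_8859_1));
        for (int i = 1; i < lines.length; i++) {
            int colon = lines[i].indexOf(':');
            if (colon > 0 && lines[i].substring(0, colon).equalsIgnoreCase(name))
                return lines[i].substring(colon + 1).trim();
        }
        return null;
    }

    // What a parse-and-reserialise proxy emits: each header rewritten as "Name: value".
    public byte[] normalised() {
        String text = new String(message, StandardCharsets.ISO_8859_1);
        int end = text.indexOf("\r\n\r\n");
        String[] lines = headerLines(text);
        StringBuilder out = new StringBuilder(lines[0]);
        for (int i = 1; i < lines.length; i++) {
            int colon = lines[i].indexOf(':');
            out.append("\r\n").append(colon > 0
                ? lines[i].substring(0, colon) + ": " + lines[i].substring(colon + 1).trim()
                : lines[i]);
        }
        if (end >= 0) out.append(text.substring(end)); // blank line and body, untouched
        return out.toString().getBytes(StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) {
        // Constructed sample request: two spaces after "Host:", a tab after "X-Test:".
        byte[] wire = "GET / HTTP/1.1\r\nHost:  example.test\r\nX-Test:\tv\r\n\r\n"
            .getBytes(StandardCharsets.ISO_8859_1);
        RawMessage m = new RawMessage(wire);
        System.out.println("Host = " + m.getHeader("host"));
        System.out.println("stored bytes unchanged: " + Arrays.equals(wire, m.getMessage()));
        System.out.println("normalised copy identical: " + Arrays.equals(wire, m.normalised()));
    }
}
```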