[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

johanna curiel curiel johanna.curiel at owasp.org
Sat Jul 30 01:40:09 UTC 2016


>>Could you connect the dots to OWASP's mission?

Sure, and thank you for your interest.

You can use shellcode in multiple ways as you know, such as web payloads
that exploit misconfigurations of web servers (such as the HTTP PUT/DELETE
methods), as explained in the OWASP Top Ten section on Security
Misconfiguration:
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
A web payload loaded using a weakness in a misconfiguration (PUT method
allowed and WebDAV enabled) will allow you to connect using a reverse shell,
all thanks to shellcode ;-)
http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php

Or how the Angler exploit kit works, using a drive-by-download/web attack with
obfuscated JavaScript code:
https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf

ZSC is not only a shellcoder but also an obfuscator for web files in PHP,
Ruby, JavaScript and Python, among other languages and obfuscation
algorithms, as an obfuscation tool that can be used during CTF games and
more. Our dots with web security are also in the research of obfuscation,
as explained in this book:

https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false

In the upcoming modules, we are planning to program and experiment with
more sophisticated obfuscation modules and explore the limits this area has
to offer:
https://eprint.iacr.org/2015/793.pdf
http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf

Our goal is to provide more information on this subject, which is related to
web application security but definitely with a strong link to network and
OS security.

On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org>
wrote:

> Thanks for that. I'm quite familiar with shellcode. Could you connect the
> dots to OWASP's mission?
>
> --Jeff
> _____________________________
> From: johanna curiel curiel <johanna.curiel at owasp.org>
> Sent: Friday, July 29, 2016 8:12 PM
> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
> To: Jeff Williams <jeff.williams at owasp.org>
> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>
>
>
> Jeff
>
> The best would be to read the documentation to get a sense of what the
> tool does
>
> Which is a shellcode generator, similar to msfvenom, of course, still in
> development but with very interesting features:
> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>
>
>
> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>
>> Not sure I quite get this. Could you explain the field of use for this
>> tool?  Thx,
>>
>> --Jeff
>>
>>
>>
>>
>>
>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>> johanna.curiel at owasp.org> wrote:
>>
>> Hi All,
>>>
>>> We kindly invite you to check out the OWASP ZSC project, some major rework
>>> has been done lately:
>>>
>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>
>>> Thank you to all these amazing volunteers for their efforts:
>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>
>>> Please we invite you to try out the project and let us know your
>>> experience.
>>>
>>> Your feedback is very important to us.
>>>
>>> Thank you for your time and consideration
>>>
>>> Regards
>>>
>>> Johanna
>>>
>>>
>>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
>
>


-- 
Johanna Curiel
OWASP Volunteer