[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

Eoin Keary eoin.keary at owasp.org
Sat Jul 30 11:09:44 UTC 2016


Hi,
So how does this educate developers or help improve security/secure development?
Thanks,
Eoin.


Eoin Keary
OWASP Volunteer
@eoinkeary



> On 30 Jul 2016, at 02:40, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
> 
> >>Could you connect the dots to OWASP's mission?
> 
> Sure, and  thank you for your interest.
> 
> You can use shellcode in multiple ways, as you know, such as web payloads that exploit misconfigurations of web servers (such as the HTTP PUT/DELETE methods), as explained in the OWASP Top Ten section on Security Misconfiguration.
> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
> A web payload loaded using a weakness in a misconfiguration (PUT method allowed and WebDAV enabled) will allow you to connect using a reverse shell, all thanks to shellcode ;-)
> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
> 
> Or how the Angler exploit kit works, using a drive-by download web attack with obfuscated JavaScript code: https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
> 
> ZSC is not only a shellcoder but also an obfuscator for web files in PHP, Ruby, JavaScript and Python, among other languages and obfuscation algorithms, an obfuscation tool that can be used during CTF games and more. Our dots with web security are also in the research of obfuscation, as explained in this book:
> 
> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
> 
> In the upcoming modules, we are planning to program and experiment with more sophisticated obfuscation modules and explore the limits this area has to offer:
> https://eprint.iacr.org/2015/793.pdf
> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
> 
> Our goal is to provide more information on this subject, which is related to web application security but definitely with a strong link to network and OS security.
> 
>> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
>> Thanks for that. I'm quite familiar with shellcode. Could you connect the dots to OWASP's mission?
>> 
>> --Jeff
>> _____________________________
>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>> Sent: Friday, July 29, 2016 8:12 PM
>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>> To: Jeff Williams <jeff.williams at owasp.org>
>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>, Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>> 
>> 
>> 
>> Jeff
>> 
>> The best would be to read the documentation to get a sense of what the tool does,
>> 
>> which is a shellcode generator, similar to msfvenom, of course, still in development but with very interesting features:
>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>> 
>> 
>> 
>>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org> wrote:
>>> Not sure I quite get this. Could you explain the field of use for this tool?  Thx,
>>> 
>>> --Jeff
>>> 
>>> 
>>> 
>>> 
>>> 
>>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <johanna.curiel at owasp.org> wrote:
>>>> 
>>>> Hi All,
>>>> 
>>>> We kindly invite you to check out the OWASP ZSC project; some major rework has been done lately:
>>>> 
>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>> 
>>>> Thank you to all these amazing volunteers for their efforts:
>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>> 
>>>> We invite you to try out the project and let us know your experience.
>>>> 
>>>> Your feedback is very important to us.
>>>> 
>>>> Thank you for your time and consideration
>>>> 
>>>> Regards
>>>> 
>>>> Johanna
>> 
>> 
>> 
>> -- 
>> Johanna Curiel 
>> OWASP Volunteer
> 
> 
> 
> -- 
> Johanna Curiel 
> OWASP Volunteer
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
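The PUT/WebDAV misconfiguration Johanna describes above is something a practitioner would want to check for directly, before any shellcode enters the picture. The following is an added example, not code from this thread or from the OWASP ZSC project: a Python probe that sends OPTIONS and inspects the Allow and DAV headers, then follows up with a harmless PUT because Allow headers are advisory and are often wrong in both directions. It runs against two constructed local stand-in servers, one that accepts PUT with WebDAV on and one with the corrected configuration. The handler classes, the probe path and the use of ephemeral local ports are assumptions made for the demo.

```python
"""Probe a web server for the PUT/DELETE + WebDAV misconfiguration (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that let an anonymous client write to or reshape the document root.
DANGEROUS_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_allow(header_value):
    """Split an Allow header such as 'GET, POST, PUT' into an upper-case set."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def assess(allow_header, dav_header):
    """Return (sorted dangerous methods advertised, whether a DAV header is present)."""
    return sorted(parse_allow(allow_header) & DANGEROUS_METHODS), dav_header is not None


def _request(host, port, method, path, body=None, timeout=5):
    """Send one request on a fresh connection; return (status, headers)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.headers
    finally:
        conn.close()


def probe(host, port, path="/owasp-zsc-example-probe.txt"):
    """OPTIONS first, then a harmless PUT: the Allow header alone proves nothing."""
    _, headers = _request(host, port, "OPTIONS", path)
    advertised, webdav = assess(headers.get("Allow"), headers.get("DAV"))
    status, _ = _request(host, port, "PUT", path, body=b"probe")  # assumed-harmless path
    return {
        "advertised_dangerous": advertised,
        "webdav": webdav,
        "put_accepted": status in (200, 201, 204),
    }


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo servers silent
        pass

    def _reply(self, status, allow, dav=None):
        self.send_response(status)
        self.send_header("Allow", allow)
        if dav:
            self.send_header("DAV", dav)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _drain_body(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))


class MisconfiguredHandler(_QuietHandler):
    """Constructed stand-in: PUT allowed and WebDAV advertised."""
    ALLOW = "OPTIONS, GET, HEAD, POST, PUT, DELETE, PROPFIND"

    def do_OPTIONS(self):
        self._reply(200, self.ALLOW, dav="1,2")

    def do_PUT(self):
        self._drain_body()
        self._reply(201, self.ALLOW, dav="1,2")  # a real server would have stored the file


class HardenedHandler(_QuietHandler):
    """Constructed stand-in: only safe methods, no DAV."""
    ALLOW = "OPTIONS, GET, HEAD"

    def do_OPTIONS(self):
        self._reply(200, self.ALLOW)

    def do_PUT(self):
        self._drain_body()
        self._reply(405, self.ALLOW)


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe both constructed stand-ins and return their verdicts by name."""
    results = {}
    for name, handler in (("misconfigured", MisconfiguredHandler), ("hardened", HardenedHandler)):
        srv = _serve(handler)
        try:
            results[name] = probe("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Against a real target, `probe` should only be pointed at a host you are authorised to test, and the follow-up PUT leaves a file behind on a misconfigured server that you then need to clean up (with DELETE if it is also allowed). A server that advertises only safe methods but still answers 201 to PUT is the case the second request is there to catch.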