[Owasp-leaders] [Owasp-community] Update: OWASP ZSC Version 1.1.0

Ali Razmjoo ali.razmjoo at owasp.org
Sat Jul 30 11:53:58 UTC 2016


Hello everyone,

Thank you Johanna for informing mail. first let me introduce this software
in short lines.

OWASP ZSC is open source software written in python which lets you generate
> customized shellcode and convert scripts to an obfuscated script. This
> software can be run on Windows/Linux/OSX with python.


This software was created to challenge antivirus technology, research new
encryption methods, and protect sensitive open source files which include
important data. At the beginning this project started with a few shellcodes
with none encryption, and after a while I could develop the linux x86
shellcodes and encryptions to more dynamics shellcodes, But it's now a
shellcode framework now, When project get improved, some new coders joined
us and contribute the software to an obfuscator framework  and now project
has some a few simple encoders for opensource (our priorities are
javascript and php).

Thanks for that. I'm quite familiar with shellcode. Could you connect the
> dots to OWASP's mission?



> So how does this educate developers or help improve security/secure
> development?


JavaScript encoders and obfuscated shellcodes could be used in some kind of
projects which are about penetration testing the clients through the web
 (such as beef project) and  php encoders could be useful in preventing
these <https://github.com/OWASP/phpsec/issues/108#issuecomment-159676446> kind
of problems (maybe not now but in near future with more poweful
encoders/encryptions). I can make another point and it's that many of
vulnerability scanners (crawlers) could be stopped by using javascript
encoders for your html outputs (using document.write()). and there are more
points and usages.

Right now project is improving with some of friends from India and other
part of world, and It's beginning to more powerful project that it is
with *your
feedback and suggestions*. We also doing preparation for defcon demo labs
in next few days, I hope we could learn more from there to find a better
path for contributing the project.



Sincerely yours,
Ali Razmjoo <https://twitter.com/Ali_Razmjo0>

Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
OWASP ZSC Project Leader
<https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project>


On Sat, Jul 30, 2016 at 3:39 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Hi,
> So how does this educate developers or help improve security/secure
> development?
> Thanks,
> Eoin.
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 30 Jul 2016, at 02:40, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
>
> >>Could you connect the dots to OWASP's mission?
>
> Sure, and  thank you for your interest.
>
> You can use shellcode in multiple ways a you know, such as web payloads,
> that exploit misconfigurations of web servers (such as HTTP method
> PUT/DELETE methods). As explained on the OWASP top ten on the section
> Security Misconfigurations.
> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
> A web payload loaded using a weakness in a misconfiguration (PUT method
> allowed and WebDav enabled) will allow you to connect using a reverse shell
> , all thanks to shellcode ;-)
> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
>
> Or how Angler exploit kit works using a drive-by-download/web attack using
> obfuscated javascript code,:
> https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
>
> ZSC is not only a shellcoder but also an obfuscator for web files in PHP,
> Ruby, Javascript  and Python among different languages and obfuscation
> algorithms As an obfuscation tool that can be used during CTF games and
> more. Our dots with web security are also into the research of obfuscation
> as explained in this book:
>
>
> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
>
> In the upcoming modules, we are planning to program and experiment with
> more sophisticated obfuscation modules and explore the limits this area has
> to offer:
> https://eprint.iacr.org/2015/793.pdf
>
> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
>
> Our goal is to provide more information on this subject which is related
> to web application security  but definitely with a strong link to network
> and OS security.
>
> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>
>> Thanks for that. I'm quite familiar with shellcode. Could you connect the
>> dots to OWASP's mission?
>>
>> --Jeff
>> _____________________________
>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>> Sent: Friday, July 29, 2016 8:12 PM
>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>> To: Jeff Williams <jeff.williams at owasp.org>
>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
>> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
>> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>>
>>
>>
>> Jeff
>>
>> The best would be to read the documentation to get a sense of what is
>> what the tool does
>>
>> Which is a shellcode generator, similar to msfvenom, off course , still
>> in development but with very interesting features:
>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>>
>>
>>
>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>>
>>> Not sure I quite get this. Could you explain the field of use for this
>>> tool?  Thx,
>>>
>>> --Jeff
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>> Hi All,
>>>>
>>>> We kindly invite you to check out OWASP ZSC project ,some major rework
>>>> has been done lately:
>>>>
>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>>
>>>> Thank you to all these amazing volunteers for their efforts:
>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>>
>>>> Please we invite you to try out the project and let us know your
>>>> experience.
>>>>
>>>> Your feedback is very important to us.
>>>>
>>>> Thank you for your time and consideration
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160730/c737f14c/attachment.html>


More information about the OWASP-Leaders mailing list