[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

Reza Espargham reza.espargham at owasp.org
Sat Jul 30 13:37:17 UTC 2016


Hello,
I'm seeing an awesome perspective for this project in the future if you
develop the obfuscating part. Good job.

On Sat, Jul 30, 2016 at 6:10 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >>Could you connect the dots to OWASP's mission?
>
> Sure, and thank you for your interest.
>
> You can use shellcode in multiple ways, as you know, such as web payloads
> that exploit misconfigurations of web servers (such as the HTTP PUT/DELETE
> methods), as explained in the OWASP Top Ten in the section Security
> Misconfiguration:
> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
> A web payload loaded using a weakness in a misconfiguration (PUT method
> allowed and WebDAV enabled) will allow you to connect using a reverse shell,
> all thanks to shellcode ;-)
> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
>
> Or how the Angler exploit kit works, using a drive-by-download/web attack
> with obfuscated JavaScript code:
> https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
>
> ZSC is not only a shellcoder but also an obfuscator for web files in PHP,
> Ruby, JavaScript and Python, among other languages and obfuscation
> algorithms, and an obfuscation tool that can be used during CTF games and
> more. Our dots with web security are also in the research of obfuscation,
> as explained in this book:
>
>
> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
>
> In the upcoming modules, we are planning to program and experiment with
> more sophisticated obfuscation modules and explore the limits this area has
> to offer:
> https://eprint.iacr.org/2015/793.pdf
>
> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
>
> Our goal is to provide more information on this subject, which is related
> to web application security but definitely has a strong link to network
> and OS security.
>
> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org>
> wrote:
>
>> Thanks for that. I'm quite familiar with shellcode. Could you connect the
>> dots to OWASP's mission?
>>
>> --Jeff
>> _____________________________
>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>> Sent: Friday, July 29, 2016 8:12 PM
>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>> To: Jeff Williams <jeff.williams at owasp.org>
>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
>> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
>> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>>
>>
>>
>> Jeff
>>
>> The best would be to read the documentation to get a sense of what the
>> tool does.
>>
>> It is a shellcode generator, similar to msfvenom, of course still
>> in development but with very interesting features:
>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>>
>>
>>
>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>>
>>> Not sure I quite get this. Could you explain the field of use for this
>>> tool?  Thx,
>>>
>>> --Jeff
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi All,
>>>>
>>>> We kindly invite you to check out the OWASP ZSC project; some major rework
>>>> has been done lately:
>>>>
>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>>
>>>> Thank you to all these amazing volunteers for their efforts:
>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>>
>>>> Please try out the project and let us know your
>>>> experience.
>>>>
>>>> Your feedback is very important to us.
>>>>
>>>> Thank you for your time and consideration
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
Mohammad Reza Espargham <http://www.reza.es>

Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
OWASP VBScan Project Leader
<http://owasp.org/index.php/OWASP_VBScan_Project>
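The misconfiguration Johanna points to above (a web server that honours HTTP PUT, so an attacker can drop a web payload and then call back with a reverse shell) is something a tester checks for before reaching for any shellcode at all. The following is an added example, not code from this thread or from the OWASP ZSC project: a small Python probe that reads the server's Allow header, PUTs a harmless marker file, confirms the marker is actually served back, and DELETEs it again. It is run against two constructed local servers, one accepting PUT (the weak setting) and one refusing it with 405 (the fix), so the whole thing works offline. The probe path, the marker body and both server classes are assumptions made for the demo.

```python
"""Added example, not part of the OWASP ZSC project or this thread: probe a web
server for the misconfiguration discussed above, an HTTP PUT the server honours
(WebDAV-style upload), which is what lets an attacker drop a web payload.
Two constructed local servers stand in for the weak and the hardened host."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

PROBE_PATH = "/put_probe_marker.txt"          # assumption: an unused filename
PROBE_BODY = b"put-probe marker, safe to delete\n"   # constructed marker


def check_put_allowed(base_url, path=PROBE_PATH, timeout=5):
    """Return a dict: Allow header, PUT status, whether the upload was served
    back (the condition that actually matters), and whether cleanup worked."""
    u = urlparse(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    res = {"allow_header": None, "put_status": None,
           "put_allowed": False, "cleaned_up": None}

    conn.request("OPTIONS", "/")                  # what the server advertises
    r = conn.getresponse(); r.read()
    res["allow_header"] = r.getheader("Allow")

    conn.request("PUT", path, body=PROBE_BODY,    # what it actually accepts
                 headers={"Content-Type": "text/plain"})
    r = conn.getresponse(); r.read()
    res["put_status"] = r.status

    if 200 <= r.status < 300:
        conn.request("GET", path)                 # is the upload served back?
        r = conn.getresponse()
        res["put_allowed"] = r.status == 200 and r.read() == PROBE_BODY
        conn.request("DELETE", path)              # leave nothing behind
        r = conn.getresponse(); r.read()
        res["cleaned_up"] = r.status in (200, 204)
    conn.close()
    return res


class MisconfiguredDAV(BaseHTTPRequestHandler):
    """Constructed stand-in for the weak setting: PUT and DELETE enabled."""
    store = {}                                    # path -> uploaded bytes

    def log_message(self, *args):                 # keep the demo quiet
        pass

    def _reply(self, status, body=b"", allow=None):
        self.send_response(status)
        if allow:
            self.send_header("Allow", allow)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _body(self):
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))

    def do_OPTIONS(self):
        self._reply(200, allow="OPTIONS, GET, PUT, DELETE")

    def do_PUT(self):
        self.store[self.path] = self._body()
        self._reply(201)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_DELETE(self):
        self.store.pop(self.path, None)
        self._reply(204)


class HardenedServer(MisconfiguredDAV):
    """Constructed stand-in for the fix: unsafe methods refused with 405."""
    def do_OPTIONS(self):
        self._reply(200, allow="OPTIONS, GET")

    def do_PUT(self):
        self._body()                              # drain the body, then refuse
        self._reply(405, allow="OPTIONS, GET")

    do_DELETE = do_PUT


def serve(handler):
    """Start a handler on a free loopback port in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1], srv


def demo():
    """Probe both constructed servers and return their results by name."""
    weak_url, weak = serve(MisconfiguredDAV)
    hard_url, hard = serve(HardenedServer)
    try:
        return {"misconfigured": check_put_allowed(weak_url),
                "hardened": check_put_allowed(hard_url)}
    finally:
        for srv in (weak, hard):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, res in demo().items():
        print(name, res)
```

The probe deliberately does not trust the Allow header alone: servers often advertise methods they refuse, or accept methods they do not list, so the verdict is based on whether the uploaded marker is served back. Against a real host, point `check_put_allowed` at the target base URL and leave the marker path somewhere you are authorised to write.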