[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

John Patrick Lita john.patrick.lita at owasp.org
Sat Jul 30 15:39:16 UTC 2016


Great job! Very useful in offensive security, testing filters and other
security misconfigurations :)

If you can create a good tutorial and walkthrough, this is a good resource
to add to the OWASP Online Academy!

John Patrick Lita
Project Manager at Enterprise Linux Professional
OWASP Manila chapter chairman
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
https://www.owasp.org/index.php/Manila
<https://lists.owasp.org/mailman/listinfo/owasp-manila>

On Sat, Jul 30, 2016 at 9:37 PM, Reza Espargham <reza.espargham at owasp.org>
wrote:

> Hello,
> I'm seeing an awesome perspective for this project in the future if you
> develop the obfuscating part. Good job.
>
> On Sat, Jul 30, 2016 at 6:10 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> > Could you connect the dots to OWASP's mission?
>>
>> Sure, and thank you for your interest.
>>
>> You can use shellcode in multiple ways, as you know, such as web payloads
>> that exploit misconfigurations of web servers (such as the HTTP PUT/DELETE
>> methods), as explained in the OWASP Top Ten in the section Security
>> Misconfiguration.
>> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
>> A web payload loaded using a weakness in a misconfiguration (PUT method
>> allowed and WebDAV enabled) will allow you to connect using a reverse
>> shell, all thanks to shellcode ;-)
>> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
>>
>> Or how the Angler exploit kit works, using a drive-by-download web attack
>> with obfuscated JavaScript code:
>> https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
>> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
>>
>> ZSC is not only a shellcoder but also an obfuscator for web files in PHP,
>> Ruby, JavaScript and Python, among other languages and obfuscation
>> algorithms: an obfuscation tool that can be used during CTF games and
>> more. Our dots with web security are also in the research of obfuscation,
>> as explained in this book:
>>
>>
>> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
>>
>> In the upcoming modules, we are planning to program and experiment with
>> more sophisticated obfuscation modules and explore the limits this area has
>> to offer:
>> https://eprint.iacr.org/2015/793.pdf
>>
>> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
>>
>> Our goal is to provide more information on this subject, which is related
>> to web application security but definitely with a strong link to network
>> and OS security.
>>
>> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org>
>> wrote:
>>
>>> Thanks for that. I'm quite familiar with shellcode. Could you connect
>>> the dots to OWASP's mission?
>>>
>>> --Jeff
>>> _____________________________
>>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>>> Sent: Friday, July 29, 2016 8:12 PM
>>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>>> To: Jeff Williams <jeff.williams at owasp.org>
>>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
>>> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
>>> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>>>
>>>
>>>
>>> Jeff
>>>
>>> The best would be to read the documentation to get a sense of what the
>>> tool does.
>>>
>>> It is a shellcode generator, similar to msfvenom, of course, still
>>> in development but with very interesting features:
>>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>>>
>>>
>>>
>>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>>
>>>> Not sure I quite get this. Could you explain the field of use for this
>>>> tool? Thx,
>>>>
>>>> --Jeff
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> We kindly invite you to check out the OWASP ZSC project; some major rework
>>>>> has been done lately:
>>>>>
>>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>>>
>>>>> Thank you to all these amazing volunteers for their efforts:
>>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>>>
>>>>> Please, we invite you to try out the project and let us know your
>>>>> experience.
>>>>>
>>>>> Your feedback is very important to us.
>>>>>
>>>>> Thank you for your time and consideration
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> Mohammad Reza Espargham <http://www.reza.es>
>
> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
> OWASP VBScan Project Leader
> <http://owasp.org/index.php/OWASP_VBScan_Project>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
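The misconfiguration Johanna points to above (HTTP PUT/DELETE allowed together with WebDAV) is one an administrator can check for from the server's own OPTIONS response. The script below is an added, defender-side example written for this page; it is not code from the OWASP ZSC project or from anyone in the thread. It parses a raw HTTP response, reports which write and WebDAV methods the server advertises, and rates the combination. Both responses it inspects are constructed sample data, and the header parsing, method sets and risk labels are this example's own choices, not a standard.

```python
"""
Defender-side check: does an HTTP OPTIONS response advertise write methods
(PUT/DELETE/PATCH) together with WebDAV?  That pairing is the "PUT allowed
and WebDAV enabled" misconfiguration discussed in the thread.

Added example; not part of OWASP ZSC or the mailing-list thread.
The two responses below are constructed for illustration.
"""
from typing import Dict, List, Set

# Methods that let a client create, modify or delete server-side content.
WRITE_METHODS: Set[str] = {"PUT", "DELETE", "PATCH"}

# WebDAV methods (RFC 4918); advertising any of them means WebDAV is active.
WEBDAV_METHODS: Set[str] = {
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def parse_http_head(raw: str) -> Dict[str, str]:
    """Parse the status line and headers of a raw HTTP/1.x response.

    Returns a dict keyed by lowercase header name.  Repeated headers are
    joined with commas, which is valid for list-valued headers such as Allow.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def split_methods(value: str) -> Set[str]:
    """Turn 'GET, post ,PUT' into {'GET', 'POST', 'PUT'}."""
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def assess_options_response(raw: str) -> Dict[str, object]:
    """Rate an OPTIONS response: 'low', 'medium' or 'high' plus findings."""
    headers = parse_http_head(raw)
    allowed = split_methods(headers.get("allow", ""))
    # Some older servers list methods in a "Public" header instead of Allow.
    allowed |= split_methods(headers.get("public", ""))

    webdav = bool(allowed & WEBDAV_METHODS) or "dav" in headers
    write = sorted(allowed & WRITE_METHODS)
    findings: List[str] = []
    if write:
        findings.append(f"write methods advertised: {', '.join(write)}")
    if webdav:
        findings.append("WebDAV enabled (DAV header or WebDAV methods present)")
    if write and webdav:
        risk = "high"
        findings.append(
            "PUT/DELETE together with WebDAV: verify that these methods are "
            "authenticated or disabled, otherwise files can be written to the web root"
        )
    elif write or webdav:
        risk = "medium"
    else:
        risk = "low"
    return {"allowed": sorted(allowed), "webdav": webdav, "risk": risk, "findings": findings}


# Constructed sample: a server exposing WebDAV plus PUT/DELETE.
MISCONFIGURED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "DAV: 1,2\r\n"
    "Allow: OPTIONS,GET,HEAD,POST,PUT,DELETE,PROPFIND,PROPPATCH,MKCOL,COPY,MOVE,LOCK,UNLOCK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same server after hardening.  Typical fixes are
# disabling the DAV module and restricting methods, e.g. in Apache
#   <LimitExcept GET POST HEAD OPTIONS> Require all denied </LimitExcept>
# or in nginx
#   limit_except GET POST HEAD { deny all; }
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        result = assess_options_response(raw)
        print(f"{label}: risk={result['risk']} allowed={result['allowed']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

In practice you would feed the function the bytes returned by an OPTIONS request against your own host; note that an advertised method is not proof of an exploitable server (authentication may still be enforced), so a "high" rating is a prompt to verify the configuration, not a confirmed finding.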