[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

Ali Razmjoo ali.razmjoo at owasp.org
Sat Jul 30 16:31:35 UTC 2016


Thanks @Reza, @John for your feedback.

@John, it's a great idea. We can start working on it right after demo labs.

Sincerely yours,
Ali Razmjoo <https://twitter.com/Ali_Razmjo0>

Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
OWASP ZSC Project Leader
<https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project>


On Sat, Jul 30, 2016 at 8:09 PM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> Great job! Very useful in offensive security, testing filters and other
> security misconfigurations :)
>
> If you can create a good tutorial and walkthrough, this is a good resource
> to add to the OWASP Online Academy!
>
> *John Patrick Lita *
> Project Manager at Enterprise Linux Professional
> OWASP Manila chapter chairman
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> https://www.owasp.org/index.php/Manila
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>
> On Sat, Jul 30, 2016 at 9:37 PM, Reza Espargham <reza.espargham at owasp.org>
> wrote:
>
>> Hello,
>> I'm seeing an awesome perspective for this project in the future if you
>> develop the obfuscating part. Good job.
>>
>> On Sat, Jul 30, 2016 at 6:10 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >>Could you connect the dots to OWASP's mission?
>>>
>>> Sure, and thank you for your interest.
>>>
>>> You can use shellcode in multiple ways, as you know, such as web payloads
>>> that exploit misconfigurations of web servers (such as HTTP PUT/DELETE
>>> methods), as explained in the OWASP Top Ten in the section on
>>> Security Misconfiguration.
>>> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
>>> A web payload loaded using a weakness in a misconfiguration (PUT method
>>> allowed and WebDAV enabled) will allow you to connect using a reverse
>>> shell, all thanks to shellcode ;-)
>>> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
>>>
>>> Or how the Angler exploit kit works using a drive-by-download/web attack
>>> using obfuscated JavaScript code:
>>> https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
>>> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
>>>
>>> ZSC is not only a shellcoder but also an obfuscator for web files in
>>> PHP, Ruby, JavaScript and Python, among different languages and obfuscation
>>> algorithms, as an obfuscation tool that can be used during CTF games and
>>> more. Our dots with web security are also into the research of obfuscation,
>>> as explained in this book:
>>>
>>>
>>> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
>>>
>>> In the upcoming modules, we are planning to program and experiment with
>>> more sophisticated obfuscation modules and explore the limits this area has
>>> to offer:
>>> https://eprint.iacr.org/2015/793.pdf
>>>
>>> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
>>>
>>> Our goal is to provide more information on this subject, which is related
>>> to web application security but definitely with a strong link to network
>>> and OS security.
>>>
>>> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>>
>>>> Thanks for that. I'm quite familiar with shellcode. Could you connect
>>>> the dots to OWASP's mission?
>>>>
>>>> --Jeff
>>>> _____________________________
>>>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>>>> Sent: Friday, July 29, 2016 8:12 PM
>>>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>>>> To: Jeff Williams <jeff.williams at owasp.org>
>>>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
>>>> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
>>>> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>>>>
>>>>
>>>>
>>>> Jeff
>>>>
>>>> The best would be to read the documentation to get a sense of what
>>>> the tool does, which is a shellcode generator, similar to msfvenom, of
>>>> course, still in development but with very interesting features:
>>>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>>>>
>>>>
>>>>
>>>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org
>>>> > wrote:
>>>>
>>>>> Not sure I quite get this. Could you explain the field of use for this
>>>>> tool?  Thx,
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Hi All,
>>>>>>
>>>>>> We kindly invite you to check out the OWASP ZSC project; some major
>>>>>> rework has been done lately:
>>>>>>
>>>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>>>>
>>>>>> Thank you to all these amazing volunteers for their efforts:
>>>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>>>>
>>>>>> Please we invite you to try out the project and let us know your
>>>>>> experience.
>>>>>>
>>>>>> Your feedback is very important to us.
>>>>>>
>>>>>> Thank you for your time and consideration
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> Mohammad Reza Espargham <http://www.reza.es>
>>
>> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
>> OWASP VBScan Project Leader
>> <http://owasp.org/index.php/OWASP_VBScan_Project>
>>
>>
>