[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

johanna curiel curiel johanna.curiel at owasp.org
Sat Jul 30 16:40:34 UTC 2016


John

We are definitely going to work on a practical tutorial regarding how
misconfigurations in a web server leads to exploitation, just as explained
in the OWAPS top ten doc, and the role of shellcode and obfuscation.

While the OWASP top ten explains the issue, providing a real world example
can be quite effective for sys-admin and developers to understand the
importance of making sure that they don't leave their servers vulnerable
because certain HTTP methods are enabled.

While The OWASP testing guide also treats this subject, it does not explain
how the server is exploited  ;-) and that is where Shellcode and web
payloads come in the picture ;-)






https://www.owasp.org/images/4/4c/Introduction_to_shellcode_development.pdf



On Sat, Jul 30, 2016 at 11:39 AM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> Great Job Very useful in offensive security, testing Filters and other
> security misconfiguration :)
>
> if you can create a good tutorial and walkthrough this is a good resource
> to add on the OWASP Online Academy!
>
> *John Patrick Lita *
> Project Manager at Enterprise Linux Professional
> OWASP Manila chapter chairman
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> *https://www.owasp.org/index.php/Manila
> <https://www.owasp.org/index.php/Manila>*
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>
> On Sat, Jul 30, 2016 at 9:37 PM, Reza Espargham <reza.espargham at owasp.org>
> wrote:
>
>> Hello,
>> I'm seeing an awesome perspective for this project in future if you
>> develop obfuscating part. Good job.
>>
>> On Sat, Jul 30, 2016 at 6:10 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >>Could you connect the dots to OWASP's mission?
>>>
>>> Sure, and  thank you for your interest.
>>>
>>> You can use shellcode in multiple ways a you know, such as web payloads,
>>> that exploit misconfigurations of web servers (such as HTTP method
>>> PUT/DELETE methods). As explained on the OWASP top ten on the section
>>> Security Misconfigurations.
>>> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
>>> A web payload loaded using a weakness in a misconfiguration (PUT method
>>> allowed and WebDav enabled) will allow you to connect using a reverse shell
>>> , all thanks to shellcode ;-)
>>> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
>>>
>>> Or how Angler exploit kit works using a drive-by-download/web attack
>>> using obfuscated javascript code,:
>>> https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
>>> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
>>>
>>> ZSC is not only a shellcoder but also an obfuscator for web files in
>>> PHP, Ruby, Javascript  and Python among different languages and obfuscation
>>> algorithms As an obfuscation tool that can be used during CTF games and
>>> more. Our dots with web security are also into the research of obfuscation
>>> as explained in this book:
>>>
>>>
>>> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
>>>
>>> In the upcoming modules, we are planning to program and experiment with
>>> more sophisticated obfuscation modules and explore the limits this area has
>>> to offer:
>>> https://eprint.iacr.org/2015/793.pdf
>>>
>>> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
>>>
>>> Our goal is to provide more information on this subject which is related
>>> to web application security  but definitely with a strong link to network
>>> and OS security.
>>>
>>> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org>
>>> wrote:
>>>
>>>> Thanks for that. I'm quite familiar with shellcode. Could you connect
>>>> the dots to OWASP's mission?
>>>>
>>>> --Jeff
>>>> _____________________________
>>>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>>>> Sent: Friday, July 29, 2016 8:12 PM
>>>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>>>> To: Jeff Williams <jeff.williams at owasp.org>
>>>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
>>>> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
>>>> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>>>>
>>>>
>>>>
>>>> Jeff
>>>>
>>>> The best would be to read the documentation to get a sense of what is
>>>> what the tool does
>>>>
>>>> Which is a shellcode generator, similar to msfvenom, off course , still
>>>> in development but with very interesting features:
>>>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>>>>
>>>>
>>>>
>>>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <jeff.williams at owasp.org
>>>> > wrote:
>>>>
>>>>> Not sure I quite get this. Could you explain the field of use for this
>>>>> tool?  Thx,
>>>>>
>>>>> --Jeff
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Hi All,
>>>>>>
>>>>>> We kindly invite you to check out OWASP ZSC project ,some major
>>>>>> rework has been done lately:
>>>>>>
>>>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>>>>
>>>>>> Thank you to all these amazing volunteers for their efforts:
>>>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>>>>
>>>>>> Please we invite you to try out the project and let us know your
>>>>>> experience.
>>>>>>
>>>>>> Your feedback is very important to us.
>>>>>>
>>>>>> Thank you for your time and consideration
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>>
>> --
>> Mohammad Reza Espargham <http://www.reza.es>
>>
>> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
>> OWASP VBScan Project Leader
>> <http://owasp.org/index.php/OWASP_VBScan_Project>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160730/f4905934/attachment-0001.html>


More information about the OWASP-Leaders mailing list