[Owasp-leaders] Update: OWASP ZSC Version 1.1.0

John Patrick Lita john.patrick.lita at owasp.org
Sun Jul 31 02:23:49 UTC 2016


Johanna

Great! In real-world exploitation, testers have their own approach in
testing a web and mobile application. A better explanation with the cause
and effect would be helpful.

*John Patrick Lita *
Project Manager at Enterprise Linux Professional
OWASP Manila chapter chairman
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
<https://www.owasp.org/index.php/Manila>
<https://lists.owasp.org/mailman/listinfo/owasp-manila>

On Sun, Jul 31, 2016 at 12:40 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> John
>
> We are definitely going to work on a practical tutorial regarding how
> misconfigurations in a web server lead to exploitation, just as explained
> in the OWASP top ten doc, and the role of shellcode and obfuscation.
>
> While the OWASP top ten explains the issue, providing a real-world example
> can be quite effective for sys-admins and developers to understand the
> importance of making sure that they don't leave their servers vulnerable
> because certain HTTP methods are enabled.
>
> While the OWASP testing guide also treats this subject, it does not
> explain how the server is exploited ;-) and that is where shellcode and
> web payloads come into the picture ;-)
>
> https://www.owasp.org/images/4/4c/Introduction_to_shellcode_development.pdf
>
> On Sat, Jul 30, 2016 at 11:39 AM, John Patrick Lita <
> john.patrick.lita at owasp.org> wrote:
>
>> Great job! Very useful in offensive security, testing filters and other
>> security misconfigurations :)
>>
>> If you can create a good tutorial and walkthrough, this is a good resource
>> to add to the OWASP Online Academy!
>>
>> *John Patrick Lita *
>> Project Manager at Enterprise Linux Professional
>> OWASP Manila chapter chairman
>> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
>> <https://www.owasp.org/index.php/Manila>
>> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>>
>> On Sat, Jul 30, 2016 at 9:37 PM, Reza Espargham <reza.espargham at owasp.org
>> > wrote:
>>
>>> Hello,
>>> I'm seeing an awesome perspective for this project in the future if you
>>> develop the obfuscating part. Good job.
>>>
>>> On Sat, Jul 30, 2016 at 6:10 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> >>Could you connect the dots to OWASP's mission?
>>>>
>>>> Sure, and thank you for your interest.
>>>>
>>>> You can use shellcode in multiple ways, as you know, such as web
>>>> payloads that exploit misconfigurations of web servers (such as the HTTP
>>>> PUT/DELETE methods), as explained in the OWASP top ten in the
>>>> section Security Misconfigurations.
>>>> https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
>>>> A web payload loaded using a weakness in a misconfiguration (PUT method
>>>> allowed and WebDAV enabled) will allow you to connect using a reverse
>>>> shell, all thanks to shellcode ;-)
>>>> http://www.sans.org/security-resources/malwarefaq/webdav-exploit.php
>>>>
>>>> Or how the Angler exploit kit works using a drive-by-download/web attack
>>>> using obfuscated JavaScript code:
>>>> https://blogs.sophos.com/2014/03/26/how-malware-works-anatomy-of-a-drive-by-download-web-attack-infographic/
>>>> https://www.owasp.org/images/e/ec/OWASP_Dasient_11_10_10.pdf
>>>>
>>>> ZSC is not only a shellcoder but also an obfuscator for web files in
>>>> PHP, Ruby, JavaScript and Python, among different languages and obfuscation
>>>> algorithms, as an obfuscation tool that can be used during CTF games and
>>>> more. Our dots with web security are also into the research of obfuscation
>>>> as explained in this book:
>>>>
>>>>
>>>> https://books.google.com/books?id=Znxa3zrJWJsC&pg=PA22&lpg=PA22&dq=complex+algorithms+obfuscation&source=bl&ots=0I0tEcgfyM&sig=oo0Ujkg-bHi9IhW77nkaf93r6Gs&hl=en&sa=X&ved=0ahUKEwjfgZjp_5nOAhWIbB4KHWCGClM4ChDoAQgbMAA#v=onepage&q=complex%20algorithms%20obfuscation&f=false
>>>>
>>>> In the upcoming modules, we are planning to program and experiment with
>>>> more sophisticated obfuscation modules and explore the limits this area has
>>>> to offer:
>>>> https://eprint.iacr.org/2015/793.pdf
>>>>
>>>> http://profs.sci.univr.it/~giaco/download/Watermarking-Obfuscation/jhide-report.pdf
>>>>
>>>> Our goal is to provide more information on this subject, which is
>>>> related to web application security but definitely with a strong link to
>>>> network and OS security.
>>>>
>>>> On Fri, Jul 29, 2016 at 8:49 PM, Jeff Williams <jeff.williams at owasp.org
>>>> > wrote:
>>>>
>>>>> Thanks for that. I'm quite familiar with shellcode. Could you connect
>>>>> the dots to OWASP's mission?
>>>>>
>>>>> --Jeff
>>>>> _____________________________
>>>>> From: johanna curiel curiel <johanna.curiel at owasp.org>
>>>>> Sent: Friday, July 29, 2016 8:12 PM
>>>>> Subject: Re: [Owasp-leaders] Update: OWASP ZSC Version 1.1.0
>>>>> To: Jeff Williams <jeff.williams at owasp.org>
>>>>> Cc: <owasp-leaders at lists.owasp.org>, <owasp-community at lists.owasp.org>,
>>>>> Pratik Patel <pratikpatel15133 at gmail.com>, Akash Trehan <
>>>>> akash.trehan123 at gmail.com>, Paras Chetal <paras.chetal at gmail.com>
>>>>>
>>>>>
>>>>>
>>>>> Jeff
>>>>>
>>>>> The best would be to read the documentation to get a sense of what
>>>>> the tool does,
>>>>>
>>>>> which is a shellcode generator, similar to msfvenom, of course,
>>>>> still in development but with very interesting features:
>>>>> https://www.gitbook.com/book/ali-razmjoo/owasp-zsc/details
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Jul 29, 2016 at 6:27 PM, Jeff Williams <
>>>>> jeff.williams at owasp.org> wrote:
>>>>>
>>>>>> Not sure I quite get this. Could you explain the field of use for
>>>>>> this tool?  Thx,
>>>>>>
>>>>>> --Jeff
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jul 29, 2016 at 4:44 PM -0400, "johanna curiel curiel" <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> Hi All,
>>>>>>>
>>>>>>> We kindly invite you to check out the OWASP ZSC project; some major
>>>>>>> rework has been done lately:
>>>>>>>
>>>>>>> https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
>>>>>>>
>>>>>>> Thank you to all these amazing volunteers for their efforts:
>>>>>>> https://magic.piktochart.com/output/15189094-owasp-zsc-team
>>>>>>>
>>>>>>> Please we invite you to try out the project and let us know your
>>>>>>> experience.
>>>>>>>
>>>>>>> Your feedback is very important to us.
>>>>>>>
>>>>>>> Thank you for your time and consideration
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>>
>>> --
>>> Mohammad Reza Espargham <http://www.reza.es>
>>>
>>> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
>>> OWASP VBScan Project Leader
>>> <http://owasp.org/index.php/OWASP_VBScan_Project>
>>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>