[OWASP-Raleigh, NC] June Meeting Recap

Steve Pinkham steve.pinkham at gmail.com
Thu Jun 11 11:56:14 EDT 2009


A few more of my favorite things:

*VMs/LiveCDs with many of the discussed tools installed and configured, 
great for testing out the tools without the headache:*
   Samurai Web Testing Framework:
     http://samurai.inguardians.com/
   Owasp LiveCD:
     http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

*VMs with test vulnerable apps:*
   Moth:
     http://www.bonsai-sec.com/en/research/moth.php

*Firefox Plugins*
   Foxy Proxy: another proxy switcher that can also selectively send 
traffic to proxies by matching with regexes.
     https://addons.mozilla.org/en-US/firefox/addon/2464
   WinINet detour: Redirect single IE window to a proxy instead of the 
whole system. Works fine with IE 6 and 7, doesn't seem to work with IE8.
     http://portswigger.net/misc/

*W3af notes:*
If you want to try w3af, I highly recommend pulling from SVN.  The 
latest development code is of higher quality than the release.
Samurai WTF has w3af installed with one click SVN update.
The w3af users guide has good install docs and getting started info. 
http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/readme/EN/w3afUsersGuide.pdf
Python 2.5 and 2.6 are now supported, but otherwise it's up to date.

*Related Books/Learning Resources:*
   Web Application Hacker's Handbook: the gold standard in appsec books 
   at the moment.  Lots of info on how to actually find flaws, as well 
as what the flaws are:
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778

   Ajax Security: a less comprehensive but more approachable book than 
the Web Application Hacker's Handbook (WAHH).  Clear layman's explanation of 
what the problems are. Makes an excellent intro book or something to 
give to your devs, whereas WAHH is geared more towards practitioners.
     http://www.amazon.com/Ajax-Security-Billy-Hoffman/dp/0321491939/

Both the above books are also available through the O'Reilly Safari 
service.  If you read a lot of tech books and can stand reading on the 
screen, it's a good buy...

   OWASP Testing Guide: good, free, more discussion on SDLC than the 
others.  Most sections have references for more in-depth details:
     http://www.owasp.org/index.php/Category:OWASP_Testing_Project
     This and many other OWASP resources are also available printed dirt 
cheap from Lulu, for dead tree fans:
       http://stores.lulu.com/owasp


Michael Menefee wrote:
> Thanks for everyone that showed up and participated in last night's 
> meeting. As promised, here is a list of the tools and resources we 
> either demonstrated or discussed:
> 
> _*Proxy Servers:*_
> *WebScarab*: 
> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
> *Burp:* http://www.portswigger.net/suite/download.html
> *Paros:* http://www.parosproxy.org/download.shtml
> 
> _*Firefox Plugins:*_
> *Tamper Data:* https://addons.mozilla.org/en-US/firefox/addon/966
> *NoScript:* http://noscript.net/getit
> *ShowIP:* https://addons.mozilla.org/en-US/firefox/addon/590
> *SwitchProxy:* https://addons.mozilla.org/en-US/firefox/addon/125
> *SQL Inject Me*: https://addons.mozilla.org/en-US/firefox/addon/7597
> *XSS Me:* https://addons.mozilla.org/en-US/firefox/addon/7598
> *ViewStatePeeker*: https://addons.mozilla.org/en-US/firefox/addon/7167
> 
> Many of these are included in a single plugin distribution here: 
> https://addons.mozilla.org/en-US/firefox/collection/webappsec
> 
> _*Some SQL Injection Tools we Discussed:*_
> 
> SQLMap: http://sqlmap.sourceforge.net/
> SQLNinja: http://sqlninja.sourceforge.net/
> Pangolin: http://www.nosec.org/en/pangolin.html
> 
> _*Test Applications that won't land you in Prison:*_
> WebGoat: 
> http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
> Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp 
> (look under SASS Tools)
> 
>     * http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>     * http://testasp.acunetix.com/Default.asp
>     * http://test.acunetix.com/
>     * http://hackme.ntobjectives.com/
>     * http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
>     * http://zero.webappsecurity.com/
>     * http://www.hackertest.net/
>     * http://www.hackthissite.org/
>     * http://www.mavensecurity.com/WebMaven.php
>     * http://ha.ckers.org/challenge/
>     * http://ha.ckers.org/challenge2/
>     * http://demo.testfire.net/
>     * http://scanme.nmap.org/
>     * http://www.hellboundhackers.org/
>     * http://www.overthewire.org/wargames/
>     * http://roothack.org/
>     * http://heorot.net/
>     * http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> 
>     * http://wocares.com/xsstester.php
>     * https://how2hack.net
>     * http://hax.tor.hu/
> 
> 
> Enjoy!
> 
> Mike


-- 
  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |

