[OWASP-Raleigh, NC] Owasp-raleigh Digest, Vol 7, Issue 6

Fred Williams Fred.Williams at sas.com
Thu Jun 11 12:22:22 EDT 2009


Thanks for the recap.... I had a family emergency and was unable to attend.  I will be at next month's meeting so I will be a little behind the group.

fred


-----Original Message-----
From: owasp-raleigh-bounces at lists.owasp.org [mailto:owasp-raleigh-bounces at lists.owasp.org] On Behalf Of owasp-raleigh-request at lists.owasp.org
Sent: Thursday, June 11, 2009 12:00 PM
To: owasp-raleigh at lists.owasp.org
Subject: Owasp-raleigh Digest, Vol 7, Issue 6

Send Owasp-raleigh mailing list submissions to
	owasp-raleigh at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.owasp.org/mailman/listinfo/owasp-raleigh
or, via email, send a message with subject or body 'help' to
	owasp-raleigh-request at lists.owasp.org

You can reach the person managing the list at
	owasp-raleigh-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Owasp-raleigh digest..."


Today's Topics:

   1. June Meeting Recap (Michael Menefee)
   2. Re: June Meeting Recap (Steve Pinkham)


----------------------------------------------------------------------

Message: 1
Date: Thu, 11 Jun 2009 08:26:25 -0400
From: Michael Menefee <mmenefee at gmail.com>
Subject: [OWASP-Raleigh, NC] June Meeting Recap
To: "owasp-raleigh at lists.owasp.org" <owasp-raleigh at lists.owasp.org>
Message-ID: <4A30F7F1.3050209 at wireheadsecurity.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Thanks to everyone who showed up and participated in last night's 
meeting. As promised, here is a list of the tools and resources we 
either demonstrated or discussed:

_*Proxy Servers:*_
*WebScarab*: 
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
*Burp:* http://www.portswigger.net/suite/download.html
*Paros:* http://www.parosproxy.org/download.shtml

_*Firefox Plugins:*_
*Tamper Data:* https://addons.mozilla.org/en-US/firefox/addon/966
*NoScript:* http://noscript.net/getit
*ShowIP:* https://addons.mozilla.org/en-US/firefox/addon/590
*SwitchProxy:* https://addons.mozilla.org/en-US/firefox/addon/125
*SQL Inject Me*: https://addons.mozilla.org/en-US/firefox/addon/7597
*XSS Me:* https://addons.mozilla.org/en-US/firefox/addon/7598
*ViewStatePeeker*: https://addons.mozilla.org/en-US/firefox/addon/7167

Many of these are included in a single plugin distribution here: 
https://addons.mozilla.org/en-US/firefox/collection/webappsec

_*Some SQL Injection Tools we Discussed:*_

SQLMap: http://sqlmap.sourceforge.net/
SQLNinja: http://sqlninja.sourceforge.net/
Pangolin: http://www.nosec.org/en/pangolin.html

_*Test Applications that won't land you in Prison:*_
WebGoat: 
http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp 
(look under SASS Tools)

    * http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
    * http://testasp.acunetix.com/Default.asp
    * http://test.acunetix.com/
    * http://hackme.ntobjectives.com/
    * http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
    * http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
    * http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
    * http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
    * http://zero.webappsecurity.com/
    * http://www.hackertest.net/
    * http://www.hackthissite.org/
    * http://www.mavensecurity.com/WebMaven.php
    * http://ha.ckers.org/challenge/
    * http://ha.ckers.org/challenge2/
    * http://demo.testfire.net/
    * http://scanme.nmap.org/
    * http://www.hellboundhackers.org/
    * http://www.overthewire.org/wargames/
    * http://roothack.org/
    * http://heorot.net/
    * http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10

    * http://wocares.com/xsstester.php
    * https://how2hack.net
    * http://hax.tor.hu/


Enjoy!

Mike
-- 
Michael S. Menefee, CISSP (#43728)
Principal Consultant, WireHead Security
North Carolina OWASP Chapter Leader
Phone: (919) 863-4373
Cell: (919) 271-8883
Fax: (919) 882-8044
Email: mmenefee at wireheadsecurity.com <mailto:mmenefee at wireheadsecurity.com>
Website: www.wireheadsecurity.com <http://www.wireheadsecurity.com/>



------------------------------

Message: 2
Date: Thu, 11 Jun 2009 11:56:14 -0400
From: Steve Pinkham <steve.pinkham at gmail.com>
Subject: Re: [OWASP-Raleigh, NC] June Meeting Recap
To: "owasp-raleigh at lists.owasp.org" <owasp-raleigh at lists.owasp.org>
Message-ID: <4A31291E.60509 at gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

A few more of my favorite things:

*VMs/LiveCDs with many of the discussed tools installed and configured, 
great for testing out the tools without the headache:*
   Samurai Web Testing Framework:
     http://samurai.inguardians.com/
   Owasp LiveCD:
     http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

*VMs with test vulnerable apps:*
   Moth:
     http://www.bonsai-sec.com/en/research/moth.php

*Firefox Plugins*
   Foxy Proxy: another proxy switcher that can also selectively send 
traffic to proxies by matching with regexes.
     https://addons.mozilla.org/en-US/firefox/addon/2464
   WinINet detour: redirects a single IE window to a proxy instead of the 
whole system. Works fine with IE 6 and 7; doesn't seem to work with IE8.
     http://portswigger.net/misc/

*W3af notes:*
If you want to try w3af, I highly recommend pulling from SVN.  The 
latest development code is of higher quality than the release.
Samurai WTF has w3af installed with one-click SVN update.
The w3af user's guide has good install docs and getting-started info. 
http://w3af.svn.sourceforge.net/viewvc/w3af/trunk/readme/EN/w3afUsersGuide.pdf
Python 2.5 or 2.6 is now supported, but otherwise it's up to date.

*Related Books/Learning Resources:*
   Web Application Hacker's Handbook: the gold standard in appsec books
   at the moment.  Lots of info on how to actually find flaws, as well 
as what the flaws are:
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778

   Ajax Security: a less comprehensive but more approachable book than 
Web Application Hacker's Handbook (WAHH).  Clear layman's explanation of 
what the problems are. Makes an excellent intro book or something to 
give to your devs, where WAHH is geared more towards practitioners.
     http://www.amazon.com/Ajax-Security-Billy-Hoffman/dp/0321491939/

Both the above books are also available through the O'Reilly Safari 
service.  If you read a lot of tech books and can stand reading on the 
screen, it's a good buy...

   OWASP Testing Guide: good, free, more discussion on SDLC than the 
others.  Most sections have references for more in-depth details:
     http://www.owasp.org/index.php/Category:OWASP_Testing_Project
     This and many other OWASP resources are also available printed dirt 
cheap from Lulu, for dead-tree fans:
       http://stores.lulu.com/owasp


Michael Menefee wrote:
> Thanks to everyone who showed up and participated in last night's 
> meeting. As promised, here is a list of the tools and resources we 
> either demonstrated or discussed:
> 
> _*Proxy Servers:*_
> *WebScarab*: 
> http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
> *Burp:* http://www.portswigger.net/suite/download.html
> *Paros:* http://www.parosproxy.org/download.shtml
> 
> _*Firefox Plugins:*_
> *Tamper Data:* https://addons.mozilla.org/en-US/firefox/addon/966
> *NoScript:* http://noscript.net/getit
> *ShowIP:* https://addons.mozilla.org/en-US/firefox/addon/590
> *SwitchProxy:* https://addons.mozilla.org/en-US/firefox/addon/125
> *SQL Inject Me*: https://addons.mozilla.org/en-US/firefox/addon/7597
> *XSS Me:* https://addons.mozilla.org/en-US/firefox/addon/7598
> *ViewStatePeeker*: https://addons.mozilla.org/en-US/firefox/addon/7167
> 
> Many of these are included in a single plugin distribution here: 
> https://addons.mozilla.org/en-US/firefox/collection/webappsec
> 
> _*Some SQL Injection Tools we Discussed:*_
> 
> SQLMap: http://sqlmap.sourceforge.net/
> SQLNinja: http://sqlninja.sourceforge.net/
> Pangolin: http://www.nosec.org/en/pangolin.html
> 
> _*Test Applications that won't land you in Prison:*_
> WebGoat: 
> http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
> Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp 
> (look under SASS Tools)
> 
>     * http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>     * http://testasp.acunetix.com/Default.asp
>     * http://test.acunetix.com/
>     * http://hackme.ntobjectives.com/
>     * http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
>     * http://zero.webappsecurity.com/
>     * http://www.hackertest.net/
>     * http://www.hackthissite.org/
>     * http://www.mavensecurity.com/WebMaven.php
>     * http://ha.ckers.org/challenge/
>     * http://ha.ckers.org/challenge2/
>     * http://demo.testfire.net/
>     * http://scanme.nmap.org/
>     * http://www.hellboundhackers.org/
>     * http://www.overthewire.org/wargames/
>     * http://roothack.org/
>     * http://heorot.net/
>     * http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
> 
>     * http://wocares.com/xsstester.php
>     * https://how2hack.net
>     * http://hax.tor.hu/
> 
> 
> Enjoy!
> 
> Mike


-- 
  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |


------------------------------

_______________________________________________
Owasp-raleigh mailing list
Owasp-raleigh at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-raleigh


End of Owasp-raleigh Digest, Vol 7, Issue 6
*******************************************



More information about the Owasp-raleigh mailing list