[OWASP-Raleigh, NC] June Meeting Recap

Enders, Hans hans.enders at hp.com
Thu Jun 11 16:39:23 EDT 2009

And two free ones I forgot from my own neck of the woods.  Both are obviously teasers from HP ASC, but may be useful for some here.

1. Scrawlr - site crawler that identifies SQLi vulns, "scrawl-er", no auth features, no exploitation features, June 2008.

	https://download.spidynamics.com/Products/scrawlr/ - fill out form to retrieve the MSI file (or I can send it out to you).

	This was sent out en masse to the Microsoft IIS developer community last year as a helper tool for the SQLi attacks that were sweeping the Net.

2.  SWFScan - decompiles and scans SWF Flash files (v9 and earlier) for vulnerabilities, "swiff-scan", March 2009.

	* Download Page: http://www.hp.com/go/swfscan 
	* Initial FAQ - http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2009/03/20/hp-swfscan-faq.aspx?jumpid=reg_R1002_USEN
	* On-going user forum - http://www.communities.hp.com/securitysoftware/forums/612.aspx 
	* Supporting Adobe security article - http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html 

"Habeas data"

-----Original Message-----
From: owasp-raleigh-bounces at lists.owasp.org [mailto:owasp-raleigh-bounces at lists.owasp.org] On Behalf Of Steve Pinkham
Sent: Thursday, June 11, 2009 11:56 AM
To: owasp-raleigh at lists.owasp.org
Subject: Re: [OWASP-Raleigh, NC] June Meeting Recap

A few more of my favorite things:

*VMs/livecds with many of the discussed tools installed and configured- great for testing out the tools without the headache:*
   Samurai Web Testing Framework:
   OWASP LiveCD:

*VMs with test vulnerable apps:*

*Firefox Plugins*
   Foxy Proxy: another proxy switcher that can also selectively send traffic to proxies by matching w/ regexs.
   WinINet detour: Redirect single IE window to a proxy instead of the whole system. Works fine with IE 6 and 7, doesn't seem to work with IE8.

*W3af notes:*
If you want to try w3af, I highly recommend pulling from SVN.  The latest development code is of higher quality than the release.
Samurai WTF has w3af installed with one-click SVN update.
The w3af users guide has good install docs and getting started info. 
Python 2.5 or 2.6 are now supported, but otherwise it's up to date.

*Related Books/Learning Resources:*
   Web Application Hackers Handbook- The gold standard in appsec books at the moment.  Lots of info on how to actually find flaws, as well as what the flaws are:

   Ajax Security: A less comprehensive but more approachable book than Web Application Hackers Handbook (WAHH).  Clear layman's explanation of what the problems are. Makes an excellent intro book or something to give to your devs, where WAHH is geared more towards practitioners.

Both the above books are also available through the O'Reilly Safari service.  If you read a lot of tech books and can stand reading on the screen, it's a good buy...

   OWASP Testing Guide- Good, free, more discussion on SDLC than the others.  Most sections have references for more in-depth details:
     This and many other OWASP resources are also available printed dirt cheap from Lulu, for dead tree fans:

Michael Menefee wrote:
> Thanks for everyone that showed up and participated in last night's 
> meeting. As promised, here is a list of the tools and resources we 
> either demonstrated or discussed:
> _*Proxy Servers:*_
> *WebScarab*: http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project#Download
> *Burp:* http://www.portswigger.net/suite/download.html
> *Paros:* http://www.parosproxy.org/download.shtml
> _*Firefox Plugins:*_
> *Tamper Data:* https://addons.mozilla.org/en-US/firefox/addon/966
> *NoScript:* http://noscript.net/getit
> *ShowIP:* https://addons.mozilla.org/en-US/firefox/addon/590
> *SwitchProxy:* https://addons.mozilla.org/en-US/firefox/addon/125
> *SQL Inject Me*: https://addons.mozilla.org/en-US/firefox/addon/7597
> *XSS Me:* https://addons.mozilla.org/en-US/firefox/addon/7598
> *ViewStatePeeker*: https://addons.mozilla.org/en-US/firefox/addon/7167
> Many of these are included in a single plugin distribution here: 
> https://addons.mozilla.org/en-US/firefox/collection/webappsec
> _*Some SQL Injection Tools we Discussed:*_
> SQLMap: http://sqlmap.sourceforge.net/
> SQLNinja: http://sqlninja.sourceforge.net/
> Pangolin: http://www.nosec.org/en/pangolin.html
> _*Test Applications that won't land you in Prison:*_
> WebGoat: http://sourceforge.net/project/showfiles.php?group_id=64424&package_id=61824&release_id=613045
> Hacme Series: http://www.foundstone.com/us/resources-free-tools.asp (look under SASS Tools)
>     * http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
>     * http://testasp.acunetix.com/Default.asp
>     * http://test.acunetix.com/
>     * http://hackme.ntobjectives.com/
>     * http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
>     * http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
>     * http://zero.webappsecurity.com/
>     * http://www.hackertest.net/
>     * http://www.hackthissite.org/
>     * http://www.mavensecurity.com/WebMaven.php
>     * http://ha.ckers.org/challenge/
>     * http://ha.ckers.org/challenge2/
>     * http://demo.testfire.net/
>     * http://scanme.nmap.org/
>     * http://www.hellboundhackers.org/
>     * http://www.overthewire.org/wargames/
>     * http://roothack.org/
>     * http://heorot.net/
>     * http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
>     * http://wocares.com/xsstester.php
>     * https://how2hack.net
>     * http://hax.tor.hu/
> Enjoy!
> Mike

  | Steven E. Pinkham                      |
  | GPG public key ID CD31CAFB             |