Friday, 25 July 2014

XXE Exposed Webinar Recording and Slides

In case someone is interested, I had the pleasure of giving a Webinar for eLearnSecurity on Tuesday this week:

  • Webinar Title: "XXE Exposed"
  • Summary: Brief coverage of Web Service types, then SQLi and XSS against Web Services, leading into XXE and XEE attacks and their mitigation. Heavily inspired by the "Practical Web Defense" (PWD) style of pwnage + fixing.

          NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25 
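The mitigation half of the XXE + XEE material above, as an added example that is not from the post or from the webinar: a hardened XML parser built only on Python's standard-library expat bindings. It refuses any entity declaration (internal entities drive XEE / entity-expansion attacks, external ones drive XXE) and never resolves external references or external DTD subsets, so the payload is rejected before anything is expanded. The function names, the flat `(tag, text)` output shape and the three sample documents are assumptions constructed for this demo.

```python
"""Hardened XML parsing with xml.parsers.expat (added demo, not OWTF code).

Rejects XXE (external entity injection) and XEE (entity expansion) input by
refusing every entity declaration and every external entity reference.
The sample documents at the bottom are constructed for this example.
"""
import xml.parsers.expat as expat


class ForbiddenEntity(Exception):
    """Raised when untrusted XML tries to declare or reference an entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML into a flat list of (tag, text) pairs, rejecting any DTD entity.

    Assumed helper for this demo; a real application would feed the same
    hardened parser into its own document model.
    """
    parser = expat.ParserCreate()
    # Never parse parameter entities, which is also how an external DTD
    # subset would be pulled in.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # Internal entities (XEE / billion laughs) and external entities (XXE)
        # both arrive here before any expansion happens, so refusing them
        # here closes both classes at once.
        kind = "external" if system_id is not None else "internal"
        raise ForbiddenEntity(f"{kind} entity declaration '{name}' rejected")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: never resolve an external entity even if one
        # somehow got declared.
        raise ForbiddenEntity(f"external entity reference to {system_id!r} rejected")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref

    elements = []   # completed (tag, text) pairs in document order of end tags
    stack = []      # open elements: [tag, list-of-text-chunks]

    def start(tag, attrs):
        stack.append([tag, []])

    def chars(text):
        # expat may deliver character data in several chunks; collect them.
        if stack:
            stack[-1][1].append(text)

    def end(tag):
        name, parts = stack.pop()
        elements.append((name, "".join(parts).strip()))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return elements


def is_safe_document(data: bytes) -> bool:
    """True if the document parses cleanly without any entity declaration."""
    try:
        parse_untrusted_xml(data)
    except (ForbiddenEntity, expat.ExpatError):
        return False
    return True


# Constructed sample inputs for the demo.
BENIGN = b'<?xml version="1.0"?><order><id>42</id><item>book</item></order>'

# XXE: an external entity pointing at a local file (path is a placeholder).
XXE_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
              b'<order><item>&ext;</item></order>')

# XEE: nested internal entities whose expansion grows exponentially.
XEE_SAMPLE = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE order [<!ENTITY a "aaaaaaaaaa">'
              b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
              b'<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]>'
              b'<order><item>&c;</item></order>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for label, doc in (("XXE", XXE_SAMPLE), ("XEE", XEE_SAMPLE)):
        print(label, "accepted" if is_safe_document(doc) else "rejected")
```

Refusing declarations rather than trying to detect "dangerous" ones is the point: a parser that only blocks `SYSTEM` entities still expands internal ones, which is all an XEE payload needs, and a parser that only caps expansion still fetches external resources. Blocking at declaration time is what libraries such as defusedxml do; doing it by hand here shows why the two handlers are needed.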



Monday, 24 March 2014

OWASP GSoC: call for mentors/co-mentors plz RT!

OWASP received 88 proposals this year, but needs 50+ more mentors or some amazing students will be lost in GSoC 2014. Please don't let this happen; here is what you can do:

Case 1) Mentoring for OWASP projects that are not OWTF
If you are interested in mentoring/co-mentoring OWASP projects that are NOT OWTF:
Step 1) Decide what OWASP project to mentor from here:
https://www.owasp.org/index.php/GSoC2014_Ideas

Step 2) Contact Samantha (samantha.groves at owasp.org) or Kostas (konstantinos at owasp.org) ASAP!
More info: http://lists.owasp.org/pipermail/owasp_project_leader_list/2014-March/000128.html

Case 2) Mentoring for OWASP OWTF 
If you are interested in mentoring/co-mentoring for OWASP OWTF, here is the background:
Step 1) Choose one of the projects below

Step 2) Please contact me ASAP: name.surname@owasp.org -Minor thinking required ;)-

All the top OWASP OWTF candidates are already contributors and/or technically very strong, have solid plans, have a deep understanding of their projects (all of which were carefully discussed and reviewed by the team for feasibility in advance), and mentoring needs will be minimal (i.e. they know what to do).

At this point, we don't know slots or final ranking, but the projects/ideas that we believe have a solid candidate and stand a chance (if the planets and other things align) are as follows:
What do you need to be an OWTF mentor?
  • Must have: 1 x email address @any_domain (i.e. @gmail.com, @owasp.org, etc.)
As stated earlier, OWTF top candidates are very unlikely to bother you with things like "I'm stuck": they are all contributors and/or technically very strong. Mentoring needs are very low, but some of the following would be nice: Infosec OR Python OR JavaScript OR Zest OR Plug-n-Hack knowledge.

Friday, 28 February 2014

Get paid, help OWASP, GSoC 2014 ideas UPDATED, plz RT

Yes folks, it is that awesome time of the year when Google rocks the open source world with their awesome Google Summer of Code again!

This is a quick blog post to let you know that the OWASP OWTF GSoC 2014 ideas have just been updated, there are a few more ideas and most of the existing ones have been improved!
Interested in OWTF? contact me NOW! :)
name.surname@owasp.org
WARNING: minor thinking required to break this pseudo-CAPTCHA! ;)

Not interested in OWTF? check other OWASP projects!
(lots of ideas this year!)


Monday, 13 January 2014

OWTF 0.45.0 "Winter Blizzard" released! plz RT!


OWASP OWTF is always looking for contributors, feedback and new ideas. If you find a bug or have an idea about what OWTF could do, please tell us in our github issue tracker. Thank you!

This is another very significant release which includes the continued outstanding work of:

  1. The 4 x OWASP OWTF GSoC 2013 projects -including post-GSoC improvements- (Sponsored by Google. Thank you!)
  2. Marios Kourtesis's OWASP OWTF botnet mode project (Sponsored by BruCon. Thank you!)

OWASP OWTF GSoC 2014 projects

OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES by Bharadwaj Machiraju (Dedicated Mentor: Krzysztof Kotowicz, Co-Mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren)


OWASP OWTF - Multiprocessing  by Ankush Jindal (Dedicated Mentor: Andrés Riancho, Co-Mentor: Abraham Aranguren)


OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)

OWASP OWTF - Unit Test Framework by Alessandro Fanio González (Dedicated Mentor: Andrés Morales, Co-Mentor: Abraham Aranguren)


Usual background + Disclaimer

OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

OWTF would just not be possible without all the people that contributed in one way or another. To all of you: Thank you!


Release Notes

Change log since OWTF 0.30 "Summer Storm II" (Full change log is here):


14/01/2014 - 0.45.0 "Winter Blizzard" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), Marios Kourtesis (@marioskourtesis) & their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.

Features:

  • OWTF can now be updated using a command line flag <=> Bharadwaj Machiraju (@tunnelshade)
  • A few tools are now proxied through the OWTF inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Httprint signatures updated (still updating) <=> Azeddine Islam Mennouchi
  • Plug-n-Hack Phase I implemented in OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Travis CI is now used to run the tests <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • OWTF inbound proxy can now proxy WebSocket traffic <=> Bharadwaj Machiraju (@tunnelshade)
  • HTTP AUTH support implemented in the OWTF inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
  • Users can run multiple instances of OWTF <=> Bharadwaj Machiraju (@tunnelshade)
  • Outbound SOCKS proxy support implemented <=> Marios Kourtesis (@marioskourtesis)
  • Added nmap to WAF checks <=> Abraham Aranguren (@7a_)
  • Tor mode added to OWTF <=> Marios Kourtesis (@marioskourtesis)
  • New installation procedure added to OWTF <=> Bharadwaj Machiraju (@tunnelshade)

Enhancements:

  • Spiders, Robots and Crawlers grep plugin added <=> Bharadwaj Machiraju (@tunnelshade)
  • Web Services passive discovery plugin improved <=> Bharadwaj Machiraju (@tunnelshade)
  • Added and fixed some tests for plugins <=> Alessandro Fanio Gonzalez (@alessandrofg)
  • 40+ Bug fixes

Wednesday, 11 December 2013

OWASP OWTF CFP funds contest WINNERS

Please contribute:
We are trying to release the new version of OWTF in the next few weeks (hopefully before 2014!). For that, we need your help to identify and report bugs. THANK YOU! :)

OWASP OWTF CFP funds contest WINNERS
I would like to let you know that, after careful deliberation, the OWASP OWTF CFP Panel selected the following projects for access to the available OWASP OWTF funds:

  • Alessandro Fanio González: OWTF Architectural improvements
  • Marios Kourtesis: OWTF Botnet mode
  • Assem Chelli: OWTF Reporting improvements

Background on the decision process
I tried to be as neutral as possible due to the unavoidable conflict of interest issue:
Being friends with some of the people who submitted due to 3 months+ working together during the GSoC vs. those that were not. Thankfully, a panel of volunteers stepped up to solve this problem and chose (wisely in my opinion) the best projects given the limited money available. Thank you! -you know who you are ;)-

Sunday, 8 September 2013

OWASP OWTF CFP funds contest

As announced at AppSec EU recently, OWASP OWTF has (thank you!):
Instead of taking this to pay myself for working on OWTF in my spare time, I'm giving it away so that others are paid to work on OWTF: There is a contest to apply for this money and you can apply to all or part of it.

Timeline:
  • September 8th - October 15th: Call for OWASP OWTF Proposals
  • October 16th - 21st (might end sooner): Review of proposals by CFP panel
  • October 21st (might be earlier): Public winner(s) announcement
To apply please click here.
NOTE: You can change your proposal as many times as you want until October 15th.
NOTE 2: Each candidate can submit more than one proposal

Contest rules (IMPORTANT: Subject to minor modifications, keep an eye on this):
  • Project payment will be performed upon project completion
  • Contributing to OWASP OWTF in advance of acceptance will award extra points
  • The technical strength of the candidate will award extra points (especially with proof such as a GitHub page)
  • Regardless of your technical strength, a decent proposal will award extra points
  • The proposed project must be relevant to the OWASP OWTF mission: "To cover as much from the OWASP Testing Guide and the Penetration Testing Execution Standard as it is feasible"

Need help?
FAQ

Q: Does the proposal have to fit into the Google Form text box, or can I append a file with the fully-explained proposal?
A: If you can provide a link to a public but not searchable Google document, or a PDF in Dropbox or an alternative service, that's OK. This is probably better, since you will be able to add some graphs to explain what you are proposing and the proposal will then be easier for reviewers to understand.

Q: Is it possible to start working in January 2014?
A: Yes, you can specify the start and end dates that suit you best in your proposal, these are mandatory fields in your submission.

Q: Is it necessary to have a CV?
A: Of course not! However, some proof of your skills would be nice (a GitHub account, prior involvement in open source projects, doing something for OWTF and pointing to a pull request, whatever).

Sunday, 25 August 2013

AppSec EU: OWASP OWTF Summer Storm slides, demos and Plug-n-Hack support!

UPDATE 04/09/2013: Added link to AppSec EU video
UPDATE 26/08/2013: Added Plug-n-Hack support link.

OWASP AppSec EU 2013 and HackPra AllStars were both a blast this week:

I would like to use this opportunity to let you know that:
  1. OWASP OWTF is always actively looking for contributors, bug reports / ideas.
  2. The slides for the OWASP OWTF Summer Storm talks last week are now online here.
  3. OWASP OWTF supports the Plug-n-Hack mozilla standard now.

The demos, research and prototypes are all linked from the relevant slides within the presentation above.

NOTE: You can now see the OWASP OWTF Summer Storm AppSec EU video here.
NOTE 2: All AppSec EU + HackPra AllStars videos are here!

The slides were used at OWASP AppSec EU in:

You can find members of the OWTF team on our:

Monday, 12 August 2013

OWTF 0.30 "Summer Storm II" released! plz RT!

IMPORTANT NOTE: Some of the new features require the use of the "--dev" flag, please report any issues you find in our github page. Thanks!

This is another very significant release which includes the continued outstanding work of the following Google Summer of Code projects:

OWASP OWTF - INBOUND PROXY WITH MiTM & CACHING CAPABILITIES by Bharadwaj Machiraju (Dedicated Mentor: Krzysztof Kotowicz, Co-Mentors: Javier Marcos de Prado, Martin Johns, Abraham Aranguren)


OWASP OWTF - Multiprocessing  by Ankush Jindal (Dedicated Mentor: Andrés Riancho, Co-Mentor: Abraham Aranguren)


OWASP OWTF - Reporting by Assem Chelli (Dedicated Mentor: Gareth Heyes, Co-Mentors: Johanna Curiel, Azeddine Islam Mennouchi, Hani Benhabiles, Abraham Aranguren)
  • Project Plan document <-- FEEDBACK Welcome!
  • The prototypes and voting poll will become public on Thursday this week, stay tuned :)

OWASP OWTF - Unit Test Framework by Alessandro Fanio González (Dedicated Mentor: Andrés Morales, Co-Mentor: Abraham Aranguren)

Usual background + Disclaimer:
OWASP OWTF, the Offensive (Web) Testing Framework, is an OWASP+PTES-focused try to unite great tools and make pen testing more efficient @owtfp http://owtf.org
WARNING: This tool unites many great tools, websites, knowledge and their associated power, please hack responsibly and always have permission. That being said, happy pwnage :)

Some links:
- Project page
- You will probably get the most out of this tool if you look at the Presentation Slides first.
- Download the bleeding edge version of OWTF
- Download the latest stable version of OWTF
- Subscribe to the OWTF mailing list
- We're also on #owtf within freenode (IRC)

OWTF would just not be possible without all the people that contributed in one way or another. All contributors to date got a T-shirt this year, to all of you: Thank you!


(Picture above is courtesy of @an_animal. Thanks!)


Change log since OWTF 0.20 "Summer Storm I" (Full change log is here):

09/08/2013 - 0.30 "Summer Storm II" alpha release: Dedicated to Alessandro Fanio Gonzalez (@alessandrofg), Ankush Jindal (@ankushjindal278), Assem Chelli (@assem-ch), Bharadwaj Machiraju (@tunnelshade), their mentors: Andrés Morales, Andrés Riancho, Gareth Heyes, Krzysztof Kotowicz, and their co-mentors: Abraham Aranguren, Azeddine Islam Mennouchi, Hani Benhabiles, Javier Marcos de Prado, Johanna Curiel, Martin Johns.
+ Extracted the HTML generated by the reporting system from Python modules into independent Jinja2 template files <=> Assem Chelli (@assem-ch)
+ Added some features to the Testing Framework. Added tests that cover approximately 45% of the code of the OWTF Framework. <=> Alessandro Fanio Gonzalez (@alessandrofg)
+ Added support for test coverage reports and test logs in HTML. <=> Alessandro Fanio Gonzalez (@alessandrofg)
+ Spawning multiple processes on the basis of targets, then handling the input and the stopping of those targets <=> Ankush Jindal (@ankushjindal278)
+ Centralized log function <=> Ankush Jindal (@ankushjindal278)
+ Generic messaging system with separate pull and push facilities, and a database handler that uses messaging for DB transactions in multiprocessing <=> Ankush Jindal (@ankushjindal278)
+ Draft inbound proxy replaced by a new inbound proxy <=> Bharadwaj Machiraju (@tunnelshade)
+ Inbound proxy is capable of caching and saving the transactions <=> Bharadwaj Machiraju (@tunnelshade)
+ Inbound proxy is capable of cookie filters. <=> Bharadwaj Machiraju (@tunnelshade)