OWASP - User contributions [en]

Category:OWASP CAL9000 Project

2006-12-08T19:00:47Z

Cal9000: /* Downloads */

'''Welcome to the OWASP CAL9000 project...'''
[[Image:httpRequests.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.

Take a few moments to check out the CAL9000 built-in Help file for information about all of the new features and some potential gotchas (browser quirks, xmlHttpRequest limitations, etc.)

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a listing of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
* Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create character strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Tips - Collection of testing ideas for assessments.
* Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
* AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
* Store/Restore - Temporarily hold and retrieve textarea and text field contents.
* Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.

== Downloads ==

LATEST RELEASE - Version 2.0 released November 16, 2006. See the [[OWASP CAL9000 Project Roadmap]] for release notes.

* Click [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.
* Click [http://owasp-code-central.googlecode.com/svn/trunk/labs/cal9000/ here] to view the CAL9000 source code.

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Feedback and Participation: ==

We hope that you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks and/or sending your comments, questions and suggestions to owasp@owasp.org. To join the OWASP CAL9000 Project mailing list or to view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page].

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

Testing for Cross site scripting

2006-11-22T16:59:39Z

Cal9000: /* References */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Cross Site Scripting (CSS for short, but sometimes abbreviated as XSS) is one of the most common application level attacks that hackers use to sneak into web applications today. It should be stressed that although the vulnerability exists at the web site, at no time is the web site directly harmed

== Description of the Issue ==

Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!

Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the <Script> tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.
Cross site scripting is used in many Phishing attacks.

==Black Box testing and example==

One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser: 

'''/testcgi.exe?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>'''

The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.
All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application

The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:
* Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.
* Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.
* Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “<” to “<>.
* If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.
* Keep up with the latest security vulnerabilities and bugs for all production applications and servers.
* Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.
The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:
* Validate Input
* Encode output
Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.
There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.
The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser. 
'''> < ( ) [ ] ' " ; : / |'''

PHP
The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:
* '''Strip_tags()''' removes HTML and PHP scripting tags from a string.
* '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.
* '''Htmlspecialcharacters()''' turns characters such as '''&,>,<,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.
* '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks. For example:
'''" style="background:url(JavaScript:alert(Malicious Content));'''

ASP.NET
With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:
* Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.
* Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.
* Use the '''HttpOnly cookie''' option for added protection.
* As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.

== Gray Box testing and example ==

== References ==

'''Whitepapers''' 
* Paul Lindner: "Preventing Cross-site Scripting Attacks" - http://www.perl.com/pub/a/2002/02/20/css.html

* CERT: "CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests" - http://www.cert.org/advisories/CA-2000-02.html

* RSnake: "XSS (Cross Site Scripting) Cheat Sheet" - http://ha.ckers.org/xss.html

'''Tools''' 
* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

 
{{Category:OWASP Testing Project AoC}}

Appendix A: Testing Tools

2006-11-21T04:33:23Z

Cal9000: /* Open Source Black Box Testing tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

==Open Source Black Box Testing tools==

* '''OWASP WebScarab''' - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 

* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

* '''OWASP Pantera''' - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 

* SPIKE - http://www.immunitysec.com
* Paros - http://www.proofsecure.com
* Burp Proxy - http://www.portswigger.net
* Achilles Proxy - http://www.mavensecurity.com/achilles
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
* Webstretch Proxy - http://sourceforge.net/projects/webstretch 
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

=== Testing for specific vulnerabilities ===

'''Testing AJAX ''' 
* OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
'''Testing for SQL Injection ''' 
* OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
* Multiple DBMS Sql Injection tool - [SQL Power Injector]
* MySql Blind Injection Bruteforcing, Reversing.org - [sqlbftools]
* Antonio Parata: Dump Files by sql inference on Mysql - [SqlDumper]
* icesurfer: sqlninja
* SQLmap - http://www.linux.it/~belch/creations/sqlmap-0.0.1.tgz
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/ 
'''Testing Oracle'''
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
'''Testing SSL ''' 
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
'''Testing for Brute Force Password'''
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
'''Testing for HTTP Methods'''
* NetCat - http://www.vulnwatch.org/netcat
'''Testing Buffer Overflow'''
* OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de
* Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
* Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/
* Metasploit, A rapid exploit development and Testing frame work - http://www.metasploit.com/projects/Framework/
'''Fuzzer''' 
* OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
'''Googling''' 
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

==Commercial Black Box Testing tools==

* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php 
* SPI Dynamics WebInspect - http://www.spidynamics.com
* Burp Intruder - http://portswigger.net/intruder 
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com/ 
* ScanDo - http://www.kavado.com
* WebSleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php 
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester 
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/ 
* MaxPatrol Security Scanner - http://www.maxpatrol.com/ 
* Ecyware GreenBlue Inspector - http://www.ecyware.com/ 
* Parasoft WebKing (more QA-type tool) 

==Source Code Analyzers==

===Open Source / Freeware===

* http://www.securesoftware.com
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
* Split - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

===Commercial ===

* Fortify - http://www.fortifysoftware.com
* Ounce labs Prexis - http://www.ouncelabs.com
* GrammaTech - http://www.grammatech.com
* ParaSoft - http://www.parasoft.com
* ITS4 - http://www.cigital.com/its4
* CodeWizard - http://www.parasoft.com/products/wizard

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

===Binary Analysis===

* BugScam - http://sourceforge.net/projects/bugscam
* BugScan - http://www.hbgary.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

'''Site Mirroring'''
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu - http://home.snafu.de/tilman/xenulink.html

{{Category:OWASP Testing Project AoC}}

Category:OWASP CAL9000 Project

2006-11-18T18:47:49Z

Cal9000: /* Features */

'''Welcome to the OWASP CAL9000 project...'''
[[Image:httpRequests.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.

Take a few moments to check out the CAL9000 built-in Help file for information about all of the new features and some potential gotchas (browser quirks, xmlHttpRequest limitations, etc.)

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a listing of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
* Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create character strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Tips - Collection of testing ideas for assessments.
* Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
* AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
* Store/Restore - Temporarily hold and retrieve textarea and text field contents.
* Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.

== Downloads ==

LATEST RELEASE - Version 2.0 released November 16, 2006. See the [[OWASP CAL9000 Project Roadmap]] for release notes.

* Click [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Feedback and Participation: ==

We hope that you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks and/or sending your comments, questions and suggestions to owasp@owasp.org. To join the OWASP CAL9000 Project mailing list or to view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page].

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

OWASP Autumn of Code 2006 - Projects: CAL9000

2006-11-16T21:10:38Z

Cal9000:

'''AoC Candidate:''' Chris

'''Project Coordinator:''' Andrew van der Stock

'''Project Progress:''' 100% Complete - [[OWASP_Autumn_of_Code_2006_-_Projects:_CAL9000_-_Progress|Progress Page]]

== Background and Motivation ==

'''History Behind Project'''
* I got tired of hunting around for information and tools that I needed in order to do assessments, so I thought that it wouldn't be too hard (ha!) to put them all together into one tool.

'''Problem to be Addressed'''
* Helps take some of the monotony and guesswork out of manual testing.

'''Benefit to OWASP Members and Community'''
* CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. It gives testers flexibility and functionality for more effective manual testing efforts.

== Goals and Deliverables ==

'''Plan of Approach'''
* Get up. Code. Drink. Sleep. Repeat 100 times.

'''Deliverables'''
Listed below are the upgrades that I guarantee that I would be able to implement by year-end 2006.

XSS Attack Library Page -
* Allow filtering of attacks based upon what browsers they are effective in.
* Allow users to create/edit/delete their own attacks that will persist even if the RSnake XSS attack file is updated.
* Allow display of all user-defined attacks in a print-ready format.
* Enhance RegEx testing functionality. At a minimum, allow user-defined regex flags and replacement strings. Include show/replace/split matches and the ability to test the regex against code.

HTTP Requests Page -
* Give users (near)full control over generating and sending HTTP Requests. (There are some browser-dependent restrictions)
* Allow users to define HTTP Method Type,Authentication Type w/values, Schema, FQDN, Port, Absolute path of URL, Parameter, Query String, Request Headers/Body.
* Allow Quick encoding of an entire request field or selected text(Url, Hex, Unicode, Base64, Md5 encoding types).
* Allow users to quickly include from a list of Header Names and common Header Values, depending on the Name. (Or use their own)
* Allow users to quickly include Browser-specific Headers/Values.
* Allow users to quickly include Method-specific Headers/Values.
* Allow users to include Request Name/Value pairs and add them to the Query String or the Response Body.
* All Request/Response results will be saved in persistent History and easily redisplayed.

HTTP Responses Page -
* Display Target URL, Response Status/Headers/Body.
* Allow users to view Response Body as it would appear in a browser.
* Allow users to extract and view Scripts/Forms/Cookies from the response.
* Allow users to delete Scripts and Forms from Response Body and view the effect on the rendering of the page.
* Allow display of Request/Response pairs in a print-ready format.

Misc Tools Page -
* Allow user-defined characters for the String Generator.

Testing Checklist Page -
* Retain the current testing tips and add a testing checklist based on the OWASP Testing Guide. Include the ability for users to create/edit/delete their own checklist items and also create/edit/delete their results/notes for each test.
* Allow display of all checklist items and results in a print-ready format.

Automater Page -
* Allow users to create/edit/delete lists of attack strings and define the insertion points in a request. CAL9000 will automatically send a request for each attack string. Results will be available for review in the History. (Basically, this is a scanner where the user gets to define the tests)

== Risks and Rewards ==

'''Main Risks'''
* No social life for several months.

'''Rewards of Successful Project'''
* Get an AoC t-shirt.

OWASP CAL9000 Project Roadmap

2006-11-16T19:42:57Z

Cal9000: /* Version History */

The project's overall goal is to...

Provide a centralized framework for the organization and use of a variety of tools that can
assist web application security testers with their manual testing efforts.

In the near term, we are focused on the following tactical goals...

# Gathering user feedback.

== Version History ==

Nov 16, 2006 - v2.0:
* XSS Attacks Page:
** Filter attacks by browser support
** Create/edit/save/delete your own attacks
** Display user-defined attacks in print-ready list
** Expanded Regex functionality - Added show/replace/split on matches
* Encoder/Decoder:
** Added types md4 and sha1 (encode only)
** Define Base64 special characters and padding character
* HTTP Requests:
** Added (almost) total control of request components
** Quickly add request headers (single, by browser, by method)
** Split/concatenate request parameters and get character count
** Added AutoAttack feature (send multiple requests at once)
** Quick encode request components (Url, hex, Unicode, Base64, md5)
** Requests/responses saved to History file
** Added History list navigation and functions (delete, print-ready)
* HTTP Responses:
** Displays target Url, response status codes, headers and body
** Split out scripts, forms and cookies
** Display request body in new window as it would appear in browser
** Added History list navigation and functions (delete, print-ready)
* String Generator:
** Define character used for string generation
* Testing Checklist:
** Old testing checklist included as testing tips
** Added true testing checklist - Create/edit/save/delete checklist items
* AutoAttack List Editor:
** Create/edit/save/delete attack lists and items
** Display attack lists in print-ready format
** Quick encode checklist items (Url, hex, Unicode, Base64, md5)

July 30, 2006 - v1.1:
* Focus of this Release: Upgrade Encode/Decode function.
* Added Uppercase check box
* Added Trailing Character text field
* Added Delimiter text field
* Added Include Unselected Text check box
* Added Wrappers
* Added several Encoding/Decoding types
* Added ability to Encode/Decode selected text only
* Added Store/Restore functionality
* Added Selected Text processing
* Added Error/Informational Message functionality
* String Generator can handle larger string sizes
* Minor Bugfixes w/ URL Encoding
* Minor Bugfixes w/ Save State processing

May 18, 2006 - v1.0.

== Wish List ==
* What features would you like to see added?

[[Category:OWASP CAL9000 Project]]

Category:OWASP CAL9000 Project

2006-11-16T19:42:09Z

Cal9000: /* Downloads */

'''Welcome to the OWASP CAL9000 project...'''
[[Image:httpRequests.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.

Take a few moments to check out the CAL9000 built-in Help file for information about all of the new features and some potential gotchas (browser quirks, xmlHttpRequest limitations, etc.)

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a listing of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
* Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* Page Info - Splits out the Forms in a target page, as well as the source for internal and external Scripts.
* IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create character strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Tips - Collection of testing ideas for assessments.
* Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
* AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
* Store/Restore - Temporarily hold and retrieve textarea and text field contents.
* Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.

== Downloads ==

LATEST RELEASE - Version 2.0 released November 16, 2006. See the [[OWASP CAL9000 Project Roadmap]] for release notes.

* Click [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Feedback and Participation: ==

We hope that you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks and/or sending your comments, questions and suggestions to owasp@owasp.org. To join the OWASP CAL9000 Project mailing list or to view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page].

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

Category:OWASP CAL9000 Project

2006-11-16T19:39:57Z

Cal9000:

'''Welcome to the OWASP CAL9000 project...'''
[[Image:httpRequests.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.

Take a few moments to check out the CAL9000 built-in Help file for information about all of the new features and some potential gotchas (browser quirks, xmlHttpRequest limitations, etc.)

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a listing of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
* Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* Page Info - Splits out the Forms in a target page, as well as the source for internal and external Scripts.
* IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create character strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Tips - Collection of testing ideas for assessments.
* Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
* AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
* Store/Restore - Temporarily hold and retrieve textarea and text field contents.
* Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.

== Downloads ==

LATEST RELEASE - Version 2.0 released November 16, 2006. See the [[OWASP CAL9000 Project Roadmap]] for release notes.

* RightClick [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Feedback and Participation: ==

We hope that you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks and/or sending your comments, questions and suggestions to owasp@owasp.org. To join the OWASP CAL9000 Project mailing list or to view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page].

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

File:HttpRequests.jpg

2006-11-16T19:35:11Z

Cal9000:

Category:OWASP CAL9000 Project

2006-11-15T03:53:18Z

Cal9000: /* Downloads */

'''Welcome to the OWASP CAL9000 project...'''
[[Image:xssAttacks.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 brings together a host of web application security testing tools into one convenient package. It is designed to be used in the Firefox browser. CAL9000 functionality may be limited when used with other browsers.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features(like executing cross-domain XMLHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a web server.

While using CAL9000, the Firefox browser may pop up windows asking you to grant exceptions to its security policy. These are normal and may be safely accepted. If you are reluctant to approve these requests, you can review the source code until you are comfortable with CAL9000's functionality. I can say with reasonable certainty that CAL9000 will not go crazy and try to kill you.

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a library of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can also try testing the various attacks or using RegEx filters against them.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Simple Http Requests - Send GET, POST, HEAD, TRACE, OPTIONS, PUT and DELETE requests and see the results.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* Page Info - Splits out the Forms in a target page, as well as the source for internal and external Scripts.
* IP Encoder/Decoder - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create alpha(i), numeric(1) or special(!) strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Checklist - Collection of testing ideas for assessments.
* Save State/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents of a textarea.

== Downloads ==

LATEST RELEASE - Version 1.1 released July 30, 2006. See the [[OWASP CAL9000 Project Roadmap]] for details.

* RightClick [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.
* RightClick [http://ha.ckers.org/xssAttacks.xml here] to download the latest XSS Attack List XML file from [http://ha.ckers.org/xss.html RSnake's site]. Replace the file of the same name in your "CAL9000/files/xml/" folder.

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Feedback and Participation: ==

We hope you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP CAL9000 Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page.]

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

Category:OWASP CAL9000 Project

2006-11-15T03:51:55Z

Cal9000: /* Project Contributors */

'''Welcome to the OWASP CAL9000 project...'''
[[Image:xssAttacks.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 brings together a host of web application security testing tools into one convenient package. It is designed to be used in the Firefox browser. CAL9000 functionality may be limited when used with other browsers.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features(like executing cross-domain XMLHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a web server.

While using CAL9000, the Firefox browser may pop up windows asking you to grant exceptions to its security policy. These are normal and may be safely accepted. If you are reluctant to approve these requests, you can review the source code until you are comfortable with CAL9000's functionality. I can say with reasonable certainty that CAL9000 will not go crazy and try to kill you.

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a library of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can also try testing the various attacks or using RegEx filters against them.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Simple Http Requests - Send GET, POST, HEAD, TRACE, OPTIONS, PUT and DELETE requests and see the results.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* Page Info - Splits out the Forms in a target page, as well as the source for internal and external Scripts.
* IP Encoder/Decoder - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create alpha(i), numeric(1) or special(!) strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Checklist - Collection of testing ideas for assessments.
* Save State/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents of a textarea.

== Downloads ==

LATEST RELEASE - Version 1.1 released July 30, 2006. See the [[OWASP CAL9000 Project Roadmap]] for details.

* RightClick [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.
* RightClick [http://ha.ckers.org/xssAttacks.xml here] to download the latest XSS Attack List XML file from [http://ha.ckers.org/xss.html RSnake's site]. Replace the file of the same name in your "CAL9000/files/xml/" folder.

The online help for CAL9000 can be found [http://www.digilantesecurity.com/CAL9000/help.html here].

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Feedback and Participation: ==

We hope you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP CAL9000 Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page.]

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]

OWASP CAL9000 Project Roadmap

2006-11-15T03:42:30Z

Cal9000:

The project's overall goal is to...

Provide a centralized framework for the organization and use of a variety of tools that can
assist web application security testers with their manual testing efforts.

In the near term, we are focused on the following tactical goals...

# Gathering user feedback.

== Version History ==

Nov 15, 2006 - v2.0:
* XSS Attacks Page:
** Filter attacks by browser support
** Create/edit/save/delete your own attacks
** Display user-defined attacks in print-ready list
** Expanded Regex functionality - Added show/replace/split on matches
* Encoder/Decoder:
** Added types md4 and sha1 (encode only)
** Define Base64 special characters and padding character
* HTTP Requests:
** Added (almost) total control of request components
** Quickly add request headers (single, by browser, by method)
** Split/concatenate request parameters and get character count
** Added AutoAttack feature (send multiple requests at once)
** Quick encode request components (Url, hex, Unicode, Base64, md5)
** Requests/responses saved to History file
** Added History list navigation and functions (delete, print-ready)
* HTTP Responses:
** Displays target Url, response status codes, headers and body
** Split out scripts, forms and cookies
** Display request body in new window as it would appear in browser
** Added History list navigation and functions (delete, print-ready)
* String Generator:
** Define character used for string generation
* Testing Checklist:
** Old testing checklist included as testing tips
** Added true testing checklist - Create/edit/save/delete checklist items
* AutoAttack List Editor:
** Create/edit/save/delete attack lists and items
** Display attack lists in print-ready format
** Quick encode checklist items (Url, hex, Unicode, Base64, md5)

July 30, 2006 - v1.1:
* Focus of this Release: Upgrade Encode/Decode function.
* Added Uppercase check box
* Added Trailing Character text field
* Added Delimiter text field
* Added Include Unselected Text check box
* Added Wrappers
* Added several Encoding/Decoding types
* Added ability to Encode/Decode selected text only
* Added Store/Restore functionality
* Added Selected Text processing
* Added Error/Informational Message functionality
* String Generator can handle larger string sizes
* Minor Bugfixes w/ URL Encoding
* Minor Bugfixes w/ Save State processing

May 18, 2006 - v1.0.

== Wish List ==
* What features would you like to see added?

[[Category:OWASP CAL9000 Project]]

OWASP CAL9000 Project Roadmap

2006-11-15T03:40:54Z

Cal9000: /* Version History */

The project's overall goal is to...

Provide a centralized framework for the organization and use of a variety of tools that can
assist web application security testers with their manual testing efforts.

In the near term, we are focused on the following tactical goals...

# Implementing major upgrade to the HTTP Requests function.

== Version History ==

Nov 15, 2006 - v2.0:
* XSS Attacks Page:
** Filter attacks by browser support
** Create/edit/save/delete your own attacks
** Display user-defined attacks in print-ready list
** Expanded Regex functionality - Added show/replace/split on matches
* Encoder/Decoder:
** Added types md4 and sha1 (encode only)
** Define Base64 special characters and padding character
* HTTP Requests:
** Added (almost) total control of request components
** Quickly add request headers (single, by browser, by method)
** Split/concatenate request parameters and get character count
** Added AutoAttack feature (send multiple requests at once)
** Quick encode request components (Url, hex, Unicode, Base64, md5)
** Requests/responses saved to History file
** Added History list navigation and functions (delete, print-ready)
* HTTP Responses:
** Displays target Url, response status codes, headers and body
** Split out scripts, forms and cookies
** Display request body in new window as it would appear in browser
** Added History list navigation and functions (delete, print-ready)
* String Generator:
** Define character used for string generation
* Testing Checklist:
** Old testing checklist included as testing tips
** Added true testing checklist - Create/edit/save/delete checklist items
* AutoAttack List Editor:
** Create/edit/save/delete attack lists and items
** Display attack lists in print-ready format
** Quick encode checklist items (Url, hex, Unicode, Base64, md5)

July 30, 2006 - v1.1:
* Focus of this Release: Upgrade Encode/Decode function.
* Added Uppercase check box
* Added Trailing Character text field
* Added Delimiter text field
* Added Include Unselected Text check box
* Added Wrappers
* Added several Encoding/Decoding types
* Added ability to Encode/Decode selected text only
* Added Store/Restore functionality
* Added Selected Text processing
* Added Error/Informational Message functionality
* String Generator can handle larger string sizes
* Minor Bugfixes w/ URL Encoding
* Minor Bugfixes w/ Save State processing

May 18, 2006 - v1.0.

== Wish List ==
* What features would you like to see added?

[[Category:OWASP CAL9000 Project]]

OWASP CAL9000 Project Roadmap

2006-11-15T03:27:21Z

Cal9000: /* Wish List */

OWASP CAL9000 Project Roadmap

2006-07-31T14:47:08Z

Cal9000:

Category:OWASP CAL9000 Project

2006-07-31T14:31:23Z

Cal9000:

'''Welcome to the OWASP CAL9000 project...'''
[[Image:xssAttacks.jpg|thumb|300px|right|CAL9000 in action]]
== Overview ==

CAL9000 brings together a host of web application security testing tools into one convenient package. It is designed to be used in the Firefox browser. CAL9000 functionality may be limited when used with other browsers.

CAL9000 is written in Javascript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features(like executing cross-domain XMLHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a web server.

While using CAL9000, the Firefox browser may pop up windows asking you to grant exceptions to its security policy. These are normal and may be safely accepted. If you are reluctant to approve these requests, you can review the source code until you are comfortable with CAL9000's functionality. I can say with reasonable certainty that CAL9000 will not go crazy and try to kill you.

Please only use this tool for testing your own applications or those that you have been authorized to test.

== Features ==

* XSS Attacks - This is a library of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can also try testing the various attacks or using RegEx filters against them.
* Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
* Simple Http Requests - Send GET, POST, HEAD, TRACE, OPTIONS, PUT and DELETE requests and see the results.
* Scratchpad - A place to save code snippets, notes, results, etc.
* Cheatsheets - Collection of references for various web-related platforms and languages.
* Page Info - Splits out the Forms in a target page, as well as the source for internal and external Scripts.
* IP Encoder/Decoder - Go to/from IP, Dword, Hex and Octal addresses.
* String Generator - Create alpha(i), numeric(1) or special(!) strings of almost any length.
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
* Testing Checklist - Collection of testing ideas for assessments.
* Save State/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
* Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents of a textarea.

== Downloads ==

LATEST RELEASE - Version 1.1 released July 30, 2006. See the [[OWASP CAL9000 Project Roadmap]] for details.

* RightClick [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.
* RightClick [http://ha.ckers.org/xssAttacks.xml here] to download the latest XSS Attack List XML file from [http://ha.ckers.org/xss.html RSnake's site]. Replace the file of the same name in your "CAL9000/files/xml/" folder.

The online help for CAL9000 can be found [http://www.digilantesecurity.com/CAL9000/help.html here].

== Project Contributors ==

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here] or submitted via the Discussion Tab above.

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.

[[Category:OWASP Project]]
[[Category:OWASP Download]]
[[Category:OWASP Tool]]