OWASP - User contributions [en]

Summit 2011 Working Sessions/Session052

2011-02-09T12:20:33Z

Cmartorella:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>Summit 2011 Working Sessions test tab</noinclude>
|-

| summit_session_attendee_name1 = Nishi Kumar
| summit_session_attendee_email1 = nishi.kumar@owasp.org
| summit_session_attendee_username1 =
| summit_session_attendee_company1= FIS
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=

| summit_session_attendee_name2 = Cecil Su
| summit_session_attendee_email2 = cecil.su@owasp.org
| summit_session_attendee_username2 =
| summit_session_attendee_company2= GT
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=

| summit_session_attendee_name3 = Lucas C. Ferreira
| summit_session_attendee_email3 = lucas.ferreira@owasp.org
| summit_session_attendee_username3 =
| summit_session_attendee_company3=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=

| summit_session_attendee_name4 = Keith Turpin
| summit_session_attendee_email4 = keith.turpin@owasp.org
| summit_session_attendee_username4 = Keith_Turpin
| summit_session_attendee_company4=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=

| summit_session_attendee_name5 = Achim Hoffmann
| summit_session_attendee_email5 = achim@owasp.org
| summit_session_attendee_username5 = Achim
| summit_session_attendee_company5= sic[!]sec
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=

| summit_session_attendee_name6 = Tom Neaves
| summit_session_attendee_email6 = tom.neaves@verizonbusiness.com
| summit_session_attendee_username6 =
| summit_session_attendee_company6 = Verizon Business
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6 =

| summit_session_attendee_name7 = Vishal Garg
| summit_session_attendee_email7 = vishalgrg@gmail.com
| summit_session_attendee_username7 =
| summit_session_attendee_company7= AppSecure Labs
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=

| summit_session_attendee_name8 = Giorgio Fedon
| summit_session_attendee_email8 = giorgio.fedon@mindedsecurity.com
| summit_session_attendee_username8 =
| summit_session_attendee_company8= Minded Security
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=

| summit_session_attendee_name9 = Stefano Di Paola
| summit_session_attendee_email9 = stefano@owasp.org
| summit_session_attendee_username9 =
| summit_session_attendee_company9= Minded Security
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=

| summit_session_attendee_name10 = Pavol Luptak
| summit_session_attendee_email10 = pavol.luptak@nethemba.com
| summit_session_attendee_username10 =
| summit_session_attendee_company10= Nethemba
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=

| summit_session_attendee_name11 = Andre Gironda
| summit_session_attendee_email11 = andregATthegmail
| summit_session_attendee_username11 = Dre
| summit_session_attendee_company11=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11= Will be available remotely

| summit_session_attendee_name12 = Edward Bonver
| summit_session_attendee_email12 = edward@owasp.org
| summit_session_attendee_username12 = Edward Bonver
| summit_session_attendee_company12= Symantec
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=

| summit_session_attendee_name13 = Wojciech Dworakowski
| summit_session_attendee_email13 = wojciech.dworakowski@securing.pl
| summit_session_attendee_username13 = Wojciech Dworakowski
| summit_session_attendee_company13= SecuRing
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=

| summit_session_attendee_name14 = Vlatko Kosturjak
| summit_session_attendee_email14 = vlatko.kosturjak@owasp.org
| summit_session_attendee_username14 = kost
| summit_session_attendee_company14=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14=

| summit_session_attendee_name15 = Antonio Fontes
| summit_session_attendee_email15 = antonio.fontes@owasp.org
| summit_session_attendee_username15 =
| summit_session_attendee_company15= L7 Sécurité
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=

| summit_session_attendee_name16 = Christian Martorella
| summit_session_attendee_email16 = christian.martorella@verizonbusiness.com
| summit_session_attendee_username16 =
| summit_session_attendee_company16= Verizon Business
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=

| summit_session_attendee_name17 =
| summit_session_attendee_email17 =
| summit_session_attendee_username17 =
| summit_session_attendee_company17=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=

| summit_session_attendee_name18 =
| summit_session_attendee_email18 =
| summit_session_attendee_username18 =
| summit_session_attendee_company18=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=

| summit_session_attendee_name19 =
| summit_session_attendee_email19 =
| summit_session_attendee_username19 =
| summit_session_attendee_company19=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=

| summit_session_attendee_name20 =
| summit_session_attendee_email20 =
| summit_session_attendee_username20 =
| summit_session_attendee_company20=
| summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=

|-
| summit_track_logo = [[Image:T._individual_projects.jpg]]
| summit_ws_logo = [[Image:WS._individual_projects.jpg]]
| summit_session_name = OWASP Testing Guide
| summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session052
| mailing_list =
|-
| short_working_session_description= We need to define: 
 - an updated vulnerability list to test (from the OWASP Common Vulnerabiltity list)
 - Create a more readable guide, eliminating some sections that are not
really useful,
 - Insert new testing techniques: HTTP Verb tampering, HTTP Parameter
Pollutions, etc.,
 - Rationalize some sections as Session Management Testing,
 - Debate if create a new section: Client side security and Firefox
extensions testing.

|-

| related_project_name1 = OWASP Testing Project
| related_project_url_1 = http://www.owasp.org/index.php/Category:OWASP_Testing_Project

| related_project_name2 =
| related_project_url_2 =

| related_project_name3 =
| related_project_url_3 =

| related_project_name4 =
| related_project_url_4 =

| related_project_name5 =
| related_project_url_5 =

|-

| summit_session_objective_name1= Show the v3, and debating what we need to create an excellent v4

| summit_session_objective_name2 =

| summit_session_objective_name3 =

| summit_session_objective_name4 =

| summit_session_objective_name5 =

|-

| working_session_date_and_time = TODO

|-

| discussion_model = participants and attendees

|-

| operational_resources = Projector, whiteboards, markers, Internet connectivity, power

|-

| working_session_additional_details = The presence of participants on the Working Session [[Summit 2011 Working Sessions/Session085|'''Common structure and numbering for all guides''']] is advisable.

|-

|summit_session_deliverable_name1 = An updated outline for the testing guide that is tied into the OWASP common numbering scheme

|summit_session_deliverable_name2 = A short white paper with ideas for revisions to the Testing Guide for evaluation and discussion by the community at large.

|summit_session_deliverable_name3 = A committed project manager who can reach out to experts to get the document completed.

|summit_session_deliverable_name4 =

|summit_session_deliverable_name5 =

|summit_session_deliverable_name6 =

|summit_session_deliverable_name7 =

|summit_session_deliverable_name8 =

|-

| summit_session_leader_name1 = Matteo Meucci
| summit_session_leader_email1 = matteo.meucci@owasp.org

| summit_session_leader_name2 =
| summit_session_leader_email2 =
| summit_session_leader_username2 =

| summit_session_leader_name3 =
| summit_session_leader_email3 =
| summit_session_leader_username3 =
|-

| operational_leader_name1 = Giorgio Fedon
| operational_leader_email1 =

|-

| meeting_notes =

|-
| session_name_mask =  Session052
| session_home_page =  Summit_2011_Working_Sessions/Session052
}}

Summit 2011 Attendee/Attendee084

2010-12-23T10:37:16Z

Cmartorella:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP 2011 Global Summit Attendee Tab</noinclude>
|-
| summit_attendee_name1 = Christian Martorella
| summit_attendee_email1 = cmartorella@edge-security.com
| summit_attendee_wiki_username1 = cmartorella
|-
| summit_attendee_company = Verizon Business
|-
| summit_attendee_current_owasp_involvement_name1 = Web Slayer Project Leader
| summit_attendee_current_owasp_involvement_url_1 = http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
| summit_attendee_current_owasp_involvement_name2 =
| summit_attendee_current_owasp_involvement_url_2 =
| summit_attendee_current_owasp_involvement_name3 =
| summit_attendee_current_owasp_involvement_url_3 =
| summit_attendee_current_owasp_involvement_name4 =
| summit_attendee_current_owasp_involvement_url_4 =
| summit_attendee_current_owasp_involvement_name5 =
| summit_attendee_current_owasp_involvement_url_5 =
|-
| summit_attendee_reason_for_summit_participation_name1 = Owasp training
| summit_attendee_reason_for_summit_participation_url_1 = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session041
| notes_reason_for_participating_issues_to_be_discussed_1 =
| summit_attendee_reason_for_summit_participation_name2 = Metrics
| summit_attendee_reason_for_summit_participation_url_2 =
| notes_reason_for_participating_issues_to_be_discussed_2 =
| summit_attendee_reason_for_summit_participation_name3 =
| summit_attendee_reason_for_summit_participation_url_3 =
| notes_reason_for_participating_issues_to_be_discussed_3 =
| summit_attendee_reason_for_summit_participation_name4 =
| summit_attendee_reason_for_summit_participation_url_4 =
| notes_reason_for_participating_issues_to_be_discussed_4 =
| summit_attendee_reason_for_summit_participation_name5 =
| summit_attendee_reason_for_summit_participation_url_5 =
| notes_reason_for_participating_issues_to_be_discussed_5 =
|-
| summit_attendee_owasp_sponsor =
|-
| summit_attendee_summit_time_paid_by_name1 = [[Image:VerizonB.jpeg |180x80 px| link=http://www.verizonbusiness.com]]
| summit_attendee_summit_time_paid_by_url_1 =
| summit_attendee_summit_time_paid_by_name2 =
| summit_attendee_summit_time_paid_by_url_2 =
|-
| summit_attendee_summit_expenses_paid_by_name1 = [[Image:VerizonB.jpeg |180x80 px| link=http://www.verizonbusiness.com]]
| summit_attendee_summit_expenses_paid_by_url_1 =
| summit_attendee_summit_expenses_paid_by_name2 =
| summit_attendee_summit_expenses_paid_by_url_2 =
|-
| reason_for_sponsorship =
|-
| status = Confirmed, funded, not booked
|-
| letter sent to sponsor =
|-
| notes for Kate
|-
| attendee_name_mask =  Attendee084
| attendee_home_page =  Summit_2011_Attendee/Attendee084
}}

File:Verizon.gif

2010-12-23T10:34:27Z

Cmartorella:

File:VerizonB.jpeg

2010-12-23T10:29:50Z

Cmartorella:

File:Verizonbusiness.jpg

2010-12-23T10:13:08Z

Cmartorella:

Project Information:template Webslayer Project

2010-12-15T00:24:44Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Webslayer Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
WebSlayer is a tool designed for brute forcing Web Applications, it can be used to discover not linked resources (directories, servlets, scripts, etc), brute force GET and POST parameters, brute force forms parameters (User/Password), fuzzing, etc.

The tools has a powerful payload generator and a easy and flexible results analyzer.

|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:cmartorella(at)edge-security.com '''Christian Martorella''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:cdelojo(at)edge-security.com '''Carlos del Ojo''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project '''Mailing List/Subscribe'''] [mailto:owasp-webslayer-project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:andres@neurofuzz.com '''Andres Andreu''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:name(at)name '''TBD'''] 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[http://www.edge-security.com/webslayer.php - The tool's url]

|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* If any, add link.
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|Sponsor name, if applicable
| style="width:50%; background:#cccccc" align="center"|[[:Category:OWASP Webslayer Project Roadmap|'''Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''First Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - Self Evaluation - A|See&Edit: First Review/SelfEvaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - First Reviewer - B|See&Edit: First Review/1st Reviewer (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - Second Reviewer - C|See&Edit: First Review/2nd Reviewer (C)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - OWASP Board Member - D|See/Edit: First Review/Board Member (D)]]
|-
|}

Category:OWASP Webslayer Project

2010-12-15T00:20:27Z

Cmartorella:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Webslayer Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Webslayer Project}}
[[Category:OWASP Project|Webslayer Project]]

== Overview ==

WebSlayer is a tool designed for brute forcing Web Applications, it can be used to discover not linked resources (directories, servlets, scripts, etc), brute force GET and POST parameters, brute force Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer to aid the tester in all the brute force tests.

It's possible to perform attacks like:

* Predictable resource locator (File and directories discovery)
* Login forms brute force
* Session brute force
* Parameters brute force
* Parameter fuzzing and Injection (XSS, SQL, etc)
* Basic and Ntml brute forcing

== Features ==

Some features are:

* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)
* Time delay between requests
* Attack balancing across multiple proxies

===For Resource Location prediction===

* Recursion: When discovering directories, you can set how deep to go
* Non standard code error checking: Webslayer will detect NoN Standard Code, to avoid presenting useless results
* Extensions: You can add a list of file extensions to a dictionary

==Results analysis==

The power of Webslayer resides in the way you can work with the results, for every attack you will have all the responses, and for each ;
request you will have:

* Html results
* Source code
* Headers
* Web browser view (it will replay the request via the browser)

Multiple filters for improving the performance and for producing better results for the analyst

* Return Code
* Characters length
* Words length
* Lines length
* MD5
* Regular expression

Webslayer will maintain all the attacks in the session so you can work with them, compare, check later, etc.

[[Image:Webslayer-analysis.jpg]]

==Payload Generator==

Another interesting feature of WebSlayer is the Payload Generator, with this tool you can create your custom payloads, for all your needs. It has some basic functions like:

* Files: You can load dictionaries and encode the content.
* Numeric Ranges: Allow the creation of a numeric payload given a chosen range. Also allow to use a fixed width. Eg: "01","02",..,"09"
* Block: You can create characters block, given a string or set of characters. Eg: "A" "AA" AAA" "AAAA"
* Permutation: Given a charset and a width it will create all possibles permutations. Eg: "ABC", "ACB", "BAC" ..., "CBA"
* Credit Cards: You can create well formed credit card numbers for testing shopping carts, and payment modules
* Usernames: Given some names, it will create all the possibles combinations used in account naming patterns. Eg: John Doe: "j.doe","john.doe","johndoe", etc.

After you have some Generators, you can concatenate and create your final Payload, in the screenshot we created a Permutation of "abcaeiou" with a width of 5 characters, and for the final payload we concatenated the word "-owasp08" to the generator. The pattern to create the Payload is: [@PPerm00@]-owasp08
Yo can drag'n'drop the temporal generator, to the Payload creator pattern:

[[Image:Webslayer-payload.jpg]]

==Getting Started==

===Downloading===

At the moment WebSlayer is available in google code subversion:

svn checkout http://webslayer.googlecode.com/svn/trunk/ webslayer-read-only

Grab the latest version from here: http://code.google.com/p/webslayer/downloads/list

===Installing===

It works fine with the OWASP LIVE CD, and Backtrack R2, just make sure you install:

python-qt4
python-pycurl

===Launching a basic attack===

First of all, you must understand that the tool is based in replacing the Keyword "FUZZ" or "FUZ2Z" by the payload that you have chosen.

So lets start using the application for discovering directories in a website:

* 1- In the Attack tab, insert the website URL that you want to brute force, with the keyword FUZZ in the end so WebSlayer will insert the content of the payload in that position. Eg:
<pre>
http://www.mysite.com/FUZZ
</pre>
* 2- Next we are going to choose the payload type, we will leave "Dictionary", and we are going to choose a dictionary file, in this case i recommend to use the file "common.txt", which is located in the wordlists folder.

* 3- Now click the "Start attack" button

==Future Developments==

We are working on the new release of WebSlayer, which will have a complete engine redesign, and some changes in the GUI.

Also we are working in:

* Adding more generators in the Payload Generator
* The possibility to have more than 2 payloads
* Changing the payload keyword convention (instead of ussing FUZZ, we will allow the use of @mypayload@)
* Improving the logs
* Multiple target URLS, ip range support for massive attacks
* Responses diffing
* Check for backups of detected files (.bak,.old,.txt,etc)

Also we are working in the release of packages for Linux and OS X

==Contacting us==

There are two ways of getting information on WebSlayer. The mailing list, and contacting the project leader directly.

Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project

For content which is not appropriate for the public mailing list, you can alternatively contact Christian Martorella, at [cmartorella] at the [edge-security.com]

==FAQ's==

* a) Once a panel is detached how can i attach it again?
You can attach the panel again by double clicking on the title bar

==Project Contributors==

The WebSlayer project is run by Christian Martorella and Carlos del Ojo from Edge-Security

OWASP/Training/OWASP Webslayer Project

2010-12-15T00:04:18Z

Cmartorella:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Training Modules</noinclude>
| Module_designation = [[Category:OWASP Webslayer Project|OWASP Webslayer Project]]
| Module_Overview_Goal =
WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc.

The tools have a payload generator and a easy and powerful results analyzer.

 

Some features are:

* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)

| Content =
The training will show how to use the tool and will cover the following topics:

*Interface overview
*Basic Payloads overview
*Basic directory discovery setup
*Advance directory and file discovery
*Login form brute force attack
*Basic authentication attack
*Custom payload generation
*Advanced uses

 
| Material =
The training is a hands on course, so it is recommended to bring your own laptop (it´s possible to follow the training without a computer)

The latest version of Webslayer can be downloaded from google code subversion:

*[http://code.google.com/p/webslayer/downloads/list Webslayer]

}}

OWASP/Training/OWASP Webslayer Project

2010-12-07T15:40:25Z

Cmartorella:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Training Modules</noinclude>
| Module_designation = [[Category:OWASP Webslayer Project|OWASP Webslayer Project]]
| Module_Overview_Goal =
WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc.

The tools have a payload generator and a easy and powerful results analyzer.

 

Some features are:

* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)

| Content =
The training will show how to use the tool and will cover the following topics:

-Interface overview
-Basic Payloads overview
-Basic directory discovery setup
-Advance directory and file discovery
-Login form brute force attack
-Basic authentication attack
-Custom payload generation
-Advanced uses

 
| Material =
The training is a hands on course, so it is recommended to bring your own laptop.

The latest version of Webslayer can be downloaded from:

[http://code.google.com/p/webslayer/downloads/list Webslayer]

}}

OWASP/Training/OWASP Webslayer Project

2010-12-07T15:26:20Z

Cmartorella:

{{Template:<includeonly>{{{1}}}</includeonly><noinclude>OWASP Training Modules</noinclude>
| Module_designation = [[Category:OWASP Webslayer Project|OWASP Webslayer Project]]
| Module_Overview_Goal =
WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc.

The tools have a payload generator and a easy and powerful results analyzer.

 
Some features are:
* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)

| Content =
The training will show how to use the tool and will cover the following topics:

-Interface overview
-Basic Payloads overview
-Basic directory discovery setup
-Advance directory and file discovery
-Login form brute force attack
-Basic authentication attack
-Custom payload generation
-Advanced uses

 
| Material =
The training is a hands on course, so it is recommended to bring your own laptop.

The latest version of Webslayer can be downloaded from:

[http://code.google.com/p/webslayer/downloads/list Webslayer]

}}

User:Cmartorella

2010-11-28T23:00:54Z

Cmartorella:

'''Christian Martorella'''

Christian Martorella has been working in the field of information security for the last 10 years, starting his career in Argentina IRS as security consultant, now he's Practice Leader in Threat and Vulnerability - EMEA in Verizon Business. He is cofounder an active member of Edge-Security team, where security tools and research is released. He has been speaker at What The Hack!, NoConName, FIST Conferences, OWASP Summit 2008 and OWASP Spain IV & VI, Source Conference Barcelona and Hack.LU. Christian has contributed with open source assessment tools like OWASP WebSlayer and Metagoofil. He likes all related to Information Gathering and Penetration testing. Christian currently holds the President position at the FIST Conferences board, and in the past taught Ethical Hacking at the IT Security Master of La Salle University.

Contact: cmartorella_at_edge-security.com

Category:OWASP Webslayer Project

2008-11-04T23:17:32Z

Cmartorella:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Webslayer Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Webslayer Project}}
[[Category:OWASP Project]]

== Overview ==

WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer.

It's possible to perform attacks like:

* Predictable resource locator (File and directories discovery)
* Login forms brute force
* Session brute force
* Parameters brute force
* Parameter fuzzing and Injection (XSS, SQL, etc)
* Basic and Ntml Bruteforcing

== Features ==

Some features are:

* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)

===For Resource Location prediction===

* Recursion: When discovering directories, you can set how deep to go
* Non standard code error checking: Webslayer will detect NoN Standard Code, to avoid presenting trash results
* Extensions: You can add a list of extensions to try with a dictionary

==Results analysis==

The power of Webslayer resides in the way you can work with the results, for every attack you will have all the responses, and for each ;
request you will have:

* Html results
* Source code
* Headers
* Web browser view (it will replay the request via the browser)

Multiple filters for improving the performance and for producing better results for the analyst

* Return Code
* Characters length
* Words length
* Lines length
* MD5
* Regular expression

Webslayer will maintain all the attacks in the session so you can work with them, compare, check later, etc.

[[Image:Webslayer-analysis.jpg]]

==Payload Generator==

Another interesting feature of WebSlayer is the Payload Generator, with this tool you can create your custom payloads, for all your needs. It has some basic functions like:

* Files: You can load dictionaries and encode the content.
* Numeric Ranges: Allow the creation of a numeric payload given a chosen range. Also allow to use a fixed width. Eg: "01","02",..,"09"
* Block: You can create characters block, given a string or set of characters. Eg: "A" "AA" AAA" "AAAA"
* Permutation: Given a charset and a width it will create all possibles permutations. Eg: "ABC", "ACB", "BAC" ..., "CBA"
* Credit Cards: You can create well formed credit card numbers for testing shopping carts, and payment modules
* Usernames: Given some names, it will create all the possibles combinations used in account naming patterns. Eg: John Doe: "j.doe","john.doe","johndoe", etc.

After you have some Generators, you can concatenate and create your final Payload, in the screenshot we created a Permutation of "abcaeiou" with a width of 5 characters, and for the final payload we concatenated the word "-owasp08" to the generator. The pattern to create the Payload is: [@PPerm00@]-owasp08
Yo can drag'n'drop the temporal generator, to the Payload creator pattern:

[[Image:Webslayer-payload.jpg]]

==Getting Started==

===Downloading===

At the moment WebSlayer is available only for Windows platform as an installable, the source code will be available in the next release.
You can download the latest version from Google Code, and the current version has no dependencies.

Grab the latest version from here: http://code.google.com/p/webslayer/downloads/list

===Installing===

There is a basic installation needed, just double click, select destination folder and it's done.

===Launching a basic attack===

First of all, you must understand that the tool is based in replacing the Keyword "FUZZ" or "FUZ2Z" by the payload that you have chosen.

So lets start using the application for discovering directories in a website:

* 1- In the Attack tab, insert the website URL that you want to brute force, with the keyword FUZZ in the end so WebSlayer will insert the content of the payload in that position. Eg:
<pre>
http://www.mysite.com/FUZZ
</pre>
* 2- Next we are going to choose the payload type, we will leave "Dictionary", and we are going to choose a dictionary file, in this case i recommend to use the file "common.txt", which is located in the wordlists folder.

* 3- Now click the "Start attack" button

==Future Developments==

We are working on the new release of WebSlayer, which will have a complete engine redesign, and some changes in the GUI.

Also we are working in:

* Adding more encoders/decoders
* Adding more generators in the Payload Generator
* The possibility to have more than 2 payloads
* Changing the payload keyword convention (instead of ussing FUZZ, we will allow the use of @mypayload@)
* Improving the logs
* Improving the session restoring
* Improving the Non standard code checking
* Multiple target URLS, ip range support for massive attacks
* Responses diffing
* Check for backups of detected files (.bak,.old,.txt,etc)
* GUI Redesign
* Crawler for getting the estructure as a starting points

One important area to work is the tailored dictionaries from know application/servers, it is important that the community participate providing new
dictionaries of known applications.

Also we are working in the release of packages for Linux and OS X

==Contacting us==

There are two ways of getting information on WebSlayer. The mailing list, and contacting the project lead directly.

Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project

For content which is not appropriate for the public mailing list, you can alternatively contact Christian Martorella, at [cmartorella] at the [edge-security.com]

==FAQ's==

* a) Once a panel is detached how can i attach it again?
You can attach the panel again by double clicking on the title bar

==Project Contributors==

The WebSlayer project is run by Christian Martorella and Carlos del Ojo from Edge-Security

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

Category:OWASP Webslayer Project

2008-11-02T22:42:20Z

Cmartorella:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Webslayer Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Webslayer Project}}
[[Category:OWASP Project]]

== Overview ==

WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer.

It's possible to perform attacks like:

* Predictable resource locator (File and directories discovery)
* Login forms brute force
* Session brute force
* Parameters brute force
* Parameter fuzzing and Injection (XSS, SQL, etc)
* Basic and Ntml Bruteforcing

== Features ==

Some features are:

* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)

===For Resource Location prediction===

* Recursion: When discovering directories, you can set how deep to go
* Non standard code error checking: Webslayer will detect NoN Standard Code, to avoid presenting trash results
* Extensions: You can add a list of extensions to try with a dictionary

==Results analysis==

The power of Webslayer resides in the way you can work with the results, for every attack you will have all the responses, and for each ;
request you will have:

* Html results
* Source code
* Headers
* Web browser view (it will replay the request via the browser)

Multiple filters for improving the performance and for producing better results for the analyst

* Return Code
* Characters length
* Words length
* Lines length
* MD5
* Regular expression

Webslayer will maintain all the attacks in the session so you can work with them, compare, check later, etc.

[[Image:Webslayer-analysis.jpg]]

==Payload Generator==

Another interesting feature of WebSlayer is the Payload Generator, with this tool you can create your custom payloads, for all your needs. It has some basic functions like:

* Files: You can load dictionaries and encode the content.
* Numeric Ranges: Allow the creation of a numeric payload given a chosen range. Also allow to use a fixed width. Eg: "01","02",..,"09"
* Block: You can create characters block, given a string or set of characters. Eg: "A" "AA" AAA" "AAAA"
* Permutation: Given a charset and a width it will create all possibles permutations. Eg: "ABC", "ACB", "BAC" ..., "CBA"
* Credit Cards: You can create well formed credit card numbers for testing shopping carts, and payment modules
* Usernames: Given some names, it will create all the possibles combinations used in account naming patterns. Eg: John Doe: "j.doe","john.doe","johndoe", etc.

After you have some Generators, you can concatenate and create your final Payload, in the screenshot we created a Permutation of "abcaeiou" with a width of 5 characters, and for the final payload we concatenated the word "-owasp08" to the generator. The pattern to create the Payload is: [@PPerm00@]-owasp08
Yo can drag'n'drop the temporal generator, to the Payload creator pattern:

[[Image:Webslayer-payload.jpg]]

==Getting Started==

===Downloading===

At the moment WebSlayer is available only for Windows platform as an installable, the source code will be available in the next release.
You can download the latest version from Google Code, and the current version has no dependencies.

Grab the latest version from here: http://code.google.com/p/webslayer/downloads/list

===Installing===

There is a basic installation needed, just double click, select destination folder and it's done.

===Launching a basic attack===

First of all, you must understand that the tool is based in replacing the Keyword "FUZZ" or "FUZ2Z" by the payload that you have chosen.

So lets start using the application for discovering directories in a website:

* 1- In the Attack tab, insert the website URL that you want to brute force, with the keyword FUZZ in the end so WebSlayer will insert the content of the payload in that position. Eg:
<pre>
http://www.mysite.com/FUZZ
</pre>
* 2- Next we are going to choose the payload type, we will leave "Dictionary", and we are going to choose a dictionary file, in this case i recommend to use the file "common.txt", which is located in the wordlists folder.

* 3- Now click the "Start attack" button

==Future Developments==

We are working on the new release of WebSlayer, which will have a complete engine redesign, and some changes in the GUI.

Also we are working in:

* Adding more encoders/decoders
* Adding more generators in the Payload Generator
* The possibility to have more than 2 payloads
* Changing the payload keyword convention (instead of ussing FUZZ, we will allow the use of @mypayload@)
* Improving the logs
* Improving the session restoring
* Improving the Non standard code checking

One important area to work is the tailored dictionaries from know application/servers, it is important that the community participate providing new
dictionaries of known applications.

Also we are working in the release of packages for Linux and OS X

==Contacting us==

There are two ways of getting information on WebSlayer. The mailing list, and contacting the project lead directly.

Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project

For content which is not appropriate for the public mailing list, you can alternatively contact Christian Martorella, at [cmartorella] at the [edge-security.com]

==FAQ's==

* a) Once a panel is detached how can i attach it again?
You can attach the panel again by double clicking on the title bar

==Project Contributors==

The WebSlayer project is run by Christian Martorella and Carlos del Ojo from Edge-Security

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

Project Information:template Webslayer Project

2008-11-02T22:33:01Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Webslayer Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc.

The tools has a payload generator and a easy and powerful results analyzer.

|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:cmartorella(at)edge-security.com '''Christian Martorella''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:cdelojo(at)edge-security.com '''Carlos del Ojo''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project '''Mailing List/Subscribe'''] [mailto:owasp-webslayer-project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:andres@neurofuzz.com '''Andres Andreu''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:name(at)name '''TBD'''] 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[http://www.edge-security.com/webslayer.php - The tool's url]

|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* If any, add link.
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|Sponsor name, if applicable
| style="width:50%; background:#cccccc" align="center"|[[:Category:OWASP Webslayer Project Roadmap|'''Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''First Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - Self Evaluation - A|See&Edit: First Review/SelfEvaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - First Reviewer - B|See&Edit: First Review/1st Reviewer (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - Second Reviewer - C|See&Edit: First Review/2nd Reviewer (C)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - OWASP Board Member - D|See/Edit: First Review/Board Member (D)]]
|-
|}

[[Category:OWASP Project]]

Category:OWASP Webslayer Project

2008-11-02T22:32:16Z

Cmartorella:

[[:Category:OWASP Project|Click here to return to OWASP Projects page.]] 
[[:Project Information:template Webslayer Project|Click here to see (& edit, if wanted) the template.]]
{{:Project Information:template Webslayer Project}}
[[Category:OWASP Project]]

== Overview ==

WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and a easy and powerful results analyzer.

It's possible to perform attacks like:

* Predictable resource locator (File and directories discovery)
* Login forms brute force
* Session brute force
* Parameters brute force
* Parameter fuzzing and Injection (XSS, SQL, etc)
* Basic and Ntml Bruteforcing

== Features ==

Some features are:

* Encodings: 15 encodings supported
* All parameters attack: the tool will inject the payload in every parameter (Headers, Get, Post)
* Authentication: Webslayer supports Ntml and Basic authentication, also you can brute force the authentication
* Multiple payloads: you can use 2 paylods in different parts
* Proxy support (authentication supported)
* Live filters: You can change the filters as the attack is taking place
* Multiple threads: You can set how many threads to use in the attack
* Session import/export: Allows you to save the session and to continue working with the results
* Integrated web browser: a full fledge webkit browser is included to analyze the results
* Predefined dictionaries for predictable resource location, based on known servers (Thanks to Dark Raver, www.open-labs.org)
* Payload Generator (custom payload generator)

===For Resource Location prediction===

* Recursion: When discovering directories, you can set how deep to go
* Non standard code error checking: Webslayer will detect NoN Standard Code, to avoid presenting trash results
* Extensions: You can add a list of extensions to try with a dictionary

==Results analysis==

The power of Webslayer resides in the way you can work with the results, for every attack you will have all the responses, and for each ;
request you will have:

* Html results
* Source code
* Headers
* Web browser view (it will replay the request via the browser)

Multiple filters for improving the performance and for producing better results for the analyst

* Return Code
* Characters length
* Words length
* Lines length
* MD5
* Regular expression

Webslayer will maintain all the attacks in the session so you can work with them, compare, check later, etc.

[[Image:Webslayer-analysis.jpg]]

==Payload Generator==

Another interesting feature of WebSlayer is the Payload Generator, with this tool you can create your custom payloads, for all your needs. It has some basic functions like:

* Files: You can load dictionaries and encode the content.
* Numeric Ranges: Allow the creation of a numeric payload given a chosen range. Also allow to use a fixed width. Eg: "01","02",..,"09"
* Block: You can create characters block, given a string or set of characters. Eg: "A" "AA" AAA" "AAAA"
* Permutation: Given a charset and a width it will create all possibles permutations. Eg: "ABC", "ACB", "BAC" ..., "CBA"
* Credit Cards: You can create well formed credit card numbers for testing shopping carts, and payment modules
* Usernames: Given some names, it will create all the possibles combinations used in account naming patterns. Eg: John Doe: "j.doe","john.doe","johndoe", etc.

After you have some Generators, you can concatenate and create your final Payload, in the screenshot we created a Permutation of "abcaeiou" with a width of 5 characters, and for the final payload we concatenated the word "-owasp08" to the generator. The pattern to create the Payload is: [@PPerm00@]-owasp08
Yo can drag'n'drop the temporal generator, to the Payload creator pattern:

[[Image:Webslayer-payload.jpg]]

==Getting Started==

===Downloading===

At the moment WebSlayer is available only for Windows platform as an installable, the source code will be available in the next release.
You can download the latest version from Google Code, and the current version has no dependencies.

Grab the latest version from here: http://code.google.com/p/webslayer/downloads/list

===Installing===

There is a basic installation needed, just double click, select destination folder and it's done.

===Launching a basic attack===

First of all, you must understand that the tool is based in replacing the Keyword "FUZZ" or "FUZ2Z" by the payload that you have chosen.

So lets start using the application for discovering directories in a website:

* 1- In the Attack tab, insert the website URL that you want to brute force, with the keyword FUZZ in the end so WebSlayer will insert the content of the payload in that position. Eg:
<pre>
http://www.mysite.com/FUZZ
</pre>
* 2- Next we are going to choose the payload type, we will leave "Dictionary", and we are going to choose a dictionary file, in this case i recommend to use the file "common.txt", which is located in the wordlists folder.

* 3- Now click the "Start attack" button

==Contacting us==

There are two ways of getting information on WebSlayer. The mailing list, and contacting the project lead directly.

Mailing list: https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project

For content which is not appropriate for the public mailing list, you can alternatively contact Christian Martorella, at [cmartorella] at the [edge-security.com]

==FAQ's==

* a) Once a panel is detached how can i attach it again?
You can attach the panel again by double clicking on the title bar

==Project Contributors==

The WebSlayer project is run by Christian Martorella and Carlos del Ojo from Edge-Security

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

File:Webslayer-payload.jpg

2008-11-02T22:14:43Z

Cmartorella:

Category:OWASP Webslayer Project

2008-11-02T22:13:04Z

Cmartorella:

File:Webslayer-analysis.jpg

2008-11-02T22:11:17Z

Cmartorella:

Category:OWASP Webslayer Project

2008-11-02T22:06:19Z

Cmartorella:

Category:OWASP Webslayer Project

2008-11-02T21:59:25Z

Cmartorella:

Category:OWASP Webslayer Project

2008-11-02T21:39:48Z

Cmartorella:

Category:OWASP Webslayer Project

2008-11-02T21:04:39Z

Cmartorella:

OWASP Working Session Top 10 2009

2008-10-27T21:13:38Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#b3b3b3; color:white"|'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Top 10 2009'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|Aims to provide a key awareness document for web application security.
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|[[:Category:OWASP Top Ten Project|OWASP Top Ten Project]]
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Chair''' [mailto:dave.wichers(at)owasp.org '''Dave Wichers''']
| style="width:25%; background:#cccccc" align="center"|'''Secretary''' [mailto:jeff.williams(at)owasp.org '''Jeff Williams''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' [https://lists.owasp.org/mailman/listinfo/owasp-topten '''Subscription Page''']
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION SPECIFICS'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* Discuss current Top10 structure and objectives,
* Identify which information sources will be considered for analysis, Eg:
** MITRE
** Compromise DB's (Attrition, WASC etc) and bias due to reporting
** Anonomised penetration test results and the difficulty in obtaining
* Define methodology to collect attacks statistics,
* Define prioritisation approach
** Agree weighting between current or emerging threats
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
| style="width:25%; background:#cccccc" align="center"|'''Venue''' [[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
| style="width:25%; background:#cccccc" align="center"|'''Date&Time''' November 5 & 7, 2008 Time TBD
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model''' "Participants + Attendees"
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}

{|style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OPERATIONAL RESOURCES'''
|-
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION ADDITIONAL DETAILS'''
|-
| style="width:100%; background:#cccccc" align="left"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.

Potential Resources:

* [http://cve.mitre.org/cve/ MITRE's Common Vulnerability Enumeration (CVE) Database]

* The [http://www.webappsec.org/projects/whid/whid.shtml WASC Web Hacking Incidents Database]

* The [http://www.webappsec.org/projects/statistics/ 2007 WASC Web Application Security Statistics Report]
|}
{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES'''
|-
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group'''
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|The sources of input for the 2009 Top 10 will be identified.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|The ordering scheme for the Top 10 will be determined.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Discussion of whether the existing document structure should be maintained or adjusted.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|}
== Working Session Participants ==
(Add your name by editing this table. On the right, just above this frame, you have the option to edit)
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION PARTICIPANTS'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:15%; background:#cccccc" align="center"|'''Name'''
| style="width:15%; background:#cccccc" align="center"|'''Company'''
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
|-
| style="width:7%; background:#7B8ABD" align="center"|1
| style="width:15%; background:#cccccc" align="center"|Paolo Perego
| style="width:15%; background:#cccccc" align="center"|Spike Reply
| style="width:63%; background:#cccccc" align="center"|As penetration tester it woud be great to me to participating in writing the new Top 10. As code reviewer and Orizon project leader it would be very interesting in scouting dynamic threats in order to add some dynamic feature to my tool.
|-
| style="width:7%; background:#7B8ABD" align="center"|2
| style="width:15%; background:#cccccc" align="center"|David Campbell
| style="width:15%; background:#cccccc" align="center"|OWASP Denver
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|3
| style="width:15%; background:#cccccc" align="center"|Robert Mann
| style="width:15%; background:#cccccc" align="center"|RBS / ABN AMRO
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"|Troy Leach
| style="width:15%; background:#cccccc" align="center"|[https://www.pcisecuritystandards.org/ PCI Security Standards Council]
| style="width:63%; background:#cccccc" align="center"|Technical Director
|-
| style="width:7%; background:#7B8ABD" align="center"|5
| style="width:15%; background:#cccccc" align="center"|Eoin Keary
| style="width:15%; background:#cccccc" align="center"|Ernst & Young. Long time OWASP member (Code and Testing guides)
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|6
| style="width:15%; background:#cccccc" align="center"| Matteo Meucci
| style="width:15%; background:#cccccc" align="center"| Minded Security
| style="width:63%; background:#cccccc" align="center"| I'd like to discuss about a new way to create the Top10 from the OWASP Community
|-
| style="width:7%; background:#7B8ABD" align="center"|7
| style="width:15%; background:#cccccc" align="center"|Giorgio Fedon
| style="width:15%; background:#cccccc" align="center"|Minded Security
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|8
| style="width:15%; background:#cccccc" align="center"|Andrea Cogliati
| style="width:15%; background:#cccccc" align="center"|OWASP Rochester, NY
| style="width:63%; background:#cccccc" align="center"|I volunteered as a technical writer
|-
| style="width:7%; background:#7B8ABD" align="center"|9
| style="width:15%; background:#cccccc" align="center"|Christian Martorella
| style="width:15%; background:#cccccc" align="center"|S21sec
| style="width:63%; background:#cccccc" align="center"|Interested in participating on the creating the Top 10, share some ideas.
|-
| style="width:7%; background:#7B8ABD" align="center"|10
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|}
If needed add here more lines.

[[Category:OWASP_Working_Session]]

Working Session Winter of Code 2009

2008-10-27T21:12:10Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#b3b3b3; color:white"|'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Winter of Code 2009'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|Aims to define the next OWASP Season of Code frame.
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
*[[:OWASP Summer of Code 2008|OWASP Summer of Code 2008]],
*[[:OWASP Spring Of Code 2007|OWASP Spring Of Code 2007]],
*[[:OWASP Autumn Of Code 2006|OWASP Autumn Of Code 2006]].
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Chair''' [mailto:dinis.cruz(at)owasp.org '''Dinis Cruz'''], [mailto:seba(at)owasp.org '''Sebastien Deleersnyder''']
| style="width:25%; background:#cccccc" align="center"|'''Secretary''' [mailto:paulo.coimbra(at)owasp.org '''Paulo Coimbra''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' [https://lists.owasp.org/mailman/listinfo/owasp-winter-of-code-2009 '''Subscription Page''']
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION SPECIFICS'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* Define the operation model for the next OWASP Season of Code (the Winter of Code 08),
* Identify which areas should receive priority selection,
* Create 'virtual teams' from the attendees and allocate them to key projects,
* Discuss sponsoring models.
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
| style="width:25%; background:#cccccc" align="center"|'''Venue''' [[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
| style="width:25%; background:#cccccc" align="center"|'''Date&Time''' November 4 & 7, 2008 Time TBD
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model''' "Everybody is a Participant"
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}

{|style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OPERATIONAL RESOURCES'''
|-
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION ADDITIONAL DETAILS'''
|-
| style="width:100%; background:#cccccc" align="center"|Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution
|}
{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES'''
|-
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group'''
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''
|-
| style="width:7%; background:#7B8ABD" align="center"|Initiative
| style="width:46%; background:#C2C2C2" align="center"|OWASP Winter of Code 08 plan.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|Decision
| style="width:46%; background:#C2C2C2" align="center"|Set of projects for immediate approval (assuming the proposal is ready).
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|}
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION PARTICIPANTS'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:15%; background:#cccccc" align="center"|'''Name'''
| style="width:15%; background:#cccccc" align="center"|'''Company'''
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
|-
| style="width:7%; background:#7B8ABD" align="center"|1
| style="width:15%; background:#cccccc" align="center"| Eduardo Vianna de Camargo Neves
| style="width:15%; background:#cccccc" align="center"| Conviso IT Security
| style="width:63%; background:#cccccc" align="center"| Understand how we can help the initiative and participate to continue the Positive Security project.
|-
| style="width:7%; background:#7B8ABD" align="center"|2
| style="width:15%; background:#cccccc" align="center"|Leonardo Cavallari Militelli
| style="width:15%; background:#cccccc" align="center"|E-VAL Tecnologia
| style="width:63%; background:#cccccc" align="center"|Share feelings from other 2 season of code, discuss improvements for WoC and continue ASDR development.
|-
| style="width:7%; background:#7B8ABD" align="center"|3
| style="width:15%; background:#cccccc" align="center"|Matt Tesauro
| style="width:15%; background:#cccccc" align="center"|OWASP Live CD 2008 Project Lead
| style="width:63%; background:#cccccc" align="center"|Discuss what worked and didn't work with the SoC. Give some input on how to spread the word about OWASP's XoC's
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"| Matteo Meucci
| style="width:15%; background:#cccccc" align="center"| Minded Security, OWASP Testing Guide
| style="width:63%; background:#cccccc" align="center"| Discuss new ideas about projects. Should OWASP says which projects develop?
|-
| style="width:7%; background:#7B8ABD" align="center"|5
| style="width:15%; background:#cccccc" align="center"| Carlo Pelliccioni
| style="width:15%; background:#cccccc" align="center"| Symantec, OWASP Backend Security Project
| style="width:63%; background:#cccccc" align="center"| Discuss about the next OWASP sponsorship to share new ideas.
|-
| style="width:7%; background:#7B8ABD" align="center"|6
| style="width:15%; background:#cccccc" align="center"|Christian Martorella
| style="width:15%; background:#cccccc" align="center"|Edge-Security, WebSlayer Project
| style="width:63%; background:#cccccc" align="center"|Interested in the topic
|-
| style="width:7%; background:#7B8ABD" align="center"|7
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|8
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|9
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|10
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|}
If needed add here more lines.

[[Category:OWASP_Working_Session]]

OWASP Working Session - OWASP Certification

2008-10-27T21:09:01Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#b3b3b3; color:white"|'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Certification'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|TBD
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* [[:Category:OWASP Certification Requirements|OWASP Certification Requirements]]
* [[:Category:OWASP Certification Project|OWASP Certification Project]]
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Chair''' [mailto:name(at)name '''TBD''']
| style="width:25%; background:#cccccc" align="center"|'''Secretary''' TBD
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' [https://lists.owasp.org/mailman/listinfo/OWASP-cert '''Subscription Page''']
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION SPECIFICS'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* Discuss and review current proposal and survey results,
* Identify risks of offering a certification program.
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
| style="width:25%; background:#cccccc" align="center"|'''Venue''' [[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
| style="width:25%; background:#cccccc" align="center"|'''Date&Time''' November 5 & 7, 2008 Time TBD
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model''' "Everybody is a Participant"
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}

{|style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OPERATIONAL RESOURCES'''
|-
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION ADDITIONAL DETAILS'''
|-
| style="width:100%; background:#cccccc" align="left"|
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.
|}
{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES'''
|-
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group'''
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|}
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION PARTICIPANTS'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:15%; background:#cccccc" align="center"|'''Name'''
| style="width:15%; background:#cccccc" align="center"|'''Company'''
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
|-
| style="width:7%; background:#7B8ABD" align="center"|1
| style="width:15%; background:#cccccc" align="center"| Dinis Cruz
| style="width:15%; background:#cccccc" align="center"| OWASP
| style="width:63%; background:#cccccc" align="center"| Want to share a number of ideas and see how I can help to make this happen
|-
| style="width:7%; background:#7B8ABD" align="center"|2
| style="width:15%; background:#cccccc" align="center"| Matteo Meucci
| style="width:15%; background:#cccccc" align="center"| Minded Security
| style="width:63%; background:#cccccc" align="center"| Thinking at the OWASP Certifications from many time. Would like to understand which kind of certification is better for the OWASP Community.
|-
| style="width:7%; background:#7B8ABD" align="center"|3
| style="width:15%; background:#cccccc" align="center"| Rex Booth
| style="width:15%; background:#cccccc" align="center"| Grant Thornton
| style="width:63%; background:#cccccc" align="center"| Interest in the cert topic.
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"| Pavol Luptak
| style="width:15%; background:#cccccc" align="center"| Nethemba s.r.o.
| style="width:63%; background:#cccccc" align="center"| Interest in the cert topic.
|-
| style="width:7%; background:#7B8ABD" align="center"|5
| style="width:15%; background:#cccccc" align="center"|David Campbell
| style="width:15%; background:#cccccc" align="center"|OWASP
| style="width:63%; background:#cccccc" align="center"|Cert skeptic
|-
| style="width:7%; background:#7B8ABD" align="center"|6
| style="width:15%; background:#cccccc" align="center"|Andrzej Targosz
| style="width:15%; background:#cccccc" align="center"|PROIDEA
| style="width:63%; background:#cccccc" align="center"|Interest in the topic.
|-
| style="width:7%; background:#7B8ABD" align="center"|7
| style="width:15%; background:#cccccc" align="center"|Giorgio Fedon
| style="width:15%; background:#cccccc" align="center"|Minded Security
| style="width:63%; background:#cccccc" align="center"|Share Ideas and talking about the need for a Certification
|-
| style="width:7%; background:#7B8ABD" align="center"|8
| style="width:15%; background:#cccccc" align="center"|Esteban Ribicic
| style="width:15%; background:#cccccc" align="center"|HP
| style="width:63%; background:#cccccc" align="center"|Interested on the topic
|-
| style="width:7%; background:#7B8ABD" align="center"|9
| style="width:15%; background:#cccccc" align="center"|Christian Martorella
| style="width:15%; background:#cccccc" align="center"|S21sec
| style="width:63%; background:#cccccc" align="center"|Interested in the topic, and share ideas.
|-
| style="width:7%; background:#7B8ABD" align="center"|10
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|}
If needed add here more lines.

OWASP Working Session - OWASP Tools Projects

2008-10-22T15:28:17Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#b3b3b3; color:white"|'''Working Sessions Operational Rules''' - [[:Working Sessions Methodology|'''Please see here the general frame of rules''']].
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Work Session Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Tools Projects'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Work Session Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|The working session for OWASP Tools will address standards for Tool development at OWASP. This is will include standards for documentation, supporting tools via Books, How-Tos, Webcasts, Podcasts. We will also dive deep into the OWASP Project Assessment.
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Related Projects (if any)'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
[[:Category:OWASP Project|OWASP Tools Projects]]
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Email Contacts & Roles'''
| style="width:25%; background:#cccccc" align="center"|'''Chair''' [mailto:mark.roxberry(at)owasp.org '''Mark Roxberry''']
| style="width:25%; background:#cccccc" align="center"|'''Secretary''' [mailto:mtesauro(at)gmail.com '''Matt Tesauro''']
| style="width:25%; background:#cccccc" align="center"|'''Mailing list''' [https://lists.owasp.org/mailman/listinfo/owasp-tools-projects '''Subscription Page''']
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION SPECIFICS'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Objectives'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
* Discuss documentation procedures.
* Book creation procedure.
* Review OWASP Project Assessment.
|-
| style="width:25%; background:#7B8ABD" align="center"|'''Venue/Date&Time/Model'''
| style="width:25%; background:#cccccc" align="center"|'''Venue''' [[:OWASP EU Summit 2008|OWASP EU Summit Portugal 2008]]
| style="width:25%; background:#cccccc" align="center"|'''Date&Time''' November 4 & 7, 2008 Time TBD
| style="width:25%; background:#cccccc" align="center"|'''Discussion Model''' "Participants + Attendees"
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}

{|style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OPERATIONAL RESOURCES'''
|-
| style="width:100%; background:#cccccc" align="center"|Please add here, ASAP, any needed relevant resources, e.g. data-show, boards, laptops, etc.
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:white; color:white"|
|}
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION ADDITIONAL DETAILS'''
|-
| style="width:100%; background:#cccccc" align="left"|
Please add here, any additional notes, links, ideas, guidelines, etc... The objective is to help the working sessions participants and attendees to prepare their participation/contribution.
|}
{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION OUTCOMES'''
|-
| style="width:7%; background:#6C82B5" align="center"|Statements, Initiatives or Decisions
| style="width:46%; background:#b3b3b3" align="center"|'''Proposed by Working Group'''
| style="width:47%; background:#b3b3b3" align="center"|'''Approved by OWASP Board'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:46%; background:#C2C2C2" align="center"|Fill in here.
| style="width:47%; background:#C2C2C2" align="center"|After the Board Meeting - fill in here.
|}
== Working Session Participants ==
(Add you name by editing this table. On your the right, just above the this frame, you have the option to edit)
{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''WORKING SESSION PARTICIPANTS'''
|-
| style="width:7%; background:#7B8ABD" align="center"|
| style="width:15%; background:#cccccc" align="center"|'''Name'''
| style="width:15%; background:#cccccc" align="center"|'''Company'''
| style="width:63%; background:#cccccc" align="center"|'''Notes & reason for participating, issues to be discussed/addressed'''
|-
| style="width:7%; background:#7B8ABD" align="center"|1
| style="width:15%; background:#cccccc" align="center"|Paulo Coimbra
| style="width:15%; background:#cccccc" align="center"|OWASP
| style="width:63%; background:#cccccc" align="center"|Has contributed to the current OWASP Assessment Criteria.
|-
| style="width:7%; background:#7B8ABD" align="center"|2
| style="width:15%; background:#cccccc" align="center"|Rogan Dawes
| style="width:15%; background:#cccccc" align="center"|Corsaire
| style="width:63%; background:#cccccc" align="center"|WebScarab lead
|-
| style="width:7%; background:#7B8ABD" align="center"|3
| style="width:15%; background:#cccccc" align="center"|Andrew Petukhov
| style="width:15%; background:#cccccc" align="center"|Moscow State University
| style="width:63%; background:#cccccc" align="center"|Access Control Rules Tester lead
|-
| style="width:7%; background:#7B8ABD" align="center"|4
| style="width:15%; background:#cccccc" align="center"|Christian Martorella
| style="width:15%; background:#cccccc" align="center"|Edge-Security
| style="width:63%; background:#cccccc" align="center"|WebSlayer lead
|-
| style="width:7%; background:#7B8ABD" align="center"|5
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|6
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|7
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|8
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|9
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|10
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|-
| style="width:7%; background:#7B8ABD" align="center"|11
| style="width:15%; background:#cccccc" align="center"|
| style="width:15%; background:#cccccc" align="center"|
| style="width:63%; background:#cccccc" align="center"|
|}
If needed add here more lines.

[[Category:OWASP_Working_Session]]

Project Information:template Webslayer Project

2008-10-21T18:35:20Z

Cmartorella:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP Webslayer Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|
WebSlayer is a tool designed for bruteforcing Web Applications, it can be used for finding not linked resources (directories, servlets, scripts, etc), bruteforce GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc.

The tools has a payload generator and a easy and powerful results analyzer.

|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:cmartorella(at)edge-security.com '''Christian Martorella''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:cdelojo(at)edge-security.com '''Carlos del Ojo''']
| style="width:14%; background:#cccccc" align="center"|[https://lists.owasp.org/mailman/listinfo/owasp-webslayer-project '''Mailing List/Subscribe'''] [mailto:owasp-webslayer-project@lists.owasp.org '''Mailing List/Use''']
| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:andres@neurofuzz.com '''Andres Andreu''']
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:name(at)name '''TBD'''] 
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member (if applicable) [mailto:name(at)name '''Name&Email''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
[http://www.edge-security.com/webslayer.php- The tool's url]

|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''RELATED PROJECTS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* If any, add link.
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|Sponsor name, if applicable
| style="width:50%; background:#cccccc" align="center"|[[:Category:OWASP Webslayer Project Roadmap|'''Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:21%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:22%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''First Review'''
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - Self Evaluation - A|See&Edit: First Review/SelfEvaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Not yet''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - First Reviewer - B|See&Edit: First Review/1st Reviewer (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - Second Reviewer - C|See&Edit: First Review/2nd Reviewer (C)]]
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Alpha Status''' - (To update) --------- [[Project Information:template Webslayer Project - First Review - OWASP Board Member - D|See/Edit: First Review/Board Member (D)]]
|-
|}

[[Category:OWASP Project]]