OWASP - User contributions [en]

Category:OWASP Flash Security Project

2015-03-02T23:15:06Z

Fran Brown: FlashDiggity - Stach & Liu re-branded as Bishop Fox. Updated website link accordingly and minor update to tool description.

==== Main ====

== Overview ==

The OWASP Flash Security Project is an open project for sharing knowledge in order to raise awareness of Flash application security.

== Goals ==

The OWASP Flash Security Project aims to share guidelines, tools and resources for securing Flash applications.

 

== Table of Contents ==

{| cellspacing="1" cellpadding="1" border="0" style="width: 651px; height: 66px;"
|-
| '''Research'''
| '''References'''
| '''Tools'''
| '''Libraries'''
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Videos Videos]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#References References]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#OWASP_Tools OWASP Tools]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Third-party_Security_Libraries 3rd Party Libs]
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#White_Papers_.2F_Presentations White Papers/Presentations]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Useful_Specifications Specifications]
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Static_Analysis Static Analysis]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Articles Articles]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Disassemblers Disassemblers]
|
|-
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Example_Vulnerabilities Example Vulnerabilities]
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Decompilers Decompilers]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Obfuscators_.2F_De-obfuscators Obfuscators/De-obfuscators]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Local_Shared_Object_Editors LSO Editors]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#AMF_Tools AMF Tools]
|
|-
|
|
| [http://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project#Analysis Analysis/Defense]
|
|}

 

== Videos ==

* [http://tv.adobe.com/show/how-to-develop-secure-flash-platform-apps/ How to Develop Secure Flash Platform Apps] An Adobe TV series discussing how to author and test secure Flash applications. The presentations cover common vulnerabilities in SWF content and how to avoid them. Each video is about 5-10 minutes long and is by Peleus Uhley.

* [http://tv.adobe.com/watch/max-2010-develop/creating-secure-actionscript-applications/ Creating Secure ActionScript Applications] An hour long video targeted at developers and QEs on creating secure Flash applications from Adobe MAX 2010. Adobe MAX is Adobe's developer conference. The talk is by Peleus Uhley.

* [http://vimeo.com/15506137 Assessing, Testing & Validating Flash Content] A 45 minute talk from OWASP AppSec USA 2010 on how to assess and test Flash applications. The talk is by Peleus Uhley.

* [http://tv.adobe.com/#vi+f15384v1102 Understanding the Flash Player Security Model] Deneb Meketa of Adobe gives a one hour presentation at the Adobe MAX 2008 conference in San Francisco entitled, "Flash Security: Why and how." This presentation provides a good overview of several aspects of Flash Player's security model. Approximately 1 hour long.

* [http://h30431.www3.hp.com/index.jsp?fr_story=3a98c704f7ef61299c19ef1f648f1acb1a5aeab8&rf=bm Billy Wins A Cheeseburger] A video by HP that explains a basic Flash vulnerability that can be found by decompilers. Approximately 3 minutes long.

* [http://securitytube.net/Hacking-Flash-Applications-for-Fun-and-Profit-(Blackhat)-video.aspx Blinded by Flash: Widespread Security Risks Flash Developers Don't See] Prajakta Jagdale describes the attack surface flash applications have based on various things developers overlook. In this presentation she talks about the basic cross domain security model between flash applets, Cross Site Scripting attacks on Flash applications, Data injection attacks, Flash malware, decompilation of Flash swf files, code and binary obfuscation and many other attack vectors which a malicious attacker could use to hack Flash applications. Approximately 1 hour long.

* [https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Jon%20Rose%20-%20Deblaze%20A%20Remote%20Method%20Enumeration%20Tool%20for%20Flex%20Servers%20-%20Video%20and%20Slides.m4v Deblaze - A Remote Method Enumeration Tool for Flex Servers] This is an excellent 20 minute presentation from DefCon 17 by Jon Rose on how to test AMF services using the deBlaze tool that he authored.

* [http://technet.microsoft.com/en-us/security/ee460903.aspx#ria RIA Security: Real-World Lessons from Flash and Silverlight] Jesse Collins from Microsoft's Silverlight team and Peleus Uhley from Adobe's Flash team discuss common threats to RIA applications. Approximately 1 hour long.

 

== White Papers / Presentations ==

'''Flash'''

* '''Flash Parameter Injection''' [http://blog.watchfire.com/FPI.pdf pdf], IBM Rational Application Security Team, [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference OWASP AppSec 2008], 24th September 2008, NYC, NY (USA)

* '''Testing Flash Applications using WebScarab''' [https://www.owasp.org/images/5/58/Testing_Flash_Applications.pdf pdf], Martin Clausen - Deloitte [http://www.owasp.org/index.php/Denmark Denmark Chapter Meeting], 12th March 2008, Denmark

* '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).

* '''Testing and Exploiting Flash Applications''' [http://events.ccc.de/camp/2007/Fahrplan/attachments/1320-FlashSec.pdf pdf], Fukami, Chaos Computer Camp, 2007

* '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose, CA (USA)

* '''Neat, New, and Ridiculous Flash Hacks''' - whitepaper: [http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-wp.pdf pdf], presentation:[http://www.blackhat.com/presentations/bh-dc-10/Bailey_Mike/BlackHat-DC-2010-Bailey-Neat-New-Ridiculous-flash-hacks-slides.pdf pdf], Mike Bailey, Black Hat DC 2010, Washington, DC (USA)

 '''AMF'''

* '''AMF Testing Made Easy''' - whitepaper: [https://media.blackhat.com/bh-us-12/Briefings/Carettoni/BH_US_12_Carettoni_AMF_Testing_WP.pdf pdf], presentation: [https://media.blackhat.com/bh-us-12/Briefings/Carettoni/BH_US_12_Carettoni_AMF_Testing_Slides.pdf pdf], Luca Carettoni, Black Hat USA 2012, Las Vegas, NV (USA). This presentation discusses how to use the [http://code.google.com/p/blazer/ Blazer] tool with Burp to conduct AMF testing.

* '''Pentesting Adobe Flex Applications''' - [http://www.gdssecurity.com/l/OWASP_NYNJMetro_Pentesting_Flex.pdf pdf], Marcin Wielgoszewski, April 2010 OWASP NYC Chapter Meeting, NYC, NY (USA)

* '''DeBlaze: A remote enumeration tool for Flex servers''' [http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-jon_rose-deblaze.pdf pdf], Jon Rose, [http://www.defcon.org/html/links/dc-archives/dc-17-archive.html#Rose DefCon 17], 31st July 2009, Las Vegas, NV (USA)

 '''University Research'''

* '''ActionScript bytecode verification with co-logic programming''' [http://portal.acm.org/citation.cfm?id=1554339.1554342 pdf], Brian W. DeVries, Gopal Gupta, Kevin W. Hamlen, Scott Moore, and Meera Sridhar of The University of Texas at Dallas, Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security 2009.

* '''Creating a more sophisticated security platform for Flash, AIR and others''' [http://www.utdallas.edu/~mxs072100/Adobe.ppt ppt] Presented at Adobe Systems, Inc. by Meera Sridhar, November, 2009

* '''ActionScript In-Lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl.pdf pdf], Meera Sridhar and Kevin W. Hamlen of The University of Texas at Dallas, Proceedings of the Twelfth Symposium on Practical Aspects of Declarative Languages (PADL), Jan 2010.

* '''ActionScript In-lined Reference Monitoring in Prolog''' [http://www.utdallas.edu/~mxs072100/padl10.pptx pptx] Presented at PADL 2010, Madrid, Spain by Meera Sridhar.

 

== Articles ==

'''Development'''
* [http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html Creating more secure SWF web applications] This Adobe Developer Center article discusses secure ActionScript programming practices.

* [http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html Cross-domain policy file usage recommendations for Flash Player] This Adobe Developer Center article discusses some of the common security issues that you should consider when deciding how to use a cross-domain policy file on your server.

* [http://www.insideria.com/2010/03/flash-player-10-security-model.html Flash Player 10 Security Model: Stakeholders and Sandboxes] This is an article that condenses the official Flash Player Security Model down to a one page article discussing the stakeholders and sandboxes.

* [http://theflashblog.com/?p=419 AMFPHP Security Basics] This a blog covering how to secure AMFPHP version 1.9 and higher. AMFPHP is server-side code that receives AMF requests from Flash clients.

* [http://blogs.adobe.com/asset/2009/11/securely_deploying_cross-domai.html Securely Deploying Cross-Domain Policy files] This Adobe ASSET blog provides 5 tips for securely deploying cross-domain policy files.

* [http://askmeflash.com/article/16/securing-your-flash-application Securing your Flash Application] A quick ten item checklist of high level things to look for in your SWF before shipping.

* [http://www.senocular.com/flash/tutorials/contentdomains/ Security Domains, Application Domains, and More in ActionScript 3.0] A fairly in depth article by Senocular.com explaining security domains, application domains, cross-domain policy files, allowDomain() and more.

'''Penetration Testing'''
* [http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/ A Lazy Pen Tester’s Guide to Testing Flash Applications] A short blog describing some of the basic steps of testing Flash applications by iViZ.

* [http://www.gdssecurity.com/l/b/2010/03/17/penetrating-intranets-through-adobe-flex-applications/ Penetrating Intranets through Adobe Flex Applications] A short blog (03/17/2010) by Marcin Wielgoszewski of Gothan Digital Science introducing the [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] tool and how to take advantage of open BlazeDS proxies.

* [http://www.gdssecurity.com/l/b/2009/11/11/pentesting-adobe-flex-applications-with-a-custom-amf-client/ Pentesting Adobe Flex Applications with a Custom AMF Client] A short blog (11/11/2009) by Marcin Wielgoszewski of Gothan Digital Science on how to write custom pyAMF-based clients for testing Flex services.

* [http://erlend.oftedal.no/blog/?blogid=103 Client-side Remote File Inclusion in Flash] This blog discusses how to perform cross-site scripting attacks against applications that read in XML configuration files.

* [http://code.google.com/p/doctype/wiki/ArticleFlashSecurity Flash Security] A Google code article on different types of cross-site scripting and crossdomain.xml attacks.

'''Updates to the Flash Player Security Model'''
* [http://www.adobe.com/devnet/security/articles/flash-player-sandbox-bridge.html The Flash Player sandbox bridge] - This Adobe Developer Center article describes how the new LoaderInfo sandbox bridge APIs can be used as a safer alternative to Security.allowDomain(*).

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10.1_air2_security_changes.html Understanding the security changes in Flash Player 10.1 and AIR 2] - This Adobe Developer Center article describes the new changes that affect security in Flash Player 10.1 and AIR. This article discusses a new feature, LoaderContext.allowCodeImport, which can help in safely loading remote content via loadBytes(). It also discusses minor changes in behavior that may require action by the developer.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_security_changes.html Understanding the security changes in Flash Player 10] - This Adobe Developer Center article describes the new changes that affect security in the Flash Player 10. This includes information on changes to socket timing, policy file strictness, upload and download, RTMFP and full screen mode.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer10_uia_requirements.html User-initiated action requirements in Flash Player 10] - This Adobe Developer Center article describes the new user-initiated action requires in Flash Player 10. These requirements include chances to FileReference, Clipboard, full-screen mode and pop-up windows.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html Preparing for the Flash Player 9 April 2008 Security Update] - This Adobe Developer Center article describes the new mitigations for DNS Rebinding (socket policy files), cross-site flashing and the introduction of cross-domain header meta-policies to help address attacks such as the UPnP attack.

* [http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html Security Changes in Flash Player 9] This Adobe Developer Center article describes the important changes that need to be made to existing crossdomain.xml and socket policy files. All websites that use cross-domain or socket policy files will need to implement these changes in order to be compatible with Adobe's new format. After the implementation of Phase II, Adobe will no longer support the old format.

 

== Example Vulnerabilities ==

''The intent of this section is to provide real-world examples of exploitation. This can be useful for consultants to help demonstrate to clients that these techniques have been used in the wild. In some instances, these examples include individual SWFs that were copied to hundreds of web sites. Therefore, a consultant should look for these specific SWFs on a website when performing an assessment to ensure that they have a current version.''

* [http://web.appsec.ws/FlashExploitDatabase.php Flash Exploit Database] This contains a list of popular, shared SWFs that have cross-site scripting vulnerabilities.

* [http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html Cross-site Scripting through Flash in Gmail Based Services] - This is an example of a cross-site scripting vulnerability that was the result of passing tainted data to ExternalInterface.call.

* [http://docs.google.com/Doc?docid=ajfxntc4dmsq_14dt57ssdw XSS Vulnerabilities in Common Flash Files] - This paper by Rich Cannings shows sample attack URLs for individual SWFs that are hosted across hundreds of websites. The techniques demonstrated in this paper for achieving cross-site scripting including using javascript: URLs, asfunction: URLs, and loading malicious child SWFs (aka cross-site Flashing).

* [http://lists.grok.org.uk/pipermail/full-disclosure/2003-April/004514.html clickTAG Cross-site scripting] - It is very common for Flash-based advertisements to accept a FlashVar called, clickTAG. If the clickTAG FlashVar is passed directly to a browser navigation API, such as getURL, then the attacker can achieve cross-site scripting by changing the clickTAG URL to a javascript: URL. Cross-site scripting as the result of a manipulated clickTAG FlashVar is the most common manifestation of cross-site scripting in Flash content.

* [http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html I used to know what you watched on YouTube] - Jeremiah Grossman's blog post regarding his attack on youTube.com's "*.google.com" cross-domain permission.

 

== References ==

* [http://www.owasp.org/index.php/Testing_for_Cross_site_flashing_(OWASP-DV-004) OWASP Testing Guide: Testing for cross-site flashing] - Covers finding both cross-site scripting and cross-site flashing.

* [http://www.adobe.com/devnet/flashplayer/security.html Adobe Flash Player Developer Center Security section] - Where Adobe posts articles and information related to Flash Player security.

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player10_security_wp.html Adobe Flash Player 10 Security Model]

* [http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf Adobe Flash Player 9 Security Model]

* [http://www.adobe.com/support/security/ Adobe Security Bulletins and Advisories] This is where Adobe posts all of their security advisories and bulletins.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7f9b.html Applying Flex Security] The security chapter from the Adobe Flex 4 manual.

* [http://help.adobe.com/en_US/ActionScript/3.0_ProgrammingAS3/WS5b3ccc516d4fbf351e63e3d118a9b90204-7d23.html Flash Player Security] The security chapter from the Programming ActionScript 3.0 section the Flash CS4 Documentation.

* [http://help.adobe.com/en_US/Flex/4.0/UsingSDK/WS2db454920e96a9e51e63e3d11c0bf69084-7d14.html Developing and Loading Sub-applications] This Flex SDK framework allows two or more untrusted SWFs to pass limited information between each other through the use of Shared Events.

 
== Useful Specifications ==

* [http://www.adobe.com/devnet/swf/ SWF File Format Specification] This documents the file format and structure of SWF files.

* [http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf AVM2 Specification] Describes the Flash ActionScript Virtual Machine used for ActionScript 3.0 code.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf3_spec_05_05_08.pdf AMF3 Specification] The specification for version 3 of AMF used by Flash Player.

* [http://opensource.adobe.com/wiki/download/attachments/1114283/amf0_spec_121207.pdf?version=1 AMF0 Specification] The specification for the first generation of AMF (AMF 0) used by Flash Player.

* [http://www.adobe.com/devnet/rtmp/ RTMP Specification] This is the specification for the Real Time Messaging Protocol used by SWF content

* [http://www.adobe.com/devnet/flv/ Video File Format Specification] The FLV/F4V open specification documents the file formats for storing media content used to deliver streaming audio and video for playback in Adobe® Flash® Player and Adobe AIR™ software.

* [http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html Cross-domain Policy File Specification] This document serves as a reference for the structure and use of cross-domain policy files.

* [http://www.mozilla.org/projects/tamarin/ Tamarin Open Source Project] The Tamarin virtual machine is used within the Adobe Flash Player and is also being adopted for use by projects outside Adobe. The Tamarin just-in-time compiler (the "NanoJIT") is a collaboratively developed component used by both Tamarin and Mozilla TraceMonkey.

 

== Third-party Security Libraries ==

* [http://crypto.hurlant.com/ AS3Crypto] - An ActionScript 3.0 cryptography library.

* [http://code.google.com/p/as3corelib/ as3corelib] - An Adobe sponsored Google Code project that contains ActionScript 3.0 implementations of WS-Security, SHA, MD5 and other utilities.

* [http://labs.adobe.com/wiki/index.php/Alchemy:Libraries Alchemy ActionScript 3 Crypto Wrapper] - An Adobe labs project to port OpenSSL to ActionScript using Alchemy (previously known as Flacc). Includes the SHA1, SHA2, MD5, PKCS12 and AES from OpenSSL.

* [http://code.google.com/p/flash-validators/ flash-validators] - An Adobe sponsored Google Code project that contains ActionScript 2.0 and ActionScript 3.0 data validation libraries.

* [http://bugs.adobe.com/jira/browse/BLZ-415 Protected Messaging Adaptor] - This addition to the latest version of BlazeDS protects against an attack that allows an untrusted individual to subscribe to wildcard sub-topics. This threat is described within this [http://www.jamesward.com/blog/2009/07/22/protected-messaging-in-flex-with-blazeds-and-lcds/ blog] by James Ward.

* [http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/mx/validators/package-detail.html Flex validators] - Validation routines contained within the Adobe Flex SDK.

 

== OWASP Tools ==

* [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] OWASP Flash security testing tool

 
== Static Analysis ==

* [http://opensource.adobe.com/wiki/display/flexpmd/FlexPMD FlexPMD] Performs general code analysis with a few security checks.

* [https://www.fortify.com/products/hpfssc/source-code-analyzer.html Fortify Static Code Analyzer] '''($)''' Fortify's SCA supports searching for vulnerabilities within ActionScript 3.0, Flex 3 and Flex 4 applications.

* [http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#searchdiggity-v-3 FlashDiggity] FlashDiggity is part of the SearchDiggity tool created by the Bishop Fox consulting firm. It will decompile the SWF and use regular expressions to search for strings that are security related. FlashDiggity automates Google/Bing searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and information disclosures.

* [http://h30499.www3.hp.com/t5/Following-the-White-Rabbit-A/SWFScan-FREE-Flash-decompiler/ba-p/5440167 SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

 

== Disassemblers ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] An Adobe Labs project that performs disassembly of ActionScript 2 and ActionScript 3. Also shows SWF Tag information.

* [http://flasm.sourceforge.net/ Flasm] Flasm provides both disassembly and assembly functionality.

* [http://www.docsultant.com/nemo440/ Nemo440] Nemo440 is an AIR based ActionScript 3.0 disassembler.

* [http://opensource.adobe.com/svn/opensource/flex/sdk/trunk/bin/ swfdump] The Adobe Flex SDK, when built with ant, creates the swfdump utility ([http://blogs.adobe.com/gosmith/2008/02/disassembling_a_swf_with_swfdu_1.html overview]).

* [http://code.google.com/p/erlswf/ ErlSWF] A SWF disassembly tool based authored in Erlang

* [http://www.masonchang.com/2008/06/building-abcdump.html abcdump] The abcdump tool can be built from the tamarin source tree to disassemble AS3 byte code.

* [http://www.sweetscape.com/010editor/ 010Editor] This commercial tool has a [http://www.sweetscape.com/010editor/templates/files/SWFTemplate.bt template] for analyzing AS2 byte code.

* [http://segfaultlabs.com/swfutils swfutils] An ActionScript 3 library for disassembling SWF files.

* [https://github.com/CyberShadow/RABCDAsm#readme RABCDAsm] RABCDAsm is a collection of utilities including an ActionScript 3 assembler/disassembler, and a few tools to manipulate SWF files.

* [http://yogda.2ka.org/ Yogda AVM2 Workbench] Yogda® is a development tool for intermediate/advanced actionscript programmers. It includes an AVM2 disassembler.

 

== Decompilers ==

* [http://www.flash-decompiler.com/ Flash Decompiler Trillix] '''($):''' Windows and Mac versions. Supports ActionScript 2.0 and ActionScript 3.0, Flash 5, 6, 7, 8, 9, 10, Flash CS5 and Flex. Able to extract resources,edit SWF elements and provide a source FLA file. Costs @ $80 plus tax/shipping.

* [http://www.swfwire.com/inspector SWFWire Inspector] An open source AIR application for viewing images, shapes, and even syntax-highlighted ActionScript 3 within SWF files.

* [https://h30406.www3.hp.com/campaigns/2009/wwcampaign/1-5TUVE/index.php?key=swf SWFScan] This Windows tool decompiles a SWF and performs static analysis to identify common vulnerabilities for both ActionScript 2.0 and ActionScript 3.0 content.

* [http://www.nowrap.de/flare.html Flare] Flare ActionScript 2.0 decompiler for Windows, Linux and Mac OS X.

* [http://www.buraks.com/asv/ Buraks ActionScript Viewer] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.sothink.com/product/flashdecompiler/ SoThink Flash Decompiler] '''($):''' An ActionScript 2.0 and ActionScript 3.0 decompiler that is able to extract resources and provide a rough FLA file. Costs @ $80 plus tax/shipping.

* [http://www.dcomsoft.com/download/dfdinstall.exe Dump Flash Decompiler] Freeware program that treats compressed and decompressed SWF-files and shows the detailed structure in the tree form. Windows.

* [http://www.free-decompiler.com/flash/ JPEXS Free Flash Decompiler (FFDec)] JPEXS Free Flash Decompiler (FFDec) is free opensource Flash SWF Decompiler. Program can view source code of ActionScript 1/2 or 3 parts, export it or edit (p-code editor for AS3). Texts or images can be edited or replaced. The SWF decompiler can also export shapes, images, sounds or movies. SWF to FLA format conversion is also available.

 

== Obfuscators / De-obfuscators ==

It should be noted that no obfuscator can protect a SWF from being reverse engineered. An attacker will always be able to extract data from SWFs if they believe it is worth the effort. Obfuscators are only serve as a deterrent for preventing casual inspection of the SWF.

It should also be noted that some obfuscators generate SWFs that do not conform to the Adobe SWF file format specification. Flash Player may still be able to play them but they do not conform to the spec. This could lead to some security tools such as Blitzablieter rejecting them as potentially malicious.

*[https://github.com/F-Secure/Sulo Sulo] Sulo is an open-source project from F-Secure. It can log decrypted strings from SecureSWF-protected files and it can dynamically save swf objects loaded with Loader.loadBytes() to disk.

*[http://sourceforge.net/p/swf-reader/wiki/Home/ SWF Reader] SWF Reader can edit and deobfuscate SWFs. It has implemented a few deobfuscators for AS2 and AS3 Flash but mostly concentrates on AS3 SWFs

*[http://www.buraks.com/swfrul/ SWF Revealer] There are two versions of Buraks SWF Revealer. This link points to one version. There is another version is which is an add-on to Buraks ActionScript Viewer.

*[http://swfid.zz.mu/ SWF ID] Detect common SWF protectors, SWF obfuscators, SWF cryptors and SWF compilers.

*[http://www.dcomsoft.com/ DComSoft SWF Protector] '''($):''' ActionScript 2.0/3.0 obfuscator for protecting your SWF files from Flash Decompilers. Available for Windows, Mac OS, Linux. Costs approximately $40.

 

== Local Shared Object Editors ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Cross-platform tool for viewing and editing LSOs.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin.

* [http://solve.sourceforge.net/ SolVE] Cross-platform Local Shared Object editor and viewer.

* [http://sourceforge.net/projects/soleditor/ .sol Editor] Windows based Local Shared Object editor

 

== AMF Tools ==

* [http://labs.adobe.com/technologies/swfinvestigator/ Adobe SWF Investigator] Allows sending of custom messages, simple fuzzing and service identification of AMF endpoints.

* [http://blog.coursevector.com/flashbug Flashbug] An extension for the Firefox Firebug plugin that allows you to view AMF data sent to and from the page to the server.

* [http://deblaze-tool.appspot.com/ DeBlaze] A free tool that attempts to identify AMF services through brute force, dictionary attacks.

* [http://www.gdssecurity.com/l/t/d.php?k=Blazentoo Blazentoo] Blazentoo is an Adobe AIR application that can be used to exploit insecure Adobe BlazeDS and LiveCycle Data Services ES servers. Blazentoo provides the ability to seamlessly browse web content, abusing insecurely configured Proxy Services.

* [http://code.google.com/p/blazer/ Blazer] Blazer is a custom AMF messages generator with fuzzing capabilities, developed as Burp Suite plugin. It is designed and implemented to make AMF testing easy, and yet allows researchers to control fully the entire security testing process.

* [http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project WebScarab] Full AMF support is currently checked into the main branch of the WebScarab project. It has not been rolled into the SourceForge or Java Web Start versions of the WebScarab project at the time of this writing.

* [http://code.google.com/p/webscarab-amf-plugin/ WebScarab AMF Plugin] This is a google code project to add AMF support as a plugin to WebScarab.

* [http://amfparser.codeplex.com/ AMF Parser] AMFParser plugin for Fiddler2 web debugger. It can be used for parsing and displaying AMF data inside HTTP's POST requests and responses.

* [http://code.google.com/p/pinta/ pinta] Pinta is a utility that allows a developer to test services by making custom AMF service calls, and viewing detailed output. This Google Code project is based on Adobe AIR.

* [http://www.charlesproxy.com/ Charles Proxy] '''($):''' This is a basic HTTP proxy but it provides support for interpreting AMF communications. Costs approximately $50.

* [http://releases.portswigger.net/2009/08/v1214.html Burp Suite Professional] '''($):''' The 1.2.124 version of Burp Suite Pro adds AMF support to all tools except for Burp Intruder and Burp Scanner is updated to automatically place attack payloads within string-based AMF values.

* [http://george.hedfors.com/content/action-message-format-amf-shell AMF Shell] AMF Shell is a command line utility based on Python that enumerates services and allows the user to send customized AMF messages to a server.

 

== Cross-Domain Tools ==

* [http://web.appsec.ws/Tools/Crossdomain.swf Cross-domain Policy Analyzer] A tool to test your cross-domain policy file by Jason Calvert of WhiteHat Security.

 

== Analysis ==

* [http://www.utdallas.edu/~mxs072100/ASIRM_project.html Certifying IRM for ActionScript Bytecode] This page contains the binaries for Meera Sridhar's research into using In-lined Reference Monitors to rewrite ActionScript bytecode for the purposes of policy enforcement. This project is currently targeted at AVM2 code.

* [http://blitzableiter.recurity.com/ Blitzablieter] Blitzablieter is a project currently run by Recurity Labs and the German government. The goal is to prevent malicious SWFs from entering a network through normalization and policy enforcement. This project currently handles AVM1 code.

* [http://wepawet.iseclab.org/ Wepawet] Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files. It is currently run by University of California, Santa Barbara.

* [https://github.com/sporst/SWFREtools/ SWFRETools] The SWFRETools are a collection of tools built for vulnerability analysis of the Adobe Flash player and for malware analysis of malicious SWF files. The tools are partly written in Java and partly in Python and are licensed under the GPL 2.0 license.

 

== Project Contributors ==

The Flash Security project is run by [[:User:Puhley|Peleus Uhley]].

== Project Sponsors ==

The Flash Security project is sponsored by [http://www.mindedsecurity.com [[Image:|MindedLogo.PNG]]]

==== Project Identification ====

{{Template:Project Details/OWASP_Flash_Security_Project | OWASP Project Identification Tab}}

__NOTOC__ <headertabs />

 __NOTOC__ <headertabs />

[[Category:OWASP_Project|Flash Security Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document]]

Research for SharePoint (MOSS)

2014-11-24T12:28:28Z

Fran Brown: Added tool: McAfee Network Discovery for Microsoft SharePoint

This page contains research notes on Microsoft's SharePoint MOSS and WSS

== Resources==

==== Microsoft resources====
* [http://office.microsoft.com/download/afile.aspx?AssetID=AM102437421033 Security Architecture for SharePoint Products and Technologies] (Word Doc)
* [http://sharepoint.microsoft.com SharePoint Community Portal]
* [http://technet.microsoft.com/en-us/library/cc262619.aspx Downloadable book: Security for Office SharePoint Server 2007] - [http://go.microsoft.com/fwlink/?LinkID=94375 link to 277 page Doc file]
* [http://blogs.msdn.com/arpans/archive/2008/05/09/sharepoint-end-user-security.aspx SharePoint End User Security]

==== Other Resources and Documentation====
* [http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx SharePoint Security Concepts] - contains a number of other links to more material
* [http://blogs.gartner.com/neil_macdonald/2009/02/25/sharepoint-security-best-practices/ SharePoint Security Best Practices] - $995 Gartner report
* [http://sharepointmagazine.net/technical/administration/microsoft-office-sharepoint-server-2007-security-model Microsoft Office SharePoint Server 2007 Security Model]
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]
* [http://www.bishopfox.com/files/articles/2012/Information%20Security%20Magazine%20JulyAug2012-SharePoint.pdf SearchSecurity – Securing SharePoint: SharePoint security best practices] - Information Security Magazine July/Aug2012 - Volume 14 - Locking Down Sharepoint - Businesses love Microsoft’s collaboration software but can forget to secure it.

==== Presentations ====
* Bishop Fox - HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.bishopfox.com/files/slides/2011/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
* OWASP Houston Chapter - August 12, 2009 : [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by: Shohn Trojacek
* from Denim group:
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TASSCCTEC2009_20090326.pdf Securing SharePoint (PDF Format)] - TASSCC Technology Education Conference in Austin, March 26, 2009
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TRISC_20090324.pdf Securing Sharepoint (PDF Format)] - Texas Regional Infrastructure Security Conference (TRISC) in Austin, March 24, 2009
** [http://sp.meetdux.com/archive/2009/07/08/a-primer-to-sharepoint-security.aspx A Primer to SharePoint Security] - video

==== Other interesting resources====
* [http://www.indeed.com.au/jobs?q=Moss+Security&l= MOSS Security jobs (in Australia)]
* [http://www.cmswire.com/news/topic/sharepoint Articles on CMSWire about SharePoint]

==== Other Blogs and Articles ====
* [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212903345 Microsoft SharePoint: A Weak Link In Enterprise Security?] - Dark Reading

==== Security related technical articles ====
* [http://www.sharepointsecurity.com/sharepoint/sharepoint-security/how-to-programmatically-disable-code-access-security/ How to Programmatically Disable Code Access Security]

== Published Security issues ==

=== SharePoint related vulnerabilities and its status ===
* {Note: Add MSRC case}
* http://milw0rm.com/exploits/8704 & http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

== MOSS Security related WebParts, Tools & services ==

==== Open Source ====
* From CodePlex (see more on this search for [http://www.codeplex.com/site/search?ProjectSearchText=Sharepoint%20Security SharePoint Security]
** [http://securitytemplates.codeplex.com/ SharePoint Security Templates] (CodePlex)
** [http://spsecurity.codeplex.com/ SharePoint Security Configuration Feature]
** [http://accesschecker.codeplex.com Sharepoint Access Checker Web Part]
** [http://sitesecuritymgmt.codeplex.com/ Site Security Management Utility]
** [http://cryptocollaboration.codeplex.com/ CryptoCollaboration For SharePoint]

==== Commercially Supported ====
* [http://www.sharepointsecurity.com ARB Security Solutions (www.sharepointsecurity.com)]
* [http://www.surety.com/Offerings/AbsoluteProof/For-MS-SharePoint.aspx AbsoluteProof for MS SharePoint] - related article [http://www.cmswire.com/cms/enterprise-cms/surety-releases-absoluteproof-for-sharepoint-002471.php Surety Releases AbsoluteProof for SharePoint]
* [http://www.avepoint.com/assets/pdf/Social_Security_Administration_Case_Study.pdf Sharepoint case study (marketing doc)]

== Dangerous MOSS APIs ==

Map the security implications of MOSS APIs, for example:
* which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
* configuration settings that have security implications

== SharePoint Hacking ==
==== SharePoint Hacking Tools ====
* [http://extensions.professionallyevil.com/beef.php SharePoint Enumerator | Professionally Evil] - This is a collection of 4 modules that help enumerate the SharePoint server the victim is connected to.
* [http://sparty.secniche.org/ Sparty] - MS Sharepoint and Frontpage Auditing Tool
* [https://github.com/toddsiegel/spscan SPScan] - SharePoint scanner and fingerprinter based on WPScan
* [http://www.mcafee.com/us/downloads/free-tools/sharepoint-discovery.aspx McAfee Network Discovery for Microsoft SharePoint]
* [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/ Bishop Fox - SharePoint Hacking Diggity Project] - SharePoint hacking tools project page. Currently includes such hacking tools as:
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#google-and-bing-hacking-dictionary-files SharePoint – Google and Bing Diggity Dictionary Files] - New GoogleDiggity input dictionary file containing 121 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google. Recently, we’ve also created a Bing hacking dictionary (124 Bing queries) that can be imported into BingDiggity and used to identify SharePoint exposures as well.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-hacking-alerts-for-google-and-bing SharePoint Hacking Alerts for Google and Bing] - SharePoint Hacking Alerts provide real-time vulnerability updates from both the Google and Bing search engines. These convenient RSS feeds help locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google and Bing. [http://www.google.com/alerts Google Alerts] have been created for all SharePoint related search strings, which generate a new alert each time newly indexed pages by Google match one of those regular expressions. Microsoft Bing’s &format=rss directive was used to turn Bing searches into RSS feeds.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepointurlbrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 101 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-userdispenum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles. For real, live examples of SharePoint site deployments insecurely exposing this functionality to anonymous users on the Internet, see Google results of: “http://www.google.com/#q=inurl:”/_layouts/userdisp.aspx”. Users can leverage [http://www.bishopfox.com/resources/tools/google-hacking-diggity/ Bishop Fox’s GoogleDiggity hacking tools] to identify these exposures within their own organization, and then employ the UserDispEnum tool to exploit them during penetration tests.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-dlp-tools SharePoint DLP Tools] - COMING SOON – Bishop Fox's data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.

==== SharePoint Hacking Presentations ====
* '''2008'''
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
* '''2012'''
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/presentation-slides/ Bishop Fox - SharePoint Hacking Diggity Project - Presentations]:
*** OWASP L.A. 2012 - Los Angeles, CA - February 22, 2012 : [http://www.bishopfox.com/files/slides/2012/OWASP%20LA%20-%20SharePoint%20Hacking%20-%2022Feb2012.pdf SharePoint Hacking: Advanced SharePoint Security Tips and Tools]
* '''2013'''
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]
** [https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf Sparty - Blackhat USA 2013] Sparty : A Frontpage and Sharepoint Auditing Tool

== WebParts Security ==

* Security ratings & mappings of MOSS Deployed Web Parts
* Security ratings & mappings of 3rd Part Web Parts

Phoenix

2014-11-24T07:48:42Z

Fran Brown: Stach & Liu rebranded as "Bishop Fox". Updated links accordingly.

{{Chapter Template|chaptername=Phoenix|extra=The chapter leader is [mailto:pete.roalofs@owasp.org Pete Roalofs] 

|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-phoenix|emailarchives=http://lists.owasp.org/pipermail/owasp-phoenix}}

== OWASP Phoenix -- ==

No meetings currently scheduled. Join the mailing list for meeting announcements.

== Local News ==

'''Thanks everyone for supporting CactusCon, over 320 people attended! OWASP Phoenix was a partner sponsor.'''

OWASP Phoenix 2014 Meetings

Meetings are on the first Tuesday of the month, 6:30 PM - 7:30 PM, for 1 hour.

Afterward, we'll head to a local watering hole for socializing and fun.

== 2014 Meetings Calendar ==

This calendar will be updated as meetings are announced. 

2014 schedule TBD

== Resources ==

'''Archived pages on [[Phoenix/Tools]] and [[Phoenix/ToolsProfile]]'''

This chapter is dedicated to bringing together local businesses, students, and web and security enthusiasts in order to discuss current events, trends, tools, and offensive/defensive techniques related to web application security. We currently hold meetings every month, typically with one or two speakers at each meeting.

== What talks would you like to see? ==

'''Please Update''' 

== Previous Meetings ==

 
'''Nick Hitchcock ''' 

This talk will take you from start to finish in a targeted social engineering attack. Using customized SE skills coupled with easy to use software tools, you will understand how real world attackers are infiltrating large organizations. Instead of bringing out “theoretical” scenarios, real world penetration testing examples will be discussed and demonstrated.

BIO at http://www.linkedin.com/in/nickhitchcock

 
'''Title: Steve Springett - - 'Introduction to OWASP Dependency-Check' ''' 

Does your application have dependencies on 3rd party libraries? Do you know if those same libraries have published CVEs? Dependency-Check, an OWASP project, can help by providing identification and monitoring of application dependencies. The core engine can scan the libraries and will create an inventory of all the dependent libraries and whether or not there are any published CVEs. This talk will be provide an introduction to Dependency-Check.
Bio:
Steve Springett is an application security engineer at Axway. As part of the Product Security Group, he provides direction, best practices, education and tools to software development teams around the world. Steve has a software engineering background and is a contributor to OWASP Dependency-Check.

 
'''Title: Top Ten Web Defenses''' 
We cannot “firewall” or “patch” our way to secure websites. In the past,
security professionals thought firewalls, Secure Sockets Layer (SSL),
patching, and privacy policies were enough. Today, however, these
methods are outdated and ineffective, as attacks on prominent,
well-protected websites are occurring every day. Most every organization
in the world have something in common – they have had websites
compromised in some way. No company or industry is immune. Programmers
need to learn to build websites differently. This talk will review the
top coding techniques developers need to master in order to build a
low-risk, high-security web application.

BIO: Jim Manico is the VP of Security Architecture for WhiteHat
Security, a web security firm. He authors and delivers developer
security awareness training for WhiteHat Security and has a background
building software as a developer and architect for over 20 years. Jim is
also a global board member for the OWASP foundation where he helps drive
the strategic vision for the organization. He manages and participates
in several OWASP projects, including the OWASP cheat sheet series and
several additional secure coding projects.

 
June 4, 2013 
'''[http://www.owasp.org/images/d/d5/About_OWASP.pdf About OWASP]''' 
'''[http://www.owasp.org/images/3/38/AppSensor.pdf AppSensor - The future of Application Security], [[user:Dennis_Groves|Dennis Groves]]''' 
'''[http://www.owasp.org/images/f/fb/OWASP_GLOBAL_PROJECTS.pdf OWASP Projects], [[user:Samantha_Groves|Samantha Groves]], Global OWASP project manager.''' 

Dennis Groves is the co-founder of OWASP. He is a well known thought leader in application security who's work focuses on multidisciplinary approaches to information security risk management. He holds an MSc in Information Security from Royal Holloway, University of London. He is currently an expert for the UK mirror of ISO subcommittee 27, WG4.

Samantha Groves who is the Global OWASP project manager to speak briefly about the OWASP projects.

 '''MS SQL Injection - Start to Finish'''

'''Scott White ''' 

This presentation will be a live hacking session demonstrating reconnaissance, identification, and exploitation of SQL injection with Microsoft SQL Server as the back end database. SQL injection will be performed from start to finish, showing various techniques for obtaining data, and even fully compromising servers. Both basic and advanced exploitation techniques will be explored.

Scott White is a Principal Security Consultant for Cleveland-based TrustedSec. He has presented to organizations such as OWASP, ISSA, ISACA, FBI's Infragard, and others. He has also spoken at Defcon, and has been called upon by organizations such as the FBI and Secret Service as a subject matter expert. He is the technical reviewer for the popular book, "Metasploit: The Penetration Tester's Guide". He holds a bachelors degree in Computer Science and a master's degree in Network Security. He has held various past positions in support, system administration, web development, penetration testing, and application security for both public and private sectors with clients in both government and commercial spaces. His experience includes performing web application security assessments, internal, external, and physical penetration tests, source code reviews, social engineering, and web application security training. With over 10 years of programming experience coupled with offensive security testing, he has a thorough web application security understanding from both developer and attacker perspectives.

 '''Dan Cornell, Using ThreadFix To Manage Application Vulnerabilities'''

'''Dan Cornell ''' 

ThreadFix is an open source software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. It imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows organizations to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. This presentation will walk through the major functionality in ThreadFix and describe several common use cases such as merging the results of multiple open source and commercial scanning tools and services. It will also demonstrate how ThreadFix can be used to track the results of scanning over time and gauge the effectiveness of different scanning techniques and technologies. Finally it will provide examples of how tracking assurance activities across an organization’s application portfolio can help the organization optimize remediation activities to best address risks associated with vulnerable software.

Dan Cornell has over twelve years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies.

Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as ROOTs in Norway and OWASP EU Summit in Portugal.

 '''Standard Android and iOS Tools for 2013'''

'''Andre Gironda ''' 

Andre Gironda will be presenting on "Standard Android and iOS Tools for 2013" This is a follow-up to his 2012 talk.

 '''Content Discovery and Link Extraction for Application Security Testing'''

'''Andre Gironda ''' 

Andre Gironda, HP, will be presenting on "Content Discovery and Link Extraction for Application Security Testing". The talk will be focused on how to discover content the right way and make decisions before actual testing begins, as well as how to adjust needs during a on-going test. Most of the discussion will be tool agnostic, but it will help attendees if they have some prior experience with tools such as OWASP DirBuster or a commercial-grade crawler such as Netsparker Community Edition.

Andre Gironda is a mobile application security risk consultant for HP Fortify who lives in Tempe, AZ

 '''Not the end of XSS'''

'''Michael Brooks ''' 

XSS is by no means a solved problem. There is no silver bullet, function call or technology that makes you absolutely immune. This talk is focusing on bypassing Anti-XSS filters found in browsers as well as bypassing Content Security Policy (CSP) restrictions. This talk covers how these technologies are used to protect a web application and how they can be abused by an attacker.

Michael Brooks

Michael Brooks was in the top 1% of earners in the Google bug bounty program. He has written exploits for software you have probably used, patches have been written and we are all safer for it. A perfectly secure system can never be accomplished, test everything, trust nothing.

 '''"Cool" Vulnerabilities'''

'''Lonnie Benavides ''' 

Web application management software is often overlooked and can contain critical vulnerabilities. This talk will focus on four different publically known vulnerabilities within Adobe Cold Fusion. Exploitation of these issues results in a complete compromise of the underlying web server. Live demonstrations will be provided.

Lonnie Benavides is a penetration tester and the lead of the Boeing Red Team. Lonnie has been pen testing since 2003 when he joined an Air Force Red Team based out of McChord Air Force Base in Washington State. He has taken over military bases, aircraft, and banks. Lonnie and his family relocated from Seattle to Phoenix in February.

 '''Sweet Pickles'''

'''Chase Schultz ''' 

Sweet Pickles is inspired by a talk presented at Blackhat by Marco Salverio about practical pickle exploitation. Sweet pickles aims to address some of the concerns presented by Marco in his Sour Pickles talk. Using strong cryptography methods Sweet Pickles attempts to address the problem of confidentiality and authenticity of a python pickle while in transit. Sweet pickles utilizes Advaced Encryption Standard(AES) and Elliptic Curve Cryptography(ECC) to help secure Python's Serialized Objects(Pickles). Sweet pickles was first presented at the International Cyber Defense Workshop hosted by the Department of Defense by Chase. This presentation will be an elaboration on the research Chase has done on python pickles and his work to secure them.

Bio: Chase Schultz is currently a student at the University of Advancing Technology. He is majoring in Network Security and hopes to finish his degree in December of 2021(End of the world and all that aside…) Chase enjoy's application security and hunting bugs in software. He's spent time working for Stach & Liu as a web application penetration tester and also leads the [Buffer]Overflow Club at UAT. He developed Sweet pickles as a project in his free time to address the problems presented at Blackhat 2011 in the Sour Pickles talk. He is fluent in Python, C/C++, Assembly and random shit. Beyond playing with Python, Chase enjoys reverse engineering, and general software exploitation. Also enjoyed are Andre's random cocktails and IPA's.

 '''Standard Android and iOS Tools for 2012'''

'''Andre Gironda''' 

Abstract: This will be a talk that discusses the baseline toolchains around
Android and iOS applications, whether trying to gain insight into
in-app activities, OS activities, IPC, as well as standard networking
protocols for both static and runtime.

Bio: Andre Gironda is a mobile application security risk consultant for HP
Fortify who lives in Tempe, AZ
 

 '''Application Security: More Than Just Secure Coding Practices'''

'''Scott White''' 

Abstract: From a penetration tester's perspective, this presentation will examine a holistic approach to managing application security since attack vectors are not adequately mitigated using secure coding practices and traditional code reviews.

Bio: Scott is a Senior Information Security Engineer at Diebold, Inc., holding a bachelors degree in computer science, a master's degree in network security, and is well-respected in the information security industry. He manages the global application security process ensuring that new and existing applications conform to industry and secure coding best practices. Additionally, he heads up offensive security efforts within Diebold, continually testing its systems and associates through penetration tests, product reviews, and social engineering exercises. He has held various past positions in support, system administration, web development, penetration testing, and application security for both public and private organizations servicing clients in the government and commercial spaces. His experience includes performing web application security assessments, internal, external, and physical penetration tests, source code reviews, social engineering, and developer training. With over 5 years working directly with information security and over 10 years programming experience, he has a thorough web application security understanding from both developer and attacker viewpoints. He has spoken at Defcon, the world’s largest hacker’s convention, and has also been called on by organizations such as the FBI and Secret Service as a subject matter expert. He is the technical editor for the popular book, "Metasploit The Penetration Tester's Guide". 

'''wxFramework''' '''(Web Exploitation Framework)''' 

'''Ken Johnson''' 

The project’s goal is to assist penetration testers in exploiting web application and web service weaknesses. Because exploitation of applications is rarely point and click and usually requires multiple steps, network exploitation frameworks often fall short of the goal. The framework is intended to assist attackers along their exploitation journey. During this talk we will preview the new graphical interface for the first time and demonstrate how it changes or enhances the reasons you may wish to try wXf.

Bio:

Ken Johnson is a Senior Application Security Consultant performing source code analysis and web application penetration testing. Ken is the primary developer of the Web Exploitation Framework (wXf) and contributes to various open source application security projects. He has spoken at AppSec DC, OWASP NoVA, Northern Virginia Hackers Association and is a contributor to the Attack Research team. 

 '''2011 Appsec Tools State-of-the-Art'''

'''Andre Gironda'''

 

Abstract: Every tool you should leverage during an app pen-test or secure code review will be discussed. The two best web proxies, Burp Pro (@portswigger) and Fiddler (@ericlaw) will be demonstrated along with the two best crawlers from @netsparker and WebInspect. The results from @sectooladdict will be discussed and the analysis demonstrated on @owaspbwa. Additional topics will be discussed, such as executive management reporting using dradisframework.org by way of imports from @w3af. There will also be topics for application developers, such as the new OWASP Data Exchange Format Project, as well as using CAT.NET, RIPS, LAPSE+, and Fortify to go from vulnerable sources to runtime analysis to full exploitation. Even esoteric tools from long-ago that have held their value will be discussed and potentially demonstrated 

BIO: Andre works for the HP Application Security Center (ASC) doing application penetration-testing, secure code review, and reverse engineering. He has 9 years of direct experience with application security topics, has been using Burp Suite on pen-tests since early 2005, and runs his own tool benchmarks at home in Tempe, AZ. 

 

'''Andrew Wilson & Michael Brooks'''

'''Traps of Gold''' 

 Bio: Michael Brooks is on the Google Security Hall Of Fame. He works for the security company Sitewatch.

Bio: Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and secure development life cycle. 

'''Obfuscating Search Queries with Hayst.ac'''

'''David Huerta'''

Hayst.ac, is a browser userscript to obfuscate search queries with machine-generated queries with the goal to be as close to indistinguishable from the human generated ones as possible. This is ultimately to discourage the use of search histories as a source of user profiling.

Bio: After arriving in Arizona from the posh, cosmopolitan enclave of southeastern Idaho, David founded the DeVry Linux User Group (DeLUG) in 2003, an originally student organization that drew members and activities from the greater West Valley Free software community, including students at GCC and ASU West. He also serves on the board of directors for HeatSync Labs, a hackerspace in Chandler.

'''OWASP O2 Platform''' '''Dinis Cruz'''

The O2 Platform is focused on automating application security knowledge and workflows. It is specifically designed for developers and security consultants to be able to perform quick, effective and thorough source code-driven application security reviews (blackbox + whitebox). In addition to the manual findings created/discovered by security consultants, the OWASP O2 Platform allows the easy consumption of results from multiple OWASP projects and commercial scanning tools. This allows security consultants to find, exploit and automate (via Unit Tests) security vulnerabilities usually dismissed by the community as impossible to find/recreate. More importantly, it provides security consultants a mechanism to: (a) "talk" with developers (via UnitTest), (b) give developers a way to replicate + "check if it's fixed" the vulnerabilities reported and (c) engage in a two-way conversion on the best way to fix/remediate those vulnerabilities. For more details see https://www.owasp.org/index.php/OWASP_O2_Platform, to download binary or source goto http://code.google.com/p/o2platform/downloads/list

Bio Dinis Cruz is a Security Consultant based in London (UK) and specialized in: ASP.NET/J2EE Application Security, Application Security audits and .NET Security Curriculum Development. For the past couple years Dinis has focused on the field of Static Source Code Analysis and Dynamic Website Assessments (aka penetration testing), and is the main developer of the OWASP O2 Platform which is an Open Source project that is focused on 'Automating Security Consultants Knowledge/Workflows' and 'Allowing non-security experts to access and consume Security Knowledge'. Dinis is currently focused on making the O2 Platform the industry standard for consuming, instrumenting and data-sharing between: the multiple WebAppSec tools, the Security consultants and the final users (from management to developers). (https://www.owasp.org/index.php/User:Dinis.cruz)

 

'''Improving your Fu  '''- '''Andrew Wilson'''

Delivering high quality results is the goal and earmark of any serious security practitioner. Professional penetration testing requires a set of reliable skills that will enable him/her to deliver consistently. Tools simply aren't enough. This talk outlines 10 of the more important disciplines and practices you can do to build or grow that solid foundation.

Bio: 

 '''Exploitation Redux and Bug Bounties  - Michael Brooks'''

Talk covered some of the recent vulnerabilities affecting Google and Mozilla, highlights such exploits as exploitation by email.

 List of bounty winners and a lot of blog links: [http://www.google.com/corporate/halloffame.html http://www.google.com/corporate/halloffame.html] Interesting SMTP based XSS [http://spareclockcycles.org/2010/12/14/gmail-google-chrome-xss-vulnerability/ http://spareclockcycles.org/2010/12/14/gmail-google-chrome-xss-vulnerability/] XSS via event handlers: [http://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google http://adblockplus.org/blog/finding-security-issues-in-a-website-or-how-to-get-paid-by-google] Good examples of strange XSS: [http://google-gruyere.appspot.com/ http://google-gruyere.appspot.com/] My Exploits (Including the Majordomo 2 Directory Traversal Vulnerability) [http://www.exploit-db.com/author/?a=628 http://www.exploit-db.com/author/?a=628]

Bio: Michael Brooks is on the Google Security Hall Of Fame. He works for the security company Sitewatch.

 

'''SharePoint Hacking - Advanced SharePoint Security Tools and Tips      -Francis Brown'''

[http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/ http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/]

Microsoft SharePoint products and technologies continue to grow in popularity and have become the core foundation upon which many organizations have built their web presence. Unfortunately, guidance concerning common SharePoint security issues tends to be overly complex and often misunderstood. Ultimately this results in insecurely configured and deployed SharePoint instances in production environments.

This demonstration rich presentation will cover our newly released SharePoint hacking tools and techniques that security professionals can easily use to identify and exploit common insecure configurations in SharePoint applications. Some of the areas we’ll attempt to tackle are: • Identifying vulnerable SharePoint applications using public search engines such as Google and Bing • Gaining unauthorized access to SharePoint administrative web interfaces • Exploiting holes in SharePoint site user permissions and inheritance • Illustrating the dangers of granting excessive access to normal user accounts • Pillaging Active Directory via insecure SharePoint services • Attacking 3rd party plugins/code within SharePoint • And much more…

Bio:

 '''Appsec Design Reviews Reloaded - Andre Gironda '''The best place to start in the software lifecycle is during the design phase. Workflow tools exist for SDL processes, build servers, penetration-testing activities, and many other application security checkpoints. However, very few tools and techniques exist or are readily available when performing application security design reviews. The full process of application security should be agreed upon during the design phase by the security department and all relevant application development teams. The direction of the projects and the patterns used in the application architectures can also be augmented from an application security perspective. This presentation will provide discussion around how to solve many of these and other challenges in application security. The focus will be on web applications that use common technologies, such as managed code frameworks. Bio: Andre has contributed to many OWASP documents and has been working in the appsec space for almost 5 years. He is a local to the Phoenix area and has presented on application security topics recently at BSides, OWASP, and Toorcon events.

 

 

'''Professional Burping'''

Burp suite is by and large considered one of the de-facto tools for testing web applications for security flaws. This talk will cover many of the professional version only features and various advanced usages that can be done to really take advantage of all this tool has to offer. Topics will include a quick review of burp, effectively leveraging professional only tools, deep dive into intruder, and using 3rd party extensions. Andrew Wilson's Bio: 

'''Debugger Basics: Software Cracking and Buffer Overflows''' Finding and exploiting a basic buffer overflow, start to finish including fuzzing to command shell. A small primer before "warez and keygens": bypassing a serial number based registration for software, the most basic form of software cracking.

Bio: Scott White is a Senior Penetration Tester for SecureState LLC, a pure play information securityassessment company based in Cleveland, Ohio. He is the web application security expert on the Profiling team. His day to day duties include web application security assessments, internal, external, and physical penetration tests, source code reviews, and developer training. Scott holds a bachelors of science in computer science and a master of science in network security. With over 5 years working with security and over 10 years programming experience, he has a thorough web application security understanding from both the developer and attacker viewpoints. He has spoken at Defcon, the world’s largest hacker’s convention held in Las Vegas each year, and has also been called on by organizations such as the FBI and Secret Service as a subject matter expert. Scott White Senior Penetration Tester www.securestate.com http://securestate.blogspot.com

 '''Database Security and Encryption, Adrian Lane'''

Bio: Adrian is a Security Strategist and brings over 22 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies having worked on "the other side" as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences, contributed articles to many major publications, and is easily recognizable by his "network hair" and propensity to wear loud colors. Once you get past his windy rants on data security and incessant coffee consumption, he is quite entertaining. Adrian is a Computer Science graduate of the University of California at Berkeley with post-graduate work in operating systems at Stanford University.

 

'''masSEXploitation, Mike Brooks ''' This talk covers the use of chaining vulnerabilities in order to bypass layered security systems. This talk will also cover ways of obtaining wormable remote code execution on a modern LAMP platform. These attacks where developed by me, and they are very new. These attacks are as real as it gets, and the results are making the headlines.

Bio: I will be giving this talk at this years Defcon and it will 3rd year in a row that I spoken. According to the Department of Homeland Security I have found a vulnerability with a severity metric of 13.5 which makes it into the top 1,000 most dangerous of all time. I am the top answerer of security questions on StackOverflow.com (The Rook). I actively hunt for vulnerabilities on a verity of platforms. I write exploit code and make it public.

[http://www.exploit-db.com/exploits/16103/ http://www.exploit-db.com/exploits/16103/] (Directory Traversal exploitable via email) [http://www.exploit-db.com/exploits/15838/ http://www.exploit-db.com/exploits/15838/] (Exploit chain:captcha bypass->sqli(insert)->persistant xss on front page)

 

 '''Involuntary Case Studies in Data Breaches, Rich Mogull, Securosis'''

It's absolutely bass ackwards, but while the bad guys constantly share details of their exploits, including techniques, when it comes to real incidents, actual defenders rarely talk about what worked, and what didn't. Our entire industry is built on anecdote and the few tidbits we can glean from press reports. Thus we, as an industry, don't link means and methods to actual security outcomes. Without this information we're like a bunch of blindfolded wannabe ninjas trying to catch rounds from a machine gun with our bare hands. In this session we'll name names as we build in-depth case studies based on publicly available information, some of which isn't overly public. We will combine these with the latest information from breach reports released by incident response companies and the Dataloss Database. The session will build a picture of how real breaches happen, which security controls really work, and which compliance checkboxes are a complete and total waste of time.

 

'''Application Security Tools ''' [http://www.owasp.org/index.php/Image:Scanner-Sparkly.ppt A Scanner Sparkly] - Web Application Proxy Editors and Scanners - Andre Gironda [http://www.owasp.org/index.php/Image:Owasp-lessonslearned.ppt Gray Box Assessment Lessons Learned] - Adam Muntner Risk Assessment Considerations for Web Applications (brief talk+discussion) - Erich Newell

'''[http://www.owasp.org/index.php/Image:Same-origin.pdf Reflections on Trusting the Same-Origin Policy] â and other web+network trust issues â Andre Gironda''' 

In computing, the same origin policy is an important security measure for client-side scripting (mostly Javascript). It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin". It was designed to protect browsers from executing code from external websites, which could be malicious.

XSS and CSRF vulnerabilities exploit trust shared between a user and a website by circumventing the same-domain policy. DNS Pinning didn't pan out exactly right, either. Can client-side scripting allow malicious code to get into your browser history and cache? Can it enumerate what plugins you have installed in your browser, or even programs you have installed to your computer? Can it access and modify files on your local hard drive or other connected filesystems? Can client-side scripts be used to access and control everything you access online? Can it be used to scan and attack your Intranet / local network? Does an attacker have to target you in order to pull off one of these attacks successfully? If I turn off Javascript or use NoScript, am I safe? What other trust relationships does the web application n-Tier model break?

'''Data@Risk â Protecting Web Applications Throughout the Development Lifecycle from Hackers - Brian Christian''' 

Brian Christian, Co-founder and Application Security Engineer, S.P.I. Dynamics, Inc. discussed what Web application security is and why it is needed throughout the entire development lifecycle. We will discuss common vulnerabilities in the Web application layer and why they are so easily exploited. This session demonstrates how to defend against common attacks at the Web application layer with examples covering Web application hacking methods such as SQL Injection, Blind SQL Injection, Cross-Site Scripting (XSS), Parameter Manipulation, etc. We will also review how compliance and regulatory legislation such as PCI, GLBA, HIPAA, CASB 1386, and Sarbanes-Oxley, etc. specifically relates to and affects Web application security. Additionally, we will examine how security throughout the development lifecycle is essential to the security of Web application code and the protection of proprietary data.

'''Web Application 0-Day â Jon Rose''' 

Learn about how to identify, exploit, and remediate some of the most common security vulnerabilities in web applications. Weâll be using real-world examples in a dynamic, fun, and open discussion using publicly available source code. 

[http://www.stachliu.com/presentations/webapp0day/index.html Discovering Web Application Vulnerabilities with Google CodeSearch]

'''Building Application Security into the SDLC - Adam Muntner''' 

Adam will share his experiences about how organizations can integrate application security into all phases of the Software Development Life Cycle, from the creation of functional specifications all the way through deployment, maintenance, and updates. He will explain how to "bake security in" rather than "ice it on."

[[Category:Arizona]]

Conduct search engine discovery/reconnaissance for information leakage (OTG-INFO-001)

2014-11-24T07:45:43Z

Fran Brown: Stach & Liu rebranded as "Bishop Fox". Updated links accordingly.

{{Template:OWASP Testing Guide v4}}

== Summary ==
There are direct and indirect elements to search engine discovery and reconnaissance. Direct methods relate to searching the indexes and the associated content from caches. Indirect methods relate to gleaning sensitive design and configuration information by searching forums, newsgroups, and tendering websites.

Once a search engine robot has completed crawling, it commences indexing the web page based on tags and associated attributes, such as <TITLE>, in order to return the relevant search results [1]. If the robots.txt file is not updated during the lifetime of the web site, and inline HTML meta tags that instruct robots not to index content have not been used, then it is possible for indexes to contain web content not intended to be included in by the owners. Website owners may use the previously mentioned robots.txt, HTML meta tags, authentication, and tools provided by search engines to remove such content.

== Test Objectives ==

To understand what sensitive design and configuration information of the application/system/organization is exposed both directly (on the organization's website) or indirectly (on a third party website).

== How to Test ==

Use a search engine to search for:
* Network diagrams and configurations
* Archived posts and emails by administrators and other key staff
* Log on procedures and username formats
* Usernames and passwords
* Error message content
* Development, test, UAT and staging versions of the website

=== Search operators ===
Using the advanced "site:" search operator, it is possible to restrict search results to a specific domain [2]. Do not limit testing to just one search engine provider as they may generate different results depending on when they crawled content and their own algorithms. Consider using the following search engines:

* Baidu
* binsearch.info
* Bing
* Duck Duck Go
* ixquick/Startpage
* Google
* Shodan
* PunkSpider

Duck Duck Go and ixquick/Startpage provide reduced information leakage about the tester.

Google provides the Advanced "cache:" search operator [2], but this is the equivalent to clicking the "Cached" next to each Google Search Result. Hence, the use of the Advanced "site:" Search Operator and then clicking "Cached" is preferred.

The Google SOAP Search API supports the doGetCachedPage and the associated doGetCachedPageResponse SOAP Messages [3] to assist with retrieving cached pages. An implementation of this is under development by the [[::Category:OWASP_Google_Hacking_Project |OWASP "Google Hacking" Project]].

PunkSpider is web application vulnerability search engine. It is of little use for a penetration tester doing manual work. However it can be useful as demonstration of easiness of finding vulnerabilities by script-kiddies.

'''Example'''
To find the web content of owasp.org indexed by a typical search engine, the syntax required is:
<pre>
site:owasp.org
</pre>
[[Image:Google_site_Operator_Search_Results_Example_20121219.jpg||border]]

To display the index.html of owasp.org as cached, the syntax is:
<pre>
cache:owasp.org
</pre>
[[Image:Google_cache_Operator_Search_Results_Example_20121219.jpg||border]]

=== Google Hacking Database ===

The Google Hacking Database is list of useful search queries for Google. Queries are put in several categories:
* Footholds
* Files containing usernames
* Sensitive Directories
* Web Server Detection
* Vulnerable Files
* Vulnerable Servers
* Error Messages
* Files containing juicy info
* Files containing passwords
* Sensitive Online Shopping Info

== Tools ==
[4] FoundStone SiteDigger - http://www.mcafee.com/uk/downloads/free-tools/sitedigger.aspx 
[5] Google Hacker - http://yehg.net/lab/pr0js/files.php/googlehacker.zip 
[6] Bishop Fox's Google Hacking Diggity Project - http://www.bishopfox.com/resources/tools/google-hacking-diggity/ 
[7] PunkSPIDER - http://punkspider.hyperiongray.com/ 

== References ==
'''Web''' 
[1] "Google Basics: Learn how Google Discovers, Crawls, and Serves Web Pages" - https://support.google.com/webmasters/answer/70897 
[2] "Operators and More Search Help" - https://support.google.com/websearch/answer/136861?hl=en 
[3] "Google Hacking Database" - http://www.exploit-db.com/google-dorks/ 

== Remediation ==
Carefully consider the sensitivity of design and configuration information before it is posted online.

Periodically review the sensitivity of existing design and configuration information that is posted online.

Appendix A: Testing Tools

2014-11-24T07:41:07Z

Fran Brown: Stach & Liu rebranded as "Bishop Fox". Updated links accordingly.

{{Template:OWASP Testing Guide v4}}

==Open Source Black Box Testing tools==

=== General Testing ===
* '''[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP]'''
**The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
**ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
** WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is portable to many platforms. WebScarab has several modes of operation that are implemented by a number of plugins.
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
** Pantera uses an improved version of SpikeProxy to provide a powerful web application analysis engine. The primary goal of Pantera is to combine automated capabilities with complete manual testing to get the best penetration testing results.
* '''[[:OWASP Mantra - Security Framework]]'''
**Mantra is a web application security testing framework built on top of a browser. It supports Windows, Linux(both 32 and 64 bit) and Macintosh. In addition, it can work with other software like ZAP using built in proxy management function which makes it much more convenient. Mantra is available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish.
* '''SPIKE''' - http://www.immunitysec.com/resources-freesoftware.shtml
** SPIKE designed to analyze new network protocols for buffer overflows or similar weaknesses. It requires a strong knowledge of C to use and only available for the Linux platform.
* '''Burp Proxy''' - http://www.portswigger.net/Burp/
** Burp Proxy is an intercepting proxy server for security testing of web applications it allows Intercepting and modifying all HTTP(S) traffic passing in both directions, it can work with custom SSL certificates and non-proxy-aware clients.
* '''Odysseus Proxy''' - http://www.wastelands.gen.nz/odysseus/
** Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. It will intercept an HTTP session's data in either direction.
* '''Webstretch Proxy''' - http://sourceforge.net/projects/webstretch
** Webstretch Proxy enable users to view and alter all aspects of communications with a web site via a proxy. It can also be used for debugging during development.
* '''WATOBO''' - http://sourceforge.net/apps/mediawiki/watobo/index.php?title=Main_Page
** WATOBO works like a local proxy, similar to Webscarab, ZAP or BurpSuite and it supports passive and active checks.
* '''Firefox LiveHTTPHeaders''' - https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
** View HTTP headers of a page and while browsing.
* '''Firefox Tamper Data''' - https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
** Use tamperdata to view and modify HTTP/HTTPS headers and post parameters
* '''Firefox Web Developer Tools''' - https://addons.mozilla.org/en-US/firefox/addon/web-developer/
** The Web Developer extension adds various web developer tools to the browser.
* '''DOM Inspector''' - https://developer.mozilla.org/en/docs/DOM_Inspector
** DOM Inspector is a developer tool used to inspect, browse, and edit the Document Object Model (DOM)
* '''Firefox Firebug''' - http://getfirebug.com/
** Firebug integrates with Firefox to edit, debug, and monitor CSS, HTML, and JavaScript.
* '''Grendel-Scan''' - http://securitytube-tools.net/index.php?title=Grendel_Scan
** Grendel-Scan is an automated security scanning of web applications and also supports manual penetration testing.
* '''OWASP SWFIntruder''' - http://www.mindedsecurity.com/swfintruder.html
** SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed for analyzing and testing security of Flash applications at runtime.
* '''SWFScan''' - http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/SWFScan-FREE-Flash-decompiler/ba-p/5440167
** Flash decompiler
* '''Wikto''' - http://www.sensepost.com/labs/tools/pentest/wikto
** Wikto features including fuzzy logic error code checking, a back-end miner, Google-assisted directory mining and real time HTTP request/response monitoring.
* '''w3af''' - http://w3af.org
** w3af is a Web Application Attack and Audit Framework. The project’s goal is finding and exploiting web application vulnerabilities.
* '''skipfish''' - http://code.google.com/p/skipfish/
** Skipfish is an active web application security reconnaissance tool.
* '''Web Developer toolbar''' - https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm
** The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.
* '''HTTP Request Maker''' - https://chrome.google.com/webstore/detail/kajfghlhfkcocafkcjlajldicbikpgnp?hl=en-US
** Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages, tamper with the URL, headers and POST data and, of course, make new requests
* '''Cookie Editor''' - https://chrome.google.com/webstore/detail/fngmhnnpilhplaeedifhccceomclgfbg?hl=en-US
** Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies
* '''Cookie swap''' - https://chrome.google.com/webstore/detail/dffhipnliikkblkhpjapbecpmoilcama?hl=en-US
** Swap My Cookies is a session manager, it manages cookies, letting you login on any website with several different accounts.
* '''Firebug lite for Chrome"" - https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench
**Firebug Lite is not a substitute for Firebug, or Chrome Developer Tools. It is a tool to be used in conjunction with these tools. Firebug Lite provides the rich visual representation we are used to see in Firebug when it comes to HTML elements, DOM elements, and Box Model shading. It provides also some cool features like inspecting HTML elements with your mouse, and live editing CSS properties
* '''Session Manager"" - https://chrome.google.com/webstore/detail/bbcnbpafconjjigibnhbfmmgdbbkcjfi
**With Session Manager you can quickly save your current browser state and reload it whenever necessary. You can manage multiple sessions, rename or remove them from the session library. Each session remembers the state of the browser at its creation time, i.e the opened tabs and windows.
* '''Subgraph Vega''' - http://www.subgraph.com/products.html
**Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

=== Testing for specific vulnerabilities ===

==== Testing for DOM XSS ====
* DOMinator Pro - https://dominator.mindedsecurity.com

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''

==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.org/
* Absinthe 1.1 (formerly SQLSqueal) - http://sourceforge.net/projects/absinthe/
* SQLInjector - Uses inference techniques to extract data and determine the backend database server. http://www.databasesecurity.com/sql-injector.htm
* Bsqlbf-v2: A perl script allows extraction of data from Blind SQL Injections - http://code.google.com/p/bsqlbf-v2/
* Pangolin: An automatic SQL injection penetration testing tool - http://www.darknet.org.uk/2009/05/pangolin-automatic-sql-injection-tool/
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper - http://www.ruizata.com/
* Multiple DBMS Sql Injection tool - SQL Power Injector - http://www.sqlpowerinjector.com/
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools - http://packetstormsecurity.org/files/43795/sqlbftools-1.2.tar.gz.html

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad

==== Testing SSL ====
* Foundstone SSL Digger - http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx

==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html
* Ncat - http://nmap.org/ncat/

==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker
* Metasploit - http://www.metasploit.com/
** A rapid exploit development and Testing frame work

==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''
* Wfuzz - http://www.darknet.org.uk/2007/07/wfuzz-a-tool-for-bruteforcingfuzzing-web-applications/

==== Googling ====
* Bishop Fox's Google Hacking Diggity Project - http://www.bishopfox.com/resources/tools/google-hacking-diggity/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

==Commercial Black Box Testing tools==
* NGS Typhon III - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-typhon-iii/
* NGSSQuirreL - http://www.nccgroup.com/en/our-services/security-testing-audit-compliance/information-security-software/ngs-squirrel-vulnerability-scanners/
* IBM AppScan - http://www-01.ibm.com/software/awdtools/appscan/
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://www.portswigger.net/burp/intruder.html
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* Sleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft SOAtest (more QA-type tool)- http://www.parasoft.com/jsp/products/soatest.jsp?itemId=101
* MatriXay - http://www.dbappsecurity.com/webscan.html
* N-Stalker Web Application Security Scanner - http://www.nstalker.com
* HP WebInspect - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-webinspect
* SoapUI (Web Service security testing) - http://www.soapui.org/Security/getting-started.html
* Netsparker - http://www.mavitunasecurity.com/netsparker/
* SAINT - http://www.saintcorporation.com/
* QualysGuard WAS - http://www.qualys.com/enterprises/qualysguard/web-application-scanning/
* Retina Web - http://www.eeye.com/Products/Retina/Web-Security-Scanner.aspx
* Cenzic Hailstorm - http://www.cenzic.com/downloads/datasheets/Cenzic-datasheet-Hailstorm-Technology.pdf

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* Google CodeSearchDiggity - http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net
* Find Security Bugs - http://h3xstream.github.io/find-sec-bugs/
* Oedipus - http://www.darknet.org.uk/2006/06/oedipus-open-source-web-application-security-analysis/
* W3af - http://w3af.sourceforge.net/
* phpcs-security-audit - https://github.com/Pheromone/phpcs-security-audit

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* Parasoft C/C++ test - http://www.parasoft.com/jsp/products/cpptest.jsp/index.htm
* Checkmarx CxSuite - http://www.checkmarx.com
* HP Fortify - http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer
* GrammaTech - http://www.grammatech.com
* ITS4 - http://seclab.cs.ucdavis.edu/projects/testing/tools/its4.html
* Appscan - http://www-01.ibm.com/software/rational/products/appscan/source/
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com
* Armorize CodeSecure - http://www.armorize.com/codesecure/

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://seleniumhq.org/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-01.ibm.com/software/awdtools/purify/
* Seeker by Quotium - http://www.quotium.com/prod/security.php

===Binary Analysis===

* BugScam IDC Package - http://sourceforge.net/projects/bugscam
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu's Link Sleuth - http://home.snafu.de/tilman/xenulink.html

Research for SharePoint (MOSS)

2014-11-24T07:36:39Z

Fran Brown: Stach & Liu rebranded as "Bishop Fox". Updated links and names to the SharePoint Hacking Diggity Project tools and resources accordingly.

This page contains research notes on Microsoft's SharePoint MOSS and WSS

== Resources==

==== Microsoft resources====
* [http://office.microsoft.com/download/afile.aspx?AssetID=AM102437421033 Security Architecture for SharePoint Products and Technologies] (Word Doc)
* [http://sharepoint.microsoft.com SharePoint Community Portal]
* [http://technet.microsoft.com/en-us/library/cc262619.aspx Downloadable book: Security for Office SharePoint Server 2007] - [http://go.microsoft.com/fwlink/?LinkID=94375 link to 277 page Doc file]
* [http://blogs.msdn.com/arpans/archive/2008/05/09/sharepoint-end-user-security.aspx SharePoint End User Security]

==== Other Resources and Documentation====
* [http://www.finalcandidate.com/en/tandp/Pages/SharePointSecurityConcepts.aspx SharePoint Security Concepts] - contains a number of other links to more material
* [http://blogs.gartner.com/neil_macdonald/2009/02/25/sharepoint-security-best-practices/ SharePoint Security Best Practices] - $995 Gartner report
* [http://sharepointmagazine.net/technical/administration/microsoft-office-sharepoint-server-2007-security-model Microsoft Office SharePoint Server 2007 Security Model]
* [http://www.cmswire.com/cms/enterprise-cms/sharepoint-security-concerns-simply-a-lack-of-governance-003551.php SharePoint Security Concerns Simply a Lack of Governance?]
* [http://www.cmswire.com/cms/enterprise-cms/governance-key-for-sharepoint-implementations-003123.php Governance Key for SharePoint Implementations]
* [http://www.bishopfox.com/files/articles/2012/Information%20Security%20Magazine%20JulyAug2012-SharePoint.pdf SearchSecurity – Securing SharePoint: SharePoint security best practices] - Information Security Magazine July/Aug2012 - Volume 14 - Locking Down Sharepoint - Businesses love Microsoft’s collaboration software but can forget to secure it.

==== Presentations ====
* Bishop Fox - HackCon 2011 - Oslo, Norway - February 16, 2011 : [http://www.bishopfox.com/files/slides/2011/HackCon%202011%20-%20SharePoint%20Security%20-%20Feb2011.pdf SharePoint Security: Advanced SharePoint Security Tips and Tools]
* OWASP Houston Chapter - August 12, 2009 : [http://owasp.icrew.org/downloads/OWASP_ShohnTrojacek.pdf SharePoint Auditing and Penetration Testing] Presentation by: Shohn Trojacek
* from Denim group:
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TASSCCTEC2009_20090326.pdf Securing SharePoint (PDF Format)] - TASSCC Technology Education Conference in Austin, March 26, 2009
** [http://www.denimgroup.com/media/pdfs/DenimGroup_SecuringSharePoint_TRISC_20090324.pdf Securing Sharepoint (PDF Format)] - Texas Regional Infrastructure Security Conference (TRISC) in Austin, March 24, 2009
** [http://sp.meetdux.com/archive/2009/07/08/a-primer-to-sharepoint-security.aspx A Primer to SharePoint Security] - video

==== Other interesting resources====
* [http://www.indeed.com.au/jobs?q=Moss+Security&l= MOSS Security jobs (in Australia)]
* [http://www.cmswire.com/news/topic/sharepoint Articles on CMSWire about SharePoint]

==== Other Blogs and Articles ====
* [http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=212903345 Microsoft SharePoint: A Weak Link In Enterprise Security?] - Dark Reading

==== Security related technical articles ====
* [http://www.sharepointsecurity.com/sharepoint/sharepoint-security/how-to-programmatically-disable-code-access-security/ How to Programmatically Disable Code Access Security]

== Published Security issues ==

=== SharePoint related vulnerabilities and its status ===
* {Note: Add MSRC case}
* http://milw0rm.com/exploits/8704 & http://milw0rm.com/sploits/2009-IIS-Advisory.pdf

== MOSS Security related WebParts, Tools & services ==

==== Open Source ====
* From CodePlex (see more on this search for [http://www.codeplex.com/site/search?ProjectSearchText=Sharepoint%20Security SharePoint Security]
** [http://securitytemplates.codeplex.com/ SharePoint Security Templates] (CodePlex)
** [http://spsecurity.codeplex.com/ SharePoint Security Configuration Feature]
** [http://accesschecker.codeplex.com Sharepoint Access Checker Web Part]
** [http://sitesecuritymgmt.codeplex.com/ Site Security Management Utility]
** [http://cryptocollaboration.codeplex.com/ CryptoCollaboration For SharePoint]

==== Commercially Supported ====
* [http://www.sharepointsecurity.com ARB Security Solutions (www.sharepointsecurity.com)]
* [http://www.surety.com/Offerings/AbsoluteProof/For-MS-SharePoint.aspx AbsoluteProof for MS SharePoint] - related article [http://www.cmswire.com/cms/enterprise-cms/surety-releases-absoluteproof-for-sharepoint-002471.php Surety Releases AbsoluteProof for SharePoint]
* [http://www.avepoint.com/assets/pdf/Social_Security_Administration_Case_Study.pdf Sharepoint case study (marketing doc)]

== Dangerous MOSS APIs ==

Map the security implications of MOSS APIs, for example:
* which APIs (if badly used)are vulnerable to: XSS, CSRF, SQL Injection
* configuration settings that have security implications

== SharePoint Hacking ==
==== SharePoint Hacking Tools ====
* [http://extensions.professionallyevil.com/beef.php SharePoint Enumerator | Professionally Evil] - This is a collection of 4 modules that help enumerate the SharePoint server the victim is connected to.
* [http://sparty.secniche.org/ Sparty] - MS Sharepoint and Frontpage Auditing Tool
* [https://github.com/toddsiegel/spscan SPScan] - SharePoint scanner and fingerprinter based on WPScan
* [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/ Bishop Fox - SharePoint Hacking Diggity Project] - SharePoint hacking tools project page. Currently includes such hacking tools as:
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#google-and-bing-hacking-dictionary-files SharePoint – Google and Bing Diggity Dictionary Files] - New GoogleDiggity input dictionary file containing 121 queries that allow users to uncover SharePoint specific vulnerabilities exposed via the Google search engine. This dictionary helps assessors locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google. Recently, we’ve also created a Bing hacking dictionary (124 Bing queries) that can be imported into BingDiggity and used to identify SharePoint exposures as well.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-hacking-alerts-for-google-and-bing SharePoint Hacking Alerts for Google and Bing] - SharePoint Hacking Alerts provide real-time vulnerability updates from both the Google and Bing search engines. These convenient RSS feeds help locate exposures of common SharePoint administrative pages, web services, and site galleries that an organization typically would not want to be made available to the public, let alone indexed by Google and Bing. [http://www.google.com/alerts Google Alerts] have been created for all SharePoint related search strings, which generate a new alert each time newly indexed pages by Google match one of those regular expressions. Microsoft Bing’s &format=rss directive was used to turn Bing searches into RSS feeds.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepointurlbrute SharePointURLBrute] - SharePointURLBrute is a new SharePoint hacking utility developed to help assessors quickly test user access to 101 common SharePoint administrative pages (e.g. “Add Users” page -> /_layouts/aclinv.aspx) by automating forceful browsing attacks.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-userdispenum SharePoint UserDispEnum] - UserDispEnum is a new SharePoint user enumeration tool that exploits insecure access controls to the /_layouts/UserDisp.aspx?ID=1 page. This utility cycles through the integer ID values from 1 onward to identify valid users, account names, and other related profile information that can be easily extracted from the SharePoint user profiles. For real, live examples of SharePoint site deployments insecurely exposing this functionality to anonymous users on the Internet, see Google results of: “http://www.google.com/#q=inurl:”/_layouts/userdisp.aspx”. Users can leverage [http://www.bishopfox.com/resources/tools/google-hacking-diggity/ Bishop Fox’s GoogleDiggity hacking tools] to identify these exposures within their own organization, and then employ the UserDispEnum tool to exploit them during penetration tests.
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/attack-tools/#sharepoint-dlp-tools SharePoint DLP Tools] - COMING SOON – Bishop Fox's data loss prevention (DLP) tools for Microsoft SharePoint. SharePoint DLP Tools utilize administrative web services to help automate the searching of SharePoint files and lists for SSNs, credit card numbers, passwords, and other common information disclosures.

==== SharePoint Hacking Presentations ====
* '''2008'''
** [http://www.youtube.com/watch?v=DYudvh9cfZM hak5 - Episode 407 - Toorcon 2008: Robin Wood, Dan Griffin] - see 11:10 minute mark in video for interview with Dan Griffin about SharePoint Hacking.
* '''2012'''
** [http://www.bishopfox.com/resources/tools/sharepoint-hacking-diggity/presentation-slides/ Bishop Fox - SharePoint Hacking Diggity Project - Presentations]:
*** OWASP L.A. 2012 - Los Angeles, CA - February 22, 2012 : [http://www.bishopfox.com/files/slides/2012/OWASP%20LA%20-%20SharePoint%20Hacking%20-%2022Feb2012.pdf SharePoint Hacking: Advanced SharePoint Security Tips and Tools]
* '''2013'''
** [http://www.youtube.com/watch?feature=player_embedded&v=AAObW2fcB_s TMI: Assessing and Exploiting SharePoint at DerbyCon 3.0]
** [https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf Sparty - Blackhat USA 2013] Sparty : A Frontpage and Sharepoint Auditing Tool

== WebParts Security ==

* Security ratings & mappings of MOSS Deployed Web Parts
* Security ratings & mappings of 3rd Part Web Parts

Appendix A: Testing Tools

2011-10-01T19:09:05Z

Fran Brown:

{{Template:OWASP Testing Guide v3}}

==Open Source Black Box Testing tools==

=== General Testing ===

* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
* SPIKE - http://www.immunitysec.com
* Paros - http://www.parosproxy.org
* Burp Proxy - http://www.portswigger.net
* Achilles Proxy - http://www.mavensecurity.com/achilles
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
* Webstretch Proxy - http://sourceforge.net/projects/webstretch
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
* Grendel-Scan - http://www.grendel-scan.com
* [[:Category:SWFIntruder|OWASP SWFIntruder]]
* http://www.mindedsecurity.com/swfintruder.html

[[Category:FIXME| link not working

* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

]]

=== Testing for specific vulnerabilities ===

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''
==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.sourceforge.net
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
* SQLInjector - http://www.databasesecurity.com/sql-injector.htm
* bsqlbf-1.2-th - http://www.514.es

[[Category:FIXME|link not working

* Multiple DBMS Sql Injection tool - SQL Power Injector
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper

]]

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
==== Testing SSL ====
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html

[[Category:FIXME|link not working
==== Testing for HTTP Methods ====
* NetCat - http://www.vulnwatch.org/netcat

]]
==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker

[[Category:FIXME|link not working

* Metasploit - http://www.metasploit.com/projects/Framework/
** A rapid exploit development and Testing frame work

]]
==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''

==== Googling ====
* Stach & Liu's Google Hacking Diggity Project - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

==Commercial Black Box Testing tools==

* Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
* NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://portswigger.net/intruder
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* WebSleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft WebKing (more QA-type tool)
* MatriXay - http://www.dbappsecurity.com
* N-Stalker Web Application Security Scanner - http://www.nstalker.com

[[Category:FIXME|check these links

* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php

link broken:
* SPI Dynamics WebInspect - http://www.spidynamics.com
* ScanDo - http://www.kavado.com

]]

==Source Code Analyzers==

===Open Source / Freeware===
* [[:Category:OWASP_Orizon_Project|Owasp Orizon]]
* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* [[OWASP O2 Platform]]
* Google CodeSearchDiggity - http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net

[[Category:FIXME|broken link

* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

]]

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* CodeWizard - http://www.parasoft.com/products/wizard
* Checkmarx CxSuite - http://www.checkmarx.com
* Fortify - http://www.fortifysoftware.com
* GrammaTech - http://www.grammatech.com
* ITS4 - http://www.cigital.com/its4
* Ounce labs Prexis - http://www.ouncelabs.com
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com

[[Category:FIXME|link not working

* Armorize CodeSecure - http://www.armorize.com/product/

]]

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://www.openqa.org/selenium/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

===Binary Analysis===

* BugScam - http://sourceforge.net/projects/bugscam
* BugScan - http://www.hbgary.com
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu - http://home.snafu.de/tilman/xenulink.html

[[Category:FIXME|check this link

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

]]

Source Code Analysis Tools

2011-10-01T19:05:20Z

Fran Brown:

Source Code Analysis tools are designed to analyze source code and/or compiled version of code in order to help find security flaws. Ideally, such tools would automatically find security flaws with a high degree of confidence that what is found is indeed a flaw. However, this is beyond the state of the art for many types of application security flaws. Thus, such tools frequently serve as aids for an analyst to help them zero in on security relevant portions of code so they can find flaws more efficiently, rather than a tool that simply finds flaws automatically.

Some tools are starting to move into the IDE. For the types of problems that can be detected during the software development phase itself, this is a powerful phase within the development lifecycle to employ such tools, as it provides immediate feedback to the developer on issues they might be introducing into the code during code development itself. This immediate feedback is very useful as compared to finding vulnerabilities much later in the development cycle.

==Strengths and Weaknesses of such tools==

=== Strengths ===
* Scales Well (Can be run on lots of software, and can be repeatedly (like in nightly builds))
* For things that such tools can automatically find with high confidence, such as buffer overflows, SQL Injection Flaws, etc. they are great.

=== Weaknesses ===
* Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc. The current state of the art only allows such tools to automatically find a relatively small percentage of application security flaws. Tools of this type are getting better, however.
* High numbers of false positives.
* Frequently can't find configuration issues, since they are not represented in the code.
* Difficult to 'prove' that an identified security issue is an actual vulnerability.
* Many of these tools have difficulty analyzing code that can't be compiled. Analysts frequently can't compile code because they don't have the right libraries, all the compilation instructions, all the code, etc.

==Important Selection Criteria==

* Requirement: Must support your language, but not usually a key factor once it does.

* Types of Vulnerabilities it can detect (Out of the OWASP Top Ten?) (plus more?)
* Does it require a fully buildable set of source?
* Can it run against binaries instead of source?
* Can it be integrated into the developer's IDE?
* License cost for the tool. (Some are sold per user, per org, per app, per line of code analyzed. Consulting licenses are frequently different than end user licenses.)

==OWASP Tools Of This Type==
* [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
* [[OWASP_LAPSE_Project | OWASP LAPSE Project]]
* [[OWASP O2 Platform]]

==Open Source or Free Tools Of This Type==

* [http://www.stachliu.com/resources/tools/google-hacking-diggity-project/attack-tools/ Google CodeSearchDiggity] - Utilizes Google Code Search to identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, Github, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. ''Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.''
* [http://findbugs.sourceforge.net/ FindBugs] - Find Bugs (including some security flaws) in Java Programs
* [http://msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx FxCop] (Microsoft) - FxCop is an application that analyzes managed code assemblies (code that targets the .NET Framework common language runtime) and reports information about the assemblies, such as possible design, localization, performance, and security improvements.
* [http://pmd.sourceforge.net/ PMD] - PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)
* [http://msdn.microsoft.com/en-us/library/ms933794.aspx PreFast] (Microsoft) - PREfast is a static analysis tool that identifies defects in C/C++ programs
* [http://www.fortify.com/security-resources/rats.jsp RATS] (Fortify) - Scans C, C++, Perl, PHP and Python source code for security problems like buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions
* [http://www.securitycompass.com/inner_swaat.shtml SWAAT] - Simplistic Beta Tool - Languages: Java, JSP, ASP .Net, and PHP
* [http://www.dwheeler.com/flawfinder/ Flawfinder] Flawfinder - Scans C and C++
* [http://sourceforge.net/projects/rips-scanner/ RIPS] - RIPS is a static source code analyzer for vulnerabilities in PHP web applications

==Commercial Tools from OWASP Members Of This Type==

These vendors have decided to support OWASP by becoming [[Membership|members]]. OWASP appreciates the support from these organizations, but cannot endorse any commercial products or services.

* [http://www.armorize.com/corpweb/en/products/codesecure Static Source Code Analysis with CodeSecure™] (Armorize Technologies)
* [http://www.artofdefence.com/en/hypersource/hypersource.html Static Source Code Analysis with hypersource] (art of defence)
* [http://www.fortifysoftware.com/products/sca.jsp Source Code Analysis] (HP/Fortify)
* [http://www.veracode.com/ Veracode] (Veracode)

==Other Well Known Commercial Tools Of This Type==

* [http://www.checkmarx.com/Products.aspx?id=3 CxSuite] (Checkmarx)
* [http://www.coverity.com/products/prevent.html Prevent] (Coverity)
* [http://www-01.ibm.com/software/awdtools/appscan/ IBM Rational AppScan Developer] (formerly Ounce)
* [http://www.klocwork.com/products/insight.asp Insight] (KlocWork)

==More Info==

* TODO: add comments from: http://lists.owasp.org/pipermail/owasp-dotnet/2006-August/000002.html
* [[Appendix_A:_Testing_Tools | Appendix A: Testing Tools]]
* [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers NIST's list of Source Code Security Analysis Tools]

[[Category:OWASP .NET Project]]

__NOTOC__

Research for SharePoint (MOSS)

2011-04-07T14:12:31Z

Fran Brown: