OWASP - User contributions [en]

OWASP Connections Committee - Application 3

2010-01-07T22:32:49Z

Marcin:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| style="width:100%" border="0" align="center"
|-
! colspan="2" align="center" style="background:#4058A0; color:white" | '''COMMITTEE APPLICATION FORM'''
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Applicant's Name'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | Justin Clarke
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Current and past OWASP Roles'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | London Chapter Leader. Speaker at OWASP Ireland and IBWAS conferences in 2009.
|-
| style="width:25%; background:#7B8ABD" align="center" | '''Committee Applying for'''
| colspan="1" style="width:85%; background:#cccccc" align="left" | OWASP Connection Committee
|}

----

 

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

 

----

{| style="width:100%" border="0" align="center"
|-
! colspan="8" align="center" style="background:#4058A0; color:white" | '''COMMITTEE RECOMMENDATIONS'''
|-
! align="center" style="background:white; color:white" | 
! align="center" style="background:#7B8ABD; color:white" | '''Who Recommends/Name'''
! align="center" style="background:#7B8ABD; color:white" | '''Role in OWASP'''
! align="center" style="background:#7B8ABD; color:white" | '''Recommendation Content'''
|-
| style="width:3%; background:#cccccc" align="center" | '''1'''
| style="width:20%; background:#cccccc" align="center" | Martin Knobloch
| style="width:20%; background:#cccccc" align="center" | Dutch Chapter Board/GEC
| style="width:57%; background:#cccccc" align="center" | Justin is definitely the man with experience and is driven to get this going!
|-
| style="width:3%; background:#cccccc" align="center" | '''2'''
| style="width:20%; background:#cccccc" align="center" | Colin Watson
| style="width:20%; background:#cccccc" align="center" | Global Industry Committee
| style="width:57%; background:#cccccc" align="center" | Justin is an ardent OWASP supporter and contributes very widely to the application security community. He has demonstrated his communication and collaboration skills while being London Chapter Leader and I therefore think he will be able to make a great contribution to this OWASP committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''3'''
| style="width:20%; background:#cccccc" align="center" | Fabio Cerullo
| style="width:20%; background:#cccccc" align="center" | Global Education Committee
| style="width:57%; background:#cccccc" align="center" | Justin is a passionate person about application security. He not only contributes within the OWASP community but also with the wider application security industry and academia. I strongly believe he will be a great addition to the OWASP Connections Committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''4'''
| style="width:20%; background:#cccccc" align="center" | Yiannis Pavlosoglou
| style="width:20%; background:#cccccc" align="center" | Global Industry Committee
| style="width:57%; background:#cccccc" align="center" | Few people can offer web application security the professional/personal drive and mentality of getting things done, as required, in the manner that Justin operates. Looking forward to seeing your work on this committee.
|-
| style="width:3%; background:#cccccc" align="center" | '''5'''
| style="width:20%; background:#cccccc" align="center" | Marcin Wielgoszewski
| style="width:20%; background:#cccccc" align="center" | NYNJ Metro Chapter
| style="width:57%; background:#cccccc" align="center" | Justin is one of few people I know to give it their all to produce quality results, and his work ethic shows. He is able to work with a variety of people and personalities, listen, and present his thoughts in an articulate manner. I have no doubt in my mind that Justin will make an excellent fit for the OWASP Connections committee.
|}

----

OWASP Podcast

2009-05-24T17:10:15Z

Marcin:

==== About ====

'''OWASP Podcast Series Hosted by Jim Manico'''

* The OWASP foundation presents the OWASP PODCAST SERIES hosted by [[User:Jmanico|Jim Manico]] from Aspect Security.
* Listen as Jim interviews OWASP volunteers, industry experts and leaders within the field of web application security.
* Questions? Comments? Please email [mailto:podcast@owasp.org podcast@owasp.org]
* Want to see the process and equipment behind the show? [https://www.owasp.org/index.php/Talk:OWASP_Podcast click here]

<table border="0"><tr><td>
[http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://www.owasp.org/download/jmanico/OWASP_Podcast_200x200.jpg]
</td><td align="center" width="150">
Subscribe [http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png]
</td>
</tr>
</table>

<paypal>OWASP Podcast</paypal>

==== Latest Shows====

<table border="0" class="wikitable">

<tr>
<th>#</th>
<th>Date</th>
<th>Actions</th>
<th>Description</th>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">22</td>
<td NOWRAP VALIGN="TOP">May 22, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_22.mp3 Listen Now] | [[Podcast_22|Show Notes]]</td>
<td VALIGN="TOP">Interview with Dan Cornell</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">21</td>
<td NOWRAP VALIGN="TOP">May 20, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_21.ogg Listen Now] | [[Podcast_21|Show Notes]]</td>
<td VALIGN="TOP">Interview with Richard Stallman</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">20</td>
<td NOWRAP VALIGN="TOP">May 13, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_20.mp3 Listen Now] | [[Podcast_20|Show Notes]]</td>
<td VALIGN="TOP">Interview with Mike Bailey</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">19</td>
<td NOWRAP VALIGN="TOP">May 11, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_19.mp3 Listen Now] | [[Podcast_19|Show Notes]] </td>
<td VALIGN="TOP">March 2009 News Commentary by Arshan Dabirsiaghi, Andre Gironda, Jim Manico and Jeff Williams (part 2)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">18</td>
<td NOWRAP VALIGN="TOP">April 30, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_18.mp3 Listen Now] | [[Podcast_18|Show Notes]] </td>
<td VALIGN="TOP">Interview with Jeremiah Grossman</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">17</td>
<td NOWRAP VALIGN="TOP">April 21, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_17.mp3 Listen Now] | [[Podcast_17|Show Notes]] </td>
<td VALIGN="TOP">Interview with Robert Hansen</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">16</td>
<td NOWRAP VALIGN="TOP">April 9, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_16.mp3 Listen Now] | [[Podcast_16|Show Notes]]</td>
<td VALIGN="TOP">Dave Aitel demonstrates cool</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">15</td>
<td NOWRAP VALIGN="TOP">April 4, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_15.mp3 Listen Now] | [[Podcast_15|Show Notes]]</td>
<td VALIGN="TOP">Brian Chess talks about BSIMM</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">14</td>
<td NOWRAP VALIGN="TOP">March 25, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_14.mp3 Listen Now] | [[Podcast_14|Show Notes]]</td>
<td VALIGN="TOP">Pravir Chandra talks about OWASP SAMM</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">13</td>
<td NOWRAP VALIGN="TOP">March 23, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_13.mp3 Listen Now] | [[Podcast_13|Show Notes]]</td>
<td VALIGN="TOP">March 2009 News Commentary by Arshan Dabirsiaghi, Andre Gironda, Jim Manico and Jeff Williams (part 1)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">12</td>
<td NOWRAP VALIGN="TOP">March 11, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_12.mp3 Listen Now] | [[Podcast_12|Show Notes]]</td>
<td VALIGN="TOP">Interview with Ryan Barnett (OWASP ModSecurity Core Ruleset)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">11</td>
<td NOWRAP VALIGN="TOP">March 4, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_11.mp3 Listen Now] | [[Podcast_11|Show Notes]]</td>
<td VALIGN="TOP">Interview with MITRE (Steve Christey and Bob Martin)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">10</td>
<td NOWRAP VALIGN="TOP">February 26, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_10.mp3 Listen Now] | [[Podcast_10|Show Notes]]</td>
<td VALIGN="TOP">Interview with Ken van Wyk</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">9</td>
<td NOWRAP VALIGN="TOP">February 20, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_9.mp3 Listen Now] | [[Podcast_9|Show Notes]]</td>
<td VALIGN="TOP">February 2009 News Commentary by Arshan Dabirsiaghi, Andre Gironda, Jim Manico and Jeff Williams (part 2)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">8</td>
<td NOWRAP VALIGN="TOP">February 20, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_8.mp3 Listen Now] | [[Podcast_8|Show Notes]]</td>
<td VALIGN="TOP">February 2009 News Commentary by Arshan Dabirsiaghi, Andre Gironda, Jim Manico and Jeff Williams (part 1)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">7</td>
<td NOWRAP VALIGN="TOP">January 30, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_7.mp3 Listen Now] | [[Podcast_7|Show Notes]]</td>
<td VALIGN="TOP">Interview with Jeff Williams</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">6</td>
<td NOWRAP VALIGN="TOP">January 24, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_6.mp3 Listen Now] | [[Podcast_6|Show Notes]]</td>
<td VALIGN="TOP">Roundtable with Andre Gironda, Brian Holyfield, Jim Manico, Marcin Wielgoszewski</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">5</td>
<td NOWRAP VALIGN="TOP">January 15, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_5.mp3 Listen Now] | [[Podcast_5|Show Notes]]</td>
<td VALIGN="TOP">Interview with Gary McGraw</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">4</td>
<td NOWRAP VALIGN="TOP">January 13, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_4.mp3 Listen Now] | [[Podcast_4|Show Notes]]</td>
<td VALIGN="TOP">Interview with Andrew van der Stock (OWASP Developers Guide)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">3</td>
<td NOWRAP VALIGN="TOP">December 30, 2009</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_3.mp3 Listen Now] | [[Podcast_3|Show Notes]]</td>
<td VALIGN="TOP">Interview with Matt Tesauro (OWASP Live CD)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">2</td>
<td NOWRAP VALIGN="TOP">December 20, 2008</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_2.mp3 Listen Now] | [[Podcast_2|Show Notes]]</td>
<td VALIGN="TOP">Interview with Stephen Craig Evans (OWASP WebGoat/ModSecurity Project)</td>
</tr>

<tr>
<td NOWRAP VALIGN="TOP">1</td>
<td NOWRAP VALIGN="TOP">November 21, 2008</td>
<td NOWRAP VALIGN="TOP">[http://www.owasp.org/download/jmanico/owasp_podcast_1.mp3 Listen Now] | [[Podcast_1|Show Notes]]</td>
<td VALIGN="TOP">News Commentary by Arshan Dabirsiaghi, Jeremiah Grossman, Jim Manico and Jeff Williams</td>
</tr>

</table>

==== Contributors and Sponsors ====

'''Host and Co-Producer'''
* [[User:Jmanico|Jim Manico]]

'''Mastering and Co-Producer'''
* Kevin Coons from ManaTribe

'''News Commentary Copy Editor'''
* [[User:dre|Andre Gironda]]

'''Audio Editing Team'''
* [[User:Jmanico|Jim Manico]]
* [[User:Marcin|Marcin Wielgoszewski]]
* Kevin Coons from ManaTribe

'''News Commentary Team'''
* Andre Gironda
* [[User:Jmanico|Jim Manico]]
* Jeff Williams
* Arshan Dabirsiaghi

'''Artwork'''
* Larry Casey
* Gareth Heyes

'''Sponsors'''
* The OWASP Foundation
* Music by [http://www.twistedmusic.com/artists/shpongle/ Shpongle] courtesy of [http://www.twistedmusic.com/ Twisted Records]

'''Illuminati-like influence over the Podcast'''
* Tom Brennan
* Jeff Williams
* Dinis Druz
* Kate Hartmann
* [[User:Marcin|Marcin Wielgoszewski]]
* Tracey Schavone
* The OWASP Leadership eList

==== Twitter ====

[http://twitter.com/manicode http://twitter.com/manicode]

<twitter>manicode</twitter>

==== Platinum Lounge ====

The OWASP Podcast Platinum Lounge is reserved for individuals who have participated in 5 or more podcasts. :)

* Jeff Williams (6 shows) 
* Andre Gironda (5 shows) 
* Arshan (5 shows) 
* Jim (22 shows)

__NOTOC__
<headertabs/>

User:Marcin

2009-05-24T17:08:17Z

Marcin:

Marcin is an OWASP contributor, evangelist, and chairman for the [[NYNJMetro | OWASP NY/NJ Metro Chapter]] "Special Projects Committee." He is part of the audio editing team and exhibits Illuminati-like influence over the [[OWASP_Podcast | OWASP Podcast Series]].

Marcin Wielgoszewski is a Security Engineer and Software Security Consultant for [http://www.gdssecurity.com Gotham Digital Science]. He is also blogger and owner of [http://www.tssci-security.com tssci-security], a blog dedicated to web application security, server and infrastructure virtualization, cloud computing, trusted systems, and software security and assurance.

==Presentations==
* [http://www.tssci-security.com/pub/2008_OWASP_EU_Summit-Wielgoszewski-AntiSamydotNET.pdf AntiSamy.NET: Fighting XSS the .NET Way]
* [http://tssci-security.com/pub/2008_ShmooCon_DC-Gironda-Wielgoszewski-Path_X.pdf Path X: Explosive Security Testing Tools with XPath]

==Links==
* [http://www.gdssecurity.com Gotham Digital Science]
* [http://www.tssci-security.com tssci-security]

==PGP Key==

pub KeyID = [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB0D446C3 B0D446C3]

<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Key Server 0.9.6

mQGiBEX7TagRBAClwMBiWMHIDHRGhfh4733jkkR/StyQwFfyQAcQERJ1fqBUwoUt
Ei4vX7ZC9q1AFGhUD+ASEr6iMHPnQmMiy4gUgXoRarIeFVMI89my4qX13GweMjMD
Dq+MH3BDYIObp47tN+x+imoxsRXgS/sHbJmQGM3/77uKQZuYOOtpQ+HKPwCg2tof
Ry9Nm/W8UBZTnUNm739T5X0D/R3oCMfsuSasMgcuEQqsnNDTSIc7MmEf1BHWsieu
D3QvptzN0MhFemWwzF2ureTh4trKLhGhP9u14/DYStRu10iBBe6nSZv6R2aig3ll
ytXmB4A1X9Q5WH00qalqmpZa5/1frMT+Wcp6knioZQDmiNEZFVi/fOpY/g5mKJKh
MPqZA/96lww3t+WUwCadVUX781SIXQzzQLkhQxjR60oy6aHAQ7lss39VFIES383z
4MJdyOKOwpwJbIeZaXDfeDRNT1vwswFLrGD2Rs1nYNZU6/sbdMo7xD1SZDGh6rbC
ikCICwBWcpiFkZwbkqkT9lUcPN9ql4BiLUZGbB2QCI+6TC9ay7RDTWFyY2luIFdp
ZWxnb3N6ZXdza2kgKE1hcmNpbidzIFBHUCBLZXkpIDxtYXJjaW5AdHNzY2ktc2Vj
dXJpdHkuY29tPohgBBMRAgAgAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AFAkat
ZLkACgkQ3U7hhbDURsPvbwCfeh117AnipildPSiq7JDMxKz49KgAn1VgJivZV+7J
jW179PWXOVmtfKIriGYEExECACYFAkX7TagCGwMFCQHhM4AGCwkIBwMCBBUCCAME
FgIDAQIeAQIXgAAKCRDdTuGFsNRGw5InAJ0eDmApcw7IZv0601vtCfFO9sQUrwCf
V7251oQTKqXANLP/foQrhePC7iu5Ag0ERftNuhAIAOIgbIgxxeG3lVJrar7qKHsT
UgwdnL13ksIP407L4DwFEzUdtzTeZfQlHvtRJK7BeCtLDpvqjBdX2vKioJg+p2PS
W/30CcwxL3NviQ7+Zd6UOzz/01+1k9IM9k+heDKHit4t9vZW/nxLLQCTIQ8vATxe
hzfQRySGtHqyr5Ys8hOiTaU9WmiKzMMoc1+4TdhP8Ytn32ji6Pc+nydhCriE7/Fg
rTLybaNaw9TGvg8Ramq0V/aDHGltCLZEbsdIPGtvDfwy/M6FyG5zujsLalFFR3OD
hXaMZ9RQSQQWnap55V59hhsvlHboFbOT2ob3Q+k2HYJLayv6xzKq7pdJM9sv7CcA
BREH/jQ+HAKTTHkt2t9D+weVoMBLsTejT8RFZWF2RuF+4zfuMaySInjXt8AZjxhf
QupNbtgjUZzAmKZoQ9MWyKU+6y5lldbxXGsp+BGcILgimcG6b3ceA43nVACR9o3O
dJvGV0/QNOGkXLui0BOsZqOJ6otb3ancC3IR9TNzELaNFZKX+s7m5XHQnywxcu7q
iTOYEBPlZJGSsA6k3ej4IcPGa90kJmdOX7FC1VQCRYo7OdA4AuQYq94ypWaaGWKm
oJ45ix9/OG/PRdBHxfxbz0z4YeY34gw7Tv6Z5yiiJh1Cfo8bH7RZbRLb/+yI52Lx
/YojQ3KOuF6aLs86DgSKhTrsgdWISQQYEQIACQIbDAUCRq1kwwAKCRDdTuGFsNRG
w+OBAKCoXC7hlzO5ftleqHVVLZsJ6nfQeQCgzgUaxNN67W7s0XQaEaa2c+0F0w4=
=anSp
-----END PGP PUBLIC KEY BLOCK-----
</pre>

OWASP Podcast

2009-05-07T21:25:14Z

Marcin:

==== About ====

<table width="100%" valign="top"><tr><th width="50%"> </th><th> </th></tr><tr valign="top"><td>
''OWASP Podcast''

'''OWASP Podcast Series Hosted by Jim Manico'''

The OWASP foundation presents the OWASP PODCAST SERIES hosted by [[User:Jmanico|Jim Manico]]. Listen as Jim interviews OWASP volunteers, industry experts and leaders within the field of web application security. 

Questions? Comments? Please contact [mailto:podcast@owasp.org podcast@owasp.org] 
Want to see the process and equipment behind the show? [https://www.owasp.org/index.php/Talk:OWASP_Podcast click here]
<table border=0>
<tr>
<td>
[http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://www.owasp.org/download/jmanico/OWASP_Podcast_200x200.jpg]
</td>
<td align="center" width="150">
Subscribe [http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png] 
[http://www.owasp.org/download/jmanico/podcast.xml Archives]
</td>
</tr>
</table>
<paypal>OWASP Podcast</paypal>
</td><td>
;
 '''Latest Shows'''
* April 30, 2009 Podcast #18 - [http://www.owasp.org/download/jmanico/owasp_podcast_18.mp3 Listen Now] - [[Podcast_18|Show Notes]] - Interview with Jeremiah Grossman.

* April 21, 2009 Podcast #17 - [http://www.owasp.org/download/jmanico/owasp_podcast_17.mp3 Listen Now] - [[Podcast_17|Show Notes]] - Interview with Robert Hansen.

* April 9, 2009 Podcast #16 - [http://www.owasp.org/download/jmanico/owasp_podcast_16.mp3 Listen Now] - [[Podcast_16|Show Notes]] - Dave Aitel demonstrates cool.

* April 4, 2009 Podcast #15 - [http://www.owasp.org/download/jmanico/owasp_podcast_15.mp3 Listen Now] - [[Podcast_15|Show Notes]] - Brian Chess talks about BSIMM.

</td></tr>
</table>

==== News ====

'''Twitter from Jim Manico'''

<twitter>manicode</twitter>

==== Contributors and Sponsors ====

'''Host and Co-Producer'''
* [[User:Jmanico|Jim Manico]]

'''Mastering and Co-Producer'''
* Kevin Coons from ManaTribe

'''News Copy Editor'''
* Andre Gironda

'''Audio Editing Team'''
* [[User:Jmanico|Jim Manico]]
* Marcin Wielgoszewski
* Kevin Coons from ManaTribe

'''News Team'''
* Andre Gironda
* [[User:Jmanico|Jim Manico]]
* Jeff Williams
* Arshan Dabirsiaghi

__NOTOC__
<headertabs/>

Project Information:template AntiSamy Project - Final Review - Second Reviewer - F

2009-03-29T05:29:22Z

Marcin:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The OWASP AntiSamy.NET project is aimed to provide an API for .NET applications for validating rich HTML/CSS input from users without exposing the web application to cross site scripting and phishing attacks. The project is a direct port of the AntiSamy Java API. Currently, the project has one outstanding feature left to be implemented – Cascading Style Sheet (CSS) support. Support for CSS would allow users to wrap input within inline style and div elements. Arshan Dabirsiaghi stated that at the beginning of the project, it would not include support for CSS by the conclusion of Summer of Code 2008. This is noted here for reference as it is not stated on the project site.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Overall, AntiSamy.NET is 100% complete.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The offsiteURL regular expression in the policy files could be more restrictive. Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN. More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted. There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All project criteria to meet Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET is an API for .NET projects. There is no “installer” associated with such a project. Basic usage instructions are included on the wiki, but there could be more effort put here. See below for more.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All features have been implemented, including CSS support. A Fortify open review scan was completed and no issues were found.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
It would be nice to see all functions documented and a data flow graph that shows how input flows through the API and is acted on. I (Marcin Wielgoszewski) would be willing to create this documentation for the project. See http://osteele.com/tools/reanimator and http://osteele.com/archives/2006/02/reanimator. Also, with regards to unit testing, see the chapter on "Code Coverage" written by Charlie Miller in "Open Source Fuzzing Tools." It discusses how to increase code coverage with fuzzing. This directly relates to the unit tests as we cannot guarantee they test all functionality implemented within AntiSamy.NET.
|}

Category:OWASP AntiSamy Project .NET

2009-03-16T02:27:31Z

Marcin: /* Limitations */

{{:Project Information:template AntiSamy Project}}
[[Category:OWASP_AntiSamy_Project]]
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Beta Quality Tool]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

# Download AntiSamy from its home on Google Code
# Choose one of the standard policy files that matches as close to the functionality you need:
#* antisamy-slashdot.xml
#* (more to come in the near future)
# Tailor the policy file according to your site's rules
# Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Limitations ==

No CSS support has been included yet in AntiSamy .NET. It will be added hopefully within the next few months. With the default stylesheet, style tags are not allowed and are stripped out, as is the style attribute.

'''Update 03/15/2009''': CSS support has been implemented in the latest revision (r95) of AntiSamy.NET, and can be checked out from the SVN.

== Contacting us ==
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

=== OWASP AntiSamy mailing list ===
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

=== Emailing the project lead ===

For content which is not appropriate for the public mailing list, you can alternatively contact Jerry Hoff, at [jerry.hoff] at the [aspectsecurity.com] (s/ at the /@/).

=== Issue tracking ===

Visit the [http://code.google.com/p/owaspantisamy/issues/list Google Code issue tracker]

Visit the Google Code issue tracker

Category:OWASP AntiSamy Project .NET

2009-03-16T02:27:03Z

Marcin: /* Limitations */

{{:Project Information:template AntiSamy Project}}
[[Category:OWASP_AntiSamy_Project]]
[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Beta Quality Tool]]

== What is AntiSamy .NET? ==

The OWASP AntiSamy .NET project is a few things. Technically, it is an API for ensuring user-supplied HTML/CSS is in compliance within an application's rules. Another way of saying that could be: It's an API that helps you make sure that clients don't supply malicious cargo code in the HTML they supply for their profile, comments, etc. that gets persisted on the server. The term malicious code in terms of web applications is usually regarded only as JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine. However, there are many situations where "normal" HTML and CSS can be used in a malicious manner.

Philosophically, AntiSamy .NET is a departure from all contemporary security mechanisms. Generally, the security mechanism and user have a communication that is virtually one way, for good reason. Letting the potential attacker know details about the validation is considered unwise as it allows the attacker to "learn" and "recon" the mechanism for weaknesses. These types of information leaks can also hurt in ways you don't expect. A login mechanism that tells the user, "Username invalid" leaks the fact that a user by that name does not exist. A user could use a dictionary or phone book or both to remotely come up with a list of valid usernames. Using this information, an attacker could launch a brute force attack or massive account lock denial-of-service. So, we get that.

Unfortunately, that's just not very usable in this situation. Typical Internet users are largely ineffective when it comes to writing HTML/CSS, so where do they get their HTML from? Usually they copy it from somewhere out on the web. Simply rejecting their input without any clue as to why is jolting and annoying. Annoyed users go somewhere else to do their social networking.

Socioeconomically, AntiSamy .NET is a have-not enabler. Private companies like Google, MySpace, eBay, etc. have come up with proprietary solutions for solving this problem. This introduces two problems. One is that proprietary solutions are not usually all that good, and even if they are, well - naturally they're reluctant to share this hard-earned IP for free. Fortunately, we just don't care. We don't see any reason why only these private companies should have this functionality, so we are releasing this for free.

The [http://www.owasp.org/index.php/OWASP_Licenses OWASP licensing policy] (further explained in the [http://www.owasp.org/index.php/Membership membership FAQ]) allows OWASP projects to be released under any [http://www.opensource.org/licenses/alphabetical approved open source license]. Under these guidelines, AntiSamy .NET is distributed under a [http://www.opensource.org/licenses/bsd-license.php BSD license].

== Getting Started ==

There's 4 steps in the process of integrating AntiSamy. Each step is detailed in the next section, but the high level overview follows:

# Download AntiSamy from its home on Google Code
# Choose one of the standard policy files that matches as close to the functionality you need:
#* antisamy-slashdot.xml
#* (more to come in the near future)
# Tailor the policy file according to your site's rules
# Call the API from the code

=== Downloading ===

Currently, you can download the code using SVN from [http://code.google.com/p/owaspantisamy/source/browse/#svn/trunk/dotNet AntiSamy .NET Google Code SVN]

In the future the source code and the compiled .dll can be found at [http://code.google.com/p/owaspantisamy/downloads/list Google Code]

=== Installing ===

There is no installation needed to get AntiSamy .NET to run. Simply reference the .dll in your code, make sure the dependencies are present, and you are good to go.

Currently, there is only one dependency, HtmlAgilityPack.dll. To run the unit tests, you will also need:
#nunit.core.dll
#nunit.core.interfaces.dll
#nunit.framework.dll

=== Tailoring the policy file ===

Smaller organizations may want to deploy AntiSamy in a default configuration, but it's equally likely that a site may want to have strict, business-driven rules for what users can allow. The discussion that decides the tailoring should also consider attack surface - which grows in relative proportion to the policy file.

=== Running ===

Using AntiSamy is abnormally easy. Here is an example of invoking AntiSamy with a policy file:

AntiSamy _as = new AntiSamy();
string filename = Server.MapPath("./properties/antisamy-slashdot.xml");
Policy policy = Policy.getInstance(filename);
CleanResults results = _as.scan(txtInput.Text, policy);

And here is an example of using both the clean HTML and the error messages:

lblOutput.Text = results.getCleanHTML();
string s = "";
for (int i = 0; i < results.getErrorMessages().Count; i++)
{
s += results.getErrorMessages()[i].ToString() + "";
}
lblErrors.Text = s;

== Limitations ==

No CSS support has been included yet in AntiSamy .NET. It will be added hopefully within the next few months. With the default stylesheet, style tags are not allowed and are stripped out, as is the style attribute.

Update 03/15/2009: CSS support has been implemented in the latest revision (r95) of AntiSamy.NET, and can be checked out from the SVN.

== Contacting us ==
There are two ways of getting information on AntiSamy. The mailing list, and contacting the project lead directly.

=== OWASP AntiSamy mailing list ===
The first is the mailing list which is located at https://lists.owasp.org/mailman/listinfo/owasp-antisamy. The list was previously private and the archives have been cleared with the release of version 1.0. We encourage all prospective and current users and bored attackers to join in the conversation. We're happy to brainstorm attack scenarios, discuss regular expressions and help with integration.

=== Emailing the project lead ===

For content which is not appropriate for the public mailing list, you can alternatively contact Jerry Hoff, at [jerry.hoff] at the [aspectsecurity.com] (s/ at the /@/).

=== Issue tracking ===

Visit the [http://code.google.com/p/owaspantisamy/issues/list Google Code issue tracker]

Visit the Google Code issue tracker

Project Information:template AntiSamy Project - Final Review - Second Reviewer - F

2009-03-11T16:53:07Z

Marcin:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The OWASP AntiSamy.NET project is aimed to provide an API for .NET applications for validating rich HTML/CSS input from users without exposing the web application to cross site scripting and phishing attacks. The project is a direct port of the AntiSamy Java API. Currently, the project has one outstanding feature left to be implemented – Cascading Style Sheet (CSS) support. Support for CSS would allow users to wrap input within inline style and div elements. Arshan Dabirsiaghi stated that at the beginning of the project, it would not include support for CSS by the conclusion of Summer of Code 2008. This is noted here for reference as it is not stated on the project site.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Overall, AntiSamy.NET is 100% complete.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The offsiteURL regular expression in the policy files could be more restrictive. Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN. More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted. There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All project criteria to meet Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET is an API for .NET projects. There is no “installer” associated with such a project. Basic usage instructions are included on the wiki, but there could be more effort put here. See below for more.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All features have been implemented, including CSS support. One last pass through Fortify is required (pending).
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
It would be nice to see all functions documented and a data flow graph that shows how input flows through the API and is acted on. I (Marcin Wielgoszewski) would be willing to create this documentation for the project. See http://osteele.com/tools/reanimator and http://osteele.com/archives/2006/02/reanimator. Also, with regards to unit testing, see the chapter on "Code Coverage" written by Charlie Miller in "Open Source Fuzzing Tools." It discusses how to increase code coverage with fuzzing. This directly relates to the unit tests as we cannot guarantee they test all functionality implemented within AntiSamy.NET.
|}

Podcast 6

2009-02-05T16:22:40Z

Marcin:

'''[[OWASP_Podcast | OWASP Podcast Series]] #6'''
 OWASP Roundtable 
Recorded January 24, 2009 

[http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png] [http://www.owasp.org/download/jmanico/owasp_podcast_6.mp3 direct download]

"Current WAF's are applying these old school 
concepts, network security, to address software 
security problems ... I think this is just 
doomed to fail" - Marcin

Participants
- Brian Holyfield is a co-founder of Gotham Digital Science.
- Marcin Wielgoszewski is a security consultant based out of New York City.
- Andre Gironda is a web application security trainer in the Phoenix area.

Links
* [http://www.gdssecurity.com/l/spf/ Secure Parameter Filter for IIS (SPF)]
* [http://www.tssci-security.com/ tssci-security]

Category:OWASP Scrubbr

2009-02-05T05:27:12Z

Marcin: /* Credits */

= What is Scrubbr? =
Scrubbr is a BSD-licensed database scanning tool that checks numerous database
technologies for the presence of possible stored cross-site scripting attacks.
The tool was partialy inspired by "Scrawlr", a trimmed-down version of HP's
WebInspect which was released for free after the so-called "asprox" mass-SQL
injection bot exploited hundreds of thousands of insecure ASP sites.

In a similar vein, Aspect Security generously donated Scrubbr to OWASP to help
people get some visibility into their databases and check for malicious data.

== What can Scrubbr do for me? ==
If you can tell Scrubbr how to access your database, it will search through
every field capable of holding strings in the database for malicious code. If
you want it to, it will search through every table, every row, and every column.
This will be very slow on large enterprise databases, but its very useful to
have assurance that there is no malicious data anywhere in the system.

Scrubbr can detect input that doesn't match up with an AntiSamy policy file.
There is a subtle difference between "matching an AntiSamy policy" and being
"detected as an attack."

There are numerous tools out that *detect* XSS attacks in different contexts
better than AntiSamy. The most prominent and peer-reviewed are NoScript
(http://noscript.net) and PHPIDS (http://php-ids.org/category/PHPIDS/). However,
this is not strictly what AntiSamy does. AntiSamy checks if rich input that is
passed in is allowed according to a policy file.

Chances are that there is some input in your database that looks like rich input
how we in the web world think about it, but actualy isn't. For example, if
someone writes the following in their profile comment:

"Hey, I sure am gonna miss seeing Sarah Palin on TV all the time <g>".

Obviously the user intended the <g> string to express a grin emotion, but that
unfortunately looks like rich input, and since AntiSamy uses a whitelist for
higher assurance, it will be flagged.

We are always looking to improve our engine, and we are working with the PHPIDS
group to possibly invoke their ruleset in order to provide less false positives.

With all of that being said, AntiSamy does an excellent job in most situations
and will still detect the vast majority of stored XSS attacks, depending on the
injection context.

== What can't Scrubbr do for me? ==
Scrubbr can't find XSS vulnerabilities in your web application. It can only
detect data that doesn't follow your site's policy for input that is in your
database. If you don't have a policy for rich input, then start with the
Slashdot policy file and add what you think you need from the other policy
files. More information on policy files can be found on the OWASP AntiSamy page:

http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project

Once you have a policy in place, then you can enfoce it with Scrubbr.

= How do I get Scrubbr? =

You can download the Scrubbr installer from the project's Google Code downloads page.

= Contacting the Scrubbr group =
If you would like to request a feature, let us know about a bug, or provide a
patch, please let us know on the Google Code issue tracker for the project:

http://code.google.com/p/owaspscrubbr/issues

General questions can be e-mailed to the Scrubbr mailing list
owasp-scrubbr@lists.owasp.org. If you have a question about Scrubbr development,
contact the owasp-scrubbr-devel@lists.owasp.org mailing list.

= Known weak points =
Scrubbr is a new open source project, and not surprisingly it has a few issues that we are working to address. If you have an issue that's not on this list, please add it to the issues list described in the previous section.

== Uninstaller doesn't quite work in Vista ==
Microsoft Vista uses Virtual Paths (like Java servlets) to accommodate the diverge between UAC and Windows XP security, which makes uninstalling a manual process.

When a user executes a setup executable (setup.exe, install.exe, etc.) Vista will prompt you with a security dialog before it allows the setup program to install files to a system directory like C:\Program Files. However, since Scrubbr uses [izPack http://izpack.org] as a cross-platform installer, the setup executable is actually a cross-platform JAR executable instead of an exe file. This does not trip the necessary Windows Vista UAC prompt and therefore silently fails to actually install to C:\Program Files. However, since Vista knew that this behavior would happen a lot, they compensated by redirecting the installation to another path, C:\Users\<your_username>\AppData\Local\VirtualStore\Program Files. Therefore, when the Uninstaller runs, it tries to delete C:\Program Files\Scrubbr, which doesn't exist, since it's unaware that Scrubbr has been installed to a virtual directory.

This can be thought of as a bug in either Vista or in izPack, since neither accounts for the other. However, izPack allows us to install to many different platforms cleanly, so we don't think we're going to switch. That being said, uninstalling on Vista when the Uninstall option doesn't work is simple:
1. Open up Explorer
2. Navigate to C:\Users\<your_username>\AppData\Local\VirtualStore\Program Files
3. Delete the Scrubbr directory
4. Confirm that Scrubbr is no longer in your Start Menu or Program Files directory

Scrubbr has an extremely small footprint. It installs a few files into Program Files and that is it. There is no user settings in your profile directory or registry values or anything of the sort. Simply deleting the directory makes it go away forever.

= Credits =
Scrubbr was primarily developed by Arshan Dabirsiaghi
(arshan.dabirsiaghi@aspectsecurity.com) of Aspect Security with help from
Brandon DeVries (brd@jhu.edu). Other folks contributed in their
own ways, including:

* Dave Wichers, COO, Aspect Security
* Jeff Williams, CEO, Aspect Security
* Mike Fauzy, Senior Application Security Engineer, Aspect Security
* Marcin Wielgoszewski, Security Consultant, Founder TSSCI-Security.com

[[Category:OWASP Project]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]

Podcast 2

2008-12-22T11:25:16Z

Marcin: /* OWASP News */

'''[https://www.owasp.org/index.php/Category:OWASP_PodCast OWASP Podcast Series] #2'''

Recorded December 20, 2008

"For PCI Compliance, its doesn't say that .. that your site has to be secure. It says you need to put in processes, and that you know, you have to act like you're trying..." - Stephen Craig Evans

[http://www.owasp.org/download/jmanico/podcast.xml http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png]

== Participants ==
- Stephen Craig Evans is an independent software security consultant based in southeast Asia.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.

== OWASP News ==

'''December 16, 2008''' - [http://securesoftware.blogspot.com/2008/12/owasp-security-testing-guide-vs-3.html OWASP testing guide version 3 has been officially released]
* The new testing guide is finally here! Give it to your developers, testers, and anyone else responsible for ensuring the security of an application is built to spec through formal testing and observation. Also great for the consultant, to brush up on testing techniques for a variety of technologies. This Summer of Code 2008 Project was lead by [http://www.owasp.org/index.php/User:Mmeucci Matteo Meucci] and the following [[OWASP_Testing_Guide_Contributors|contributors]].

'''December 15, 2008''' - [http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html Breaking Google Gears' Cross-Origin Communication Model]
* <short description goes here>

'''December 10, 2008''' - [http://www.microsoft.com/technet/security/advisory/961051.mspx Vulnerability in Internet Explorer Could Allow Remote Code Execution] and how the heck did this vuln [http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx slip through Microsoft's SDL?]
* <short description goes here>

'''December 10, 2008''' - Michael Zalewski, Googler, dumped core on his [http://googleonlinesecurity.blogspot.com/2008/12/announcing-browser-security-handbook.html browser security knowledge.]
* <short description goes here>

'''December 9-11, 2008''' - [http://www.owasp.org/index.php/ESAPI_Summit The first OWASP ESAPI Summit]
* <short description goes here>

'''December 8, 2008''' - [http://blogs.zdnet.com/security/?p=2308 4 XSS flaws hit Facebook]
* <short description goes here>

'''December 8, 2008''' - Safe ActiveX? [http://googleonlinesecurity.blogspot.com/2008/12/native-client-technology-for-running.html Google wants to run native code over the web.]
* <short description goes here>

== Interview with Stephen Craig Evans ==
- OWASP Summer of Code project, [http://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project "Securing WebGoat using ModSecurity"]
- [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
- Advice for those who want to contribute to a OWASP project
- Status of Web App Sec in the Asia/Pacific region

Podcast 2

2008-12-22T11:23:29Z

Marcin: /* OWASP News */

'''[https://www.owasp.org/index.php/Category:OWASP_PodCast OWASP Podcast Series] #2'''

Recorded December 20, 2008

"For PCI Compliance, its doesn't say that .. that your site has to be secure. It says you need to put in processes, and that you know, you have to act like you're trying..." - Stephen Craig Evans

[http://www.owasp.org/download/jmanico/podcast.xml http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png]

== Participants ==
- Stephen Craig Evans is an independent software security consultant based in southeast Asia.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.

== OWASP News ==

'''December 16, 2008''' - [http://securesoftware.blogspot.com/2008/12/owasp-security-testing-guide-vs-3.html OWASP testing guide version 3 has been officially released]
* The new testing guide is finally here! Give it to your developers, testers, and anyone else responsible for ensuring the security of an application is built to spec through formal testing and observation. Also great for the consultant, to brush up on testing techniques for a variety of technologies. This Summer of Code 2008 Project was lead by [http://www.owasp.org/index.php/User:Mmeucci|Matteo Meucci] and the following [[OWASP_Testing_Guide_Contributors|contributors]].

'''December 15, 2008''' - [http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html Breaking Google Gears' Cross-Origin Communication Model]
* <short description goes here>

'''December 10, 2008''' - [http://www.microsoft.com/technet/security/advisory/961051.mspx Vulnerability in Internet Explorer Could Allow Remote Code Execution] and how the heck did this vuln [http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx slip through Microsoft's SDL?]
* <short description goes here>

'''December 10, 2008''' - Michael Zalewski, Googler, dumped core on his [http://googleonlinesecurity.blogspot.com/2008/12/announcing-browser-security-handbook.html browser security knowledge.]
* <short description goes here>

'''December 9-11, 2008''' - [http://www.owasp.org/index.php/ESAPI_Summit The first OWASP ESAPI Summit]
* <short description goes here>

'''December 8, 2008''' - [http://blogs.zdnet.com/security/?p=2308 4 XSS flaws hit Facebook]
* <short description goes here>

'''December 8, 2008''' - Safe ActiveX? [http://googleonlinesecurity.blogspot.com/2008/12/native-client-technology-for-running.html Google wants to run native code over the web.]
* <short description goes here>

== Interview with Stephen Craig Evans ==
- OWASP Summer of Code project, [http://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project "Securing WebGoat using ModSecurity"]
- [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
- Advice for those who want to contribute to a OWASP project
- Status of Web App Sec in the Asia/Pacific region

Podcast 2

2008-12-22T11:22:55Z

Marcin: /* OWASP News */

'''[https://www.owasp.org/index.php/Category:OWASP_PodCast OWASP Podcast Series] #2'''

Recorded December 20, 2008

"For PCI Compliance, its doesn't say that .. that your site has to be secure. It says you need to put in processes, and that you know, you have to act like you're trying..." - Stephen Craig Evans

[http://www.owasp.org/download/jmanico/podcast.xml http://images.apple.com/itunes/overview/images/overview-icon-itunes20081106.jpg] [http://www.owasp.org/download/jmanico/podcast.xml https://www.owasp.org/images/d/d3/Feed-icon-32x32.png]

== Participants ==
- Stephen Craig Evans is an independent software security consultant based in southeast Asia.
- Jim Manico is a Web Application Architect and Security Engineer for Aspect Security.

== OWASP News ==

'''December 16, 2008''' - [http://securesoftware.blogspot.com/2008/12/owasp-security-testing-guide-vs-3.html OWASP testing guide version 3 has been officially released]
* The new testing guide is finally here! Give it to your developers, testers, and anyone else responsible for ensuring the security of an application is built to spec through formal testing and observation. Also great for the consultant, to brush up on testing techniques for a variety of technologies. This Summer of Code 2008 Project was lead by [[http://www.owasp.org/index.php/User:Mmeucci|Matteo Meucci]] and the following [[OWASP_Testing_Guide_Contributors|contributors]].

'''December 15, 2008''' - [http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html Breaking Google Gears' Cross-Origin Communication Model]
* <short description goes here>

'''December 10, 2008''' - [http://www.microsoft.com/technet/security/advisory/961051.mspx Vulnerability in Internet Explorer Could Allow Remote Code Execution] and how the heck did this vuln [http://blogs.msdn.com/sdl/archive/2008/12/18/ms08-078-and-the-sdl.aspx slip through Microsoft's SDL?]
* <short description goes here>

'''December 10, 2008''' - Michael Zalewski, Googler, dumped core on his [http://googleonlinesecurity.blogspot.com/2008/12/announcing-browser-security-handbook.html browser security knowledge.]
* <short description goes here>

'''December 9-11, 2008''' - [http://www.owasp.org/index.php/ESAPI_Summit The first OWASP ESAPI Summit]
* <short description goes here>

'''December 8, 2008''' - [http://blogs.zdnet.com/security/?p=2308 4 XSS flaws hit Facebook]
* <short description goes here>

'''December 8, 2008''' - Safe ActiveX? [http://googleonlinesecurity.blogspot.com/2008/12/native-client-technology-for-running.html Google wants to run native code over the web.]
* <short description goes here>

== Interview with Stephen Craig Evans ==
- OWASP Summer of Code project, [http://www.owasp.org/index.php/Category:OWASP_Securing_WebGoat_using_ModSecurity_Project "Securing WebGoat using ModSecurity"]
- [http://www.owasp.org/index.php/Category:OWASP_Orizon_Project OWASP Orizon Project]
- Advice for those who want to contribute to a OWASP project
- Status of Web App Sec in the Asia/Pacific region

I've Been Hacked-What Now

2008-11-21T14:56:11Z

Marcin: /* My server has been hacked...what do I do now? */

=My server has been hacked...what do I do now?=

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.

==Identification==

Basic principles:

* Incident identification/notification may occur from a number of information sources (events):
** Staff reporting unusual activity
** Staff, clients or public reporting a problem
** Technical teams/support discovering evidence of an incident on systems.
** Alerts from IDS, security monitoring systems or anti-virus software, Firewalls or WAFS.

* Roles:
** A Security incident owner must be assigned.
** A point of contact must be available to respond to incidents at all times.
** A security incident owner must track the security incident to remediation and resolution.

* Examples of an incident:
** Virus/malware infection
** Unauthorized system changes
** Unauthorized application/web site changes
** Unauthorized disclosure of client information or information leakage
** Theft or loss of company information/assets

* Examples of an event:
** Reports from intrusion detection system/WAF/Firewall or log scraping system
** Reports from vulnerability scanning/traffic monitoring/performance monitoring

==Assessment==

Incident severity :

Risk Rating

* '''Low''':
** Events that cannot be 100% identified as attacks and have no effect on operations;
** False activation of intrusion detection systems, WAF alerts etc
** Non-repeated scans or probing from an external uncontrolled network

* '''Medium'''
** Incidents that have no negative impact on operations. Incidents identified but unsuccessful in an attempt to actively breach information security controls from external or internal standpoint
** Repeated active probing or parameter manipulation from an external or internal source.
** Malware/rogue code/virus that has been successfully contained or removed

==Containment==
==Evidence Collection==
==Forensic Analysis==
==Investigation==
==Incident Follow-up==
==Lessons Learned==
==Event Correlation and Aggregation (Streamlining)==

User:Marcin

2008-11-20T15:03:16Z

Marcin: /* Projects */

==Projects==
[[:Category:OWASP AntiSamy Project .NET|OWASP AntiSamy .NET]] 
[[:Category:Intrinsic_Security_Working_Group|Intrinsic Security Working Group]] 
[[Phoenix/Tools]]

==My Website==

[http://www.tssci-security.com tssci-security]

==PGP Key==

pub KeyID = [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB0D446C3 B0D446C3]

<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Key Server 0.9.6

mQGiBEX7TagRBAClwMBiWMHIDHRGhfh4733jkkR/StyQwFfyQAcQERJ1fqBUwoUt
Ei4vX7ZC9q1AFGhUD+ASEr6iMHPnQmMiy4gUgXoRarIeFVMI89my4qX13GweMjMD
Dq+MH3BDYIObp47tN+x+imoxsRXgS/sHbJmQGM3/77uKQZuYOOtpQ+HKPwCg2tof
Ry9Nm/W8UBZTnUNm739T5X0D/R3oCMfsuSasMgcuEQqsnNDTSIc7MmEf1BHWsieu
D3QvptzN0MhFemWwzF2ureTh4trKLhGhP9u14/DYStRu10iBBe6nSZv6R2aig3ll
ytXmB4A1X9Q5WH00qalqmpZa5/1frMT+Wcp6knioZQDmiNEZFVi/fOpY/g5mKJKh
MPqZA/96lww3t+WUwCadVUX781SIXQzzQLkhQxjR60oy6aHAQ7lss39VFIES383z
4MJdyOKOwpwJbIeZaXDfeDRNT1vwswFLrGD2Rs1nYNZU6/sbdMo7xD1SZDGh6rbC
ikCICwBWcpiFkZwbkqkT9lUcPN9ql4BiLUZGbB2QCI+6TC9ay7RDTWFyY2luIFdp
ZWxnb3N6ZXdza2kgKE1hcmNpbidzIFBHUCBLZXkpIDxtYXJjaW5AdHNzY2ktc2Vj
dXJpdHkuY29tPohgBBMRAgAgAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AFAkat
ZLkACgkQ3U7hhbDURsPvbwCfeh117AnipildPSiq7JDMxKz49KgAn1VgJivZV+7J
jW179PWXOVmtfKIriGYEExECACYFAkX7TagCGwMFCQHhM4AGCwkIBwMCBBUCCAME
FgIDAQIeAQIXgAAKCRDdTuGFsNRGw5InAJ0eDmApcw7IZv0601vtCfFO9sQUrwCf
V7251oQTKqXANLP/foQrhePC7iu5Ag0ERftNuhAIAOIgbIgxxeG3lVJrar7qKHsT
UgwdnL13ksIP407L4DwFEzUdtzTeZfQlHvtRJK7BeCtLDpvqjBdX2vKioJg+p2PS
W/30CcwxL3NviQ7+Zd6UOzz/01+1k9IM9k+heDKHit4t9vZW/nxLLQCTIQ8vATxe
hzfQRySGtHqyr5Ys8hOiTaU9WmiKzMMoc1+4TdhP8Ytn32ji6Pc+nydhCriE7/Fg
rTLybaNaw9TGvg8Ramq0V/aDHGltCLZEbsdIPGtvDfwy/M6FyG5zujsLalFFR3OD
hXaMZ9RQSQQWnap55V59hhsvlHboFbOT2ob3Q+k2HYJLayv6xzKq7pdJM9sv7CcA
BREH/jQ+HAKTTHkt2t9D+weVoMBLsTejT8RFZWF2RuF+4zfuMaySInjXt8AZjxhf
QupNbtgjUZzAmKZoQ9MWyKU+6y5lldbxXGsp+BGcILgimcG6b3ceA43nVACR9o3O
dJvGV0/QNOGkXLui0BOsZqOJ6otb3ancC3IR9TNzELaNFZKX+s7m5XHQnywxcu7q
iTOYEBPlZJGSsA6k3ej4IcPGa90kJmdOX7FC1VQCRYo7OdA4AuQYq94ypWaaGWKm
oJ45ix9/OG/PRdBHxfxbz0z4YeY34gw7Tv6Z5yiiJh1Cfo8bH7RZbRLb/+yI52Lx
/YojQ3KOuF6aLs86DgSKhTrsgdWISQQYEQIACQIbDAUCRq1kwwAKCRDdTuGFsNRG
w+OBAKCoXC7hlzO5ftleqHVVLZsJ6nfQeQCgzgUaxNN67W7s0XQaEaa2c+0F0w4=
=anSp
-----END PGP PUBLIC KEY BLOCK-----
</pre>

User:Marcin

2008-11-20T14:51:52Z

Marcin:

==Projects==
[[:Category:OWASP AntiSamy Project .NET|OWASP AntiSamy .NET]] 
[[:Category:Intrinsic_Security_Working_Group|Intrinsic Security Working Group]]

==My Website==

[http://www.tssci-security.com tssci-security]

==PGP Key==

pub KeyID = [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB0D446C3 B0D446C3]

<pre>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP Key Server 0.9.6

mQGiBEX7TagRBAClwMBiWMHIDHRGhfh4733jkkR/StyQwFfyQAcQERJ1fqBUwoUt
Ei4vX7ZC9q1AFGhUD+ASEr6iMHPnQmMiy4gUgXoRarIeFVMI89my4qX13GweMjMD
Dq+MH3BDYIObp47tN+x+imoxsRXgS/sHbJmQGM3/77uKQZuYOOtpQ+HKPwCg2tof
Ry9Nm/W8UBZTnUNm739T5X0D/R3oCMfsuSasMgcuEQqsnNDTSIc7MmEf1BHWsieu
D3QvptzN0MhFemWwzF2ureTh4trKLhGhP9u14/DYStRu10iBBe6nSZv6R2aig3ll
ytXmB4A1X9Q5WH00qalqmpZa5/1frMT+Wcp6knioZQDmiNEZFVi/fOpY/g5mKJKh
MPqZA/96lww3t+WUwCadVUX781SIXQzzQLkhQxjR60oy6aHAQ7lss39VFIES383z
4MJdyOKOwpwJbIeZaXDfeDRNT1vwswFLrGD2Rs1nYNZU6/sbdMo7xD1SZDGh6rbC
ikCICwBWcpiFkZwbkqkT9lUcPN9ql4BiLUZGbB2QCI+6TC9ay7RDTWFyY2luIFdp
ZWxnb3N6ZXdza2kgKE1hcmNpbidzIFBHUCBLZXkpIDxtYXJjaW5AdHNzY2ktc2Vj
dXJpdHkuY29tPohgBBMRAgAgAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AFAkat
ZLkACgkQ3U7hhbDURsPvbwCfeh117AnipildPSiq7JDMxKz49KgAn1VgJivZV+7J
jW179PWXOVmtfKIriGYEExECACYFAkX7TagCGwMFCQHhM4AGCwkIBwMCBBUCCAME
FgIDAQIeAQIXgAAKCRDdTuGFsNRGw5InAJ0eDmApcw7IZv0601vtCfFO9sQUrwCf
V7251oQTKqXANLP/foQrhePC7iu5Ag0ERftNuhAIAOIgbIgxxeG3lVJrar7qKHsT
UgwdnL13ksIP407L4DwFEzUdtzTeZfQlHvtRJK7BeCtLDpvqjBdX2vKioJg+p2PS
W/30CcwxL3NviQ7+Zd6UOzz/01+1k9IM9k+heDKHit4t9vZW/nxLLQCTIQ8vATxe
hzfQRySGtHqyr5Ys8hOiTaU9WmiKzMMoc1+4TdhP8Ytn32ji6Pc+nydhCriE7/Fg
rTLybaNaw9TGvg8Ramq0V/aDHGltCLZEbsdIPGtvDfwy/M6FyG5zujsLalFFR3OD
hXaMZ9RQSQQWnap55V59hhsvlHboFbOT2ob3Q+k2HYJLayv6xzKq7pdJM9sv7CcA
BREH/jQ+HAKTTHkt2t9D+weVoMBLsTejT8RFZWF2RuF+4zfuMaySInjXt8AZjxhf
QupNbtgjUZzAmKZoQ9MWyKU+6y5lldbxXGsp+BGcILgimcG6b3ceA43nVACR9o3O
dJvGV0/QNOGkXLui0BOsZqOJ6otb3ancC3IR9TNzELaNFZKX+s7m5XHQnywxcu7q
iTOYEBPlZJGSsA6k3ej4IcPGa90kJmdOX7FC1VQCRYo7OdA4AuQYq94ypWaaGWKm
oJ45ix9/OG/PRdBHxfxbz0z4YeY34gw7Tv6Z5yiiJh1Cfo8bH7RZbRLb/+yI52Lx
/YojQ3KOuF6aLs86DgSKhTrsgdWISQQYEQIACQIbDAUCRq1kwwAKCRDdTuGFsNRG
w+OBAKCoXC7hlzO5ftleqHVVLZsJ6nfQeQCgzgUaxNN67W7s0XQaEaa2c+0F0w4=
=anSp
-----END PGP PUBLIC KEY BLOCK-----
</pre>

OWASP EU Summit 2008

2008-11-19T21:16:41Z

Marcin: /* ACTUAL AGENDA */

{|
! width="315" align="left"|
! width="190" align="center" |
! width="300" align="center" |
|-
| align="center"|__TOC__
| align="center"|[[Image:OWASP EU Summit Portugal 2008.jpg]] ''''SETTING THE WEB APPLICATION SECURITY AGENDA FOR 2009'''' 4th - 7th November 2008
| align="left"|
* [[OWASP EU Summit 2008--PRESS|Press Information]]
* [https://www.owasp.org/index.php/OWASP_EU_Summit_2008_Media_Coverage Summit media coverage]
* [[:OWASP Working Session - Browser Security Letters|Open Letter to Browsers&Frameworks]]
* [http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA Confirmed Sponsored Participants]
* [[:OWASP Summit UALG 1 Day Conference|OWASP Summit UALG 1 Day Conference]]
* [http://twitter.com/OwaspEU08Summit OwaspEU08Summit on Twitter!]
* [[OWASP EU Summit 2008 Internals|OWASP EU Summit 2008 Internals]]
|}

<paypal>EU 08 Donation</paypal>

== OWASP EU SUMMIT 2008 OVERVIEW - [http://video.google.com/videoplay?docid=-7044581008789784268&hl=en WATCH VIDEO]==

* OWASP Summit EU 2008 is a worldwide gathering of OWASP leaders and Key Industry Players to present and discuss the latest OWASP Tools and documentation projects.
* In addition to 40+ presentations from the OWASP Leaders granted 250,000 USD for web application security research, the summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and decide roadmaps for OWASP projects, chapters and for the OWASP community itself.
* Containing both technical and business tracks, the Summit is the perfect place to learn what resources OWASP has available for use today.
* And with the confirmed presence of its most active leaders (OWASP is partially covering their expenses), the Summit will provide a relaxed but professional environment to meet the OWASP Leaders and to contribute to those project’s roadmaps for 2009.
* Following and expanding the tradition started at OWASP conferences, the Summit will also host the largest offering of training courses, covering multiple OWASP specific and Web Application Security Topics.

Marketing information: [https://www.owasp.org/images/8/89/OWASP_EU_Summit_2008-Overview.pdf 6 page brochure] or this [https://www.owasp.org/images/3/3d/OWASP_EU_Summit_2008_-Full_Brochure.pdf 33 page brochure].

== COST & REGISTRATION ==

There are multiple options available for participation (OWASP members get 20% Discount):

* Working Sessions and Conference (4 days: 4th,5h,6th and 7th): €500 Euros ($700.00 USD)
* Conference only (2 days: 6th and 7th) €350 Euros ($500 USD)
* Training:
** 2 days: €950 ($1350 USD)
** 1 day: €475 ($675 USD)
** 1/2 day €235 (335 USD)
* Students
** Working Session, and Conference: €150 Euros ($200 USD)
** Training: €100 Euros per day ($130 USD)
To register and pay for your participation please use: [http://guest.cvent.com/i.aspx?4W,M3,35818773-e14b-4d8e-8db8-5e14a6285a3d http://www.owasp.org/images/7/7f/Register.gif]

A currency converter can be found at [http://www.xe.com/ucc/ xe.com/ucc].

== SPONSORSHIP OPPORTUNITIES ==

For information on sponsoring see [[OWASP EU Summit 2008 Sponsors]].

== SPONSORS ==
{| style="width:100%" border="0" align="center"
! colspan="0" align="center" style="background:white; color:white" |
|-
| style="width:100%; background:#FFDF80"; align="center" | https://www.owasp.org/images/5/5a/AOD_Logo_2c.gif https://www.owasp.org/images/9/9e/Mnemonic_logo.png https://www.owasp.org/images/1/1a/Softtek_logo.gif
|}

== FORMER AGENDA ==
[[:OWASP EU Summit 2008 Former Agenda|Click here to see.]]

== ACTUAL AGENDA ==

{| style="width:80%" border="0" align="center"
| colspan="5" align="center" style="background:#4058A0; color:white" | Agenda for Monday, November 3rd, 2008
|-
| style="width:10%; background:#7B8ABD" | 13:00 || colspan="4" style="width:80%; background:#B36B00" align="center" | Lunch
|-
| style="width:10%; background:#7B8ABD" | || colspan="4" style="width:80%; background:#c0e0e0" align="center" | Training Sessions
|-
| style="width:10%; background:#7B8ABD" | 15:00 to 17:00 || style="width:30%; background:#c0e0e0" align="center" | Securing WebGoat with ModSecurity
Stephen Craig Evans
| style="width:30%; background:#c0e0e0" align="center" | WebSec Apps for Managers and Executives
Mano Paul
| style="width:30%; background:#c0e0e0" align="center" | OWASP Testing Guide
Matteo Meucci
|-
| style="background:#7B8ABD" | 19:00 || colspan="4" style="background:#FFFF00" align="center" | Summit Briefing
Dinis Cruz and Summit Organization Team
|-
| style="background:#7B8ABD" | 20:00 || colspan="4" style="background:#B36B00" align="center" | OWASPers Dinner
|}

{| style="width:80%" border="0" align="center"
| colspan="5" align="center" style="background:#4058A0; color:white" | Agenda for Tuesday, November 4th, 2008
|-
| style="width:10%; background:#7B8ABD" | 08:00 || colspan="4" style="width:80%; background:#FFBFEF" align="center" | Registration
|-
| style="width:10%; background:#7B8ABD" | 09:00 || colspan="4" style="width:80%; background:#FFFF00" align="center" | Summit Keynote
Dinis Cruz and Summit Organization Team
|-
| style="width:10%; background:#7B8ABD" | || colspan="2" style="width:30%; background:#80FF80" align="center" | Documents
| colspan="2" style="width:30%; background:#80FF80" align="center" | Tools
|-
| style="background:#7B8ABD" | 09:30 || colspan="2" style="background:#80FF80" align="center" | OWASP Testing Guide
Matteo Meucci
| colspan="2" style="background:#80FF80" align="center" | OWASP JSP Testing Tool
Jason Li
|-
| style="background:#7B8ABD" | 09:45 || colspan="2" style="background:#80FF80" align="center" | [https://www.owasp.org/index.php/Image:Code_Review_Eoin.pptx OWASP Code Review Guide]
Eoin Keary
| colspan="2" style="background:#80FF80 " align="center" | [https://www.owasp.org/index.php/Image:OWASP_EU_Summit_2008_The_Owasp_Orizon_Project.ppt OWASP Orizon Project]
Paolo Perego (a.k.a. thesp0nge)
|-
| style="background:#7B8ABD" | 10:00 || colspan="2" style="background:#80FF80" align="center" | OWASP Application Security Desk Reference (ADSR)
Leonardo Cavallari Militelli
| colspan="2" style="background:#80FF80 " align="center" | OWASP Live CD
Matt Tesauro
|-
| style="background:#7B8ABD" | 10:15 || colspan="2" style="background:#80FF80" align="center" | OWASP Spanish Project
Juan Carlos Calderon
| colspan="2" style="background:#80FF80 " align="center" | [https://www.owasp.org/index.php/Image:OWASP_EU_Summit_2008_WebScarab_treasures.ppt WebScarab-NG]
Rogan Dawes
|-
| style="background:#7B8ABD" | 10:30 || colspan="5" style="background:#B36B00" align="center" | Coffee Break
|-
| style="background:#7B8ABD" | 10:45 || colspan="2" style="background:#80FF80" align="center" | .NET ESAPI
Alex Smolen
| colspan="2" style="background:#80FF80" align="center" | JBroFuzz
Yiannis
|-
| style="background:#7B8ABD" | 11:00 || colspan="6" style="background:#FFFF00" align="center" | Working Sessions Briefing
Dinis Cruz
|-
| style="background:#7B8ABD" | || colspan="6" style="background:#7B8ABD" align="center" | Working Sessions
|-
| style="background:#7B8ABD" | 11:15 || style="background:#7B8ABD" align="center" | Documentation Projects/Guides Integration and Unified 4.0 Version
Chair: Eduardo Neves
| style="background:#7B8ABD" align="center" | Browser Security
Chair: Arshan Dabirsiaghi
Secretary: Kuai Hinojosa
| style="background:#7B8ABD" align="center" | Tools Projects
Chair: Matt Tesauro
|-
| style="background:#7B8ABD" | 13:00 || colspan="4" style="background:#B36B00" align="center" | Lunch
|-
| style="background:#7B8ABD" | 14:00 || colspan="4" style="background:#c0e0e0" align="center" | Training Sessions
|-
| style="background:#7B8ABD" | || style="background:#c0e0e0" align="center" | The Art and Science of Threat Modeling Web Applications
Mano Paul
| style="background:#c0e0e0" align="center" | [https://www.owasp.org/index.php/Image:SELinux-course-OWASP.pdf Web Server Hardening SELinux]
Pavol Luptak
| style="background:#c0e0e0" align="center" | Offensive WebApp Hacking
Marco Slaviero
|-
| style="background:#7B8ABD" | 16:00 || colspan="4" style="background:#B36B00" align="center" | Coffee Break
|-
| style="background:#7B8ABD" | || colspan="4" style="background:#7B8ABD" align="center" | Working Sessions
|-
| style="background:#7B8ABD" | 16:30 || colspan="4" style="background:#7B8ABD " align="center" | ESAPI
Chair: Jeff Williams
Secretary: Arshan Dabirsiaghi
|-
| style="background:#7B8ABD" | 18:30 || colspan="2" style="background:#7B8ABD" align="center" | ASDR
Chair: Leonardo Cavallari
| style="background:#7B8ABD " align="center" | .NET Project
Chair: Dinis Cruz
|}

{| style="width:80%" border="0" align="center"
| colspan="5" align="center" style="background:#4058A0; color:white" | Agenda for Wednesday, November 5th, 2008
|-
| style="width:10%; background:#7B8ABD" | 09:15 || colspan="4" style="width:80%; background:#FFFF00" align="center" | Daily Briefing:
Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" | || colspan="2" style="width:30%; background:#80FF80" align="center" | Standards and Education
(Room 1)
| colspan="2" style="width:30%; background:#80FF80" align="center" | Tools
(Room 2)
|-
| style="background:#7B8ABD" | 10:00|| colspan="2" style="background:#80FF80" align="center" | [http://www.owasp.org/index.php/Category:OWASP_Positive_Security_Project '''OWASP Positive Security (SoC 08)''']
Eduardo Vianna de Camargo Neves
| colspan="2" style="background:#80FF80" align="center" | [https://www.owasp.org/index.php/Image:OWASP_EU_Summit_2008_AcCoRuTe.pptx OWASP Access Control Rules Tester Project]
Andrew Petukhov
|-
| style="background:#7B8ABD" | 10:15 || colspan="2" style="background:#80FF80" align="center" | [http://www.owasp.org/index.php/Category:OWASP_Education_Project '''OWASP Education''']
Sebastien Deleersnyder, Martin Knobloch
| colspan="2" style="background:#80FF80 " align="center" | [https://www.owasp.org/index.php/Image:Teachable_static_analysis_workbench.pptx OWASP Teachable Static Analysis Workbench]
Dmitry Kozlov
|-
| style="background:#7B8ABD" | 10:30 || colspan="2" style="background:#80FF80" align="center" | OWASP Internationalization Guidelines
Juan Carlos Calderon
| colspan="2" style="background:#80FF80 " align="center" | [http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project OWASP AppSensor]
Michael Coates
|-
| style="background:#7B8ABD" | 10:45 || colspan="2" style="background:#80FF80" align="center" | [https://www.owasp.org/index.php/Image:PASSWD.ppt PASSWD:Metrics and Vulnerabilities]
Lucilla Mancini
| colspan="2" style="background:#80FF80 " align="center" | OWASP Backend Security Project
Carlo Pelliccioni
|-
| style="background:#7B8ABD" | 11:00 || colspan="2" style="background:#80FF80" align="center" | OWASP Open Review Project
Dan Cornell
| colspan="2" style="background:#80FF80 " align="center" | [https://www.owasp.org/index.php/Image:Site_generator.pptx OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project]
Dmitry Kozlov
|-
| style="background:#7B8ABD" | 11:15 || colspan="4" style="background:#80FF80" align="center" | OWASP Global Committee Elections
(Room 1)
|-
| style="background:#7B8ABD" | 11:30 || colspan="4" style="background:#B36B00" align="center" | Coffee Break
|-
| style="background:#7B8ABD" | || colspan="4" style="background:#7B8ABD" align="center" | Working Sessions
|-
| style="background:#7B8ABD" | 12:45 || style="background:#7B8ABD" align="center" | [[OWASP Working Session Education Project|OWASP Working Session Education Project]] Chair: Sebastien Deleersnyder (Room 1)
| style="background:#7B8ABD" align="center" | ''Testing Guide''
Chair: Matteo Meucci
(Room 2)
| colspan="2" style="background:#7B8ABD" align="center" | ''Web Application Framework Security''
Chair: Arshan Dabirsiaghi
Secretary: Kuai Hinojosa
(Room 3)
|-
| style="background:#7B8ABD" | 14:45 || colspan="4" style="background:#B36B00" align="center" | Lunch During Working Sessions
|-
| style="background:#7B8ABD" | 15:00 || colspan="4" style="background:#c0e0e0" align="center" | Training Sessions
|-
| style="background:#7B8ABD" | 15:00|| style="background:#c0e0e0" align="center" | Flash Player Security
Peleus Uhley
(Room 1)
| style="background:#c0e0e0" align="center" | OWASP Top 10
Sebastien Deleersnyder and Martin Knobloch
(Room 2)
| style="background:#c0e0e0" align="center" | [https://www.owasp.org/index.php/Image:OWASP_EU_Summit_2008_WebScarab_treasures.ppt Uncovering WebScarab's Secret Treasures]
Rogan Dawes
(Sala Bella Vista)
| style="background:#c0e0e0" align="center" | [http://www.owasp.org/index.php/Image:Hacking_the_Owasp_Orizon.ppt Hacking the Orizon]
Paolo Perego
(Room 3)
|-
| style="background:#7B8ABD" | 17:00 || colspan="4" style="background:#B36B00" align="center" | Coffee Break
|-
| style="background:#7B8ABD" | || colspan="4" style="background:#7B8ABD" align="center" | Working Sessions
|-
| style="background:#7B8ABD" | 17:30 || style="background:#7B8ABD " align="center" | Code Review Guide
Chair: Eoin Keary
(Room 2)
| style="background:#7B8ABD " align="center" | EU Funding for OWASP Projects
Chair: Carlos Serrao
(Sala Bella Vista)
| style="background:#7B8ABD " align="center" | OWASP Certification
Chair: Tom Brennan
(Room 1)
| style="background:#7B8ABD " align="center" | Software Assurance Maturity Model
Chair: Pravir Chandra
(Room 3)
|-
| style="background:#7B8ABD" | 19:00 || style="background:#7B8ABD " align="center" | OWASP Website
Chair: Favio Cerull
(Room 1)
| style="background:#7B8ABD " align="center" | Metrics & Vulnerabilities
Chair: Lucilla Mancini
(Room 2)
| colspan="2" style="background:#7B8ABD " align="center" | OWASP Orizon
Paolo Perego
(Room 3)
|}

{| style="width:80%" border="0" align="center"
| colspan="6" align="center" style="background:#4058A0; color:white" | Agenda for Thursday, November 6th, 2008
|-
| style="width:10%; background:#7B8ABD" | 09:15 || colspan="5" style="width:80%; background:#FFFF00" align="center" | Daily Briefing:
Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" | || colspan="2" style="width:30%; background:#80FF80" align="center" | Technology
| colspan="3" style="width:30%; background:#80FF80" align="center" | Tools
|-
| style="background:#7B8ABD" | 10:00|| colspan="2" style="background:#80FF80" align="center" | OWASP Classic ASP Security Project
Juan Carlos Calderon
| colspan="3" style="background:#80FF80" align="center" | OWASP Source Code Review
James Walden
|-
| style="background:#7B8ABD" | 10:15 || colspan="2" style="background:#80FF80 " align="center" | OWASP Ruby on Rails Security Project
Heiko Webers
| colspan="3" style="background:#80FF80 " align="center" | OWASP Enigmaform and mod_Openpgp
Arturo Alberto Busleiman (a.k.a. Buanzo)
|-
| style="background:#7B8ABD" | 10:30 || colspan="2" style="background:#80FF80" align="center" | OWASP Webslayer Project
Christian Martorella
| colspan="3" style="background:#80FF80 " align="center" | OWASP Securing WebGoat using ModSecurity
Stephen Evans and Christian Folini
|-
| style="background:#7B8ABD" | 11:00 || colspan="2" style="background:#80FF80" align="center" | OWASP Skavenger Project
Matthias Rohr
| colspan="3" style="background:#80FF80 " align="center" | OWASP AntiSamy.NET
Marcin Wielgoszewski
|-
| style="background:#7B8ABD" | 11:15 || colspan="5" style="background:#B36B00" align="center" | Coffee Break
|-
| style="background:#7B8ABD" | || colspan="5" style="background:#7B8ABD" align="center" | Working Sessions
|-
| style="background:#7B8ABD" | 11:30 || style="background:#7B8ABD" align="center" | Top 10
2009
Chair: Dave Wichers
Secretary: Jeff Williams
(Room 1)
| style="background:#7B8ABD" align="center" | Intra Governmental Affairs
Chair: David Campbell
(Room 2)
| style="background:#7B8ABD" align="center" | SAMM v2
(Room 3)
| style="background:#7B8ABD" align="center" | Web Site
12:15
Executive Room
| style="background:#7B8ABD" align="center" | Handling Web MalWare
12:15
Sala Bella Vista
|-
| style="background:#7B8ABD" | 13:00 || colspan="5" style="background:#B36B00" align="center" | Lunch During Working Sessions
|-
| style="background:#7B8ABD" | 14:00 || colspan="5" style="background:#c0e0e0" align="center" | Training Sessions
|-
| style="background:#7B8ABD" | || style="background:#c0e0e0" align="center" | Ajax Security
(Room 1)
| colspan="2" style="background:#c0e0e0" align="center" | Auditing Flash Applications
Peleus Uhley
(Room 2)
| style="background:#c0e0e0" align="center" | WebApp Assessment
Vicente Aguilera Diaz
(Room 3)
| style="background:#c0e0e0" align="center" | Mod Security
Lucas C. Ferreira
(Executive Room)
|-
| style="background:#7B8ABD" | 13:00 || colspan="5" style="background:#B36B00" align="center" | Coffee Break
|-
| style="background:#7B8ABD" | || colspan="5" style="background:#7B8ABD" align="center" | Working Sessions
|-
| style="background:#7B8ABD" | 16:30 || colspan="5" style="background:#7B8ABD " align="center" | Strategic Planning and Business Models compatible with OWASP values
Chair: Jeff Williams, Dinis Cruz, Dave Wichers, Sebastien Deleersnyder, and Tom Brennan
Secretary: Kate Hartmann and Paulo Combra
|-
| style="background:#7B8ABD" | 18:30 || style="background:#7B8ABD " align="center" | 2-Way Internationalization
Chair: Juan Carlos Calderon and Sebastien Deleersnyder
(Room 1)
| style="background:#7B8ABD " align="center" | Best Practices for Chapter Leaders
Chair: Georg Hess
(Room 2)
| style="background:#7B8ABD " align="center" | Portuguese Public & Private Organizations
Chair: Carlos Serrao
(Room 3)
| style="background:#7B8ABD " align="center" | Live CD & DVD
Chair: Matt Tesauro
(Sala Bella Vista)
| style="background:#7B8ABD " align="center" | OWASP Awards
Chair: Colin Watson
(Executive Room)
|-
| style="background:#7B8ABD" | 20:00 || colspan="5" style="background:#B36B00 " align="center" | Gala Dinner - Restaurante de Real
|-
| style="background:#7B8ABD " | 22:00 || colspan="5" style="background:#B36B00 " align="center" | OWASP Band - LE CLUB
|}

{| style="width:80%" border="0" align="center"
| colspan="6" align="center" style="background:#4058A0; color:white" | Agenda for Friday, November 7th, 2008
|-
| style="width:10%; background:#7B8ABD" | 10:00 || colspan="6" style="width:80%; background:#FFFF00" align="center" | OWASP AppSec Agenda 2009: Working Session Outcomes
Dinis Cruz
|-
| style="width:10%; background:#7B8ABD" | 10:15 || colspan="6" style="width:80%; background:#FFFF00" align="center" | Results Presentations
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Documentation Projects/Guides Integration and Unified 4.0 Version
Chair: Eduardo Neves
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Browser Security
Chair: Arshan Dabirsiaghi
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | ESAPI
Chair: Jeff Williams
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Tools Projects
Chair: Matt Tesauro
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Code Review Guide
Chair: Eoin Keary
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | OWASP Certification
Chair: Tom Brennan
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Software Assurance Maturity Model
Chair: Pravir Chandra
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Top 10 2009
Chair: Dave Wichers
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Intra Governmental Affairs
Chair: David Campbell
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Best Practices for Chapter Leaders
Chair: Georg Hess
|-
| style="width:10%; background:#7B8ABD" | 11:15 || colspan="6" style="width:80%; background:#B36B00" align="center" | Coffee Break and vote break (put your dots on the wall)
|-
| style="width:10%; background:#7B8ABD" | 11:30 || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Live CD & DVD
Chair: Matt Tesauro
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | ADSR
Chair: Leonardo Cavallari
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Education Project
Chair: Sebastien Deleersnyder
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Web Application Framework Security
Chair: Arshan Dabirsiaghi
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Testing Guide
Chair: Matteo Meucci
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | OWASP Censorship
Chair: Tom Brennan
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | EU Funding for OWASP Projects
Chair: Carlos Serrao
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | OWASP Website
Chair: Fabio Cerull
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | OWASP Orizon
Chair: Paolo Perego
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Handling Web MalWare
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | 2-Way Internationalization
Chair: Juan Carlos Calderon
|-
| style="width:10%; background:#7B8ABD" | || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Portuguese Public & Private Organizations
Chair: Carlos Serrao
|-
| style="width:10%; background:#7B8ABD" | 12:45 || colspan="6" style="width:80%; background:#C2C2C2" align="center" | Winter of Code 2009
Chair: Dinis Cruz and Sebastien Deleersnyder
Secretary: Paulo Combra
|-
| style="width:10%; background:#7B8ABD" | 13:00 || colspan="6" style="width:80%; background:#B36B00" align="center" | Lunch - During Winter of Code
|-
| style="width:10%; background:#7B8ABD" | 14:00 || colspan="6" style="width:80%; background:#FFFF00" align="center" | Board Meeting
|-
| style="width:10%; background:#7B8ABD" | 17:00 || colspan="6" style="width:80%; background:#FFFF00" align="center" | Announcement of Summit Procedings
|}

==VENUE & TRAVEL ARRANGEMENTS==

The OWASP European Summit 2008 will be hosted at the 5 start Resort in Algarve Portugal ([http://www.granderealsantaeulaliahotel.com/index.html '''Grande Real Santa Eulália Resort & Hotel''']). We suggest the hotel booking and the travel arrangements be handled via [http://www.diplomatatours.pt/owasp.php '''Diplomata Tours'''], the assigned travel agency.

The venue address:

Praia de Santa Eulália

PO Box 2445

Albufeira, Portugal

8200-916

[http://maps.google.com/maps?f=q&hl=en&geocode=&q=Grande+Real+Santa+Eul%C3%A1lia+Resort+%26+Hotel+algarve&sll=37.015438,-7.919769&sspn=0.084982,0.176468&ie=UTF8&ll=37.124054,-8.182583&spn=0.08486,0.176468&z=13&iwloc=B Google Maps Link]

Nearest Airport: [http://maps.google.co.uk/maps?f=q&hl=en&geocode=&q=Aeroporto+de+Faro,+Montenegro,+Faro,+8005,+Portugal&ie=UTF8&ll=37.096812,-7.967834&spn=0.502766,1.235962&z=10&output=html Faro]

== U.S. Absentee Voting Information ==

U.S. citizens attending the Summit on 4 November (Election Day) may vote absentee. You may find the information you need [http://www.fvap.gov/ here], [http://www.eac.gov/ here] or [http://travel.state.gov/law/info/info_2964.html here], or on your home [http://www.usa.gov/Agencies/State_and_Territories.shtml state/territory] or foreign [http://www.usembassy.gov/ embassy/consulate] web site. These links are provided for your information only; OWASP does not endorse any political party, candidate, etc. and is not able to provide you with instructions or assistance in voting or registering.

[[Category:OWASP AppSec Conference]]

I've Been Hacked-What Now

2008-11-19T14:26:34Z

Marcin:

====My Server Has Been Hacked--What Do I Do Now??====

This page will offer suggestions and resources for identifying and eliminating threats to your web servers/applications after a suspected attack.

Anyone interested in contributing is welcome.

comment added by [[User:Marcin|Marcin]] • 14:24, 19 November 2008 (UTC): 
Below are some basic bullet points that should be expanded on/revised, etc.

*Identification
*Assessment
*Containment
*Evidence Collection
*Forensic Analysis
*Investigation
*Incident Follow-up

Project Information:template AntiSamy Project

2008-10-29T15:46:57Z

Marcin:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP AntiSamy .NET Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|This project is API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:arshan.dabirsiaghi(at)gmail.com '''Arshan Dabirsiaghi''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:li.jason.c(at)gmail.com '''Jason Li'''] [mailto:j(at)lollyshouse.net '''J Irving'''] [mailto:jerryhoff(at)gmail.com '''Jerry Hoff''']
| style="width:14%; background:#cccccc" align="center"| 
[https://lists.owasp.org/mailman/listinfo/owasp-antisamy '''Mailing List/Subscribe'''] 
[mailto:owasp-antisamy@lists.owasp.org '''Mailing List/Use''']

| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marcin(at)tssci-security.com Marcin Wielgoszewski] [[:Image:Mwielgoszewski-CV.pdf|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:jeff.williams@owasp.org '''Jeff Williams''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/owaspantisamy/downloads/list Owasp Anti-Samy Tool]
* [http://www.antisamy.net/ A test site set up to bang on it]
* (If appropriate, more links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#OWASP_AntiSamy_.NET|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:22%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template AntiSamy Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template AntiSamy Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''N/A''' --------- [[Project Information:template AntiSamy Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:21%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template AntiSamy Project

2008-10-29T15:42:19Z

Marcin:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP AntiSamy .NET Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|This project is API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:arshan.dabirsiaghi(at)gmail.com '''Arshan Dabirsiaghi''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:li.jason.c(at)gmail.com '''Jason Li'''] [mailto:j(at)lollyshouse.net '''J Irving'''] [mailto:jerryhoff(at)gmail.com '''Jerry Hoff''']
| style="width:14%; background:#cccccc" align="center"| 
[https://lists.owasp.org/mailman/listinfo/owasp-antisamy '''Mailing List/Subscribe'''] 
[mailto:owasp-antisamy@lists.owasp.org '''Mailing List/Use''']

| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marcin(at)tssci-security.com Marcin Wielgoszewski] [[:Image:Mwielgoszewski-CV.pdf|Curriculum]]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:jeff.williams@owasp.org '''Jeff Williams''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/owaspantisamy/downloads/list Owasp Anti-Samy Tool]
* [http://www.antisamy.net/ A test site set up to bang on it]
* (If appropriate, more links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#OWASP_AntiSamy_.NET|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:22%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template AntiSamy Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template AntiSamy Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template AntiSamy Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:21%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

Project Information:template AntiSamy Project - Final Review - Second Reviewer - F

2008-10-01T17:28:08Z

Marcin:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The OWASP AntiSamy.NET project is aimed to provide an API for .NET applications for validating rich HTML/CSS input from users without exposing the web application to cross site scripting and phishing attacks. The project is a direct port of the AntiSamy Java API. Currently, the project has one outstanding feature left to be implemented – Cascading Style Sheet (CSS) support. Support for CSS would allow users to wrap input within inline style and div elements. Arshan Dabirsiaghi stated that at the beginning of the project, it would not include support for CSS by the conclusion of Summer of Code 2008. This is noted here for reference as it is not stated on the project site.

There are also 8 outstanding issues (defects) of Low and Medium priority listed in http://code.google.com/p/owaspantisamy/issues/list none of which affect the .NET version of AntiSamy.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Overall, AntiSamy.NET is about 90% complete with missing CSS support.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The offsiteURL regular expression in the policy files could be more restrictive. Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN. More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted. There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All project criteria to meet Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET is an API for .NET projects. There is no “installer” associated with such a project. Basic usage instructions are included on the wiki, but there could be more effort put here. See below for more.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET has not been analyzed by a source code analysis tool. All 50+ AntiSamy.NET unit tests run have passed. Having been subject to third-party review, all attacks attempted failed to bypass AntiSamy.NET restrictions. More testing should be done using double-encoded attacks and perhaps a second (side) project could be started that contains various attacks to be used for fuzzing applications.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
It would be nice to see all functions documented and a data flow graph that shows how input flows through the API and is acted on. I (Marcin Wielgoszewski) would be willing to create this documentation for the project. See http://osteele.com/tools/reanimator and http://osteele.com/archives/2006/02/reanimator. Also, with regards to unit testing, see the chapter on "Code Coverage" written by Charlie Miller in "Open Source Fuzzing Tools." It discusses how to increase code coverage with fuzzing. This directly relates to the unit tests as we cannot guarantee they test all functionality implemented within AntiSamy.NET.
|}

Project Information:template AntiSamy Project - Final Review - Second Reviewer - F

2008-10-01T16:26:16Z

Marcin:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The OWASP AntiSamy.NET project is aimed to provide an API for .NET applications for validating rich HTML/CSS input from users without exposing the web application to cross site scripting and phishing attacks. The project is a direct port of the AntiSamy Java API. Currently, the project has one outstanding feature left to be implemented – Cascading Style Sheet (CSS) support. Support for CSS would allow users to wrap input within inline style and div elements. Arshan Dabirsiaghi stated that at the beginning of the project, it would not include support for CSS by the conclusion of Summer of Code 2008. This is noted here for reference as it is not stated on the project site.

There are also 8 outstanding issues (defects) of Low and Medium priority listed in http://code.google.com/p/owaspantisamy/issues/list none of which affect the .NET version of AntiSamy.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Overall, AntiSamy.NET is about 70% complete with missing CSS support.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The offsiteURL regular expression in the policy files could be more restrictive. Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN. More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted. There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All project criteria to meet Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET is an API for .NET projects. There is no “installer” associated with such a project. Basic usage instructions are included on the wiki, but there could be more effort put here. See below for more.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET has not been analyzed by a source code analysis tool. All 50+ AntiSamy.NET unit tests run have passed. Having been subject to third-party review, all attacks attempted failed to bypass AntiSamy.NET restrictions. More testing should be done using double-encoded attacks and perhaps a second (side) project could be started that contains various attacks to be used for fuzzing applications.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
It would be nice to see all functions documented and a data flow graph that shows how input flows through the API and is acted on. I (Marcin Wielgoszewski) would be willing to create this documentation for the project. See http://osteele.com/tools/reanimator and http://osteele.com/archives/2006/02/reanimator. Also, with regards to unit testing, see the chapter on "Code Coverage" written by Charlie Miller in "Open Source Fuzzing Tools." It discusses how to increase code coverage with fuzzing. This directly relates to the unit tests as we cannot guarantee they test all functionality implemented within AntiSamy.NET.
|}

Project Information:template AntiSamy Project - Final Review - Second Reviewer - F

2008-10-01T16:15:03Z

Marcin:

[[Project Information:template AntiSamy Project|Clik here to return to the previous page]].

{| style="width:100%" border="0" align="center"
! colspan="3" align="center" style="background:#4058A0; color:white"|'''FINAL REVIEW'''
|-
| style="width:25%; background:white" align="center"|'''PART I'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Project Deliveries & Objectives
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET| OWASP AntiSamy .NET Project's Deliveries & Objectives]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please exemplify writing down those of them that haven't been realised.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
The OWASP AntiSamy.NET project is aimed to provide an API for .NET applications for validating rich HTML/CSS input from users without exposing the web application to cross site scripting and phishing attacks. The project is a direct port of the AntiSamy Java API. Currently, the project has one outstanding feature left to be implemented – Cascading Style Sheet (CSS) support. Support for CSS would allow users to wrap input within inline style and div elements. Arshan Dabirsiaghi stated that at the beginning of the project, it would not include support for CSS by the conclusion of Summer of Code 2008. This is noted here for reference as it is not stated on the project site.

There are also 8 outstanding issues (defects) of Low and Medium priority listed in http://code.google.com/p/owaspantisamy/issues/list none of which affect the .NET version of AntiSamy.

|-
| style="width:25%; background:#7B8ABD" align="center"|
2. At what extent have the project deliveries & objectives been accomplished? Having in consideration [[OWASP Summer of Code 2008 Applications#OWASP AntiSamy .NET|'''the assumed ones''']], please quantify in terms of percentage.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
Overall, AntiSamy.NET is about 70% complete with missing CSS support.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
A) The offsiteURL regular expression in the policy files could be more restrictive. Looking up until the TLD, there are several characters, such as Unicode characters allowed within the FQDN where it should only be allowed in the path and the colon (:) character allowed outside of the FQDN. More time should be allotted to look at the regular expression pattern -- http://www.w3.org/Addressing/URL/uri-spec.html should be consulted. There are no performance measurements that show how much impact AntiSamy.NET puts on processing of input.
|-
| style="width:25%; background:white" align="center"|'''PART II'''
| colspan="2" style="width:75%; background:white" align="left"|
|-
| style="width:25%; background:#7B8ABD" align="center"|
Assessment Criteria
| colspan="2" style="width:75%; background:#cccccc" align="left"|
[[:Category:OWASP Project Assessment|OWASP Project Assessment Criteria]]
|-
| style="width:25%; background:#4058A0" align="center"|'''QUESTIONS'''
| colspan="2" style="width:75%; background:#4058A0" align="left"|'''ANSWERS'''
|-
| style="width:25%; background:#7B8ABD" align="center"|
1. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Alpha Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
All project criteria to meet Alpha Quality status have been fulfilled.
|-
| style="width:25%; background:#7B8ABD" align="center"|
2. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Beta Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET is an API for .NET projects. There is no “installer” associated with such a project. Basic usage instructions are included on the wiki, but there could be more effort put here. See below for more.
|-
| style="width:25%; background:#7B8ABD" align="center"|
3. Having into consideration the [[:Category:OWASP Project Assessment|OWASP Project Assessment Methodology]] which criteria, if any, haven’t been fulfilled in terms of '''Release Quality''' status?
| colspan="2" style="width:75%; background:#cccccc" align="left"|
AntiSamy.NET has not been analyzed by a source code analysis tool. All 50+ AntiSamy.NET unit tests run have passed. Having been subject to third-party review, all attacks attempted failed to bypass AntiSamy.NET restrictions. More testing should be done using double-encoded attacks and perhaps a second (side) project could be started that contains various attacks to be used for fuzzing applications.
|-
| style="width:25%; background:#7B8ABD" align="center"|
4. Please do use the right hand side column to provide advice and make work suggestions.
| colspan="2" style="width:75%; background:#cccccc" align="left"|
It would be nice to see all functions documented and a data flow graph that shows how input flows through the API and is acted on. I (Marcin Wielgoszewski) would be willing to create this documentation for the project. See http://osteele.com/tools/reanimator and http://osteele.com/archives/2006/02/reanimator. Also, with regards to unit testing, see the chapter on "Code Coverage" written by Charlie Miller in "Open Source Fuzzing Tools." It discusses how to increase code coverage with fuzzing. This directly relates to the unit tests as we cannot guarantee they test all functionality implemented within AntiSamy.NET.
|}

OWASP EU Summit 2008 Paid Participants

2008-09-07T17:31:19Z

Marcin: /* Provisory list of 'expenses paid' participants */

== Provisory list of 'expenses paid' participants ==

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECTED CONFERENCE PAID ATTENDEES AND/OR SPEAKERS - NEEDS OWASP BOARD CONFIRMATION'''
|-
| style="width:20%; background:#b3b3b3" align="center"|'''NAME'''
| style="width:40%; background:#b3b3b3" align="center"|'''POSITION/REASON OF ATTENDANCE'''
| style="width:20%; background:#b3b3b3" align="center"|'''COUNTRY'''
| style="width:20%; background:#b3b3b3" align="center"|'''DEPARTURE (AIRPORT/CITY)'''
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP BOARD MEMBERS & EMPLOYEES'''
|-
| style="width:20%; background:#cccccc" align="center"|Jeff Williams
| style="width:40%; background:#cccccc" align="center"|Board, Chair, Wiki, Management
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
| style="width:20%; background:#cccccc" align="center"|Dave Wichers
| style="width:40%; background:#cccccc" align="center"|Board, Conferences, Financials
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
| style="width:20%; background:#cccccc" align="center"|Dinis Cruz
| style="width:40%; background:#cccccc" align="center"|Board, Firehose of Ideas and Money spender
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Tom Brennan
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Governance
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|New York, NY
|-
| style="width:20%; background:#cccccc" align="center"|Sebastien Deleersnyder
| style="width:40%; background:#cccccc" align="center"|Board, OWASP Chapters and Projects
| style="width:20%; background:#cccccc" align="center"|Belgium
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Paulo Coimbra
| style="width:40%; background:#cccccc" align="center"|Employee, Project Manager
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Kate Hartmann
| style="width:40%; background:#cccccc" align="center"|Employee, Operations Director
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Washington, D.C.
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Achim Hoffmann
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Skavenger Project, OWASP w3af Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt or Munich
|-
| style="width:20%; background:#cccccc" align="center"|Alexander Fry
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Source Code Review OWASP Projects OWASP Teachable Static Analysis Workbench OWASP WeBekci Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Arshan Dabirsiaghi
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AntiSamy Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Baltimore, MD
|-
| style="width:20%; background:#cccccc" align="center"|Andrew Petukhov
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Access Control Rules Tester Project
| style="width:20%; background:#cccccc" align="center"|Russia
| style="width:20%; background:#cccccc" align="center"|Moscow
|-
| style="width:20%; background:#cccccc" align="center"|Arturo Alberto Busleiman
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Enigform and mod_Openpgp
| style="width:20%; background:#cccccc" align="center"|Argentina
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Carlo Pelliccioni
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Backend Security Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|Rome
|-
| style="width:20%; background:#cccccc" align="center"|Deb, LX Studios
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Book Cover & Sleeve Design, OWASP Individual & Corporate Member Packs, Conference Attendee Packs
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Eduardo Vianna de Camargo Neves
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|Curitiba (CWB)
|-
| style="width:20%; background:#cccccc" align="center"|Wagner Elias
| style="width:40%; background:#cccccc" align="center"|Reviwer, OWASP Positive Security
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|São Paulo(GRU)
|-
| style="width:20%; background:#cccccc" align="center"|Eoin Keary
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Code Review Guide, Chapter Leader
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
| style="width:20%; background:#cccccc" align="center"|Esteban Ribicic
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Backend Security Project OWASP Classic ASP Security Project OWASP AntiSamy .NET OWASP Interceptor Project - 2008 Update
| style="width:20%; background:#cccccc" align="center"|Croatia
| style="width:20%; background:#cccccc" align="center"|Wien
|-
| style="width:20%; background:#cccccc" align="center"|Fabio Cerullo
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
| style="width:20%; background:#cccccc" align="center"|Frederick Donovan
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|United States
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Heiko Webers
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|Frankfurt
|-
| style="width:20%; background:#cccccc" align="center"|Anthony Shireman
| style="width:40%; background:#cccccc" align="center"|Project reviewer, OWASP Ruby on Rails Security Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Portland, OR (PDX)
|-
| style="width:20%; background:#cccccc" align="center"|Juan Carlos Calderon
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Internationalization Guidelines OWASP Spanish Project OWASP Classic ASP Security Project
| style="width:20%; background:#cccccc" align="center"|Mexico
| style="width:20%; background:#cccccc" align="center"|MMAS - Aguascalientes, Mexico
|-
| style="width:20%; background:#cccccc" align="center"|Justin Derry
| style="width:40%; background:#cccccc" align="center"|Chapter leader & Project Leader, OWASP Interceptor Project
| style="width:20%; background:#cccccc" align="center"|Sydney Australia
| style="width:20%; background:#cccccc" align="center"|Sydney Australia
|-
| style="width:20%; background:#cccccc" align="center"|Kevin Fuller
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3 OWASP SQL Injector Benchmarking Project (SQLiBENCH)
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Sacramento Ca
|-
| style="width:20%; background:#cccccc" align="center"|Leonardo Cavallari Militelli
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|Brazil
| style="width:20%; background:#cccccc" align="center"|Sao Paulo (GRU)
|-
| style="width:20%; background:#cccccc" align="center"|Mark Roxberry
| style="width:40%; background:#cccccc" align="center"|Leader, OWASP .NET Project
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Matt Tesauro
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Live CD 2008
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Austin, TX or Dallas, TX
|-
| style="width:20%; background:#cccccc" align="center"|Matteo Meucci
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Testing Guide
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|Rome
|-
| style="width:20%; background:#cccccc" align="center"|Matthias Rohr
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Skavenger Project
| style="width:20%; background:#cccccc" align="center"|Germany
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Michael Coates
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP AppSensor
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Chicago
|-
| style="width:20%; background:#cccccc" align="center"|Nam Nguyen
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Testing Guide v3, Python Static Analysis, OWASP Education
| style="width:20%; background:#cccccc" align="center"|Vietnam
| style="width:20%; background:#cccccc" align="center"|Ho Chi Minh City
|-
| style="width:20%; background:#cccccc" align="center"|P.Satish Kumar
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Code Review Guide
| style="width:20%; background:#cccccc" align="center"|India
| style="width:20%; background:#cccccc" align="center"|Hyderabad/Mumbai/Chennai
|-
| style="width:20%; background:#cccccc" align="center"|Paolo Perego
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP Orizon Project
| style="width:20%; background:#cccccc" align="center"|Italy
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Parvathy Iyer
| style="width:40%; background:#cccccc" align="center"|OWASP Corporate Application Security Guide
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Newark (New Jersey)or Newyork (Newyork city)
|-
| style="width:20%; background:#cccccc" align="center"|Pierre Parrend
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP OpenSign Server Project OWASP Application Security Verification Standard
| style="width:20%; background:#cccccc" align="center"|France
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Stephen Craig Evans
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Securing WebGoat using ModSecurity
| style="width:20%; background:#cccccc" align="center"|Singapore
| style="width:20%; background:#cccccc" align="center"|Singapore
|-
| style="width:20%; background:#cccccc" align="center"|Jason Li
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP JSP Testing Tool
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Baltimore
|-
| style="width:20%; background:#cccccc" align="center"|Gandhi Aryavalli Sriranga Narasimha
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Application Security Desk Reference (ASDR)
| style="width:20%; background:#cccccc" align="center"|India
| style="width:20%; background:#cccccc" align="center"|Bangalore
|-
| style="width:20%; background:#cccccc" align="center"|Rodrigo Marcos
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP Internationalization Guidelines Project OWASP Spanish Project
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Marcin Wielgoszewski
| style="width:40%; background:#cccccc" align="center"|Reviewer, OWASP AntiSamy.NET
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|New York, NY
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008 SPECIAL PROJECT CONTRIBUTORS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SUMMER OF CODE 2008/LOGISTICS'''
|-
| style="width:20%; background:#cccccc" align="center"|Sarah Cruz
| style="width:40%; background:#cccccc" align="center"|Project leader, Graphic Design
| style="width:20%; background:#cccccc" align="center"|UK
| style="width:20%; background:#cccccc" align="center"|London
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP SPRING OF CODE 2007 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Przemyslaw Skowron
| style="width:40%; background:#cccccc" align="center"|Project Leader, Refresh Attacks List
| style="width:20%; background:#cccccc" align="center"|Poland
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Joshua Perrymon
| style="width:40%; background:#cccccc" align="center"|Project Leader, OWASP LiveCD, OWASP Phishing Framework, Alabama Chapter Lead
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|Birmingham,AL
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP AUTUMN OF CODE 2006 PROJECT LEADERS & REVIEWERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Rogan Dawes
| style="width:40%; background:#cccccc" align="center"|Project leader, WebScarab-NG
| style="width:20%; background:#cccccc" align="center"|South Africa
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Simon Roses Femerling
| style="width:40%; background:#cccccc" align="center"|Project leader, OWASP Pantera
| style="width:20%; background:#cccccc" align="center"|Spain
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE PROJECT LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Alex Smolen
| style="width:40%; background:#cccccc" align="center"| Project leader, .NET ESAPI
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''ACTIVE CHAPTER LEADERS (NOT CURRENTLY PARTICIPATING ON SOC 08)'''
|-
| style="width:20%; background:#cccccc" align="center"|Antti Laulajainen
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Helsinki
| style="width:20%; background:#cccccc" align="center"|Finland
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Steve Antoniewicz
| style="width:40%; background:#cccccc" align="center"|Chapter Board Member, NY/NJ Metro
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Kuai Hinojosa
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Twin-Cities
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Jim Manico
| style="width:40%; background:#cccccc" align="center"|Chapter leader/founder, Hawaii
| style="width:20%; background:#cccccc" align="center"|Hawaii, USA
| style="width:20%; background:#cccccc" align="center"|Anahola, Island of Kauai
|-
| style="width:20%; background:#cccccc" align="center"|Rex Booth
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Washington DC
| style="width:20%; background:#cccccc" align="center"|USA
| style="width:20%; background:#cccccc" align="center"|?
|-
| style="width:20%; background:#cccccc" align="center"|Andrzej Targosz
| style="width:40%; background:#cccccc" align="center"|Chapter leader, Poland
| style="width:20%; background:#cccccc" align="center"|Poland
| style="width:20%; background:#cccccc" align="center"|Cracow
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
! colspan="7" align="left" style="background:white; color:black"|'''SIGNIFICANT PAST OWASP CONTRIBUTOR (THAT IS NOT ALREADY COVERED BY ONE OF THE ABOVE CATEGORIES)'''
|-
| style="width:20%; background:#cccccc" align="center"|David Rook
| style="width:40%; background:#cccccc" align="center"|Code Review Guide Contributor, Irish Chapter Contributor
| style="width:20%; background:#cccccc" align="center"|Ireland
| style="width:20%; background:#cccccc" align="center"|Dublin (DUB)
|-
! colspan="7" align="left" style="background:white; color:black"|'''OWASP NON-INDIVIDUAL MEMBERS'''
|-
| style="width:20%; background:#cccccc" align="center"|Name
| style="width:40%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
| style="width:20%; background:#cccccc" align="center"|
|-
|}

Project Information:template AntiSamy Project

2008-09-05T20:29:48Z

Marcin:

{| style="width:100%" border="0" align="center"
! colspan="7" align="center" style="background:#4058A0; color:white"|'''PROJECT IDENTIFICATION'''
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Project Name'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|'''OWASP AntiSamy .NET Project'''
|-
| style="width:15%; background:#7B8ABD" align="center"| '''Short Project Description'''
| colspan="6" style="width:85%; background:#cccccc" align="left"|This project is API for validating rich HTML/CSS input from users without exposure to cross-site scripting and phishing attacks.
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Email Contacts'''
| style="width:14%; background:#cccccc" align="center"|Project Leader [mailto:arshan.dabirsiaghi(at)gmail.com '''Arshan Dabirsiaghi''']
| style="width:14%; background:#cccccc" align="center"|Project Contributors [mailto:li.jason.c(at)gmail.com '''Jason Li'''] [mailto:j(at)lollyshouse.net '''J Irving'''] [mailto:jerryhoff(at)gmail.com '''Jerry Hoff''']
| style="width:14%; background:#cccccc" align="center"| 
[https://lists.owasp.org/mailman/listinfo/owasp-antisamy '''Mailing List/Subscribe'''] 
[mailto:owasp-antisamy@lists.owasp.org '''Mailing List/Use''']

| style="width:14%; background:#cccccc" align="center"|First Reviewer [mailto:kisero(at)gmail.com Esteban Ribičić] [http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]
| style="width:14%; background:#cccccc" align="center"|Second Reviewer [mailto:marcin(at)tssci-security.com Marcin Wielgoszewski]
| style="width:15%; background:#cccccc" align="center"|OWASP Board Member [mailto:jeff.williams@owasp.org '''Jeff Williams''']
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''PROJECT MAIN LINKS'''
|-
| style="width:100%; background:#cccccc" align="center"|
* [http://code.google.com/p/owaspantisamy/downloads/list Owasp Anti-Samy Tool]
* [http://www.antisamy.net/ A test site set up to bang on it]
* (If appropriate, more links to be added)
|}
{| style="width:100%" border="0" align="center"
! colspan="6" align="center" style="background:#4058A0; color:white"|'''SPONSORS & GUIDELINES'''
|-
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']]
| style="width:50%; background:#cccccc" align="center"|[[OWASP Summer of Code 2008 Applications#OWASP_AntiSamy_.NET|'''Sponsored Project/Guidelines/Roadmap''']]
|}
{| style="width:100%" border="0" align="center"
! colspan="5" align="center" style="background:#4058A0; color:white"|ASSESSMENT AND REVIEW PROCESS
|-
| style="width:15%; background:#6C82B5" align="center"|'''Review/Reviewer'''
| style="width:22%; background:#b3b3b3" align="center"|'''Author's Self Evaluation''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''First Reviewer''' (applicable for Alpha Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''Second Reviewer''' (applicable for Beta Quality & further)
| style="width:21%; background:#b3b3b3" align="center"|'''OWASP Board Member''' (applicable just for Release Quality)
|-
| style="width:15%; background:#7B8ABD" align="center"|'''50% Review'''
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template AntiSamy Project - 50 Review - Self Evaluation - A|See&Edit:50% Review/Self-Evaluation (A)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- [[Project Information:template AntiSamy Project - 50 Review - First Reviewer - C|See&Edit: 50% Review/1st Reviewer (C)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- [[Project Information:template AntiSamy Project 50 Review Second Review E|See&Edit: 50%Review/2nd Reviewer (E)]]
| style="width:21%; background:#C2C2C2" align="center"|X
|-
| style="width:15%; background:#7B8ABD" align="center"|'''Final Review'''
| style="width:22%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - Self Evaluation - B|See&Edit: Final Review/SelfEvaluation (B)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes''' --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - First Reviewer - D|See&Edit: Final Review/1st Reviewer (D)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - Second Reviewer - F|See&Edit: Final Review/2nd Reviewer (F)]]
| style="width:21%; background:#C2C2C2" align="center"|Objectives & Deliveries reached? '''Yes/No''' (To update) --------- Which status has been reached? '''Season of Code''' - (To update) --------- [[Project Information:template AntiSamy Project - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member (G)]]
|-
|}

OWASP Newsletter 17

2008-08-15T20:27:51Z

Marcin: /* OWASP references in the Media */

== OWASP Newsletter #17 (12-August-2008) ==
Welcome to the 17th edition of the OWASP Newsletter, featuring [[OWASP_NYC_AppSec_2008_Conference|The New York City AppSec Conference]] .

As always, if you have any content to add to the next edition, please feel free to add it directly to its WIKI page [[OWASP Newsletter 18]].

Kate Hartmann - OWASP Operations Director - Tel: 301-575-0197 - eMail: Kate.Hartmann@owasp.org

== Featured Item: OWASP NYC 2008 ==
OWASP NYC AppSec 2008 Conference Schedule – Sept 24th - Sept 25th [http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Full details] In association with: WASC, NYM InfraGard, AITGlobal, NYC PHP, NYCBUG, ISACA, ISSA and Pace University your invited to (2) days of Seminars and Technology Pavilion from the world's best application security technology minds, (2) days of hardcore hands-on training, all held at Pace University, located in downtown New York City at One Pace Plaza New York, NY 10038. Event Fees: $350 for 2 days of seminars, $675 for 1-day training classes and $1,350 for 2-day courses. With capacity of 1000 folks from around the world, don't miss this event!

<center>[http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference http://www.owasp.org/images/a/ad/NYC08_468x60_72_newdates.gif]</center>

== Featured Item: India Conference ==
[https://www.owasp.org/index.php/OWASP_AppSec_India_Conference_2008 OWASP AppSec India Conference 2008]

[[Image:OWASP_India-mhnew.gif]]

== Featured Item: Israel Conference ==
[https://www.owasp.org/index.php/OWASP_Israel_2008_Conference OWASP AppSec Israel Conference 2008]

= OWASP AppSec India Conference 2008 - August 20th-21st 2008 =

== Featured Projects ==

* Four new projects have been set up, namely:
** [[:Category:OWASP EnDe|'''OWASP EnDe Project''']] - This tool is an encoder, decoder, converter, transformer, calculator, for various codings used in the wild wide web. Achim Hoffmann is the project leader.
** [[:Category:OWASP Google Hacking Project|'''OWASP Google Hacking Project''']] - This is a Google SOAP Search API with Perl. Christian Heinrich is the project leader.
** [[:Category:OWASP NetBouncer Project|'''OWASP NetBouncer Project''']] - This is secure by default centralised input/output validation library which combines security rules and business rules as well as escaping in the output level. Ferruh Mavituna is the project leader.
** [[:Category:OWASP Open Review Project|'''OWASP Open Review Project''']] - A project to openly check open source libraries and software that are vital to most commercial and non-commercial apps around. Mario de Boer is the project leader.
 
* The [[OWASP Summer of Code 2008|'''OWASP Summer of Code 2008''']] is doing its way up the ladder.
** 34 SoC’s projects pages, the [[:Category:OWASP_Project#Current_Season_of_Code_Projects |Current Season of Code Projects]], have been set up.
** [[:OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers|70 reviewers were matched with 34 SoC’s projects]].
** Having reached the stage of 50% completion, 7 project have already been reviewed, namely:
*** [[:OWASP Internationalization|OWASP Internationalization Guidelines Project]]'''
*** [[:OWASP Spanish|OWASP Spanish Project]]
*** [[:Category:OWASP Ruby on Rails Security Guide V2|OWASP Ruby on Rails Security Guide v2]]
*** [[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review OWASP Projects]]
*** [[:Category:GTK plus GUI for w3af Project|GTK+ GUI for w3af project]]
*** [[:Category:OWASP Live CD 2008 Project|OWASP Live CD 2008 Project]]
*** [[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis]]

== Latest additions to the WIKI ==

==== New Pages====

* [https://www.owasp.org/index.php?title=Front_Range_OWASP_Conference&rcid=31984 Front Range OWASP Conference in Denver]

* [http://www.owasp.org/index.php/How_to_Host_a_Conference How to Host a Conference]

== Chapter News ==

===Paypal now Accepted===

Chapter pages are being updated with the new link to paypal. This will allow your chapter sponsors to make donations to your chapter or project directly. Because the funds will be managed through the OWASP Foundation, your local chapter or project may take advantage of the non-profit status! Reimbursement of expenses will be processed through submission of an expense report. Please contact [mailto:alison.mcnamee@owasp.org Alison McNamee] with any questions.

===New Chapter Pages===

[[Iran|Iran]]

[[Vietnam|Vietnam]]

[[Nigeria|Nigeria]]

[[Saudi Arabia|Saudi Arabia]]

[[Alabama|Alabama]]

[[Croatia|Croatia]]

[[Hawaii|Hawaii]]

== OWASP references in the Media==

[http://www.net-security.org/dl/insecure/INSECURE-Mag-16.pdf OWASP Featured Article: Producing Producing Secure Software With Software Security Enhanced Processes, In-secure Magazine, Page 57-67]

NSA: http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/support/I733-034R-2007.pdf

FFIEC: http://www.occ.treas.gov/ftp/bulletin/2008-16.html

FTC: http://www.ftc.gov/bcp/conline/pubs/buspubs/security.shtm

NIST: http://csrc.nist.gov/publications/PubsSPs.html

DHS: https://buildsecurityin.us-cert.gov/swa/downloads/SwA_in_Acquisition.pdf

== Application Security News==

=='''[https://www.owasp.org/index.php/Template:Application_Security_News Application Security News Feed]'''==

{{Application Security News}}

Don't trust user input

2008-07-24T19:40:14Z

Marcin:

{{Template:Principle}}

Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''

==Description==

A principle is a simple rule that helps to guide security decisions in complex situations.
# Start with a one-sentence description of the principle
# Describe the principle and how it should be applied to security decisions

A user or client will not always submit data your application will expect. By building robust applications that do not trust user input by default, you ensure the application will be able to handle unexpected data gracefully. Examples of user input include: form data, client information such as user-agent strings, cookies, referer, etc. Anything that is submitted in an HTTP request should be considered user input.

==Examples==

===Phone number===
: A short example description, small picture, or sample code with [http://www.site.com links]

===Short example name===
: A short example description, small picture, or sample code with [http://www.site.com links]

==Related [[Vulnerabilities]]==

* [[Vulnerability 1]]
* [[Vulnerabiltiy 2]]

==Related [[Controls]]==

* [[Input Validation]]

==References==

* http://www.link1.com
* [http://www.link2.com Title for the link2]

Phoenix/Tools

2008-07-04T13:56:31Z

Marcin: /* Java static analysis, security frameworks, and web application security tools */

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Browser SSL Compatibility

2008-05-15T14:28:28Z

Marcin: New page: // reserved page describing SSL compatibility by browser history

// reserved page describing SSL compatibility by browser history

Phoenix/Tools

2008-05-12T01:02:01Z

Marcin: Removed links submitted by "Rave." Links were to ebook warez sites.

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
HackerFox(http://yehg.co.nr) : Portable Firefox with web hacking addons bundled - http://sf.net/projects/hackfox

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
Java - http://www.ebooknetworking.com/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
Greasemonkey: XSS Malware Script Detector (http://yehg.co.nr) - http://userscripts.org/scripts/show/22955

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2007-07-26T17:31:01Z

Marcin:

__NOTOC__
Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2007-07-17T18:13:09Z

Marcin:

__NOTOC__
Please send comments or questions to the Phoenix-OWASP mailing-list.

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2007-07-17T18:07:04Z

Marcin: /* HTTP proxying / editing */

__NOTOC__
Please send comments or questions to the Phoenix-OWASP mailing-list.

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander - http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

Phoenix/Tools

2007-07-17T17:59:02Z

Marcin:

__NOTOC__
Please send comments or questions to the Phoenix-OWASP mailing-list.

==LiveCDs==
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 

==Test sites / testing grounds==
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 

==HTTP proxying / editing==
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander http://jscmd.rubyforge.org/ 

==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 

==HTTP general testing / fingerprinting==
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 

==Browser-based HTTP tampering / editing / replaying==
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 

==Cookie editing / poisoning==
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 

==Ajax and XHR scanning==
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 

==RSS extensions and caching==
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 

==SQL injection scanning==
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 

==Web application security malware, backdoors, and evil code==
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 

==Web application services that aid in web application security assessment==
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 

==Browser-based security fuzzing / checking==
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 

==PHP static analysis and file inclusion scanning==
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 

==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 

==Web services enumeration / scanning / fuzzing==
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 

==Web application non-specific static source-code analysis==
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 

==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 

==Java static analysis, security frameworks, and web application security tools==
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 

==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 

==Threat modeling==
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 

==Add-ons for Firefox that help with general web application security==
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 

==Add-ons for Firefox that help with Javascript and Ajax web application security==
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 

==Bookmarklets that aid in web application security==
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 

==SSL certificate checking / scanning==
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 

==Honeyclients, Web Application, and Web Proxy honeypots==
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 

==Blackhat SEO and maybe some whitehat SEO==
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 

==Footprinting for web application security==
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 

==Database security assessment==
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 

==Browser Defenses==
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 

==Browser Privacy==
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 

==Application and protocol fuzzing (random instead of targeted)==
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html

User:Marcin

2007-07-11T14:22:50Z

Marcin: New page: [http://www.tssci-security.com tssci-security] pub KeyID = [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB0D446C3 B0D446C3]

[http://www.tssci-security.com tssci-security]

pub KeyID = [http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB0D446C3 B0D446C3]

Phoenix/Tools

2007-07-11T14:13:36Z

Marcin:

Please send comments or questions to the Phoenix-OWASP mailing-list. 
 
LiveCDs 
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/ 
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/ 
 
Test sites / testing grounds 
SPI Dynamics (live) - http://zero.webappsecurity.com/ 
Cenzic (live) - http://crackme.cenzic.com/ 
Watchfire (live) - http://demo.testfire.net/ 
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com 
WebMaven / Buggy Bank (includes live testsite) - http://www.mavensecurity.com/webmaven 
Foundstone SASS tools - http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/s3i_tools.htm 
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project 
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator 
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/ 
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/ 
 
HTTP proxying / editing 
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project 
Burp - http://www.portswigger.net/ 
Paros - http://www.parosproxy.org/ 
Fiddler - http://www.fiddlertool.com/ 
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project 
Suru - http://www.sensepost.com/research/suru/ 
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/ 
Charles - http://www.xk72.com/charles/ 
Odysseus - http://www.bindshell.net/tools/odysseus 
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/ 
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/ 
JS Commander http://jscmd.rubyforge.org/ 
 
RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools 
Wfuzz - http://www.edge-security.com/wfuzz.php 
ProxMon - http://www.isecpartners.com/proxmon.html 
Wapiti - http://wapiti.sourceforge.net/ 
Grabber - http://rgaucher.info/beta/grabber/ 
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py 
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project 
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm 
JBroFuzz - http://sourceforge.net/projects/jbrofuzz 
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/ 
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/ 
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz 
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter 
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html 
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml 
RFuzz - http://rfuzz.rubyforge.org/ 
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999 
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html 
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/ 
WSTool - http://wstool.sourceforge.net/ 
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/ 
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/ 
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/ 
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/ 
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743 
 
HTTP general testing / fingerprinting 
Wbox: HTTP testing tool - http://hping.org/wbox/ 
ht://Check - http://htcheck.sourceforge.net/ 
Mumsie - http://www.lurhq.com/tools/mumsie.html 
WebInject - http://www.webinject.org/ 
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/ 
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/ 
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/ 
Load-balancing detector - http://ge.mine.nu/lbd.html 
HMAP - http://ujeni.murkyroc.com/hmap/ 
Net-Square: httprint - http://net-square.com/httprint/ 
Wpoison: http stress testing - http://wpoison.sourceforge.net/ 
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml 
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/ 
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp 
Nikto - http://www.cirt.net/code/nikto.shtml 
twill - http://twill.idyll.org/ 
DirBuster - http://www.sittinglittleduck.com/DirBuster/ 
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip 
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html 
 
Browser-based HTTP tampering / editing / replaying 
TamperIE - http://www.bayden.com/Other/ 
isr-form - http://www.infobyte.com.ar/developments.html 
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/ 
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/ 
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/ 
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/ 
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/ 
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/ 
 
Cookie editing / poisoning 
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz 
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/ 
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/ 
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/ 
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp 
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx 
 
Ajax and XHR scanning 
Sahi - http://sahi.co.in/ 
scRUBYt - http://scrubyt.org/ 
jQuery - http://jquery.com/ 
jquery-include - http://www.gnucitizen.org/projects/jquery-include 
Sprajax - http://www.denimgroup.com/sprajax.html 
Watir - http://wtr.rubyforge.org/ 
Watij - http://watij.com/ 
Watin - http://watin.sourceforge.net/ 
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/ 
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin 
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/ 
Firebug Lite - http://www.getfirebug.com/lite.html 
firewaitr - http://code.google.com/p/firewatir/ 
 
RSS extensions and caching 
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/ 
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/ 
 
SQL injection scanning 
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php 
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project 
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/ 
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html 
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html 
sqlmap - http://sqlmap.sourceforge.net/ 
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/ 
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas 
PRIAMOS - http://www.priamos-project.com/ 
 
Web application security malware, backdoors, and evil code 
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/ 
Jikto - http://busin3ss.name/jikto-in-the-wild/ 
XSS Shell - http://ferruh.mavituna.com/article/?1338 
XSS-Proxy - http://xss-proxy.sourceforge.net 
AttackAPI - http://www.gnucitizen.org/projects/attackapi/ 
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/ 
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/ 
BeEF - http://www.bindshell.net/tools/beef/ 
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/ 
What is my IP address? - http://reglos.de/myaddress/ 
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm 
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/ 
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval 
Technika - http://www.gnucitizen.org/projects/technika/ 
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet 
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/ 
 
Web application services that aid in web application security assessment 
Netcraft - http://www.netcraft.net 
AboutURL - http://www.abouturl.com/ 
The Scrutinizer - http://www.scrutinizethis.com/ 
net.toolkit - http://clez.net/ 
ServerSniff - http://www.serversniff.net/ 
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/ 
Webmaster-Toolkit - http://www.webmaster-toolkit.com/ 
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address 
PHP charset encoding - http://h4k.in/encoding 
data: URL testcases - http://h4k.in/dataurl 
 
Browser-based security fuzzing / checking 
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi 
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/ 
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/ 
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html 
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html 
COMRaider - http://labs.idefense.com 
bcheck - http://bcheck.scanit.be/bcheck/ 
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects 
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp 
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/ 
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php 
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7 
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html 
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm 
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/ 
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/ 
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324 
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/ 
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1 
 
PHP static analysis and file inclusion scanning 
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/ 
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php
 
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25 
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit 
 
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources 
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS 
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/ 
dotnetids - http://code.google.com/p/dotnetids/ 
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html 
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/ 
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules 
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/ 
mod_security rules generator - http://noeljackson.com/tools/modsecurity/ 
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3 
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz 
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99 
Akismet: blog spam defense - http://akismet.com/ 
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/ 
 
Web services enumeration / scanning / fuzzing 
WebServiceStudio2.0 - http://www.gotdotnet.com/Community/UserSamples/Details.aspx?SampleGuid=65a1d4ea-0f7a-41bd-8494-e916ebc4159c 
Net-square: wsChess - http://net-square.com/wschess/index.shtml 
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project 
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm 
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html 
 
Web application non-specific static source-code analysis 
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/ 
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1 
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project 
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/ 
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html 
A smaller, but also good list - http://spinroot.com/static/ 
 
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications 
RATS - http://www.securesoftware.com/resources/download_rats.html 
ITS4 - http://www.cigital.com/its4/ 
FlawFinder - http://www.dwheeler.com/flawfinder/ 
Splint - http://www.splint.org/ 
Uno - http://spinroot.com/uno/ 
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net 
Valgrind - http://www.valgrind.org/ 
 
Java static analysis, security frameworks, and web application security tools 
HDIV Struts - http://hdiv.org/ 
Orizon - http://sourceforge.net/projects/orizon/ 
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/ 
PMD - http://pmd.sourceforge.net/ 
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/ 
EMMA - http://emma.sourceforge.net/ 
JLint - http://jlint.sourceforge.net/ 
Java PathFinder - http://javapathfinder.sourceforge.net/ 
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/ 
Checkstyle - http://checkstyle.sourceforge.net/ 
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver 
tinapoc - http://sourceforge.net/projects/tinapoc 
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html 
Solex - http://solex.sourceforge.net/ 
Java Explorer - http://metal.hurlant.com/jexplore/ 
HTTPClient - http://www.innovation.ch/java/HTTPClient/ 
another HttpClient - http://jakarta.apache.org/commons/httpclient/ 
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html 
 
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET 
Orcas - http://msdn.microsoft.com/vstudio/express/future/downloads/default.aspx 
Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx 
FxCop - http://blogs.msdn.com/fxcop/ http://www.gotdotnet.com/team/fxcop/ 
Microsoft Application Verifier - http://www.microsoft.com/technet/prodtechnol/windows/appcompatibility/appverifier.mspx 
Microsoft internal tools you can't have yet - http://www.microsoft.com/windows/cse/pa_projects.mspx http://research.microsoft.com/Pex/ http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf 
 
Threat modeling 
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en 
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php 
Octotrike - http://www.octotrike.org/ 
 
Add-ons for Firefox that help with general web application security 
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/ 
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/ 
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/ 
Public Fox - https://addons.mozilla.org/firefox/3911/ 
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms 
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/ 
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html 
IE Tab - https://addons.mozilla.org/firefox/1419/ 
User-Agent Switcher - https://addons.mozilla.org/firefox/59/ 
ServerSwitcher - https://addons.mozilla.org/firefox/2409/ 
HeaderMonitor - https://addons.mozilla.org/firefox/575/ 
RefControl - https://addons.mozilla.org/firefox/953/ 
refspoof - https://addons.mozilla.org/firefox/667/ 
No-Referrer - https://addons.mozilla.org/firefox/1999/ 
LocationBar^2 - https://addons.mozilla.org/firefox/4014/ 
SpiderZilla - http://spiderzilla.mozdev.org/ 
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143 
Fire Encrypter - https://addons.mozilla.org/firefox/3208/ 
 
Add-ons for Firefox that help with Javascript and Ajax web application security 
Selenium IDE - http://www.openqa.org/selenium-ide/ 
Firebug - http://www.joehewitt.com/software/firebug/ 
Venkman - http://www.mozilla.org/projects/venkman/ 
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/ 
Greasemonkey - http://www.greasespot.net/ 
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/ 
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler 
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/ 
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/ 
 
Bookmarklets that aid in web application security 
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html 
BMlets - http://optools.awardspace.com/bmlet.html 
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/ 
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide
rich functionality - http://www.blummy.com/ 
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html 
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/ 
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/ 
 
SSL certificate checking / scanning 
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip 
[ZIP] Foundstone SSLDigger - http://foundstone.com/resources/freetooldownload.htm?file=ssldigger.zip 
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/ 
 
Honeyclients, Web Application, and Web Proxy honeypots 
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ 
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/ 
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/ 
Google Hack Honeypot - http://ghh.sourceforge.net/ 
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/ 
SpyBye - http://www.monkey.org/~provos/spybye/ 
Honeytokens - http://www.securityfocus.com/infocus/1713 
 
Blackhat SEO and maybe some whitehat SEO 
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/ 
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html 
SEOQuake (Firefox Add-on) - http://www.seoquake.com/ 
 
Footprinting for web application security 
Evolution - http://www.paterva.com/evolution-e.html 
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/ 
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/ 
Edge-Security tools - http://www.edge-security.com/soft.php 
Fierce Domain Scanner - http://ha.ckers.org/fierce/ 
Googlegath - http://www.nothink.org/perl/googlegath/ 
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/ 
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/ 
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/ 
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/ 
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/ 
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/ 
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/ 
 
Database security assessment 
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/ 
 
Browser Defenses 
DieHard - http://www.diehard-software.org/ 
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/ 
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/ 
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo 
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/ 
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497 
NoScript (Firefox Add-on) - http://www.noscript.net/ 
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/ 
Adblock (Firefox Add-on) - http://adblock.mozdev.org/ 
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html 
SafeCache (Firefox Add-on) - http://www.safecache.com/ 
SafeHistory (Firefox Add-on) - http://www.safehistory.com/ 
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/ 
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/ 
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/ 
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/ 
FireKeeper - http://firekeeper.mozdev.org/ 
 
Browser Privacy 
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/ 
Privacy Bird - http://www.privacybird.com/ 
 
Application and protocol fuzzing (random instead of targeted) 
Sulley - http://fuzzing.org/ 
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/ 
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/ 
autodafé: an act of software torture - http://autodafe.sourceforge.net/ 
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html