<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Oliver+M.</id>
		<title>OWASP - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.owasp.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Oliver+M."/>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php/Special:Contributions/Oliver_M."/>
		<updated>2026-05-28T08:41:10Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.27.2</generator>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=191773</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=191773"/>
				<updated>2015-03-19T15:54:48Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: /* News */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, thereby executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
If port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot; then we define web knocking as &amp;quot;a form of host-to-host communication in which information flows across erroneous URLs&amp;quot;. Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or similar license to this one.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
Release:&amp;lt;br&amp;gt;&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-08.zip/download WebSpa v0.8]&lt;br /&gt;
&lt;br /&gt;
Source:&amp;lt;br&amp;gt;&lt;br /&gt;
[https://github.com/OWASP/WebSpa/archive/v0.8.zip WebSpa v0.8.zip]&amp;lt;br&amp;gt;&lt;br /&gt;
[https://github.com/OWASP/WebSpa/archive/v0.8.tar.gz WebSpa v0.8.tar.gz]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to set up and use the server component. It details how to create new users and add new action numbers with the respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work unless a WebSpa client submits a web-knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Thus, since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide to see how the two are used in tandem. &lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies; different groups have clearly stated that they want the source code as well as the documentation to be included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for WebSpa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for WebSpa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have Java installed, consider using the following command: &lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and to start the web-spa listening service. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally, issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [19 Feb 2015] The WebSpa source code repository has been migrated to GitHub. The compiled releases (.jar) are still made available on SourceForge.&lt;br /&gt;
* [17 Feb 2015] WebSpa has a new contributor – Daniel Imber. Dan, welcome to the team!&lt;br /&gt;
* [12 Jan 2015] Patryk Arciszewski decided to retire from the project. Patryk, thank you for your good work and may the Power of SPA be with you.&lt;br /&gt;
* [23 Nov 2014] Version 0.8 has been released and can now be found in the download section. We are proud to offer a working, stable proof-of-concept of WebSpa.&lt;br /&gt;
* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł, welcome to the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!] &lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Does WebSpa support older versions of Java?&lt;br /&gt;
: No. WebSpa is tested with an up-to-date JRE package, thus to run WebSpa a JRE 1.7 or greater is needed. Using older versions of Java may lead to unexpected system behaviour.&lt;br /&gt;
&lt;br /&gt;
; What does the ASCII-Art for WebSpa look like?&lt;br /&gt;
                    __                                           &lt;br /&gt;
                   /\ \                                          &lt;br /&gt;
   __  __  __     __\ \ \____             ____  _____      __     &lt;br /&gt;
 /\ \/\ \/\ \  /'__`\ \ '__`\  _______  /',__\/\ '__`\  /'__`\   &lt;br /&gt;
 \ \ \_/ \_/ \/\  __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_ &lt;br /&gt;
  \ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\&lt;br /&gt;
   \/__//__/   \/____/ \/___/           \/___/  \ \ \/  \/__/\/_/&lt;br /&gt;
                                                 \ \_\           &lt;br /&gt;
                                                  \/_/           &lt;br /&gt;
&lt;br /&gt;
The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&amp;amp;f=Larry%203D&amp;amp;t=web-spa here].&lt;br /&gt;
&lt;br /&gt;
; Who are the actors required in order to use the WebSpa tool?&lt;br /&gt;
: There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what that user's allowed O/S commands are, while the user, well, executes these commands on the server by using the client. &lt;br /&gt;
&lt;br /&gt;
; How does the crypto of WebSpa work?&lt;br /&gt;
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server. &lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
: To report a WebSpa bug, please create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t have a sourceforge account, you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception &amp;amp; Development &lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Daniel Imber - Development &amp;amp; Refactoring&lt;br /&gt;
* [[User:Oliver_M.|Oliver Merki]] - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
* Patryk Arciszewski&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request, but also offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44	New WebKnock request format should be defined&lt;br /&gt;
 42	Do not limit the web knock to 100 characters, instead use SHA-512 lengths	 &lt;br /&gt;
 35	A threat model for WebSpa should be created and reviewed	 &lt;br /&gt;
 33	Apache should be replaced by nginx	 &lt;br /&gt;
 15	Add easy way to run the server as a background daemon	  &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-08.zip/download Release 0.8 (Q4/2014)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 is sort of a proof-of-concept of WebSpa: a stable version that demonstrates the concept of WebKnocking, however with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43	Change SSL configuration to allow wget&lt;br /&gt;
 41	WebSpa administrator to WebSpa user output	 &lt;br /&gt;
 40	Log to /var/log instead of a log.txt file	&lt;br /&gt;
 38	umask 077 should be added to webspa.sh	 &lt;br /&gt;
 32	A known_hosts file should be used to maintain the list of successfully verified keys	 &lt;br /&gt;
 31	Verification of server's public key fingerprint should be possible	 &lt;br /&gt;
 30	Help Files Update (0.8)	 &lt;br /&gt;
 - FIXED: Modified the checking of 2 arrays being equal to be constant in time (Ticket #27)&lt;br /&gt;
 2	Create maven build task for release	 &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user if they want to connect to web servers with untrusted certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring a user to copy-paste the URL into their browser. &lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available to offer &amp;quot;help&amp;quot;, and the log functionality timestamps all events logged.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 reduces the number of inputs required from a legitimate user of web-spa to only two: a valid pass-phrase, unique for each user, and a single digit in the range [0-9]. We refer to the latter as an action number; it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf	&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf	&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also included is an update to the message format to further protect against replay attacks. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
* webspa-client-04.jar&lt;br /&gt;
* webspa-elements-04.jar&lt;br /&gt;
* webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
* webspa-client-03.jar&lt;br /&gt;
* webspa-elements-03.jar&lt;br /&gt;
* webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=191768</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=191768"/>
				<updated>2015-03-19T15:35:58Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Updated &amp;quot;Quick Download&amp;quot; links&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, thereby executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
If port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot; then we define web knocking as &amp;quot;a form of host-to-host communication in which information flows across erroneous URLs&amp;quot;. Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
Release:&amp;lt;br&amp;gt;&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-08.zip/download WebSpa v0.8]&lt;br /&gt;
&lt;br /&gt;
Source:&amp;lt;br&amp;gt;&lt;br /&gt;
[https://github.com/OWASP/WebSpa/archive/v0.8.zip WebSpa v0.8.zip]&amp;lt;br&amp;gt;&lt;br /&gt;
[https://github.com/OWASP/WebSpa/archive/v0.8.tar.gz WebSpa v0.8.tar.gz]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to set up and use the server component. It details how to create new users and add new action numbers with the respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone interested in using WebSpa to set up its server-side component. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide to see how the two are used in tandem. &lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies: different groups have clearly stated that they want the source code as well as the documentation to be included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for WebSpa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for WebSpa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have Java installed, consider using the following command: &lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and to start the web-spa listening service. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [23 Nov 2014] Version 0.8 has been released and can now be found in the download section. We are proud to offer a working, stable proof-of-concept of WebSpa.&lt;br /&gt;
* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!] &lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Does WebSpa support older versions of Java?&lt;br /&gt;
: No. WebSpa is tested with an up-to-date JRE package, so running WebSpa requires JRE 1.7 or greater. Using older versions of Java may lead to unexpected system behaviour.&lt;br /&gt;
&lt;br /&gt;
; What does the ASCII-Art for WebSpa look like?&lt;br /&gt;
                    __                                           &lt;br /&gt;
                   /\ \                                          &lt;br /&gt;
   __  __  __     __\ \ \____             ____  _____      __     &lt;br /&gt;
 /\ \/\ \/\ \  /'__`\ \ '__`\  _______  /',__\/\ '__`\  /'__`\   &lt;br /&gt;
 \ \ \_/ \_/ \/\  __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_ &lt;br /&gt;
  \ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\&lt;br /&gt;
   \/__//__/   \/____/ \/___/           \/___/  \ \ \/  \/__/\/_/&lt;br /&gt;
                                                 \ \_\           &lt;br /&gt;
                                                  \/_/           &lt;br /&gt;
&lt;br /&gt;
The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&amp;amp;f=Larry%203D&amp;amp;t=web-spa here].&lt;br /&gt;
&lt;br /&gt;
; Who are the actors required in order to use the WebSpa tool?&lt;br /&gt;
&lt;br /&gt;
There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client. &lt;br /&gt;
&lt;br /&gt;
; How does the crypto of WebSpa work?&lt;br /&gt;
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase, during which a value is chosen, is done over an out-of-band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server. &lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
: To report a WebSpa bug, please feel free to create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don't own a sourceforge account, you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception &amp;amp; Development &lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Daniel Imber - Development &amp;amp; Refactoring&lt;br /&gt;
* [[User:Oliver_M.|Oliver Merki]] - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
* Patryk Arciszewski&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request, but also offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44	New WebKnock request format should be defined&lt;br /&gt;
 42	Do not limit the web knock to 100 characters, instead use SHA-512 lengths	 &lt;br /&gt;
 35	A threat model for WebSpa should be created and reviewed	 &lt;br /&gt;
 33	Apache should be replaced by nginx	 &lt;br /&gt;
 15	Add easy way to run the server as a background daemon	  &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-08.zip/download Release 0.8 (Q4/2014)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 is a proof-of-concept of WebSpa: a stable version to demonstrate the concept of WebKnocking, however with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43	Change SSL configuration to allow wget&lt;br /&gt;
 41	WebSpa administrator to WebSpa user output	 &lt;br /&gt;
 40	Log to /​var/​log instead of a log.txt file	&lt;br /&gt;
 38	umask 077 should be added to webspa.sh	 &lt;br /&gt;
 32	A known_hosts file should be used to maintain the list of successfully verified keys	 &lt;br /&gt;
 31	Verification of server's public key fingerprint should be possible	 &lt;br /&gt;
 30	Help Files Update (0.8)	 &lt;br /&gt;
 - FIXED: Modified the checking of 2 arrays being equal to be constant in time (Ticket #27)&lt;br /&gt;
 2	Create maven build task for release	 &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user if they want to connect web servers with untrusted certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so a user no longer needs to copy-paste the URL into their browser. &lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available to offer &amp;quot;help&amp;quot;, and the log functionality timestamps all events logged.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: a valid pass-phrase, unique for each user, and a single digit in the range [0-9]. We refer to the latter as an action number; it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf	&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf	&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-04.jar&lt;br /&gt;
 * webspa-elements-04.jar&lt;br /&gt;
 * webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-03.jar&lt;br /&gt;
 * webspa-elements-03.jar&lt;br /&gt;
 * webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=191716</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=191716"/>
				<updated>2015-03-19T06:26:47Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Updated contributors&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&amp;lt;div style=&amp;quot;width:100%;height:90px;border:0,margin:0;overflow: hidden;&amp;quot;&amp;gt;[[File:Incubator_big.jpg|link=OWASP_Project_Stages#tab=Incubator_Projects]]&amp;lt;/div&amp;gt;&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
If port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot; then we define web knocking as &amp;quot;a form of host-to-host communication in which information flows across erroneous URLs&amp;quot;. Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-08.zip/download WebSpa v0.8]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to set up and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone who would be interested in using WebSpa to set up its server-side component. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Thus, since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide document to see how the two can be used in tandem. &lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's log in to the box and get the latest WebSpa download:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well as the documentation to be included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for WebSpa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for WebSpa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have java installed, consider using the following command: &lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and to start the web-spa listening service. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [23 Nov 2014] Version 0.8 has been released and can now be found in the download section. We are proud to offer a working, stable proof-of-concept of WebSpa.&lt;br /&gt;
* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł, welcome to the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!] &lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Does WebSpa support older versions of Java?&lt;br /&gt;
: No. WebSpa is tested with an up-to-date JRE package, thus to run WebSpa a JRE 1.7 or greater is needed.&lt;br /&gt;
Using older versions of Java may lead to unexpected system behaviors.&lt;br /&gt;
&lt;br /&gt;
; What does the ASCII-Art for WebSpa look like?&lt;br /&gt;
                    __                                           &lt;br /&gt;
                   /\ \                                          &lt;br /&gt;
   __  __  __     __\ \ \____             ____  _____      __     &lt;br /&gt;
 /\ \/\ \/\ \  /'__`\ \ '__`\  _______  /',__\/\ '__`\  /'__`\   &lt;br /&gt;
 \ \ \_/ \_/ \/\  __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_ &lt;br /&gt;
  \ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\&lt;br /&gt;
   \/__//__/   \/____/ \/___/           \/___/  \ \ \/  \/__/\/_/&lt;br /&gt;
                                                 \ \_\           &lt;br /&gt;
                                                  \/_/           &lt;br /&gt;
&lt;br /&gt;
The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&amp;amp;f=Larry%203D&amp;amp;t=web-spa here].&lt;br /&gt;
&lt;br /&gt;
; Who are the actors required in order to use the WebSpa tool?&lt;br /&gt;
&lt;br /&gt;
There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client. &lt;br /&gt;
&lt;br /&gt;
; How does the crypto of WebSpa work?&lt;br /&gt;
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server. &lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
: To report a WebSpa bug please feel free to create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don't own a sourceforge account you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception &amp;amp; Development &lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Daniel Imber - Development &amp;amp; Refactoring&lt;br /&gt;
* [[User:Oliver_M.|Oliver Merki]] - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
* Patryk Arciszewski&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request, but also offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44	New WebKnock request format should be defined&lt;br /&gt;
 42	Do not limit the web knock to 100 characters, instead use SHA-512 lengths	 &lt;br /&gt;
 35	A threat model for WebSpa should be created and reviewed	 &lt;br /&gt;
 33	Apache should be replaced by nginx	 &lt;br /&gt;
 15	Add easy way to run the server as a background daemon	  &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-08.zip/download Release 0.8 (Q4/2014)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 is a proof-of-concept of WebSpa: a stable version to demonstrate the concept of WebKnocking, however with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43	Change SSL configuration to allow wget&lt;br /&gt;
 41	WebSpa administrator to WebSpa user output	 &lt;br /&gt;
 40	Log to /var/log instead of a log.txt file	&lt;br /&gt;
 38	umask 077 should be added to webspa.sh	 &lt;br /&gt;
 32	A known_hosts file should be used to maintain the list of successfully verified keys	 &lt;br /&gt;
 31	Verification of server's public key fingerprint should be possible	 &lt;br /&gt;
 30	Help Files Update (0.8)	 &lt;br /&gt;
 - FIXED: Modified the checking of 2 arrays being equal to be constant in time (Ticket #27)&lt;br /&gt;
 2	Create maven build task for release	 &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user if they want to connect to web servers with untrusted certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.6 offers enhanced logging functionality and fixes a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so a user no longer needs to copy-paste the URL into their browser. &lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available to offer &amp;quot;help&amp;quot;, and the log functionality now records a timestamp for every event logged.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf	&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf	&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-04.jar&lt;br /&gt;
 * webspa-elements-04.jar&lt;br /&gt;
 * webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-03.jar&lt;br /&gt;
 * webspa-elements-03.jar&lt;br /&gt;
 * webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=User:Oliver_M.&amp;diff=185784</id>
		<title>User:Oliver M.</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=User:Oliver_M.&amp;diff=185784"/>
				<updated>2014-11-23T18:59:58Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: update CV and project involvements&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Oliver grew up in a world of monochrome displays, needle printers, QuickBASIC and dial-up connections. He has always been very interested in information technology and has always had a high affinity for IT security. After a commercial apprenticeship, he studied IT at Zurich University of Applied Sciences (ZHAW) and wrote his bachelor's thesis on the topic 'BYOD from a risk management perspective'.&lt;br /&gt;
&lt;br /&gt;
In his professional life, Oliver works as an ICT Security &amp;amp; Risk Engineer for one of Switzerland's biggest hospitals and only recently passed the CISM and CISSP exams. Previously, he had been working as an IT Risk Assessor and Vulnerability Manager for a major Swiss bank for several years.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Application Security &amp;amp; Project Involvement'''&lt;br /&gt;
*2013 - OWASP WebSpa Project ([https://www.owasp.org/index.php/OWASP_WebSpa_Project WebSpa])&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
'''Contact'''&lt;br /&gt;
&lt;br /&gt;
Oliver Merki &amp;lt;br&amp;gt; oliver.merki@owasp.org&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=185783</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=185783"/>
				<updated>2014-11-23T18:46:27Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Release 0.8; updated Roadmap &amp;amp; News sections as well as the Quick Download link&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
If port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot; then we define web knocking as &amp;quot;a form of host-to-host communication in which information flows across erroneous URLs&amp;quot;. Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-08.zip/download WebSpa v0.8]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The topic discussed here is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents whose purpose is to describe how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to set up and use the server component. It details how to create new users and add new action numbers with the respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone interested in using WebSpa to set up its server-side component. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions, as O/S commands, to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work if a WebSpa client does not submit a web knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Thus, since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide to see how the two can be used in tandem. &lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone interested in using WebSpa to do so. As soon as you install the server-side component and decide which actions to allow, you'll be ready to use the corresponding client for issuing the actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup you should follow in order to reproduce, on your own server, what is shown in the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)].&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary start and stop commands for this service. So, let's log in to the box and get the latest WebSpa download:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies: different groups have clearly stated that they want the source code as well as the documentation to be included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for WebSpa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for WebSpa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have Java installed, consider using the following command: &lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This will meet the one prerequisite for using WebSpa. As this is a production server, the docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. To leave this prompt, type 'exit' or 'x', as the banner says. In the next step we will add three users and assign a unique pass-phrase to each of them. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and to start the web-spa listening service. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally, issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [23 Nov 2014] Version 0.8 has been released and can now be found in the download section. We are proud to offer a working, stable proof-of-concept of WebSpa.&lt;br /&gt;
* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł, welcome to the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!] &lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Does WebSpa support older versions of Java?&lt;br /&gt;
: No. WebSpa is tested with an up-to-date JRE package, so a JRE 1.7 or greater is needed to run WebSpa. Using older versions of Java may lead to unexpected system behaviour.&lt;br /&gt;
&lt;br /&gt;
; What does the ASCII-Art for WebSpa look like?&lt;br /&gt;
                    __                                           &lt;br /&gt;
                   /\ \                                          &lt;br /&gt;
   __  __  __     __\ \ \____             ____  _____      __     &lt;br /&gt;
 /\ \/\ \/\ \  /'__`\ \ '__`\  _______  /',__\/\ '__`\  /'__`\   &lt;br /&gt;
 \ \ \_/ \_/ \/\  __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_ &lt;br /&gt;
  \ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\&lt;br /&gt;
   \/__//__/   \/____/ \/___/           \/___/  \ \ \/  \/__/\/_/&lt;br /&gt;
                                                 \ \_\           &lt;br /&gt;
                                                  \/_/           &lt;br /&gt;
&lt;br /&gt;
The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&amp;amp;f=Larry%203D&amp;amp;t=web-spa here].&lt;br /&gt;
&lt;br /&gt;
; Who are the actors required in order to use the WebSpa tool?&lt;br /&gt;
&lt;br /&gt;
: There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user which O/S commands that user is allowed to run, while the user, well, executes these commands on the server by using the client. &lt;br /&gt;
&lt;br /&gt;
; How does the crypto of WebSpa work?&lt;br /&gt;
: From the perspective of cryptographic engineering, WebSpa uses a hash-based [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase, in which a value is chosen, takes place over an out-of-band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server. &lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP; however, for security reasons it is highly recommended to use HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
: To report a WebSpa bug, please feel free to create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don't have a sourceforge account, you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception &amp;amp; Development &lt;br /&gt;
* Patryk Arciszewski - Theoretician &amp;amp; Documentation&lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* [[User:Oliver_M.|Oliver Merki]] - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and will include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request, but also offer improved usability features that simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44  New WebKnock request format should be defined&lt;br /&gt;
 42  Do not limit the web knock to 100 characters, instead use SHA-512 lengths&lt;br /&gt;
 35  A threat model for WebSpa should be created and reviewed&lt;br /&gt;
 33  Apache should be replaced by nginx&lt;br /&gt;
 15  Add easy way to run the server as a background daemon&lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-08.zip/download Release 0.8 (Q4/2014)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 is a proof-of-concept release of WebSpa: a stable version that demonstrates the concept of WebKnocking, with some limitations regarding usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43  Change SSL configuration to allow wget&lt;br /&gt;
 41  WebSpa administrator to WebSpa user output&lt;br /&gt;
 40  Log to /var/log instead of a log.txt file&lt;br /&gt;
 38  umask 077 should be added to webspa.sh&lt;br /&gt;
 32  A known_hosts file should be used to maintain the list of successfully verified keys&lt;br /&gt;
 31  Verification of server's public key fingerprint should be possible&lt;br /&gt;
 30  Help Files Update (0.8)&lt;br /&gt;
 27  FIXED: Modified the check that two arrays are equal to run in constant time&lt;br /&gt;
 2   Create maven build task for release&lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now allows a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user whether they want to connect to web servers with untrusted certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.6 offers enhanced logging functionality and fixes a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so a user no longer needs to copy-paste the URL into their browser. &lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available as a synonym for &amp;quot;help&amp;quot;, and the log functionality records a timestamp for every event logged.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 reduces the number of inputs required from a legitimate user of web-spa to only two: a valid pass-phrase, unique for each user, and a single digit in the range [0-9]. We refer to the latter as an action number; it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. The message format has also been updated to further protect against replay attacks. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
* webspa-client-04.jar&lt;br /&gt;
* webspa-elements-04.jar&lt;br /&gt;
* webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
* webspa-client-03.jar&lt;br /&gt;
* webspa-elements-03.jar&lt;br /&gt;
* webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=182059</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=182059"/>
				<updated>2014-09-09T20:01:42Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Added link to the OWASP Connector newsletter in the news section&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
If port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot; then we define web knocking as &amp;quot;a form of host-to-host communication in which information flows across erroneous URLs&amp;quot;. Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon this work, you distribute the resulting work only under the same or a similar license to this one.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU General Public License (GPL) version 3]. For reference, the full text of the GPLv3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The topic discussed here is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents whose purpose is to describe how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to set up and use the server component. It details how to create new users and add new action numbers with the respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone interested in using WebSpa to set up its server-side component. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions, as O/S commands, to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work if a WebSpa client does not submit a web knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Thus, since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide to see how the two can be used in tandem. &lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone interested in using WebSpa to do so. As soon as you install the server-side component and decide which actions to allow, you'll be ready to use the corresponding client for issuing the actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup needed to reproduce, on your own server, what is shown in the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)].&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server as the user 'web-spa'. We also assume that 'web-spa' is permitted to run the service start and stop commands for SSH; the actions below invoke them through sudo, so a sudoers rule limited to exactly those two commands is the least-privilege way to grant this. Keep in mind that every configured action executes with this user's privileges, so give it no more than the actions need. So, let's log in to the box and get the WebSpa 0.6 download used in this walkthrough:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something we can (more or less) vouch for: the check proves the archive arrived intact, though since the digest is published by the same site that serves the file it is not an independent guarantee of authenticity. Let's extract and set up.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies: different groups have clearly stated they want the source code as well as the documentation included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for WebSpa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for WebSpa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have Java installed, consider using the following command:&lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This meets the one prerequisite for using WebSpa. As this is a production server, the docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. To exit it, type 'exit' or 'x', as the banner says. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to one of them. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to activate the user Patryk (users are created inactive, as the 'Active' column shows) and to start the web-spa listening service.&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally, issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
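&lt;br /&gt;
That is the whole server-side procedure: tail the access log and, when a request line carries a valid knock for an active user, run the premeditated command bound to that action number. To make the checks such a listener has to perform concrete, here is an added example written for this page; it is not WebSpa's code, and the knock layout it uses (user ID, action digit, Unix timestamp, nonce and an HMAC-SHA-256 tag joined by dots under a hypothetical /knock/ prefix) is invented for illustration, not the WebSpa WebKnock format. User ID 13 and the two SSH actions mirror the tutorial above; the pass-phrase and the access-log lines are constructed. It shows the three checks that matter for any knock: a keyed tag verified with a constant-time comparison (the property ticket #27 in the roadmap asks for), a freshness window, and a replay cache so that a captured knock cannot be resubmitted.&lt;br /&gt;
&lt;br /&gt;
```python
"""Minimal web-knock verifier over web-server access-log lines.

Added illustration for this page: the knock layout below (user id, action
digit, Unix timestamp, nonce, HMAC-SHA-256 tag) is a hypothetical format and
is NOT the WebSpa WebKnock format. It shows the checks a server that tails
an access log must make before running a premeditated command.
"""
import hashlib
import hmac
import re
import secrets
import time

# Constructed stand-in for WebSpa's user/action database. The pass-phrase is
# hypothetical; user 13 and the two actions mirror the tutorial above.
USERS = {
    "13": {
        "passphrase": b"correct horse battery staple",
        "actions": {"0": "sudo service ssh stop", "1": "sudo service ssh start"},
    },
}
MAX_SKEW = 60             # seconds a knock may be old (or early) and still count
KNOCK_PREFIX = "/knock/"  # hypothetical path the knock hides under (404 by design)

# Combined log format: only the request line matters to the listener.
LOG_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')

# Nonces already honoured: a captured knock must not fire a second time.
_seen_nonces = set()


def _tag(key, user_id, action, ts, nonce):
    """Keyed tag over every field the server acts on."""
    msg = f"{user_id}|{action}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_knock_url(user_id, action, now=None, nonce=None):
    """Client side: build the single URL a user submits."""
    key = USERS[user_id]["passphrase"]
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(8)
    tag = _tag(key, user_id, action, ts, nonce)
    return f"{KNOCK_PREFIX}{user_id}.{action}.{ts}.{nonce}.{tag}"


def verify_knock(path, now=None):
    """Server side: return (True, command) or (False, reason).

    The reason is for the server's own log only; the web server still answers
    404 to the client, so a prober learns nothing from the knock path.
    """
    now = int(time.time() if now is None else now)
    if not path.startswith(KNOCK_PREFIX):
        return False, "not a knock"
    parts = path[len(KNOCK_PREFIX):].split(".")
    if len(parts) != 5:
        return False, "malformed"
    user_id, action, ts, nonce, tag = parts
    user = USERS.get(user_id)
    if user is None or not ts.isdigit():
        return False, "unknown user"
    expected = _tag(user["passphrase"], user_id, action, int(ts), nonce)
    # Constant-time comparison: an early-exit byte compare (the Arrays.equals
    # issue recorded as ticket #27) would leak how much of the tag matched.
    # The tag is checked first so unauthenticated input never reaches the
    # replay cache.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "bad tag"
    if abs(now - int(ts)) not in range(MAX_SKEW + 1):
        return False, "stale"
    if nonce in _seen_nonces:
        return False, "replay"
    _seen_nonces.add(nonce)
    command = user["actions"].get(action)
    if command is None:
        return False, "no such action"
    return True, command


def process_log_line(line, now=None):
    """Tail callback: the command a log line authorises, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ok, result = verify_knock(m.group(1), now)
    return result if ok else None


if __name__ == "__main__":
    # Constructed access-log lines: a valid knock, its replay, a tampered copy.
    now = 1_393_157_770
    url = make_knock_url("13", "1", now=now - 3, nonce="0123456789abcdef")
    tampered = url[:-1] + ("0" if url[-1] != "0" else "1")
    for path in (url, url, tampered):
        line = f'203.0.113.7 - - [23/Feb/2014:12:56:07 +0000] "GET {path} HTTP/1.1" 404 209'
        print(process_log_line(line, now=now))
```
&lt;br /&gt;
Run directly, it classifies the three constructed log lines: the first knock yields the start command, the identical second line is rejected as a replay, and the copy with one hex digit of the tag changed is rejected before it can touch the replay cache. In a real listener the returned command string would be handed to a subprocess and the nonce cache persisted across restarts; here it is returned so the decision can be inspected.&lt;br /&gt;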
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!]&lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP. However, the whole knock travels in the URL of a single GET request, so over plain HTTP it is visible to anyone on the network path and in any intermediate proxy log; for security reasons it is highly recommended to use HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
:To report a WebSpa bug please create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don't have a sourceforge account you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* Yiannis Pavlosoglou - Inception &amp;amp; Development &lt;br /&gt;
* Patryk Arciszewski - Theoretician &amp;amp; Documentation&lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Oliver Merki - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44  New WebKnock request format should be defined&lt;br /&gt;
 42  Do not limit the web knock to 100 characters, instead use SHA-512 lengths&lt;br /&gt;
 35  A threat model for WebSpa should be created and reviewed&lt;br /&gt;
 33  Apache should be replaced by nginx&lt;br /&gt;
&lt;br /&gt;
== Release 0.85 (Q1/2015) ==&lt;br /&gt;
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 40  Log to /var/log instead of a log.txt file&lt;br /&gt;
 15  Add easy way to run the server as a background daemon&lt;br /&gt;
&lt;br /&gt;
== Release 0.8 (Q4/2014) ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 will be a proof-of-concept release: a stable version that demonstrates the concept of WebKnocking, but with some limitations regarding usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43  Change SSL configuration to allow wget&lt;br /&gt;
 41  WebSpa administrator to WebSpa user output&lt;br /&gt;
 38  umask 077 should be added to webspa.sh&lt;br /&gt;
 32  A known_hosts file should be used to maintain the list of successfully verified keys&lt;br /&gt;
 31  Verification of server's public key fingerprint should be possible&lt;br /&gt;
 30  Help Files Update (0.8)&lt;br /&gt;
 27  Arrays.equals is not a constant time function&lt;br /&gt;
 2   Create maven build task for release&lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user whether to connect to web servers with unknown/untrusted/self-signed certificates. (Ticket #28)&lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.6 offers enhanced logging functionality and fixes a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so a user no longer needs to copy-paste the URL into their browser.&lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available as an alias for &amp;quot;help&amp;quot;, and the log functionality timestamps every event logged.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-04.jar&lt;br /&gt;
 * webspa-elements-04.jar&lt;br /&gt;
 * webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-03.jar&lt;br /&gt;
 * webspa-elements-03.jar&lt;br /&gt;
 * webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=181935</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=181935"/>
				<updated>2014-09-08T04:55:45Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Added definition of &amp;quot;Web Knocking&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
If port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot; then we define web knocking as &amp;quot;a form of host-to-host communication in which information flows across erroneous URLs&amp;quot;. Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and, if you alter, transform, or build upon it, distribute the resulting work only under the same or a similar license.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU General Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
This tutorial is about web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents describing how WebSpa can be used:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' describes how to set up and use the server component. It details how to create new users and add new action numbers with the respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' describes the actual design, detailing the use case, specification, requirements and the attacks this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone interested in using WebSpa to set up its server-side component. After configuring the server component, you'll be ready to use the corresponding client for issuing direct actions, as O/S commands, to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, note that the server operations described in that document do nothing on their own: an O/S command is only executed once a WebSpa client submits a valid web-knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide to see how the two are used in tandem.&lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone interested in using WebSpa to do so. As soon as you have installed the server-side component and decided which actions to allow, you'll be ready to use the corresponding client for issuing the actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup needed to reproduce, on your own server, what is shown in the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)].&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server as the user 'web-spa'. We also assume that 'web-spa' is permitted to run the service start and stop commands for SSH; the actions below invoke them through sudo, so a sudoers rule limited to exactly those two commands is the least-privilege way to grant this. Keep in mind that every configured action executes with this user's privileges, so give it no more than the actions need. So, let's log in to the box and get the WebSpa 0.6 download used in this walkthrough:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something we can (more or less) vouch for: the check proves the archive arrived intact, though since the digest is published by the same site that serves the file it is not an independent guarantee of authenticity. Let's extract and set up.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies: different groups have clearly stated they want the source code as well as the documentation included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for web-spa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for web-spa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have Java installed, consider using the following command:&lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This meets the one prerequisite for using WebSpa. As this is a production server, the docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. To exit it, type 'exit' or 'x', as the banner says. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and start the web-spa listening service.&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł, welcome to the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!]&lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
: To report a WebSpa bug please feel free to create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don't have a sourceforge account you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* Yiannis Pavlosoglou - Inception &amp;amp; Development &lt;br /&gt;
* Patryk Arciszewski - Theoretician &amp;amp; Documentation&lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Oliver Merki - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44	New WebKnock request format should be defined&lt;br /&gt;
 42	Do not limit the web knock to 100 characters, instead use SHA-512 lengths	 &lt;br /&gt;
 35	A threat model for WebSpa should be created and reviewed	 &lt;br /&gt;
 33	Apache should be replaced by nginx	 &lt;br /&gt;
&lt;br /&gt;
== Release 0.85 (Q1/2015) ==&lt;br /&gt;
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 40	Log to /var/log instead of a log.txt file&lt;br /&gt;
 15	Add easy way to run the server as a background daemon	  &lt;br /&gt;
&lt;br /&gt;
== Release 0.8 (Q4/2014) ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 will be a proof-of-concept release of WebSpa: a stable version to demonstrate the concept of WebKnocking, but with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43	Change SSL configuration to allow wget&lt;br /&gt;
 41	WebSpa administrator to WebSpa user output	 &lt;br /&gt;
 38	umask 077 should be added to webspa.sh	 &lt;br /&gt;
 32	A known_hosts file should be used to maintain the list of successfully verified keys	 &lt;br /&gt;
 31	Verification of server's public key fingerprint should be possible	 &lt;br /&gt;
 30	Help Files Update (0.8)	 &lt;br /&gt;
 27	Arrays.equals is not a constant time function	 &lt;br /&gt;
 2	Create maven build task for release	 &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so that a user no longer needs to copy-paste the URL into their browser.&lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available as an alias for &amp;quot;help&amp;quot;, and the log functionality now records a timestamp for every event logged.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: a valid pass-phrase, unique for each user, and a single digit in the range [0-9]. We refer to the latter as an action number; it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf	&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf	&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included. &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-04.jar&lt;br /&gt;
 * webspa-elements-04.jar&lt;br /&gt;
 * webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa_v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-03.jar&lt;br /&gt;
 * webspa-elements-03.jar&lt;br /&gt;
 * webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=181189</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=181189"/>
				<updated>2014-08-26T18:53:11Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Updated project roadmap for WebSpa v0.8 - v0.9&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Thus, since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.&lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies, different groups have clearly stated they wanted the source code as well as the documentation to be included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for web-spa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for web-spa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have java installed, consider using the following command: &lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt, let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and start the web-spa listening service.&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [07 May 2014] Added four video links in the respective &amp;quot;Video&amp;quot; tab, referencing YouTube&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł, welcome to the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!]&lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP; however, for security reasons it is highly recommended to use HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
:To report a WebSpa bug, please feel free to create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you do not have a sourceforge account, you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* Yiannis Pavlosoglou - Inception &amp;amp; Development &lt;br /&gt;
* Patryk Arciszewski - Theoretician &amp;amp; Documentation&lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Oliver Merki - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q3/2015) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will be a major release and include a comprehensive redesign of the WebKnock format in order to improve the overall security and robustness of the request. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 44	New WebKnock request format should be defined&lt;br /&gt;
 42	Do not limit the web knock to 100 characters, instead use SHA-512 lengths	 &lt;br /&gt;
 35	A threat model for WebSpa should be created and reviewed	 &lt;br /&gt;
 33	Apache should be replaced by nginx	 &lt;br /&gt;
&lt;br /&gt;
== Release 0.85 (Q1/2015) ==&lt;br /&gt;
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 40	Log to /​var/​log instead of a log.txt file	&lt;br /&gt;
 15	Add easy way to run the server as a background daemon	  &lt;br /&gt;
&lt;br /&gt;
== Release 0.8 (Q4/2014) ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 will serve as a proof-of-concept of WebSpa: a stable version to demonstrate the concept of WebKnocking, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:&lt;br /&gt;
&lt;br /&gt;
 43	Change SSL configuration to allow wget&lt;br /&gt;
 41	WebSpa administrator to WebSpa user output	 &lt;br /&gt;
 38	umask 077 should be added to webspa.sh	 &lt;br /&gt;
 32	A known_hosts file should be used to maintain the list of successfully verified keys	 &lt;br /&gt;
 31	Verification of server's public key fingerprint should be possible	 &lt;br /&gt;
 30	Help Files Update (0.8)	 &lt;br /&gt;
 27	Arrays.equals is not a constant time function	 &lt;br /&gt;
 2	Create maven build task for release	 &lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user if he wants to connect to web servers with unknown/untrusted/self-signed certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: The array is no longer sorted, as sorting reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so that a user no longer needs to copy-paste the URL into their browser. &lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available to offer &amp;quot;help&amp;quot;, and the log functionality now records a timestamp for every logged event.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: a valid pass-phrase, unique for each user, and a single digit in the range [0-9]. We refer to the latter as an action number; it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf	&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf	&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also, an update to the message format has been included to further protect against replay attacks. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-04.jar&lt;br /&gt;
 * webspa-elements-04.jar&lt;br /&gt;
 * webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-03.jar&lt;br /&gt;
 * webspa-elements-03.jar&lt;br /&gt;
 * webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=173426</id>
		<title>OWASP WebSpa Project</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=OWASP_WebSpa_Project&amp;diff=173426"/>
				<updated>2014-04-24T20:03:50Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: WebSpa Release 0.7; New team member added to the people section&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;=Main=&lt;br /&gt;
&lt;br /&gt;
{| style=&amp;quot;padding: 0;margin:0;margin-top:10px;text-align:left;&amp;quot; |-&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
==OWASP WebSpa Project==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. &lt;br /&gt;
It provides a cryptographically protected &amp;quot;open sesame&amp;quot; mechanism on the web application layer, comparable to well-known port-knocking techniques.&lt;br /&gt;
&lt;br /&gt;
==Description==&lt;br /&gt;
&lt;br /&gt;
This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.&lt;br /&gt;
&lt;br /&gt;
Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: only the client can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.&lt;br /&gt;
&lt;br /&gt;
==Licensing==&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is free to use. It is licensed under the [http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, adapt it and use it commercially, provided that you attribute the work and, if you alter, transform or build upon it, distribute the resulting work only under the same or a similar license.&lt;br /&gt;
&lt;br /&gt;
The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license. &lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;&amp;quot; |&lt;br /&gt;
&lt;br /&gt;
== What is WebSpa? ==&lt;br /&gt;
&lt;br /&gt;
OWASP WebSpa provides:&lt;br /&gt;
&lt;br /&gt;
* A secure channel for executing premeditated O/S commands on your web server&lt;br /&gt;
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Presentation ==&lt;br /&gt;
&lt;br /&gt;
http://sourceforge.net/projects/webspa/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
| valign=&amp;quot;top&amp;quot;  style=&amp;quot;padding-left:25px;width:200px;&amp;quot; | &lt;br /&gt;
&lt;br /&gt;
== Quick Download ==&lt;br /&gt;
&lt;br /&gt;
* http://sourceforge.net/projects/webspa/files/latest/download?source=files&lt;br /&gt;
&lt;br /&gt;
==Classifications==&lt;br /&gt;
&lt;br /&gt;
   {| width=&amp;quot;200&amp;quot; cellpadding=&amp;quot;2&amp;quot;&lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot; rowspan=&amp;quot;2&amp;quot;| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-builders-small.png|link=]]  &lt;br /&gt;
   |-&lt;br /&gt;
   | align=&amp;quot;center&amp;quot; valign=&amp;quot;top&amp;quot; width=&amp;quot;50%&amp;quot;| [[File:Owasp-defenders-small.png|link=]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]&lt;br /&gt;
   |-&lt;br /&gt;
   | colspan=&amp;quot;2&amp;quot; align=&amp;quot;center&amp;quot;  | [[File:Project_Type_Files_CODE.jpg|link=]]&lt;br /&gt;
   |}&lt;br /&gt;
&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Videos =&lt;br /&gt;
&lt;br /&gt;
{|&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}} &lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}} &lt;br /&gt;
|&lt;br /&gt;
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}} &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
= Tutorial =&lt;br /&gt;
&lt;br /&gt;
== Supporting Documentation ==&lt;br /&gt;
&lt;br /&gt;
The topic discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents describing how WebSpa can be used. The three documents are:&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Administration Guide''' This document describes how to set up and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand&lt;br /&gt;
&lt;br /&gt;
* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server&lt;br /&gt;
&lt;br /&gt;
The administration guide aims to enable anyone interested in using WebSpa to set up its server-side component. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.&lt;br /&gt;
&lt;br /&gt;
If this is your first time using WebSpa, please note that the server operations described in this document will not work unless a WebSpa client submits a web-knock to your web server in a timely manner.&lt;br /&gt;
&lt;br /&gt;
Thus, since a client implementation goes hand-in-hand with a server instance, please also have a look at the WebSpa user guide to see how the two can be used in tandem. &lt;br /&gt;
&lt;br /&gt;
The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.&lt;br /&gt;
&lt;br /&gt;
Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.&lt;br /&gt;
&lt;br /&gt;
== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==&lt;br /&gt;
&lt;br /&gt;
In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.&lt;br /&gt;
&lt;br /&gt;
We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:&lt;br /&gt;
&lt;br /&gt;
 ssh web-spa@web.spa.seleucus.net&lt;br /&gt;
 web-spa@web:~$ cd /tmp&lt;br /&gt;
 web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ echo &amp;quot;a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip&amp;quot; | sha1sum -c -&lt;br /&gt;
 webspa-06.zip: OK&lt;br /&gt;
 web-spa@web:/tmp$ &lt;br /&gt;
&lt;br /&gt;
Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.&lt;br /&gt;
&lt;br /&gt;
 unzip webspa-06.zip&lt;br /&gt;
&lt;br /&gt;
A lot of noise comes back from this command. Apologies, different groups have clearly stated that they want the source code as well as the documentation to be included within the download. Let's have a look at the install file:&lt;br /&gt;
&lt;br /&gt;
 =================================================&lt;br /&gt;
 - Prerequisites for web-spa&lt;br /&gt;
 =================================================&lt;br /&gt;
&lt;br /&gt;
 The following programs must be installed in order&lt;br /&gt;
 for web-spa to run:&lt;br /&gt;
&lt;br /&gt;
 - Java 1.6 or later&lt;br /&gt;
&lt;br /&gt;
If you don't have Java installed, consider using the following command: &lt;br /&gt;
&lt;br /&gt;
 sudo aptitude install openjdk-7-jre&lt;br /&gt;
&lt;br /&gt;
This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:&lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/&lt;br /&gt;
 web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/&lt;br /&gt;
 web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt&lt;br /&gt;
&lt;br /&gt;
We now have WebSpa in /opt; let's run the server and create some users. &lt;br /&gt;
&lt;br /&gt;
 web-spa@web:/tmp$ cd /opt/web-spa-0.6/&lt;br /&gt;
 web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server&lt;br /&gt;
&lt;br /&gt;
 Web-Spa - Single HTTP/S Request Authorisation&lt;br /&gt;
 version 0.6 (web-spa@seleucus.net)&lt;br /&gt;
&lt;br /&gt;
 This is a holding prompt, type &amp;quot;exit&amp;quot; or &amp;quot;x&amp;quot; to quit&lt;br /&gt;
&lt;br /&gt;
 - type &amp;quot;service start&amp;quot; to start the web-spa server&lt;br /&gt;
 - type &amp;quot;help&amp;quot; or &amp;quot;?&amp;quot; for more options&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Yiannis Pavlosoglou&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com&lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Oliver Merki&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user: &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user add&lt;br /&gt;
 =[Required] Enter the New User's Full Name: Patryk&lt;br /&gt;
 =[Required] Enter the New User's Pass-Phrase: &lt;br /&gt;
 =[Required] Re-enter the above value: &lt;br /&gt;
 -[Optional] Please enter the New User's Email Address: &lt;br /&gt;
 -[Optional] Please enter the New User's Phone Number: &lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh start &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 1&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;action add&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 The existing actions for this user are: &lt;br /&gt;
 Actions for user with ID: 13&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 #  O/S Command                     Last Executed            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 1  sudo service ssh start          has never been executed&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 =[Required] Enter the new O/S Command: sudo service ssh stop &lt;br /&gt;
 =[Required] Select an action number for this O/S Command [0,9]: 0&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget are to enable the user Patryk and to start the web-spa listening service. &lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;user activate&lt;br /&gt;
 Users:&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 ID  Active  Full Name               Last Modified            &lt;br /&gt;
 -----------------------------------------------------------&lt;br /&gt;
 11  false   Yiannis Pavlosoglou     2014-02-23 12:09:26.240&lt;br /&gt;
 12  false   Oliver Merki            2014-02-23 12:12:13.313&lt;br /&gt;
 13  false   Patryk                  2014-02-23 12:14:57.895&lt;br /&gt;
 ___________________________________________________________&lt;br /&gt;
 -[Optional] Select a User ID: 13&lt;br /&gt;
 User with ID: 13 is in-active&lt;br /&gt;
 -[Optional] Toggle user activation [Y/n]: &lt;br /&gt;
 User with ID: 13 is active&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
And finally issue the service start command:&lt;br /&gt;
&lt;br /&gt;
 web-spa-server&amp;gt;service start&lt;br /&gt;
 [2014-02-23 12-36-07] Attempting to start web-spa...&lt;br /&gt;
 [2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log&lt;br /&gt;
 [2014-02-23 12-36-07] Creating tail listener...&lt;br /&gt;
 [2014-02-23 12-36-07] Web-spa server started!&lt;br /&gt;
 [2014-02-23 12-36-07] Please make sure your web server is also up&lt;br /&gt;
 web-spa-server&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= News =&lt;br /&gt;
&lt;br /&gt;
* [24 Apr 2014] Version 0.7 has been released and can now be found in the download section. Also, we welcome Paweł and Joël to the team.&lt;br /&gt;
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]&lt;br /&gt;
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł, welcome to the team!&lt;br /&gt;
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]&lt;br /&gt;
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast is now available!] &lt;br /&gt;
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code&lt;br /&gt;
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section&lt;br /&gt;
* [08 Nov 2013] The OWASP Web Knocking Project is created&lt;br /&gt;
&lt;br /&gt;
=FAQs=&lt;br /&gt;
&lt;br /&gt;
; Can one deploy WebSpa over HTTP? &lt;br /&gt;
: Yes, WebSpa can be deployed over HTTP; however, for security reasons it is highly recommended to use HTTPS.&lt;br /&gt;
&lt;br /&gt;
; How to report a WebSpa bug?&lt;br /&gt;
:To report a WebSpa bug, please feel free to create a ticket on [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you do not have a sourceforge account, you may send an e-mail to one of the contributors.&lt;br /&gt;
&lt;br /&gt;
= People =&lt;br /&gt;
&lt;br /&gt;
The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.&lt;br /&gt;
&lt;br /&gt;
Active contributors:&lt;br /&gt;
* Yiannis Pavlosoglou - Inception &amp;amp; Development &lt;br /&gt;
* Patryk Arciszewski - Theoretician &amp;amp; Documentation&lt;br /&gt;
* Paweł Goleń - Breaking &amp;amp; Infrastructure &lt;br /&gt;
* Joël Rouiller - Development &amp;amp; Optimisation&lt;br /&gt;
* Oliver Merki - Leader &amp;amp; Operations&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Retired contributors:&lt;br /&gt;
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]&lt;br /&gt;
&lt;br /&gt;
= Roadmap =&lt;br /&gt;
&lt;br /&gt;
== Release 0.9 (Q2-Q3/2014) == &lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question. &lt;br /&gt;
&lt;br /&gt;
== Release 0.8 (Q2/2014) ==&lt;br /&gt;
&lt;br /&gt;
WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a WebSpa administrator to generate a single output of all actions available for a Web Knocking user.&lt;br /&gt;
&lt;br /&gt;
== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==&lt;br /&gt;
&lt;br /&gt;
This is the current release of WebSpa. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.&lt;br /&gt;
&lt;br /&gt;
 - NEW: The WebSpa client asks the user if he wants to connect to web servers with unknown/untrusted/self-signed certificates. (Ticket #28) &lt;br /&gt;
 - NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.&lt;br /&gt;
 - NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.&lt;br /&gt;
 - FIXED: The array is no longer sorted, as sorting reduced the entropy of the web-knock. (Ticket #24)&lt;br /&gt;
 - FIXED: Reworked and added test cases.&lt;br /&gt;
 - FIXED: Removed dependency on Spring security. (Ticket #18)&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit the web knock request itself, so that a user no longer needs to copy-paste the URL into their browser. &lt;br /&gt;
&lt;br /&gt;
Additional test cases have been added, the option &amp;quot;?&amp;quot; is now available to offer &amp;quot;help&amp;quot;, and the log functionality now records a timestamp for every logged event.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==&lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: a valid pass-phrase, unique for each user, and a single digit in the range [0-9]. We refer to the latter as an action number; it represents a premeditated Operating System (O/S) command.&lt;br /&gt;
&lt;br /&gt;
All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:&lt;br /&gt;
&lt;br /&gt;
 - 00-web-spa-administration-guide.pdf	&lt;br /&gt;
 - 00-web-spa-specification-guide.pdf	&lt;br /&gt;
 - 00-web-spa-user-guide.pdf&lt;br /&gt;
&lt;br /&gt;
The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).&lt;br /&gt;
&lt;br /&gt;
Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] == &lt;br /&gt;
&lt;br /&gt;
A number of updates and bug fixes have been included within this version. Also, an update to the message format has been included to further protect against replay attacks. &lt;br /&gt;
&lt;br /&gt;
WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-04.jar&lt;br /&gt;
 * webspa-elements-04.jar&lt;br /&gt;
 * webspa-server-04.jar&lt;br /&gt;
&lt;br /&gt;
== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==&lt;br /&gt;
&lt;br /&gt;
In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:&lt;br /&gt;
 * webspa-client-03.jar&lt;br /&gt;
 * webspa-elements-03.jar&lt;br /&gt;
 * webspa-server-03.jar&lt;br /&gt;
&lt;br /&gt;
== Contribution ==&lt;br /&gt;
&lt;br /&gt;
Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!&lt;br /&gt;
You do not have to be a security expert in order to contribute.&lt;br /&gt;
Some of the ways you can help:&lt;br /&gt;
* Quality assurance of resolved defects&lt;br /&gt;
* Java development (good knowledge of Java desirable)&lt;br /&gt;
&lt;br /&gt;
=Project About=&lt;br /&gt;
{{:Projects/OWASP_WebSpa_Project}}  &lt;br /&gt;
&lt;br /&gt;
__NOTOC__ &amp;lt;headertabs /&amp;gt; &lt;br /&gt;
&lt;br /&gt;
[[Category:OWASP Project]]  [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]]  [[Category:OWASP_Document]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=Projects/OWASP_WebSpa_Project/Releases/Current&amp;diff=173425</id>
		<title>Projects/OWASP WebSpa Project/Releases/Current</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=Projects/OWASP_WebSpa_Project/Releases/Current&amp;diff=173425"/>
				<updated>2014-04-24T20:03:12Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Updated current version to 0.7&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=London&amp;diff=172019</id>
		<title>London</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=London&amp;diff=172019"/>
				<updated>2014-04-08T20:35:09Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: Added WebSpa presentation to the chapter meeting of 20-Mar-2014&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{Chapter Template|chaptername=London|extra=The chapter leader is Justin Clarke (justin.clarke [at] owasp.org) since January 2009, with Tobias Gondrom (tobias.gondrom [at] owasp.org), and Dennis Groves (dennis.groves [at] owasp.org) constituting the London Chapter Board. Follow chapter news on Twitter at http://twitter.com/owasplondon|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-london|emailarchives=http://lists.owasp.org/pipermail/owasp-london}}&lt;br /&gt;
==Chapter Sponsors==&lt;br /&gt;
The following is the list of OWASP Corporate Members who have generously aligned themselves with the London chapter, therefore contributing funds to our chapter:&amp;lt;br /&amp;gt;&lt;br /&gt;
{{MemberLinks|link=http://www.gdssecurity.com|logo=GDS_LOGO_SMALL.jpg}}&lt;br /&gt;
{{MemberLinks|link=http://www.quotium.com|logo=LogoQuotium.png}}&lt;br /&gt;
{{MemberLinks|link=http://www.mavitunasecurity.com/netsparker|logo=NetSparker_Logo_ResizedLondon.png}}&lt;br /&gt;
&lt;br /&gt;
==Meeting Sponsors==&lt;br /&gt;
The following is the list of organisations who have generously provided us with space for London chapter meetings:&amp;lt;br /&amp;gt;&lt;br /&gt;
{{MemberLinks|link=http://www.hotels.com|logo=Hicon_hotels-128-TM-R.PNG}}&lt;br /&gt;
{{MemberLinks|link=http://www.skype.com|logo=Skype logo solid.jpg}}&lt;br /&gt;
&lt;br /&gt;
==Next Meeting/Event(s)==&lt;br /&gt;
&lt;br /&gt;
===Thursday, March 20th 2014 (Central London)===&lt;br /&gt;
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST&lt;br /&gt;
&lt;br /&gt;
====Talks====&lt;br /&gt;
*'''Using Tunna (HTTP Tunnel) for penetration testing - Nikos Vassakis and Rodrigo Marcos'''&lt;br /&gt;
*: Once a web application is compromised and command execution is achieved, the attacker faces a number of hurdles. Network filtering is one of the key defensive techniques used to prevent attackers from creating further communication channels. This is usually an effective technique to limit the attacking avenues. Tunna is a tool designed to bypass firewall restrictions on remote web servers. It consists of a local application (supporting Ruby and Python) and a web application (supporting ASP.NET, Java and PHP). This presentation will cover all the steps required to effectively bypass firewalls protecting web applications, bind TCP ports on the compromised host and access other hosts in the DMZ.&lt;br /&gt;
&lt;br /&gt;
*'''OWASP WebSpa - Yiannis Pavlosoglou''' ([[Media:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx|PPTX]])&lt;br /&gt;
*: The OWASP WebSpa project is a tool implementing the novel idea of web knocking. The term web knocking stems from port knocking: if port knocking is defined as &amp;quot;a form of host-to-host communication in which information flows across closed ports&amp;quot;, then we define web knocking as a form of host-to-host communication in which information flows across erroneous URLs. In this talk we introduce web knocking and WebSpa: a tool for single HTTP/S authorisation requests. Similarly to traditional network port-knocking schemes, WebSpa aims to create a covert channel of communication for Operating System (O/S) commands, over the web application layer. Within this presentation the applicability, as well as the hurdles crossed while developing WebSpa, will be discussed. The presentation will conclude with a video demo illustrating how a specially crafted URL will be responsible for allowing access to a previously closed TCP port 22 and other services.&lt;br /&gt;
&lt;br /&gt;
====Speakers====&lt;br /&gt;
&lt;br /&gt;
*'''Nikos Vassakis'''&lt;br /&gt;
*:Nikos is a security consultant at SECFORCE. He holds a BSc in Computer Science and an MSc in Information Security, and has 2 years of security-related work experience. When not working breaking one technology or another, he drinks beer, socialises and, when time permits, works on research projects. Current research activities focus mainly on post-exploitation network traffic tunnelling techniques and trying to take over the world.&lt;br /&gt;
&lt;br /&gt;
*'''Rodrigo Marcos'''&lt;br /&gt;
*:Rodrigo is a security CREST consultant at SECFORCE, with 10 years of experience in the penetration testing industry. His interests cover a wide range of areas, such as network protocol fuzzing, programming and &amp;quot;high-protein&amp;quot; web hacking - trying to minimise the gap between web application and infrastructure testing to achieve his ultimate goal: World domination, one IP address at a time.&lt;br /&gt;
&lt;br /&gt;
*'''Yiannis Pavlosoglou'''&lt;br /&gt;
*:There is a world of numbers, hiding behind letters, inside computers; this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large-scale projects to actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a PhD in information security, designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.&lt;br /&gt;
&lt;br /&gt;
====RSVP====&lt;br /&gt;
&lt;br /&gt;
RSVP is now open at Eventbrite - http://owasp-london.eventbrite.co.uk/&lt;br /&gt;
&lt;br /&gt;
== Future Events ==&lt;br /&gt;
&lt;br /&gt;
We have the following dates booked in with Skype, who have generously committed to hosting our regular chapter meetings for 2014:&lt;br /&gt;
&lt;br /&gt;
===Thursday, May 15th 2014 (Central London)===&lt;br /&gt;
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST&lt;br /&gt;
&lt;br /&gt;
===Thursday, July 17th 2014 (Central London)===&lt;br /&gt;
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST&lt;br /&gt;
&lt;br /&gt;
===Thursday, September 18th 2014 (Central London)===&lt;br /&gt;
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST&lt;br /&gt;
&lt;br /&gt;
===Thursday, November 20th 2014 (Central London)===&lt;br /&gt;
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST&lt;br /&gt;
&lt;br /&gt;
== Past Events ==&lt;br /&gt;
&lt;br /&gt;
===Thursday, January 16th 2014 (Central London)===&lt;br /&gt;
'''Location''': Skype, 2 Waterhouse Square, 140 Holborn, London, EC1N 2ST&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Justin Clarke, Marco Morana and Tobias Gondrom&lt;br /&gt;
&lt;br /&gt;
*'''Pushing CSP to Prod: Case Study of a Real-World Content-Security Policy Implementation - Justin Clarke'''&lt;br /&gt;
*:Widespread adoption of Content Security Policy (CSP) by most modern browsers has led many organisations to consider implementing CSP to thwart Cross-Site Scripting attacks in their web applications. In this session we will walk you through our experience successfully implementing CSP on our customer-facing web application, SendSafely.com, which relies heavily on JavaScript and HTML5. Our story will arm you with the knowledge you’ll want should you decide to go down the same path. When we initially decided to implement CSP, the BETA version of our website was already live. Like many sites, our platform grew from something we initially started as a pet project. Admittedly, building CSP into our site from day one would have been much easier...but not nearly as challenging or fun. We’ll start by walking you through our Content Security Policy, discuss the basic nuances between how each major browser implements CSP, and outline techniques for how we deal with these nuances at runtime. Next, we’ll discuss the basic techniques we used for converting all of our classic “in-line” JavaScript to comply with the strict CSP that we developed. We’ll also talk about the not-so-easy task of getting third-party JavaScript to play nicely with CSP (cough, ReCaptcha, cough) and cover some edge cases we ran into related to the newer HTML5 APIs we rely on for certain tasks. Lastly, we’ll discuss what we learned from implementing a notification mechanism to report violations of our CSP at runtime. Needless to say we were surprised by what was reported, and we’ll share the results. Our hope is that by telling our story to the world, we’ll either save the rainforest or make your life a little easier should you decide to implement CSP (worst case scenario we’ll save you the trouble and dissuade you from even trying).&lt;br /&gt;
&lt;br /&gt;
*'''2013 AppSec Guide and CISO Survey: Making OWASP Visible to CISOs - Marco Morana and Tobias Gondrom'''&lt;br /&gt;
*: Recognising the important role that the CISO has in managing application security processes within organisations, OWASP sponsored a project in 2012 to develop guidance specifically for CISOs. The aim of the OWASP guide is to provide useful guidance to CISOs for effectively managing the risks of insecure web applications and software by planning the application security activities, investing in countermeasures to mitigate threats and considering the costs and the benefits for the organisation. Recognising that a CISO guide has first and foremost to capture the needs of CISOs in managing application security from information security governance, risk and compliance perspectives, a survey was developed in parallel with the draft of the CISO Guide. As the results of the 2013 CISO survey have become available, they have been used to tailor the guide to the specific needs of CISOs. One of the most important aspects covered in the CISO guide is making the business case for application security investments by helping CISOs translate technical risks such as the OWASP Top Ten into business impacts, compliance with standards and regulations and risk management. Specifically, the version of the guide that is presented at OWASP AppSec USA will be the first version that highlights the results of the CISO survey and seeks to introduce CISOs to projects/resources that can help them in rolling out an application security program whose main goal is managing web application security risks.&lt;br /&gt;
&lt;br /&gt;
===Thursday, December 12th 2013 (Central London)===&lt;br /&gt;
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Ofer Maor and Colin Watson&lt;br /&gt;
&lt;br /&gt;
*'''IAST: Runtime Code &amp;amp; Data Security Analysis – Beyond SAST/DAST - Ofer Maor'''&lt;br /&gt;
*:Until recently, SAST/DAST dominated the application security testing market, each with its own pros and cons. We present IAST, a new approach, analysing code execution, memory and data at runtime, allowing for accurate inspection of the application. The presentation will present the basic IAST technology building blocks and their benefits, followed by discussing advanced IAST data analysis capabilities, which allow for a deeper analysis of the application and its business logic. We will discuss different approaches and implementations of IAST and runtime code analysis, discussing the benefits of each. The presentation will include practical samples (including code!) of how IAST can be used to accurately detect both simple and complicated vulnerabilities, including SQL Injection, Parameter Tampering, Persistent XSS, CSRF, and more...&lt;br /&gt;
&lt;br /&gt;
*'''OWASP Cornucopia - Colin Watson'''&lt;br /&gt;
*:Microsoft's Escalation of Privilege (EoP) threat modelling card game has been refreshed into a new version more suitable for common web applications, and aligned with OWASP advice and guides. &amp;quot;OWASP Cornucopia - Ecommerce Web Application Edition&amp;quot; will be presented and used to demonstrate how it can help software architects and developers identify security requirements from the OWASP Secure Coding Practices - Quick Reference Guide. He will also provide a brief introduction about how to contribute ideas and content to OWASP projects, and how to start a project.&lt;br /&gt;
&lt;br /&gt;
===Thursday, October 24th 2013 (Central London)===&lt;br /&gt;
'''Location''': Expedia Inc (Hotels.com), Angel Building, 407 St John Street, London, EC1V 4EX&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Dinis Cruz and Justin Clarke&lt;br /&gt;
&lt;br /&gt;
*'''Using the O2 Platform, Zap and AppSensor to protect and test applications - Dinis Cruz'''&lt;br /&gt;
*:This presentation will show how these 3 OWASP tools can be used to find and mitigate security vulnerabilities in applications. The O2 Platform will be used to analyse the target application source code, and automate the use of both Zap and AppSensor's capabilities.&lt;br /&gt;
&lt;br /&gt;
*'''OWASP Mobile Top 10 - Justin Clarke'''&lt;br /&gt;
*:The OWASP Mobile Security Project is a centralised resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation. Justin will be going through the current version of the Mobile Top 10, as well as discussing what is currently happening with the project.&lt;br /&gt;
&lt;br /&gt;
===Monday, June 3rd 2013 (London EUTour2013 One Day Conference)===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY&lt;br /&gt;
&lt;br /&gt;
For full details, including slides and videos of sessions, go to the main [https://www.owasp.org/index.php/EUTour2013 EUTour2013 Page] and click through to the London event.&lt;br /&gt;
&lt;br /&gt;
===Thursday, November 8th 2012 (Central London)===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Petko Petkov and Marco Morana&lt;br /&gt;
&lt;br /&gt;
*'''A Short History of The JavaScript Security Arsenal - Petko D. Petkov''' &lt;br /&gt;
*:In 2006 we had the first JavaScript port scanner. The same year we saw the incarnation of more advanced tools such as AttackAPI, Carnaval and Backframe. A year later we saw several decent attempts to create complete security tools designed to run with nothing else but web technologies. That was just the start.&lt;br /&gt;
*:This presentation aims to show the progress that has been made in the past six years in terms of security tools developed entirely with the help of browser technologies. The presentation will take you on a journey through the years, exploring some of the interesting attack techniques used in the past, bringing back some of the important discussions and eventually reaching the culmination when modern tools and technologies will be shown and explained.&lt;br /&gt;
&lt;br /&gt;
*'''The continuously evolving threat landscape call CISOs to consider new application security measures, how OWASP can help? - Marco Morana''' ([[Media:OWASP-London-CISO-Guidevs1.pptx|PPTX]])&lt;br /&gt;
*:The aim of this 20 minute talk is to introduce Chief Information Security Officers (CISOs) to the OWASP Application Security Guide. OWASP has developed guidance specifically to address the needs of CISOs, to help them prioritize the mitigation of web application vulnerabilities that might severely and negatively impact the organization and jeopardize the business.&lt;br /&gt;
&lt;br /&gt;
=== Thursday, May 10th 2012  (Application Security One-Day Conference - Free for OWASP Members) ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Bletchley Park, Sherwood Drive, Milton Keynes, MK3 6EB&lt;br /&gt;
&lt;br /&gt;
'''Time''': 10:00am - 4:30pm&lt;br /&gt;
&lt;br /&gt;
ISSA-UK and OWASP are partnering for the first time to bring you a joint application security training conference, free for members of OWASP, ISSA-UK, or CSF.  This unique event will attract attendees from both ISSA-UK's traditional information security membership base, and OWASP's web application specialists, bringing new thoughts and perspectives to both groups.  The theme of the day is, no surprise, application security.  We expect to focus on both methodologies and frameworks - such as OWASP's top 10 - and a variety of custom tools and frameworks, from open-source to proprietary.  The goal is to deliver much needed tips and tricks to attendees, something to tackle our ever increasing workloads.  Join us for a full day of application security tricks, tools and methods at the historic Bletchley Park.  After the day's talks are over, please join us for a free tour of the famous WWII codebreaking facility!&lt;br /&gt;
&lt;br /&gt;
=== Thursday, March 29th 2012 (Central London) ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Morgan Stanley, 25 Cabot Square, Canary Wharf, London E14 4QA&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Jim Manico and Manish Saindane&lt;br /&gt;
&lt;br /&gt;
*'''Top 10 Web Defences - Jim Manico''' ([[Media:Developer Top Ten Core Controls v4.2.pptx|PPTX]])&lt;br /&gt;
*:We cannot hack or firewall our way secure. Application programmers need to learn to code in a secure fashion if we have any chance of providing organisations with proper defences in the current threatscape. This talk will discuss the 10 most important security-centric computer programming techniques necessary to build low-risk web based applications.&lt;br /&gt;
*'''IronWASP - Manish Saindane''' ([[Media:IronWASP.pptx|PPTX]])&lt;br /&gt;
*:IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners.&lt;br /&gt;
&lt;br /&gt;
=== Thursday, March 8th 2012, 18:30-21:00 (Royal Holloway) ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Viet Pham and Tobias Gondrom&lt;br /&gt;
&lt;br /&gt;
*''Implementing cryptography: good theory vs. bad practice'' - Viet Pham ([https://www.owasp.org/images/c/c5/OwaspTalkMarch.pdf PDF])&lt;br /&gt;
*:Abstract: Cryptography is being widely implemented in software to provide security features. The main reason is that many cryptographic mechanisms are mathematically proven secure, or trusted to be secure given some mathematical reasoning. However, to take full advantage of these mechanisms, they must be implemented strictly according to the theoretical models, e.g., several cryptographic mechanisms must be used together, in a specific manner, to provide a desired security goal. However, without a strong cryptographic background, many software developers tend to deviate from these models, thus making their own security software a gold mine for attackers. This talk gives examples to show why such situations exist, where they spread, and how bad they may become.&lt;br /&gt;
&lt;br /&gt;
*''Securing the SSL channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs'' - Tobias Gondrom ([http://www.gondrom.org/owasp/presentations/OWASP_defending-MITMA_RHUL.pdf PDF])&lt;br /&gt;
*:&amp;quot;In the recent months major trusted CAs providing trusted certificates for SSL/TLS in browser scenarios were compromised (e.g. seen in the Diginotar breach) and, based on the current trust models (trusting all registered CAs equally for all domains), exposed vital web applications to the risk of man-in-the-middle attacks. Several approaches are currently discussed to mitigate this risk. The most advanced and closest to final adoption are the technologies discussed by the browser vendors at the recent IETF meeting in November in Taipei: HSTS and pinning of certificates. To better protect content providers against the distribution of bogus certificates, an HTTP header extension containing a fingerprint of their certificates linked to a domain address has been defined. This approach has been partly tested in Chrome, and already helped identify and protect, to some extent, Google's web applications in the recent Diginotar compromise. Chrome users were able to detect the bogus DigiNotar certificates because Chrome had embedded the hashes of valid Google certificates. Back in July, the hacked DigiNotar certificate authority (CA), which has since gone out of business, was used to issue more than five hundred bogus certificates for companies including Google and various intelligence services.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
=== Thursday, February 2nd 2012, 18:30-21:00 ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX&lt;br /&gt;
&lt;br /&gt;
'''Speakers''': Sarah Baso, Dinis Cruz, Dennis Groves&lt;br /&gt;
&lt;br /&gt;
*''Security as Pollution (lessons learned)'' - Dinis Cruz&lt;br /&gt;
*:Based on David Rice's &amp;quot;Upon the Threshold of Opportunity&amp;quot; presentation at the OWASP AppSec USA 2010&lt;br /&gt;
&lt;br /&gt;
*''Making Security Invisible by Becoming the Developer's Best Friends'' - Dinis Cruz&lt;br /&gt;
*:Based on Dinis' presentation at OWASP AppSec Brazil 2011&lt;br /&gt;
&lt;br /&gt;
*''How to get a job in AppSec by Hacking and fixing TeamMentor'' - Dinis Cruz and Dennis Groves&lt;br /&gt;
*:This is for students and developers who want to get into the application security space and need to have/show real-world experience.&lt;br /&gt;
&lt;br /&gt;
*''What's Happening on OWASP Today'' - Sarah Baso&lt;br /&gt;
*:This is an overview of the multiple activities that are currently happening around the world at OWASP presented by one of OWASP's employees currently focused on logistics, community and empowerment&lt;br /&gt;
&lt;br /&gt;
=== Thursday, September 8th 2011 ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Royal Holloway University of London, Bourne Lecture Theatre 2, Egham Hill, Egham, TW20 0EX&lt;br /&gt;
&lt;br /&gt;
'''Speaker''': Daniel Cuthbert ([http://prezi.com/ylfkkek0vb-r/all-aboard-the-lulz-boat/ deck])&lt;br /&gt;
&lt;br /&gt;
'''Title''': Doing it for the Lulz: Why Lulzsec has shown us to be an ineffective industry.&lt;br /&gt;
&lt;br /&gt;
=== Friday, June 3rd 2011 ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Royal Holloway University of London, Room BLT2, Egham Hill, Egham, TW20 0EX&lt;br /&gt;
&lt;br /&gt;
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])&lt;br /&gt;
*:Wordpress is one of the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog-shaped box, often because of its flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.&lt;br /&gt;
&lt;br /&gt;
=== Thursday, April 14th 2011 ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': Charterhouse Bar, 38 Charterhouse Street, Smithfield, London EC1M 6JH&lt;br /&gt;
&lt;br /&gt;
*'''Wordpress Security - Steve Lord''' ([[Media:Wordpress-security-ext.pdf|PDF]])&lt;br /&gt;
*:Wordpress is one of the most popular blogging systems in the world but is routinely used to shoehorn complex sites into a blog-shaped box, often because of its flexibility and ease of use. In this talk, Mandalorian's Steve Lord discusses common Wordpress security snafus and how to avoid them.&lt;br /&gt;
&lt;br /&gt;
*'''Outcomes from the recent OWASP Summit in Portugal - London based attendees of the Summit'''&lt;br /&gt;
*:Discussion of what came out of the recent OWASP Summit, &amp;quot;OWASP 4.0&amp;quot; and what is changing in the OWASP world now and in the near future&lt;br /&gt;
&lt;br /&gt;
=== Thursday, February 17th 2011 ===&lt;br /&gt;
&lt;br /&gt;
'''Location''': ThoughtWorks, Berkshire House, 168-173 High Holborn, City of London WC1V 7AA&lt;br /&gt;
&lt;br /&gt;
A special meeting event, in conjunction with [http://londongeeknights.wetpaint.com London Geek Nights] on SSL usage and dangers. An opportunity to get some of the developer and security communities together to talk more pragmatically on this very key topic.&lt;br /&gt;
&lt;br /&gt;
== Archived Events ==&lt;br /&gt;
&lt;br /&gt;
For events before 2011, see [[Archived OWASP London Events]]&lt;br /&gt;
&lt;br /&gt;
== Other Activities ==&lt;br /&gt;
&lt;br /&gt;
*'''February 2010 - Personal Information Online COP'''&lt;br /&gt;
The [[Leeds UK]], London and [[Scotland]] Chapters [http://www.owasp.org/index.php/Industry:Personal_Information_Online_Code_of_Practice joint response] to the UK Information Commissioner's Office draft Personal Information Online Code of Practice.&lt;br /&gt;
&lt;br /&gt;
*'''March 2009 - Entry for Nominet Best Practice Challenge 2009'''&lt;br /&gt;
Open Web Application Security Project was nominated by OWASP London for the Best Security Initiative Award ([[Image:Nominet_best_practice_challenge_2009_owasp_entry.pdf]]) in the [http://www.nominet.org.uk/about/bestpracticechallenge/ Nominet Best Practice Challenge 2009].  Short-listed June 2009. Announcement due 2 July 2009.&lt;br /&gt;
&lt;br /&gt;
*'''16th October 2008 - COI Browser Standards for Public Websites'''&lt;br /&gt;
&lt;br /&gt;
The London and [[Scotland]] Chapters joint response to the Central Office of Information draft document on [http://www.coi.gov.uk/guidance.php?page=200 browser standards for public websites] (version 0.13) ([[Image:OWASP-COI-Browser-Standards.pdf]]).&lt;br /&gt;
&lt;br /&gt;
[[Category:United Kingdom]]&lt;br /&gt;
[[Category:Europe]]&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	<entry>
		<id>https://wiki.owasp.org/index.php?title=File:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx&amp;diff=172018</id>
		<title>File:OWASP WebSpa - The Concept of Web Knocking and a Tool to Go With it.pptx</title>
		<link rel="alternate" type="text/html" href="https://wiki.owasp.org/index.php?title=File:OWASP_WebSpa_-_The_Concept_of_Web_Knocking_and_a_Tool_to_Go_With_it.pptx&amp;diff=172018"/>
				<updated>2014-04-08T20:32:57Z</updated>
		
		<summary type="html">&lt;p&gt;Oliver M.: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&lt;/div&gt;</summary>
		<author><name>Oliver M.</name></author>	</entry>

	</feed>