https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Spinkham
OWASP - User contributions [en]
2026-05-02T03:48:17Z
User contributions
MediaWiki 1.27.2
https://wiki.owasp.org/index.php?title=Triangle&diff=242951
Triangle
2018-08-29T20:21:15Z
<p>Spinkham: Add meetup tag to keep meetings up to date</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leaders are Chris Romeo and [mailto:steve.pinkham@owasp.org Steve Pinkham]. The current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve Pinkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
We hope that you will join us at our meetings soon!<br />
<br />
<meetup group="owasptriangle" /> <br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is iContact.<br />
<br />
We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=237407
Triangle
2018-02-08T05:49:53Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leaders are Chris Romeo and [mailto:steve.pinkham@owasp.org Steve Pinkham]. The current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve Pinkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
February 22, 2018<br />
<br />
Please RSVP at [https://www.meetup.com/owasptriangle/events/237687599/ https://www.meetup.com/owasptriangle/]<br />
<br />
====== Building an AppSec Program on the Cheap with OWASP ======<br />
Explore the OWASP universe and how to build an application security program with a budget of $0 using only the open-source documents and tools that OWASP provides. Experience a practitioner's guide for how to take the most famous OWASP projects and meld them together into a working program. Projects are broken down into training/awareness/definition, builder, breaker, and defender, with an explanation of the human resources required to make this successful.<br />
<br />
The meetings food is being provided primarily with funds donated by HPE / Fortify. We thank them for their support of OWASP's mission to increase software security awareness and effectiveness, and hope you will let them know you appreciate it in any future interactions you have with them.<br />
<br />
Hope you can all join us!<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
HPE/Fortify is a Gold Chapter Supporter, and we thank them very much for their recent donation.<br />
<br />
Our current meeting space sponsor is iContact.<br />
<br />
We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_DefectDojo_Project&diff=233584
OWASP DefectDojo Project
2017-09-21T17:50:51Z
<p>Spinkham: Fixed link to getting started guide</p>
<hr />
<div>=Main=<br />
<br />
<div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:OWASP_Project_Header.jpg|link=]]</div><br />
<br />
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-<br />
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |<br />
<br />
==OWASP DefectDojo Tool Project ==<br />
An open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools.<br />
<br />
DefectDojo is a tracking tool written in Python / Django. DefectDojo was created in 2013 and open-sourced on March 13th, 2015. The project was started to make optimizing vulnerability tracking less painful. The top goal of DefectDojo is to reduce the amount of time security professionals spend logging vulnerabilities. DefectDojo accomplishes this by offering a templating system for vulnerabilities, imports for common vulnerability scanners, report generation, and metrics.<br />
<br />
==Description==<br />
DefectDojo streamlines the testing process through several 'models' that an admin can manipulate with Python code. The core models include: 'engagements', 'tests' and 'findings'. DefectDojo has supplemental models that facilitate metrics, authentication, report generation, and tools. DefectDojo is written in Python 2.7 with Django 1.8.<br />
<br />
Testing or installing DefectDojo is easy. There is a live demo for interested parties to try Dojo [https://github.com/rackerlabs/django-DefectDojo#demo here]. If you decide to setup an instance of Dojo for your organization, we have developed a script that handles all dependencies, configures the database, and creates a super user. Complete installation instructions are found [https://github.com/rackerlabs/django-DefectDojo#installation here]. A complete walk-through can be found [http://defectdojo.readthedocs.org/en/latest/ here]. Documented example workflows can be found [https://github.com/rackerlabs/django-DefectDojo/blob/master/doc/workflows.md].<br />
<br />
==Licensing==<br />
DefectDojo is licensed under the [https://github.com/rackerlabs/django-DefectDojo/blob/master/LICENSE.md BSD Simplified License].<br />
<br />
== Project Resources ==<br />
<br />
[https://github.com/rackerlabs/django-DefectDojo#demo Live Demo]<br />
<br />
[https://github.com/rackerlabs/django-DefectDojo Source Code]<br />
<br />
[https://github.com/rackerlabs/django-DefectDojo/blob/master/docs/getting-started.rst Getting Started Guide]<br />
<br />
[https://github.com/rackerlabs/django-DefectDojo/releases What's New]<br />
<br />
[https://github.com/rackerlabs/django-DefectDojo/issues Issue Tracker]<br />
<br />
== Project Leaders ==<br />
[https://www.owasp.org/index.php/User:Devgreg Greg Anderson] [mailto:greg.anderson@owasp.org @]<br />
<br />
[mailto:charles.neill@owasp.org Charles Neill]<br />
<br />
[https://www.owasp.org/index.php/User:Grendel Jay Paz][mailto:jay.paz@owasp.org @]<br />
<br />
== Related Projects ==<br />
<br />
* [https://www.owasp.org/index.php/OWASP_AppSec_Pipeline OWASP AppSec Pipeline]<br />
<br />
==Classifications==<br />
<br />
{| width="200" cellpadding="2"<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_TOOL.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Tool]]<br />
|-<br />
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=https://www.owasp.org/index.php/Category:OWASP_Code]]<br />
|-<br />
| rowspan="2" align="center" valign="top" width="50%" | [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects|Incubator Project]]<br />
| align="center" valign="top" width="50%" | [[File:Owasp-builders-small.png|link=Builders]] <br />
|-<br />
| align="center" valign="top" width="50%" | [[File:Owasp-defenders-small.png|link=Defenders]]<br />
|-<br />
|}<br />
<br />
== News and Events ==<br />
* [1 Oct 2016] [https://github.com/OWASP/django-DefectDojo/releases/tag/1.1.0 Version 1.1.0 Released]<br />
* [22 Dec 2015] [https://github.com/rackerlabs/django-DefectDojo/releases/tag/v1.0.5 Version 1.0.5 Released]<br />
* [08 Sep 2015] [https://github.com/rackerlabs/django-DefectDojo/releases/tag/v1.0.4 Version 1.0.4 Released]<br />
* [27 Jul 2015] [https://github.com/rackerlabs/django-DefectDojo/releases/tag/v1.0.3 Version 1.0.3 Released]<br />
* [16 Jun 2015] [https://github.com/rackerlabs/django-DefectDojo/releases/tag/v1.0.2 Version 1.0.2 Released]<br />
* [30 Sep 2015] [https://github.com/rackerlabs/django-DefectDojo/releases/tag/v1.0.1 Version 1.0.1 Released]<br />
* [02 Apr 2015] [https://github.com/rackerlabs/django-DefectDojo/releases/tag/v1.0 Version 1.0.0 Released]<br />
* [15 Mar 2015] [https://github.com/rackerlabs/django-DefectDojo DefectDojo is open-sourced]<br />
<br />
|}<br />
<br />
=FAQs=<br />
<br />
==How can I participate in your project?==<br />
All you have to do is make the Project Leaders aware of your available time to contribute to the project. It is also important to let the Leaders know how you would like to contribute and pitch in to help the project meet its goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key. If you are a programmer and wish to contribute code, we regularly review [https://github.com/rackerlabs/django-DefectDojo/pulls pull requests].<br />
<br />
==If I am not a programmer can I participate in your project?==<br />
Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for people to help translate our documentation. See the Road Map and Getting Involved tab for more details.<br />
<br />
= Acknowledgements =<br />
==Contributors==<br />
<br />
<br />
<br />
* Greg Anderson - Greg wrote the original code base with Charles Neill<br />
* Charles Neill - Charles wrote the original code base with Greg Anderson.<br />
* Jay Paz - Jay added a multitude of functionalities / UI enhancements, that has made Dojo production ready.<br />
* Michael Dong - Michael dong contributed to the baseline self-service tools.<br />
*Fatimah Zohra - Fatimah also contributed to the baseline self-service tools.<br />
* Aarron Weaver - Added CheckMarx support.<br />
* Yaakov Saxon - Fixed ZAP and CWE parsing.<br />
* Matt Valdes - Fixed an issue with the Ansible install.<br />
<br />
= Road Map and Getting Involved =<br />
At this time, Dojo is already being used by multiple large enterprises, but there is still many aspects we want to improve. Part of our next steps is to better evangelize our work and encourage others to contribute. However, we do have a set of core contributors that actively work on the project. Feature-wise, we hope to push a proof of concept plugin that will aid in retesting automation.<br />
<br />
<br />
<br />
==Roadmap==<br />
As of March, 2016, the highest priorities for the next 6 months are:<br />
<strong><br />
* A proof of concept plugin that will aid in retesting automation<br />
* JIRA Integration<br />
* Dynamic Application Tagging.<br />
</strong><br />
<br />
Subsequent Releases will add:<br />
<br />
<strong><br />
* CI / CD for pull requests<br />
* Additional Unit Tests<br />
* Automated Regression tests<br />
</strong><br />
<br />
==Getting Involved==<br />
Involvement in the development and promotion of <strong>DefectDojo</strong> is actively encouraged!<br />
You do not have to be a security expert or a programmer to contribute.<br />
Some of the ways you can help are as follows:<br />
<br />
===Coding===<br />
We could implement some of the later items on the roadmap sooner if someone wanted to help out with unit or automated regression tests<br />
===Localization===<br />
Are you fluent in another language? Can you help translate the text strings in the <strong>DefectDojo</strong> into that language?<br />
<br />
===Testing===<br />
Do you have a flair for finding bugs in software? We want to produce a high quality product, so any help with Quality Assurance would be greatly appreciated. Let us know if you can offer any help.<br />
<br />
===Feedback===<br />
Please use the [https://lists.owasp.org/mailman/listinfo/OWASP_Tool_Project_Template DefectDojo project mailing list] for feedback about:<br />
<ul><br />
<li>What do like?</li><br />
<li>What don't you like?</li><br />
<li>What features would you like to see prioritized on the roadmap?</li><br />
</ul><br />
<br />
=Project About=<br />
<br />
<br />
{{Template:Project About<br />
| project_name =OWASP DefectDojo<br />
| project_description =OWASP DefectDojo is an open source vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics, and baseline self-service tools. <br />
| project_license = [https://github.com/rackerlabs/django-DefectDojo/blob/master/LICENSE.md BSD Simplified License]<br />
| leader_name1=Greg Anderson<br />
| leader_email1=greg.anderson@owasp.org<br />
| leader_username1=devgreg<br />
| leader_name2=Charles Neill<br />
| leader_email2=charles.neill@owasp.org<br />
| leader_username2=N/A<br />
| leader_name3=Jay Paz<br />
| leader_email3= N/A<br />
| leader_username3=grendel<br />
}} <br />
<br />
__NOTOC__ <headertabs></headertabs> <br />
<br />
[[Category:OWASP Project]]<br />
[[Category:OWASP_Builders]]<br />
[[Category:OWASP_Defenders]]<br />
[[Category:OWASP_Tool]]<br />
[[Category:Projects|DefectDojo]]<br />
[[Category:Incubator Projects|DefectDojo]]<br />
[[Category:OWASP DefectDojo|DefectDojo]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=233583
Triangle
2017-09-21T15:58:33Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leaders are Chris Romeo and [mailto:steve.pinkham@owasp.org Steve Pinkham]. The current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve Pinkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
October, 2017, details TBA<br />
<br />
Please RSVP at https://www.meetup.com/owasptriangle/events/237687599/<br />
<br />
OWASP Triangle Chapter is back for 2017! We are making some changes to enhance your experience as a member of this Meetup! Starting this month, we'll provide two separate talks at each Meetup. We'll also have dinner each time, so that those coming directly from work do not go hungry! iContact is our new meeting space sponsor, so please look closely at the new location. We no longer need to collect names and employers, but still please RSVP so we ensure that we order enough food. <br />
<br />
We're proud to welcome Phillip Maddux (AKA Px Mx AKA foospidy) as our primary speaker. Phillip works at Signal Sciences, and will share a talk entitled "Application Security for the Modern Web":<br />
<br />
Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles. <br />
<br />
Before the main talk we will have food and Steve Pinkham will kick off our new series called "Back to Basics". Each meeting we'll have a short introductory talk covering one of the OWASP Top 10 Application Security Threats. This month we will cover #1: Injection<br />
<br />
The meetings food is being provided primarily with funds donated by HPE / Fortify. We thank them for their support of OWASP's mission to increase software security awareness and effectiveness, and hope you will let them know you appreciate it in any future interactions you have with them. <br />
<br />
Hope you can all join us!<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
HPE/Fortify is a Gold Chapter Supporter, and we thank them very much for their recent donation.<br />
<br />
Our current meeting space sponsor is iContact.<br />
<br />
We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=226321
Triangle
2017-02-14T03:07:32Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve PInkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
February 23, 2017<br />
<br />
6:30 PM to 8:30 PM<br />
<br />
iContact: 2121 RDU Center Drive, 4th Floor, Morrisville, NC<br />
<br />
Please RSVP at https://www.meetup.com/owasptriangle/events/237687599/<br />
<br />
OWASP Triangle Chapter is back for 2017! We are making some changes to enhance your experience as a member of this Meetup! Starting this month, we'll provide two separate talks at each Meetup. We'll also have dinner each time, so that those coming directly from work do not go hungry! iContact is our new meeting space sponsor, so please look closely at the new location. We no longer need to collect names and employers, but still please RSVP so we ensure that we order enough food. <br />
<br />
We're proud to welcome Phillip Maddux (AKA Px Mx AKA foospidy) as our primary speaker. Phillip works at Signal Sciences, and will share a talk entitled "Application Security for the Modern Web":<br />
<br />
Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles. <br />
<br />
Before the main talk we will have food and Steve Pinkham will kick off our new series called "Back to Basics". Each meeting we'll have a short introductory talk covering one of the OWASP Top 10 Application Security Threats. This month we will cover #1: Injection<br />
<br />
The meetings food is being provided primarily with funds donated by HPE / Fortify. We thank them for their support of OWASP's mission to increase software security awareness and effectiveness, and hope you will let them know you appreciate it in any future interactions you have with them. <br />
<br />
Hope you can all join us!<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
HPE/Fortify is a Gold Chapter Supporter, and we thank them very much for their recent donation.<br />
<br />
Our current meeting space sponsor is iContact.<br />
<br />
We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=226320
Triangle
2017-02-14T03:05:21Z
<p>Spinkham: /* Next Meeting */ Feb 20176 meeting</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve PInkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
Thursday, February 23, 2017<br />
6:30 PM to 8:30 PM<br />
iContact<br />
2121 RDU Center Drive, 4th Floor, Morrisville, NC<br />
<br />
Please RSVP at https://www.meetup.com/owasptriangle/events/237687599/<br />
<br />
OWASP Triangle Chapter is back again! We are making some changes to enhance your experience as a member of this Meetup! Starting this month, we'll provide two separate talks at each Meetup. We'll also have dinner each time, so that those coming directly from work do not go hungry! iContact is our new meeting space sponsor, so please look closely at the new location. We no longer need to collect names and employers, but still please RSVP so we ensure that we order enough food. <br />
<br />
We're proud to welcome Phillip Maddux (AKA Px Mx AKA foospidy) as our primary speaker. Phillip works at Signal Sciences, and will share a talk entitled "Application Security for the Modern Web":<br />
<br />
Over the last several years we’ve witnessed, and experienced, an advance towards new approaches in web technologies and the processes to deploy web applications. In this talk, we’ll explore and describe the “Modern Web”, discuss observations on the evolution of the Secure SDLC, recognize existing challenges in achieving real-time threat visibility once web applications are deployed to production, and finally, walk through the concepts that address the challenges in fast paced “agile” development cycles. <br />
<br />
Before the main talk we will have food and Steve Pinkham will kick off our new series called "Back to Basics". Each meeting we'll have a short introductory talk covering one of the OWASP Top 10 Application Security Threats. This month we will cover #1: Injection<br />
<br />
The meetings food is being provided primarily with funds donated by HPE / Fortify. We thank them for their support of OWASP's mission to increase software security awareness and effectiveness, and hope you will let them know you appreciate it in any future interactions you have with them. <br />
<br />
Hope you can all join us!<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
HPE/Fortify is a Gold Chapter Supporter, and we thank them very much for their recent donation.<br />
<br />
Our current meeting space sponsor is iContact.<br />
<br />
We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=226319
Triangle
2017-02-14T01:23:49Z
<p>Spinkham: Change sponsors</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve PInkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
<br />
Hope you can all join us!<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
HPE/Fortify is a Gold Chapter Supporter, and we thank them very much for their recent donation.<br />
<br />
Our current meeting space sponsor is iContact.<br />
<br />
We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=225928
Triangle
2017-02-03T01:27:18Z
<p>Spinkham: New board, clear old meeting anouncement</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Rich Daugherty<br />
* Eric Hart<br />
* Steve PInkham<br />
* Chris Romeo<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
<br />
<br />
Hope you can all join us!<br />
<br />
<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is Credit Suisse. We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=208842
Triangle
2016-02-13T16:44:53Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
Declarative Security: Opting in to browser protections for safer apps<br />
<br />
Come discuss declarative security with us, and learn and/or share how you can make your apps safer with security directives like Strict Transport Security, Content Security Policy and the like. We'll cover the vulns, the protections, browser support and impact on development.<br />
<br />
Hope you can all join us!<br />
<br />
Credit Suisse is our meeting space sponsor. As for past meetups there, signups close the day before the event, and we do need answers to the signup questions of real name and employer for the security desk. Thanks!<br />
<br />
<br />
Location: Credit Suisse<br />
Time: February 18, 6:30-8:00<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is Credit Suisse. We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=208841
Triangle
2016-02-13T16:43:53Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
Declarative Security: Opting in to browser protections for safer apps<br />
<br />
Come discuss declarative security with us, and learn and/or share how you can make your apps safer with security directives like Strict Transport Security, Content Security Policy and the like. We'll cover the vulns, the protections, browser support and impact on development.<br />
<br />
Hope you can all join us!<br />
<br />
Credit Suisse is our meeting space sponsor. As for past meetups there, signups close the day before the event, and we do need answers to the signup questions of real name and employer for the security desk. Thanks!<br />
<br />
<br />
Location: Credit Suisse<br />
Time: Febuary 13, 6:30-8:00<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is Credit Suisse. We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=202171
Triangle
2015-10-15T21:07:45Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
Coding for Security: 5 Things a Bad Guy Wants YOU To Do<br />
<br />
Luke Stephens of Tek Security Group will be presenting on secure coding this month. Luke is a great speaker with a deep and varied background, so don't miss this one!<br />
For more details about the conten and to RSVP, please visit the meetup page: http://www.meetup.com/owasptriangle/<br />
<br />
<br />
Location: Credit Suisse<br />
Time: October 15, 6:30-8:30<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes. <br />
<br />
http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is Credit Suisse. We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=199783
Triangle
2015-09-01T16:17:23Z
<p>Spinkham: /* Next Meeting */ Put up September's meeting</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
Cisco’s Security Dojo: Raising the Application Security Awareness of 20,000+<br />
<br />
Chris Romeo of Cisco will be sharing with us his experiences guiding their Security Advocate program to drive application security awareness and improvement. <br />
He will be giving the same talk a week later at the national conference, so were excited to have him present for us first! <br />
For more details about the content you can see the AppSecUSA listing: http://appsecusa2015.sched.org/event/0614d5358a88cdc61652d078763b63d7<br />
<br />
Location: Credit Suisse<br />
Time: September 17, 6:30-8:30<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes.<br />
<br />
For more details see our meetup page: http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is Credit Suisse. We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=199661
Triangle
2015-08-27T15:58:28Z
<p>Spinkham: </p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
Credit Suisse<br />
August 27, 6:30-8:30<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes.<br />
For more details see our meetup page: http://www.meetup.com/owasptriangle/<br />
<br />
==Current Sponsors==<br />
<br />
Our current meeting space sponsor is Credit Suisse. We are seeking meeting/food sponsors, please contact us if you are interested!<br />
<br />
==Involvement==<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, food, content and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]<br />
[[Category:North Carolina]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=198547
Triangle
2015-08-07T18:16:42Z
<p>Spinkham: /* Next Meeting */</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<br />
==Next Meeting==<br />
Credit Suisse<br />
August 27, 6:30-8:30<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes.<br />
For more details see our meetup page: http://www.meetup.com/owasptriangle/<br />
<br />
----<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=198546
Triangle
2015-08-07T18:15:56Z
<p>Spinkham: Clean up duplicate content from new template</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<br />
==Next Meeting==<br />
Credit Suisse<br />
August 27, 6:30-8:30<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes.<br />
For more details see our meetup page: http://www.meetup.com/owasptriangle/<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=198545
Triangle
2015-08-07T18:11:28Z
<p>Spinkham: Announce next meeting</p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
==Next Meeting==<br />
Credit Suisse<br />
August 27, 6:30-8:30<br />
<br />
Everyone is welcome to join us at our chapter meetings, but registration is required at meetup for planning purposes.<br />
For more details see our meetup page: http://www.meetup.com/owasptriangle/<br />
----<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to presenting or leading with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<br />
</p><br />
----<br />
<br /><br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. <br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=167767
Triangle
2014-02-09T23:41:59Z
<p>Spinkham: </p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The current chapter leader is [mailto:steve.pinkham@owasp.org Steve Pinkham], current board consists of: <br />
<br />
* Jonathon Brenner<br />
* Barbara Cosgriff<br />
* Rich Daugherty<br />
* Dan Fiedler<br />
* Peter Hewett<br />
* Luke Stephens<br />
<br />
|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
<br />
<br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
Various<br />
<br />
Next Meeting: <br />
<br />
TBA.<br />
<br />
For more details see our meetup page: http://www.meetup.com/owaspnc/<br />
----<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. Consistent meeting space is currently our biggest need.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=167766
Triangle
2014-02-09T23:35:09Z
<p>Spinkham: </p>
<hr />
<div>{{Chapter Template|chaptername=Triangle|extra=The chapter leaders are [mailto:steve.pinkham@owasp.org Steve Pinkham] and [prplwiredwizard@gmail.com Morgan Todd].|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Raleigh|emailarchives=http://lists.owasp.org/pipermail/owasp-Raleigh}}<br />
<br />
== Local News ==<br />
<br />
'''Meeting Location'''<br />
<br />
Everyone is welcome to join us at our chapter meetings.<br />
<br />
<br />
<br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
Various<br />
<br />
Next Meeting: <br />
<br />
TBA.<br />
<br />
For more details see our meetup page: http://www.meetup.com/owaspnc/<br />
----<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. Consistent meeting space is currently our biggest need.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:United States]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=138480
Triangle
2012-11-02T04:32:08Z
<p>Spinkham: /* Meeting Location */</p>
<hr />
<div>==Welcome to the OWASP Raleigh Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
Chapter Leader: [mailto:steve.pinkham@owasp.org Steve Pinkham] <br /><br />
Co-organizer: [mailto:prplwiredwizard@gmail.com Morgan Todd]<br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
Various<br />
<br />
Next Meeting: <br />
<br />
November 14, 2012<br />
<br />
Cameron Village Library, Room 202<br />
1930, Clark Ave, Raleigh<br />
<br />
6:30PM<br />
<br />
For more details see our meetup page: http://www.meetup.com/owaspnc/<br />
----<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. Consistent meeting space is currently our biggest need.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=138479
Triangle
2012-11-02T04:28:44Z
<p>Spinkham: /* Meeting Location */ Added next meeting and other info</p>
<hr />
<div>==Welcome to the OWASP Raleigh Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
Chapter Leader: [mailto:steve.pinkham@owasp.org Steve Pinkham] <br /><br />
Co-organizer: [mailto:prplwiredwizard@gmail.com Morgan Todd]<br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
Various<br />
<br />
Next Meeting: <br />
<br />
November 14, 2012<br />
<br />
Cameron Village Library, Room 202<br />
1930, Clark Ave, Raleigh<br />
<br />
6:30PM<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations. Consistent meeting space is currently our biggest need.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=130218
Triangle
2012-05-21T16:00:54Z
<p>Spinkham: /* Chapter Leadership */ Add Morgan Todd as co-organizer, change Steve Pinkham to Chapter Leader to match OWASP chapter policies</p>
<hr />
<div>==Welcome to the OWASP Raleigh Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
Chapter Leader: [mailto:steve.pinkham@owasp.org Steve Pinkham] <br /><br />
Co-organizer: [mailto:prplwiredwizard@gmail.com Morgan Todd]<br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
TBD, see Meetup page<br />
<br />
Next Meeting: TBD, see the [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page].<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=114443
Triangle
2011-07-22T20:01:51Z
<p>Spinkham: OWASP NC -> OWASP Raleigh as Charlotte chapter is running again</p>
<hr />
<div>==Welcome to the OWASP Raleigh Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
President: [mailto:steve.pinkham@gmail.com Steve Pinkham] <br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<br />
[[Category:North Carolina]]<br />
[[Category:OWASP Chapter]]<br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
TBD, see Meetup page<br />
<br />
Next Meeting: TBD, see the [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page].<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=SQL_Injection&diff=109415
SQL Injection
2011-04-25T06:49:04Z
<p>Spinkham: Make pangolin reference more neutral per Content Guidelines</p>
<hr />
<div>{{Template:Attack}}<br />
[[Category:OWASP ASDR Project]]<br />
[[Category:Security Focus Area]]<br />
__NOTOC__<br><br><br />
<br />
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}'''<br />
<br />
== Overview ==<br />
A [[SQL injection]] attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. <br />
SQL injection attacks are a type of [[Top 10 2007-Injection Flaws | injection attack]], in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.<br />
<br />
==Threat Modeling==<br />
* SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. <br />
* SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections. <br />
* The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.<br />
<br />
==Related Security Activities==<br />
<br />
===How to Avoid SQL Injection Vulnerabilities===<br />
<br />
See the [[:Category:OWASP Guide Project|OWASP Guide]] article on how to [[Guide to SQL Injection | Avoid SQL Injection]] Vulnerabilities.<br><br />
See the OWASP [[SQL Injection Prevention Cheat Sheet]].<br />
<br />
===How to Review Code for SQL Injection Vulnerabilities===<br />
<br />
See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Reviewing Code for SQL Injection|Review Code for SQL Injection]] Vulnerabilities.<br />
<br />
===How to Test for SQL Injection Vulnerabilities===<br />
<br />
See the [[:Category:OWASP Testing Project|OWASP Testing Guide]] article on how to [[Testing for SQL Injection (OWASP-DV-005)|Test for SQL Injection]] Vulnerabilities.<br />
<br />
==Description==<br />
SQL injection errors occur when:<br />
<br />
# Data enters a program from an untrusted source. <br />
# The data used to dynamically construct a SQL query <br />
<br />
The main consequences are:<br />
<br />
* '''Confidentiality''': Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with [[Glossary#SQL Injection|SQL Injection]] vulnerabilities.<br />
<br />
* '''Authentication''': If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password.<br />
<br />
* '''Authorization''': If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a [[Glossary#SQL Injection|SQL Injection]] vulnerability.<br />
<br />
* '''Integrity''': Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a [[Glossary#SQL Injection|SQL Injection]] attack.<br />
<br />
== Risk Factors==<br />
The platform affected can be:<br />
* Language: SQL<br />
* Platform: Any (requires interaction with a SQL database)<br />
<br />
[[Glossary#SQL Injection|SQL Injection]] has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. <br />
<br />
Essentially, the attack is accomplished by placing a meta character into data input to then place SQL commands in the control plane, which did not exist there before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.<br />
<br />
== Examples ==<br />
<br />
===Example 1===<br />
<br />
In SQL:<br />
<br />
<pre><br />
select id, firstname, lastname from authors<br />
</pre><br />
<br />
If one provided:<br />
<br />
<pre><br />
Firstname: evil'ex<br />
Lastname: Newman<br />
</pre><br />
<br />
the query string becomes:<br />
<br />
<pre><br />
select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'<br />
which the database attempts to run as <br />
</pre><br />
<br />
<pre><br />
Incorrect syntax near al' as the database tried to execute evil. <br />
</pre><br />
<br />
A safe version of the above SQL statement could be coded in Java as:<br />
<br />
<pre><br />
String firstname = req.getParameter("firstname");<br />
String lastname = req.getParameter("lastname");<br />
// FIXME: do your own validation to detect attacks<br />
String query = "SELECT id, firstname, lastname FROM authors WHERE forename = ? and surname = ?";<br />
PreparedStatement pstmt = connection.prepareStatement( query );<br />
pstmt.setString( 1, firstname );<br />
pstmt.setString( 2, lastname );<br />
try<br />
{<br />
ResultSet results = pstmt.execute( );<br />
}<br />
</pre><br />
<br />
===Example 2===<br />
<br />
The following C# code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user.<br />
<br />
<pre><br />
...<br />
string userName = ctx.getAuthenticatedUserName();<br />
string query = "SELECT * FROM items WHERE owner = "'" <br />
+ userName + "' AND itemname = '" <br />
+ ItemName.Text + "'";<br />
sda = new SqlDataAdapter(query, conn);<br />
DataTable dt = new DataTable();<br />
sda.Fill(dt);<br />
...<br />
</pre><br />
<br />
The query that this code intends to execute follows:<br />
<br />
<pre><br />
SELECT * FROM items<br />
WHERE owner = <br />
AND itemname = ;<br />
</pre><br />
<br />
However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName does not contain a single-quote character. If an attacker with the user name wiley enters the string "name' OR 'a'='a" for itemName, then the query becomes the following:<br />
<br />
<pre><br />
SELECT * FROM items<br />
WHERE owner = 'wiley'<br />
AND itemname = 'name' OR 'a'='a';<br />
</pre><br />
<br />
The addition of the OR 'a'='a' condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:<br />
<br />
<pre><br />
SELECT * FROM items;<br />
</pre><br />
<br />
This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.<br />
<br />
===Example 3===<br />
<br />
This example examines the effects of a different malicious value passed to the query constructed and executed in Example 1. If an attacker with the user name hacker enters the string "hacker'); DELETE FROM items; --" for itemName, then the query becomes the following two queries:<br />
<br />
<pre><br />
SELECT * FROM items <br />
WHERE owner = 'hacker'<br />
AND itemname = 'name';<br />
<br />
DELETE FROM items;<br />
<br />
--'<br />
</pre><br />
<br />
Many database servers, including Microsoft® SQL Server 2000, allow multiple SQL statements separated by semicolons to be executed at once. While this attack string results in an error in Oracle and other database servers that do not allow the batch-execution of statements separated by semicolons, in databases that do allow batch execution, this type of attack allows the attacker to execute arbitrary commands against the database.<br />
<br />
Notice the trailing pair of hyphens (--), which specifies to most database servers that the remainder of the statement is to be treated as a comment and not executed. In this case the comment character serves to remove the trailing single-quote left over from the modified query. In a database where comments are not allowed to be used in this way, the general attack could still be made effective using a trick similar to the one shown in Example 1. If an attacker enters the string "name'); DELETE FROM items; SELECT * FROM items WHERE 'a'='a", the following three valid statements will be created:<br />
<br />
<pre><br />
SELECT * FROM items <br />
WHERE owner = 'hacker'<br />
AND itemname = 'name';<br />
<br />
DELETE FROM items;<br />
<br />
SELECT * FROM items WHERE 'a'='a';<br />
</pre><br />
<br />
One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from a whitelist of safe values or identify and escape a blacklist of potentially malicious values. Whitelisting can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security. As is almost always the case, blacklisting is riddled with loopholes that make it ineffective at preventing SQL injection attacks. For example, attackers can:<br />
<br />
* Target fields that are not quoted <br />
* Find ways to bypass the need for certain escaped meta-characters <br />
* Use stored procedures to hide the injected meta-characters <br />
<br />
Manually escaping characters in input to SQL queries can help, but it will not make your application secure from SQL injection attacks.<br />
<br />
Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.<br />
<br />
<pre><br />
procedure get_item (<br />
itm_cv IN OUT ItmCurTyp,<br />
usr in varchar2,<br />
itm in varchar2)<br />
is<br />
open itm_cv for ' SELECT * FROM items WHERE ' ||<br />
'owner = '''|| usr || <br />
' AND itemname = ''' || itm || '''';<br />
end get_item;<br />
</pre><br />
<br />
Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks.<br />
<br />
==Related [[Threat Agents]]==<br />
* [[:Category:Command Execution]] <br />
* [[Injection problem]]<br />
<br />
==Related [[Attacks]]==<br />
* [[Top 10 2007-Injection Flaws | injection attack]]<br />
* [[Blind SQL Injection]]<br />
* [[Code Injection]]<br />
* [[Double Encoding]]<br />
* [[Interpreter_Injection#ORM_Injection]]<br />
<br />
==Related [[Vulnerabilities]]==<br />
* [[:Category:Input Validation Vulnerability]]<br />
<br />
==Related [[Controls]]==<br />
* [[Input Validation]]<br />
* [[Output Validation]]<br />
* [[Static Code Analysis]]<br />
[[Category:FIXME|this was the text that was here before we added the links. Can it be deleted?<br />
Avoidance and mitigation <br />
<br />
* Requirements specification: A non-SQL style database which is not subject to this flaw may be chosen.<br />
<br />
* Implementation: Use vigorous white-list style checking on any user input that may be used in an SQL command. Rather than escape meta-characters, it is safest to disallow them entirely. Reason: Later use of data that has been entered in the database may neglect to escape meta-characters before use.<br />
<br />
* Image:Advanced Topics on SQL Injection Protection.ppt<br />
]]<br />
<br />
==References ==<br />
* [http://www.greensql.net/ GreenSQL Open Source SQL Injection Filter] - An Open Source database firewall used to protect databases from SQL injection attacks.<br />
* [http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf An Introduction to SQL Injection Attacks for Oracle Developers] - This also includes recommended defenses.<br />
* OWASP [[:Category:OWASP_SQLiX_Project | SQLiX Project]] - An SQL Injection Scanner.<br />
* [http://www.nosec.org/en/pangolin.html Pangolin] - Closed source SQL Injection Scanner.<br />
[[Category:Injection Attack]]<br />
[[category:Attack]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=106704
Triangle
2011-03-12T20:28:54Z
<p>Spinkham: /* Chapter Leadership */ Removed Victor Fayed after non-response of over a month</p>
<hr />
<div>==Welcome to the OWASP North Carolina Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
President: [mailto:steve.pinkham@gmail.com Steve Pinkham] <br /><br />
Vice President: [mailto://CWhitesock(@)coastalfcu(.)org Chris Whitesock] <br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
TBD, see Meetup page<br />
<br />
Next Meeting: TBD, see the [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page].<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=106236
OWASP AppSec DC 2010 Schedule
2011-03-04T14:21:18Z
<p>Spinkham: Add new video releases</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>[http://vimeo.com/groups/asdc10/videos/18820731 Video] | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>[http://vimeo.com/groups/asdc10/videos/18821089 Video] | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br>[http://vimeo.com/groups/asdc10/videos/19346235 Video] | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br>[http://vimeo.com/groups/asdc10/videos/18802696 Video] | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br>[http://vimeo.com/groups/asdc10/videos/19344945 Video] | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br>[http://vimeo.com/groups/asdc10/videos/18820054 Video] | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br>[http://vimeo.com/groups/asdc10/videos/18818757 Video] | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>[http://vimeo.com/groups/asdc10/videos/19618464 Video] | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>[http://vimeo.com/groups/asdc10/videos/19629525 Video] | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br>[http://vimeo.com/groups/asdc10/videos/19357262 Video] | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br>[http://vimeo.com/groups/asdc10/videos/19355417 Video] | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br><br>[http://vimeo.com/groups/asdc10/videos/18808494 Video]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br>[http://vimeo.com/groups/asdc10/videos/19104630 Video] | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br>[http://vimeo.com/groups/asdc10/videos/19104928 Video] | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> [http://vimeo.com/groups/asdc10/videos/19629938 Video] | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> [http://vimeo.com/groups/asdc10/videos/19914698 Video] | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br> [http://vimeo.com/groups/asdc10/videos/19908268 Video]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>[http://vimeo.com/groups/asdc10/videos/19331937 Video] | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br>[http://vimeo.com/groups/asdc10/videos/19105480 Video] | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br>[http://vimeo.com/groups/asdc10/videos/18984178 Video] | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>[http://vimeo.com/groups/asdc10/videos/19337407 Video] | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>[http://vimeo.com/groups/asdc10/videos/18826138 Video] | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> [http://vimeo.com/groups/asdc10/videos/19891280 Video] | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br>[http://vimeo.com/groups/asdc10/videos/18980995 Video] | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> [http://vimeo.com/groups/asdc10/videos/19912816 Video] | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br>[http://vimeo.com/groups/asdc10/videos/19105173 Video] | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br>[http://vimeo.com/groups/asdc10/videos/18810353 Video] | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br>[http://vimeo.com/groups/asdc10/videos/19105707 Video] | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br>[http://vimeo.com/groups/asdc10/videos/18984620 Video] | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br>[http://vimeo.com/groups/asdc10/videos/18820461 Video] | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br>[http://vimeo.com/groups/asdc10/videos/19051012 Video] | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br>[http://vimeo.com/groups/asdc10/videos/18827316 Video] | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> [http://vimeo.com/groups/asdc10/videos/19631724 Video] | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> [http://vimeo.com/groups/asdc10/videos/19632487 Video] | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> [http://vimeo.com/groups/asdc10/videos/19908922 Video] | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Talk:Summit_2011_Working_Sessions/Session009&diff=104531
Talk:Summit 2011 Working Sessions/Session009
2011-02-08T19:37:20Z
<p>Spinkham: Add CSP friendliness as a potential recomendation criteria</p>
<hr />
<div>I'm remote, but just wanted to suggest that Content Security Policy is a significantly game changing technology that it should be discussed also. For CSP to be effective, the Unobtrusive Javascript paradigm must be adopted by the frameworks. This should be part of any recomendation produced by this body.<br />
<br />
--Spinkham</div>
Spinkham
https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session009/Deliverable_3&diff=104530
Summit 2011 Working Sessions/Session009/Deliverable 3
2011-02-08T19:36:26Z
<p>Spinkham: sign my blurb ;-)</p>
<hr />
<div>== '''Deliverable 3''' ==<br />
<br />
'''White paper or standard for what we want the web frameworks to provide in terms of XSS defenses. Turning the XSS Prevention Cheat Sheet into a standard/metric for frameworks would be great.''' <br />
<br />
To be filled in.<br />
<br />
I'm remote, but just wanted to suggest that Content Security Policy is a significantly game changing technology that it should be discussed also.<br />
For CSP to be effective, the [http://en.wikipedia.org/wiki/Unobtrusive_JavaScript Unobtrusive Javascript] paradigm must be adopted by the frameworks. This should be part of any recomendation produced by this body.<br />
<br />
-Spinkham</div>
Spinkham
https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session009/Deliverable_3&diff=104529
Summit 2011 Working Sessions/Session009/Deliverable 3
2011-02-08T19:35:40Z
<p>Spinkham: Suggest CSP friendliness as a criteria</p>
<hr />
<div>== '''Deliverable 3''' ==<br />
<br />
'''White paper or standard for what we want the web frameworks to provide in terms of XSS defenses. Turning the XSS Prevention Cheat Sheet into a standard/metric for frameworks would be great.''' <br />
<br />
To be filled in.<br />
<br />
I'm remote, but just wanted to suggest that Content Security Policy is a significantly game changing technology that it should be discussed also.<br />
For CSP to be effective, the [http://en.wikipedia.org/wiki/Unobtrusive_JavaScript Unobtrusive Javascript] paradigm must be adopted by the frameworks. This should be part of any recomendation produced by this body.</div>
Spinkham
https://wiki.owasp.org/index.php?title=Talk:Summit_2011_Working_Sessions/Session068&diff=104526
Talk:Summit 2011 Working Sessions/Session068
2011-02-08T18:38:02Z
<p>Spinkham: </p>
<hr />
<div>Aparently there was a collaboration link posted for the session? Can anyone put that here for reference?<br />
<br />
I'll put my $0.02 here in the mean time.<br />
<br />
We should make the easy stuff go away, have the hard stuff well documented, and go to where devs are. They're too busy to come to us.<br />
<br />
What can be solved by a framework or with a mechanism like a CSP flag should be, and what can't should be documented in the framework or language docs.<br />
<br />
Simply put, if you want to give devs security information, it needs to be in the places the devs go. That can include links to external resources for more details, but the first place the dev goes to for examples and documentation has to cover security well. <br />
<br />
OWASP also needs to connect with publishers to further that goal.<br />
<br />
-- SPinkham</div>
Spinkham
https://wiki.owasp.org/index.php?title=Talk:Summit_2011_Working_Sessions/Session068&diff=104525
Talk:Summit 2011 Working Sessions/Session068
2011-02-08T18:36:53Z
<p>Spinkham: Created page with "Aparently there was a collabotation link posted for the session? Can anyone put that here for reference? I'll put my $0.02 here in the mean time. We should make the easy stuff ..."</p>
<hr />
<div>Aparently there was a collabotation link posted for the session? Can anyone put that here for reference?<br />
<br />
I'll put my $0.02 here in the mean time.<br />
<br />
We should make the easy stuff go away,have the hard stuff well documented,and go to where devs are.They're too busy to come to us.<br />
<br />
What can be solved by a framework or CSP flag should be, and what can't should be documented in the framework or language docs. Simply put, if you want to give devs security information, it needs to be in the places the devs go. That can include links to external resources for more details, but the first place the dev goes to for examples and documentation has to cover security well. <br />
<br />
OWASP needs to connect with publishers to further that goal.<br />
<br />
-- SPinkham</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=104410
Triangle
2011-02-08T13:58:37Z
<p>Spinkham: Edits for change in leadership team</p>
<hr />
<div>==Welcome to the OWASP North Carolina Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
President: [mailto:steve.pinkham@gmail.com Steve Pinkham] <br /><br />
Vice President: [mailto://CWhitesock(@)coastalfcu(.)org Chris Whitesock] <br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
Higher Ed: [mailto:fayedv(@)meredith(.)edu Victor Fayed] <br/><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
TBD, see Meetup page<br />
<br />
Next Meeting: TBD, see the [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page].<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please don't hesitate to contact the leadership team if you would like to assist the local chapter in any way.<br />
<br />
We accept flattery, suggestions, and snide remarks as well as monetary, time, and facilities donations.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com. The [http://www.meetup.com/owaspnc/ OWASP NC meetup.com page] has details of our next meeting. RSVP if possible.<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in some ongoing projects our membership is already involved in, as well as being open to new projects.<br />
<br />
Please contact the leadership team if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=104409
Triangle
2011-02-08T13:52:05Z
<p>Spinkham: </p>
<hr />
<div>==Welcome to the OWASP North Carolina Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
President: [mailto:steve.pinkham(@)gmail(.)com Steve Pinkham] <br /><br />
Vice President: [mailto://CWhitesock(@)coastalfcu(.)org Chris Whitesock] <br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
Higher Ed: [mailto:fayedv(@)meredith(.)edu Victor Fayed] <br/><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
TBD, see Meetup page<br />
<br />
Next Meeting: TBD, see Meetup page<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please contact mmenefee[at]gmail[dot]com if you would like to assist with helping grow the local chapter.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we are soliciting interest in new and ongoing projects our membership is involved in. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com.<br />
<br />
Click [http://www.meetup.com/owaspnc/ here] for details of our next meeting, and RSVP<br />
<br />
==Projects==<br />
<br />
We are soliciting interest in <br />
<br />
Please contact [mailto:steve.pinkham(@)gmail(.)com Steve Pinkham] if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=104408
Triangle
2011-02-08T13:49:59Z
<p>Spinkham: /* Meeting Location */</p>
<hr />
<div>==Welcome to the OWASP North Carolina Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
President: [mailto:steve.pinkham(@)gmail(.)com Steve Pinkham] <br /><br />
Vice President: [mailto://CWhitesock(@)coastalfcu(.)org Chris Whitesock] <br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
Higher Ed: [mailto:fayedv(@)meredith(.)edu Victor Fayed] <br/><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
TBD, see Meetup page<br />
<br />
Next Meeting: TBD, see Meetup page<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please contact mmenefee[at]gmail[dot]com if you would like to assist with helping grow the local chapter.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we will be sponsoring several already in-development tools. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com.<br />
<br />
Click [http://www.meetup.com/owaspnc/ here] for details of our next meeting, and RSVP<br />
<br />
==Projects==<br />
<br />
We are currently engaged in several new OWASP project initiatives, mostly surrounding passive assessment techniques used during the pen testing process. If you are interested in helping out, we need some development assistance. <br />
<br />
We are currently developing in PHP, Perl & Python, using MySQl for back-end storage. <br />
<br />
Please contact [mailto:mmenefee(at)gmail(.)com Mike Menefee] if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Triangle&diff=104406
Triangle
2011-02-08T13:48:57Z
<p>Spinkham: /* Chapter Leadership */ Change Mike to Steve, see mailing list for details</p>
<hr />
<div>==Welcome to the OWASP North Carolina Local Chapter homepage!== <br />
<br />
====Chapter Leadership====<br />
President: [mailto:steve.pinkham(@)gmail(.)com Steve Pinkham] <br /><br />
Vice President: [mailto://CWhitesock(@)coastalfcu(.)org Chris Whitesock] <br /><br />
<br />
<strong>Industry Advisers:</strong><br /><br />
Higher Ed: [mailto:fayedv(@)meredith(.)edu Victor Fayed] <br/><br />
<br /><br />
We are looking for board members and industry advisers, so if you are interested, please contact us!<br />
<br /><br />
<br /><br />
<br />
<br />
<br /><br />
<br />
==Participation==<br />
OWASP chapter meetings are free and open to anyone interested in application security. We encourage members to give presentations on specific topics and to contribute to the local chapter by sharing their knowledge with others. Prior to participating with OWASP please review the [https://www.owasp.org/index.php/Chapter_Rules/ Chapter Rules]. <br />
<br />
<p><br />
Join the Chapter by signing up on our <br />
[http://lists.owasp.org/mailman/listinfo/owasp-Raleigh mailing list]<br /><br />
<br />
<br />
Or, you can view our Mailing List Archives [http://lists.owasp.org/pipermail/owasp-raleigh/ here]<br />
</p><br />
<p><br />
<br /><br />
----<br />
<br />
<paypal>Raleigh</paypal><br />
</p><br />
----<br />
<br /><br />
<br />
==Meeting Location==<br />
''Coastal Federal Credit Union Headquarters<br /><br />
''1000 St Albans Drive<br /><br />
''Raleigh NC, 27609<br /><br />
''Google Map [http://www.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=1000+St+Albans+Dr,+Raleigh,+NC+27609&jsv=141e&sll=37.0625,-95.677068&sspn=36.589577,93.164063&ie=UTF8&ei=BBxxSe62I4GyMLnSmbcH&sig2=lHNDCIwg7EhUum2l_DAR7Q&cd=1&cid=35832537,-78621982,13423347940142949601&li=lmd here]<br /><br />
<br />
Next Meeting: February 17th 6:30-8:30 PM<br />
----<br />
<br />
<br />
The Raleigh NC Chapter is looking for new members. Please contact mmenefee[at]gmail[dot]com if you would like to assist with helping grow the local chapter.<br />
<br />
Aside from regular meetings with guest speakers from other chapters and organizations, we will be sponsoring several already in-development tools. If you have any interest in contributing to these projects, please let me know. <br />
<br />
As always -- everyone is welcome to join us at our chapter meetings.<br />
====Events====<br />
----<br />
Our Chapter meetings and events are scheduled at Meetup.com.<br />
<br />
Click [http://www.meetup.com/owaspnc/ here] for details of our next meeting, and RSVP<br />
<br />
==Projects==<br />
<br />
We are currently engaged in several new OWASP project initiatives, mostly surrounding passive assessment techniques used during the pen testing process. If you are interested in helping out, we need some development assistance. <br />
<br />
We are currently developing in PHP, Perl & Python, using MySQl for back-end storage. <br />
<br />
Please contact [mailto:mmenefee(at)gmail(.)com Mike Menefee] if you are interested in helping out!</div>
Spinkham
https://wiki.owasp.org/index.php?title=Talk:Summit_2011_Working_Sessions/Session056&diff=104405
Talk:Summit 2011 Working Sessions/Session056
2011-02-08T13:47:19Z
<p>Spinkham: Created page with "This session is not on the list of static or dynamic talks for the conference. Is it still happening?"</p>
<hr />
<div>This session is not on the list of static or dynamic talks for the conference. Is it still happening?</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=103380
OWASP AppSec DC 2010 Schedule
2011-02-04T17:32:02Z
<p>Spinkham: More vimeo video links</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>[http://vimeo.com/groups/asdc10/videos/18820731 Video] | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>[http://vimeo.com/groups/asdc10/videos/18821089 Video] | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br>[http://vimeo.com/groups/asdc10/videos/19346235 Video] | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br>[http://vimeo.com/groups/asdc10/videos/18802696 Video] | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br>[http://vimeo.com/groups/asdc10/videos/19344945 Video] | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br>[http://vimeo.com/groups/asdc10/videos/18820054 Video] | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br>[http://vimeo.com/groups/asdc10/videos/18818757 Video] | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>Video | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>Video | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br>[http://vimeo.com/groups/asdc10/videos/19357262 Video] | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br>[http://vimeo.com/groups/asdc10/videos/19355417 Video] | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br><br>[http://vimeo.com/groups/asdc10/videos/18808494 Video]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br>[http://vimeo.com/groups/asdc10/videos/19104630 Video] | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br>[http://vimeo.com/groups/asdc10/videos/19104928 Video] | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> Video | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> Video | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>[http://vimeo.com/groups/asdc10/videos/19331937 Video] | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br>[http://vimeo.com/groups/asdc10/videos/19105480 Video] | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br>[http://vimeo.com/groups/asdc10/videos/18984178 Video] | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>[http://vimeo.com/groups/asdc10/videos/19337407 Video] | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>[http://vimeo.com/groups/asdc10/videos/18826138 Video] | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> Video | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br>[http://vimeo.com/groups/asdc10/videos/18980995 Video] | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> Video | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br>[http://vimeo.com/groups/asdc10/videos/19105173 Video] | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br>[http://vimeo.com/groups/asdc10/videos/18810353 Video] | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br>[http://vimeo.com/groups/asdc10/videos/19105707 Video] | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br>[http://vimeo.com/groups/asdc10/videos/18984620 Video] | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br>[http://vimeo.com/groups/asdc10/videos/18820461 Video] | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br>[http://vimeo.com/groups/asdc10/videos/19051012 Video] | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br>[http://vimeo.com/groups/asdc10/videos/18827316 Video] | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> Video | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> Video | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=103379
OWASP AppSec DC 2010 Schedule
2011-02-04T17:29:32Z
<p>Spinkham: More vimeo video links</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>[http://vimeo.com/groups/asdc10/videos/18820731 Video] | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>[http://vimeo.com/groups/asdc10/videos/18821089 Video] | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br> Video | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br>[http://vimeo.com/groups/asdc10/videos/18802696 Video] | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br> Video | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br>[http://vimeo.com/groups/asdc10/videos/18820054 Video] | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br>[http://vimeo.com/groups/asdc10/videos/18818757 Video] | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>Video | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>Video | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br> Video | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br> Video | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br><br>[http://vimeo.com/groups/asdc10/videos/18808494 Video]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br>[http://vimeo.com/groups/asdc10/videos/19104630 Video] | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br>[http://vimeo.com/groups/asdc10/videos/19104928 Video] | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> Video | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> Video | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>Video | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br>[http://vimeo.com/groups/asdc10/videos/19105480 Video] | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br>[http://vimeo.com/groups/asdc10/videos/18984178 Video] | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>Video | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>[http://vimeo.com/groups/asdc10/videos/18826138 Video] | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> Video | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br>[http://vimeo.com/groups/asdc10/videos/18980995 Video] | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> Video | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br>[http://vimeo.com/groups/asdc10/videos/19105173 Video] | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br>[http://vimeo.com/groups/asdc10/videos/18810353 Video] | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br>[http://vimeo.com/groups/asdc10/videos/19105707 Video] | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br>[http://vimeo.com/groups/asdc10/videos/18984620 Video] | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br>[http://vimeo.com/groups/asdc10/videos/18820461 Video] | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br>[http://vimeo.com/groups/asdc10/videos/19051012 Video] | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br>[http://vimeo.com/groups/asdc10/videos/18827316 Video] | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> Video | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> Video | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=103378
OWASP AppSec DC 2010 Schedule
2011-02-04T17:26:42Z
<p>Spinkham: More vimeo video links</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>[http://vimeo.com/groups/asdc10/videos/18820731 Video] | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>[http://vimeo.com/groups/asdc10/videos/18821089 Video] | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br> Video | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br>[http://vimeo.com/groups/asdc10/videos/18802696 Video] | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br> Video | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br>[http://vimeo.com/groups/asdc10/videos/18820054 Video] | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br>[http://vimeo.com/groups/asdc10/videos/18818757 Video] | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>Video | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>Video | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br> Video | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br> Video | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br><br>[http://vimeo.com/groups/asdc10/videos/18808494 Video]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br> Video | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br> Video | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> Video | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> Video | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>Video | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br> Video | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br>[http://vimeo.com/groups/asdc10/videos/18984178 Video] | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>Video | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>[http://vimeo.com/groups/asdc10/videos/18826138 Video] | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> Video | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br>[http://vimeo.com/groups/asdc10/videos/18980995 Video] | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> Video | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br> Video | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br>[http://vimeo.com/groups/asdc10/videos/18810353 Video] | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br> Video | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br>[http://vimeo.com/groups/asdc10/videos/18984620 Video] | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br>[http://vimeo.com/groups/asdc10/videos/18820461 Video] | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br> Video | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br>[http://vimeo.com/groups/asdc10/videos/18827316 Video] | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> Video | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> Video | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=103377
OWASP AppSec DC 2010 Schedule
2011-02-04T17:23:30Z
<p>Spinkham: More vimeo video links</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>[http://vimeo.com/groups/asdc10/videos/18820731 Video] | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>[http://vimeo.com/groups/asdc10/videos/18821089 Video] | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br> Video | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br>[http://vimeo.com/groups/asdc10/videos/18802696 Video] | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br> Video | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br>[http://vimeo.com/groups/asdc10/videos/18820054 Video] | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br>[http://vimeo.com/groups/asdc10/videos/18818757 Video] | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>Video | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>Video | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br> Video | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br> Video | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br><br>[http://vimeo.com/groups/asdc10/videos/18808494 Video]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br> Video | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br> Video | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> Video | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> Video | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>Video | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br> Video | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br> Video | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>Video | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>Video | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> Video | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br> Video | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> Video | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br> Video | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br>[http://vimeo.com/groups/asdc10/videos/18810353 Video] | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br> Video | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br> Video | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br>[http://vimeo.com/groups/asdc10/videos/18820461 Video] | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br> Video | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> Video | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> Video | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=103376
OWASP AppSec DC 2010 Schedule
2011-02-04T17:18:55Z
<p>Spinkham: More video links</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>Video | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>[http://vimeo.com/groups/asdc10/videos/18821089 Video] | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br> Video | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br>[http://vimeo.com/groups/asdc10/videos/18802696 Video] | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br> Video | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br> Video | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br>[http://vimeo.com/groups/asdc10/videos/18818757 Video] | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>Video | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>Video | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br> Video | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br> Video | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br> Video | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br> Video | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> Video | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> Video | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>Video | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br> Video | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br> Video | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>Video | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>Video | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> Video | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br> Video | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> Video | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br> Video | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br>[http://vimeo.com/groups/asdc10/videos/18810353 Video] | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br> Video | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br> Video | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br> Video | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br> Video | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> Video | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> Video | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2010_Schedule&diff=103375
OWASP AppSec DC 2010 Schedule
2011-02-04T17:15:13Z
<p>Spinkham: Added Declarative Web Security video link</p>
<hr />
<div>__NOTOC__ <br />
[[Image:468x60-banner-2010.gif|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]] <br />
<br />
[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] | [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] | [http://www.dcconvention.com/ Walter E. Washington Convention Center]<br />
<br><br />
<br><br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
====Training 11/08====<br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 1 - Nov 8th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security <br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Art of Exploiting SQL Injections]] <br>Sumit Siddharth, 7Safe Limited<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[WebAppSec.php: Developing Secure Web Applications]]<br>Robert Zakon<br />
<!-- Training Day 1 --><br />
|}<br />
====Training 11/09==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="8" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Training Day 2 - Nov 9th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''149A''' <br />
| width="150" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''149B''' <br />
| width="150" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''154A''' <br />
| width="150" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''155'''<br />
| width="150" valign="middle" height="40" bgcolor="#BCA57A" align="center" | '''154B'''<br />
| width="150" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''159B'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-12:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:00-13:00 <br />
| valign="middle" height="40" bgcolor="#909090" align="center" colspan="7" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 13:00-17:00 <br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | Day 1:<br>[[Assessing and Exploiting Web Applications with Samurai-WTF]]<br>Justin Searle, InGuardians<br />
| width="150" valign="middle" height="120" bgcolor="#ffdf80" align="center" | Day 1:<br>[[Leading an AppSec Initiative ]]<br>Jeff Williams, Aspect Security<br />
| width="150" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | Day 1:<br>[[Remote Testing for Common Web Application Security Threats]]<br>David Rhoades, Maven Security<br />
| width="150" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Java Security Overview ]]<br>Zoltán Hornák, SEARCH-LAB<br />
| width="150" valign="middle" height="120" bgcolor="#BCA57A" align="center" | [[Software Security Remediation: How to Fix Application Vulnerabilities ]]<br>Dan Cornell, Denim Group<br />
| width="150" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Threat Modeling Express]]<br>Rohit Sethi & Oliver Ng, Security Compass<br />
<!-- Training Day 2 --><br />
|}<br />
====Plenary Day 1 - 11/10==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 1 - Nov 10th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''Defense (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''Metrics (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Government (145A)'''<br />
|- valign="bottom<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:50 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:50-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Welcome and Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Neal Ziring|Keynote: Neal Ziring]]<br>National Security Agency<br>Video | [[Media: OWASP-appsec2010-app_assurance-nziring-20101110.ppt | Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | OWASP Status Update<br>[[OWASP:About#Global_Board_Members| OWASP Board]]<br>Video | [http://www.owasp.org/images/0/0f/OWASPDC2010-v1.pdf Slides]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:30-10:45 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Redspin30x120.png|link=http://www.redspin.com]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:45-11:30 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Python Basics for Web App Pentesters]]<br>Justin Searle <br><br> Video | [[Media: Python_Basics_for_Web_App_Pentesters.zip|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Drive By Downloads: How To Avoid Getting A Cap Popped In Your App]]<br>Neil Daswani<br><br> Video | [[Media:OWASP_Dasient_11_10_10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Secure Code Review: Enterprise Metrics]]<br>Richard Tychansky<br><br>Video | [[Media:OWASP_-_Secure_Code_Review_Enterprise_Metrics.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Cyber-Assurance Ecosystem - Automation Activities for Securing the Enterprise]]<br>Joe Jarzombek & Tom Millar<br><br> Video | [[Media:SwA_SCRM_10Nov2010_jj.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:30-11:35 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:35-12:20 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[White and Black box testing of Lotus Domino Applications]]<br>Ari Elias-bachrach and Casey Pike<br><br> Video | [[Media: Domino_testing_presentation.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Protecting Federal Government from Web 2.0 Application Security Risks]]<br>Sarbari Gupta<br><br> Video | [[Media: Protecting_Federal_Government_from_Web_2.0_Application_Security_Risks_-_Sarbari_Gupta_FINAL.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Measuring Security: 5 KPIs for Successful Web App Security Programs]]<br>Rafal Los<br><br> Video | [[Media:Magic_Numbers_-_5_KPIs_for_Measuring_WebAppSec_Program_Success_v3.2.pdf | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Security Risk and the Software Supply Chain]]<br>Karen Goertzel<br><br> Video | [[Media:BoozAllen-AppSecDC2010-sw_scrm.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:20-1:20 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:20-2:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Pen Testing with Iron]]<br>Andrew Wilson <br><br> Video | [[Media:PenTestingWithIron.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Providing application-level assurance through DNSSEC]]<br>Suresh Krishnaswamy, Wes Hardaker and Russ Mundy<br><br> Video | [[Media: Providing-Application-level-Assurance-through-DNSSEC-final.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[H.....t.....t....p.......p....o....s....t]]<br>Onn Chee & Tom Brennan <br><br> Video | [http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf Slides]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Understanding How They Attack Your Weaknesses: CAPEC]]<br>Sean Barnum<br><br><br><br>Making Security Measurable<br>Video | [[Media:Making_Security_Measurable_-_CWE_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br><br><br>Understanding How They Attack Your Weaknesses<br>Video | [[Media:Understanding_How_They_Attack_Your_Weaknesses-CAPEC_-_OWASP_AppSec_DC_2010_(Barnum).pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:05-2:10 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="2" | Break<br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="1" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:10-2:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking Oracle From Web Apps]]<br>Sumit Siddharth<br><br> Video | [[Media: Hacking_Oracle_From_Web_Apps_2.0.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[GuardRails: A Nearly Painless Solution to Insecure Web Applications|GuardRails: A (Nearly) Painless Solution to Insecure Web Applications]]<br>Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri<br><br> Video | [[Media:Guardrails_owasp_final.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Framed! Security-patching Common Web Development Frameworks]] - Panel<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 2:55-3:10 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:SecureIdeas_30X65.png|link=http://www.secureideas.net]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 3:10-3:55 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[wXf: Web Exploitation Framework]]<br>Ken Johnson and Chris Gates<br><br> Video | [[Media: WXf_ASDC_Presentation.odp.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[The Strengths of Combining Code Review with Application Penetration Testing]]<br>Dave Wichers<br><br> Video | [[Media: 2010-DC_The_Power_of_Code_Review.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Dealing with Web Application Security, Regulation Style]]<br>Andrew Weidenhamer<br><br> Video | [[Media: Andrew_Weidenhamer_AppSecDC_Presentation.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Ensuring Software Assurance Process Maturity]]<br>Edmund Wotring<br><br> Video | [[Media:20101110_-_Ensuring_Software_Assurance_Process_Maturity_-_Final.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 3:55-4:00 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:00-4:45 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" rowspan="5" | [[Pen-Test Panel]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Botnet Resistant Coding: Protecting Your Users from Script Kiddies]]<br>Fabian Rothschild and Peter Greko<br><br> Video | [[Media:OWASP_Bot_res_enc.pptx|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" rowspan="1" | [[OWASP Broken Web Applications Project Update]]<br>Chuck Willis<br>Video | [[Media:Chuck_Willis_OWASPBWA_for_OWASP_AppSecDC_2010-11-10.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[People, Process, and Technology: OWASP Impact on the SwA Processes and Practices Working Group]]<br>Michele Moss<br><br> Video | [[Media: OWASP_DC_2010_Moss_fin.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Smashing WebGoat for Fun and Research: Static Code Scanner Evaluation]]<br>Joshua Windsor and Joshua Pauli<br>Video | [[Media: Smashing_WebGoat_-_AppSecDC_Presentation.odp.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:45-4:50 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="2"| 4:50-5:35 <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" rowspan="2" | [[Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners]]<br>David Shelly, Randy Marchany & Joseph Tront<br><br> Video | [[Media:Closing_the_Gap_AppSecDC_Shelly.ppt|Slides]]<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[Using Misuse Cases to Articulate Vulnerabilities to Stakeholders]]<br>Scott Mendenhall<br>Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="2" | [[Federal Perspectives on Application Security]] - Panel<br />
|- valign="bottom"<br />
| width="200" valign="middle" height="90" bgcolor="#a0c0e0" align="center" | [[The Web Hacking Incident Database (WHID) Report]]<br>Ryan Barnett<br>Video | [[Media:AppSecDC_2010-WHID_Report-Ryan_Barnett.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:30-7:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Cocktails sponsored by [[Image:Trustwave50x250.png|link=https://www.trustwave.com/]]<br />
<!-- Day 1 --><br />
|}<br />
====Plenary Day 2 - 11/11==== <br />
{| cellspacing="0" border="2"<br />
|- valign="middle"<br />
| height="60" align="center" colspan="5" style="background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;" | <font size="5">'''Plenary Day 2 - Nov 11th 2010'''</font><br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | &nbsp; <br />
| width="200" valign="middle" height="40" bgcolor="#c0a0a0" align="center" | '''Offense (147B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#ffdf80" align="center" | '''New Frontiers (147A)''' <br />
| width="200" valign="middle" height="40" bgcolor="#a0c0e0" align="center" | '''OWASP (145B)''' <br />
| width="200" valign="middle" height="40" bgcolor="#b3ff99" align="center" | '''Process (145A)'''<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 07:30-08:55 <br />
| valign="middle" bgcolor="#e0e0e0" align="center" colspan="4" | Registration<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 08:55-09:00 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Day 2 Opening Remarks<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 09:00-10:00 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | [[AppSec DC 2010 Keynote Ron Ross|Keynote: Ron Ross]]<br>National Institute of Standards and Technology<br>Video | [[Media: OWASP-11-11-2010-Ross.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:00-10:15 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:Trustwave30x150.png|link=https://www.trustwave.com/]] <br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 10:15-11:00 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking SAP BusinessObjects]]<br>Joshua Abraham and Will Vandevanter<br><br> Video | Slides <br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Cloudy with a chance of hack!]]<br>Lars Ewe<br><br> Video | [[Media:OWASP_Cloudy_with_a_chance_of_hack_Nov_2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Don't Judge a Website by its Icon - Read the Label!|Don’t Judge a Website by its Icon – Read the Label!]]<br>Jeff Williams<br><br>Video | [[Media:2010-11_OWASP_Software_Labels.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers]]<br>Dan Cornell<br><br> Video | [[Media: ApplicationPortfolioRiskRanking_BanishingFUDWithStructureAndNumbers_Content.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:00-11:05 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:05-11:50 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Deconstructing ColdFusion ]]<br>Chris Eng and Brandon Creighton<br><br> Video | [[Media: OWASP_AppSec_DC_2010_-_Deconstructing_ColdFusion.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Declarative Web Security]]<br>Brandon Sterne<br><br> [http://vimeo.com/groups/asdc10/videos/18984410 Video] | [[Media: Mozilla_OWASP_AppSec_2010_DC.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[The Secure Coding Practices Quick Reference Guide]]<br>Keith Turpin<br><br> Video | [[Media: Secure_Coding_Practices_Quick_Ref_4.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Code Reviewing Strategies]]<br>Andrew Wilson and John Hoopes<br><br> Video | [[Media:CodeReviewStrategies.pptx|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 11:50-11:55 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 11:55-12:40 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Friendly Traitor 2 Features are hot but giving up our secrets is not!]]<br>Kevin Johnson and Mike Poor<br><br> Video | [[Media: Friendly_Traitor_2.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Exploiting the media for fun and profit. Analysis of a new type of web application attacks through media files]]<br>Aleksandr Yampolskiy<br><br> Video | [[Media:Exploiting_Media_For_Fun_and_Profit.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Open Source Web Entry Firewall]]<br>Ivan Buetler<br><br> Video | [[Media: AppSecDC_Open_Source_Web_Entry_Server_V2.2.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Microsoft's Security Development Lifecycle for Agile Development]]<br>Nick Coblentz<br><br> Video | [[Media:OWASP_AppSec_DC_2010_-_Microsoft_SDL-Agile_Presentation_-_Nick_Coblentz_2010-11-11.pdf|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="40" bgcolor="#7b8abd" | 12:40-1:40 <br />
| valign="middle" height="40" bgcolor="#e0e0e0" align="center" colspan="4" | Lunch<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 1:40-2:25 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Hacking .NET Applications at Runtime: A Dynamic Attack]]<br>Jon McCoy<br><br> Video | [[Media: AppSecDC_-_Attacking_.NET_Applications_at_Runtime.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Life in the Clouds: a Service Provider's View]]<br>Michael Smith<br><br> Video | [[Media: Life_In_the_Clouds.Smith.AppSecDC2010.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Solving Real World Problems with ESAPI]]<br>Chris Schmidt<br><br> Video | [[Media:ESAPI-2010-AppSecDC.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" rowspan="3"| [[Financial Services Panel]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 2:25-2:30 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="3" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" rowspan="1"| 2:30-3:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[JavaSnoop: How to hack anything written in Java]]<br>Arshan Dabirsiaghi<br><br> Video | [[Media:JavaSnoop_-_OWASP_AppSec_DC_2010.pptx|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Social Zombies Gone Wild: Totally Exposed and Uncensored]]<br>Kevin Johnson and Tom Eston<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[Attack Detection and Prevention with OWASP AppSensor]]<br>Colin Watson<br><br> Video | [[Media:AppSecDC-colin-watson-appsensor.ppt|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" bgcolor="#7b8abd" | 3:15-3:30 <br />
| valign="middle" height="30" bgcolor="#e0e0e0" align="center" colspan="4" | Coffee Break sponsored by [[Image:AppSecDC-2010-Syngress75x30.gif|link=http://www.syngress.com/]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 3:30-4:15 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Unlocking the Toolkit: Attacking Google Web Toolkit]]<br>Ron Gutierrez<br><br> Video | [[Media: Attacking_Google_Web_Toolkit.ppt | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Smart Phones with Dumb Apps: Threat Modeling for Mobile Applications]]<br>Dan Cornell<br><br> Video | [[Media: SmartPhonesDumbApps_OWASPDC_20101111_Content.pdf|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ModSecurity Core Rule Set]]<br>Ryan Barnett<br><br> Video | [[Media:AppSecDC_2010-ModSecurityCRS_Ryan_Barnett.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[Implementing a Secure Software Development Program]]<br>Darren Death<br><br> Video | Slides<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="5" bgcolor="#7b8abd" rowspan="1"| 4:15-4:20 <br />
| valign="middle" height="5" bgcolor="#e0e0e0" align="center" colspan="4" | Break<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="120" bgcolor="#7b8abd" | 4:20-5:05 <br />
| width="200" valign="middle" height="120" bgcolor="#c0a0a0" align="center" | [[Constricting the Web: Offensive Python for Web Hackers]]<br>Marcin Wielgoszewski and Nathan Hamiel<br><br> Video | Slides<br />
| width="200" valign="middle" height="120" bgcolor="#ffdf80" align="center" | [[Threats from Economical Improvement]]<br>Eduardo Neves<br><br> Video | [[Media: Threats_from_Economical_Improvement_OWASP_AppSec_2010_LR.key.zip | Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#a0c0e0" align="center" | [[OWASP ESAPI SwingSet]]<br>Fabio Cerullo<br><br> Video | [[Media:Esapi_swingset_talk_dc.ppt|Slides]]<br />
| width="200" valign="middle" height="120" bgcolor="#b3ff99" align="center" | [[The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform]]<br>Benjamin Tomhave<br><br> Video | [[Media: Carrot-stick-consequences-AppSecDC-2010.key.zip|Slides]]<br />
|- valign="bottom"<br />
| width="72" valign="middle" height="60" bgcolor="#7b8abd" | 5:05-5:30 <br />
| valign="middle" height="60" bgcolor="#e0e0e0" align="center" colspan="4" | Closing Remarks/Prizes<br>The OWASP AppSec DC Team<!-- Day 2 --><br />
|}<br />
<headertabs /><br />
<br />
[[OWASP AppSec DC 2010|Main Conference Page]] | [[:Category:AppSec DC 2010 Presentations|Presentations Page]] | [[:Category:AppSec DC 2010 Training|Training Page]]<br />
<br />
[[Category:OWASP_AppSec_Conference]] [[Category:OWASP_AppSec_DC_2010]]</div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=95182
Phoenix/Tools
2010-12-04T00:34:58Z
<p>Spinkham: Add Pixy/* PHP static analysis and file inclusion scanning */</p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LiveCD]<br /><br />
Web Security Dojo - http://dojo.mavensecurity.com/<br /><br />
Samurai WTF - http://samurai.inguardians.com<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
moth - http://www.bonsai-sec.com/en/research/moth.php<br /><br />
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /><br />
<br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br /><br />
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz<br /><br />
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
Websecurify - http://www.websecurify.com<br/><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
Pixy: Open source flow based discovery of XSS and SQLi - http://pixybox.seclab.tuwien.ac.at/pixy/<br /><br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
SSL Labs - https://www.ssllabs.com/ssldb/<br /><br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
Analytics seo - http://www.analyticsseo.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=95180
Phoenix/Tools
2010-12-04T00:30:49Z
<p>Spinkham: Add j-baah, change Jbrofuzz link to OWASP page /* RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools */</p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LiveCD]<br /><br />
Web Security Dojo - http://dojo.mavensecurity.com/<br /><br />
Samurai WTF - http://samurai.inguardians.com<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
moth - http://www.bonsai-sec.com/en/research/moth.php<br /><br />
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /><br />
<br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br /><br />
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz<br /><br />
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
Websecurify - http://www.websecurify.com<br/><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
SSL Labs - https://www.ssllabs.com/ssldb/<br /><br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
Analytics seo - http://www.analyticsseo.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=95178
Phoenix/Tools
2010-12-04T00:29:36Z
<p>Spinkham: Move J-Baah and jbrofuzz to fuzzers section /* HTTP proxying / editing */</p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LiveCD]<br /><br />
Web Security Dojo - http://dojo.mavensecurity.com/<br /><br />
Samurai WTF - http://samurai.inguardians.com<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
moth - http://www.bonsai-sec.com/en/research/moth.php<br /><br />
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /><br />
<br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br /><br />
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
Websecurify - http://www.websecurify.com<br/><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
SSL Labs - https://www.ssllabs.com/ssldb/<br /><br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
Analytics seo - http://www.analyticsseo.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=95175
Phoenix/Tools
2010-12-04T00:22:47Z
<p>Spinkham: Added JbroFuzz, J-Baah, ZAP, and Andiparos /* HTTP proxying / editing */</p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LiveCD]<br /><br />
Web Security Dojo - http://dojo.mavensecurity.com/<br /><br />
Samurai WTF - http://samurai.inguardians.com<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
moth - http://www.bonsai-sec.com/en/research/moth.php<br /><br />
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /><br />
<br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Paros fork #1: Zed Attack Proxy (ZAP) - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project<br /><br />
Paros fork #2: Andiparos - http://code.google.com/p/andiparos/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
JBroFuzz - http://www.owasp.org/index.php/JBroFuzz<br /><br />
J-Baah - http://www.sensepost.com/labs/tools/pentest/j-baah<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
Websecurify - http://www.websecurify.com<br/><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
SSL Labs - https://www.ssllabs.com/ssldb/<br /><br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
Analytics seo - http://www.analyticsseo.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=95170
Phoenix/Tools
2010-12-04T00:10:32Z
<p>Spinkham: Change moth to more descriptive link/* LiveCDs */</p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LiveCD]<br /><br />
Web Security Dojo - http://dojo.mavensecurity.com/<br /><br />
Samurai WTF - http://samurai.inguardians.com<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
moth - http://www.bonsai-sec.com/en/research/moth.php<br /><br />
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /><br />
<br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
Websecurify - http://www.websecurify.com<br/><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
SSL Labs - https://www.ssllabs.com/ssldb/<br /><br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
Analytics seo - http://www.analyticsseo.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=95168
Phoenix/Tools
2010-12-04T00:08:55Z
<p>Spinkham: Add and clean up livecds /* LiveCDs */</p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
[http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project OWASP LiveCD]<br /><br />
Web Security Dojo - http://dojo.mavensecurity.com/<br /><br />
Samurai WTF - http://samurai.inguardians.com<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
moth - http://sourceforge.net/projects/w3af/files/moth/moth/<br /><br />
OWASP Broken Web Applications - http://code.google.com/p/owaspbwa/<br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
Google’s web application training - http://jarlsberg.appspot.com/part1/ <br /><br />
<br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
EnDe - http://www.owasp.org/index.php/Category:OWASP_EnDe<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
Websecurify - http://www.websecurify.com<br/><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
CodePro Analytix - http://code.google.com/webtoolkit/tools/codepro/doc/index.html<br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
SSL Labs - https://www.ssllabs.com/ssldb/<br /><br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
Analytics seo - http://www.analyticsseo.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham
https://wiki.owasp.org/index.php?title=Projects/OWASP_Secure_Web_Application_Framework_Manifesto/Releases/Current/Manifesto&diff=92687
Projects/OWASP Secure Web Application Framework Manifesto/Releases/Current/Manifesto
2010-11-10T23:18:17Z
<p>Spinkham: /* Requirement Description */ Add benifits of CSP reporting</p>
<hr />
<div>''Secure Web Application Framework Manifesto''<br />
<br />
Authors: Tom Aratyn, Sahba Kazerooni, Patrick Szeto, & Rohit Sethi<br />
<br />
Version 0.08<br />
<br />
http://www.securitycompass.com<br />
<br />
labs@securitycompass.com<br />
<br />
<br />
= Mission Statement =<br />
The Secure Web Application Framework Manifesto is a document detailing a specific set of security requirements for developers of web application frameworks to adhere to. The manifesto centers around the following beliefs:<br />
<br />
* Frameworks that are ‘secure by default’ will yield a dramatic reduction in the number of common web application security vulnerabilities.<br />
* Application security experts should provide, on a regularly basis, updated guidance to framework developers on how to incorporate mechanisms to avoid newly discovered vulnerabilities.<br />
<br />
= Introduction =<br />
Developers are increasingly relying on scaffolding-based systems like Rails and Django to build applications. The number of web application frameworks, scaffolding or otherwise, is constantly growing and it's becoming increasingly clear that securing these frameworks will be a major boon for the future of secure web applications.<br />
<br />
In the words of Jeff Williams, we have plenty of "painkillers" for web application framework developers to follow such as lists of vulnerabilities to avoid. The Security Analysis of Core J2EE Patterns was our first attempt at providing "vitamins" or positive advice to framework developers on what they should do to incorporate security into their design. Recognizing that many developers are gravitating to leveraging web application frameworks, we decided it was time to provide a list of positive features that these frameworks should include.<br />
<br />
This "Secure Web Application Framework Manifesto" must, of course, be a living document. At any given point, it should provide a minimum baseline of what a web application framework should include to appeal to security-conscious developers. We contend that if such a web application framework is broadly adopted, it will have far reaching effects into web application security.<br />
<br />
Adhering to the manifesto is only a starting point. Developers still can, and surely will, introduce vulnerabilities not covered by the manifesto; especially those pertaining to their core domain such as fine-grained authorization. Secure-by-default frameworks are compliments but not substitutes for developer security awareness. <br />
<br />
The Manifesto is not an exhaustive specification. It is designed to provide a minimum standard for frameworks to adhere to in order to facilitate development of secure web applications. Some of these features will come with tradeoffs in performance or usability. Security features should be turned on by default with the option to turn them off explicitly. In some cases, the usability or performance trade-offs may be so great that framework developers will turn the features off by default. Such decisions should be the exception and not the norm.<br />
<br />
== Acknowledgements ==<br />
We owe a debt of gratitude to Arshan Dabirsiaghi and the entire OWASP [http://www.owasp.org/index.php/Category:Intrinsic_Security_Working_Group Intrinsic Security Working Group]. The ISWG aims to measure the security of various frameworks – the inverse of the Secure Web Application Framework Manifesto, which aims to provide the measuring stick itself. Although we initially started this manifesto independent of their work, cross referencing their requirements helped us identify gaps in the Manifesto.<br />
<br />
Similarly, James Landis was kind enough to provide us with a similar body of work he put together in defining requirements for a secure web application framework. His ideas also helped shape the manifesto.<br />
<br />
We also would like to thank the following individuals for their insight and support in creating the manifesto:<br />
<br />
* Jim Manico<br />
* Dinis Cruz<br />
* James McGovern<br />
* Paco Hope<br />
* Paul Johnston<br />
<br />
= Requirements =<br />
== Injection Prevention ==<br />
Confounding data with executable code is the cause of the most pervasive application security problems: Cross Site Scripting (XSS), SQL injection, buffer overflow and several others. The fundamental problem arises when developers can mix user-supplied or user-influenced data, such as HTTP parameters, with static or system-generated code. The resultant data is then executed or otherwise interpreted by a process which can no longer differentiate the code from the data. An obvious example of this principle at work is [http://www.owasp.org/index.php/SQL_Injection SQL injection]. Pseudo code:<br />
<br />
bad_query = "select * from accounts where accountid = '" + user_supplied_value + "'";<br />
DatabaseTool.executeQuery(bad_query);<br />
<br />
In this example, the database tool has no way to differentiate which parts of the query variable came from the string literal and which parts came from the user supplied value. Most modern programming languages and development frameworks offer a way around this by offering parameterized queries or prepared statements.<br />
<br />
Pseudo code:<br />
<br />
PreparedStatement good_query = "select * from accounts where accountid = ?";<br />
good_query.setParameter(1, user_supplied_value)<br />
DatabaseTool.executeParameterizedQuery(good_query);<br />
<br />
DatabaseTool has a few ways to protect against the vulnerability in the second example. For example, the tool could pre-compile the string literal and pass the parameters to the database separately. The database is then responsible for not misinterpreting any portion of the user supplied data as SQL code. Such an approach renders SQL injection impossible. <br />
<br />
Another approach is to encode unsafe data in a context relevant format. For example: to mitigate against Cross Site Scripting, a secure web application framework could automatically HTML, HTML attribute, cascading style sheet, or JavaScript encode nearly all non alpha-numeric characters depending on the context. The encoding functions in the [http://code.google.com/p/owasp-esapi-java/ OWASP ESAPI project for Java] serve as an excellent reference for this approach. <br />
<br />
<br />
=== Provide Tools that Output Data Which is Safe from Interpretation by Browsers ===<br />
==== Requirement Description ====<br />
Provide tools that take potentially dangerous data, such as user-supplied input, and outputs the data to Hyper Text Markup Language (HTML), Cascading Style Sheet (CSS), or client-side script. The data should be outputted in such a way that all supported web browsers will not interpret the result as including meta-characters for code. In particular, the output should not contain valid HTML markup, CSS code, or client-side script code such as JavaScript. Tag libraries must, by default, employ these tools when outputting user-supplied data.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/XSS Cross Site Scripting (XSS)]<br />
<br />
==== Implementation Suggestions ====<br />
The most common implementation of this feature is to escape potentially dangerous characters such that they will not be interpreted by the browser as HTML markup, CSS code, or JavaScript. Most implementations use HTML entities, CSS escaping, and JavaScript escaping respectively. <br />
<br />
Knowing which form of escaping to use means understanding where the data will be output. The Open Web Application Security Project (OWASP) Enterprise Security Application Programming Interface (ESAPI) for Java project provides multiple [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc5/org/owasp/esapi/Encoder.html encoding functions] and requires the developer to select the correct function depending on context.<br />
<br />
If a framework is context aware (i.e. understands whether data will be output to HTML, CSS, or JavaScript) then it can automatically select the correct encoding format. Although not always possible, such functionality is ideally suited for template-based server pages such as ASP, JSP, or PHP. See [http://googleonlinesecurity.blogspot.com/2009/03/reducing-xss-by-way-of-automatic.html Google’s template system]. <br />
<br />
An important consideration is which characters to encode versus which characters to leave unencoded. Excessive encoding may mean extra performance and transmission costs, whereas under encoding may mean missing dangerous characters and leaving applications susceptible to attack. Where possible, decide upon a whitelist of valid characters, such as characters within the Unicode Alpha or Numeric classes, and encode all other characters.<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use these tools to output data to HTML, JavaScript, or CSS. <br />
<br />
<nowiki>The only exception should be for functions that must, by design, output valid HTML markup, JavaScript, CSS – for example, a tag that generates “<b>” and “</b>” markers to denote bold text.</nowiki><br />
<br />
<br />
=== Provide Parameterized Query Functionality for SQL Statements ===<br />
==== Requirement Description ====<br />
Provide tools that allow developers to create static SQL String literals with the ability to bind parameters at runtime. This functionality is commonly referred to as Parameterized Queries or Prepared Statements. Databases must not interpret bound parameters as valid SQL escape sequences, such as an apostrophe to delimit a string. Note that that term “parameterized ''query''” does not just refer to Select statements, it also refers to other common SQL statements, such as Insert, Update, and Delete<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/SQL_Injection SQL injection] <br />
<br />
==== Implementation Suggestions ====<br />
Two common implementations include:<br />
* Pre-compiling the string literal and transmitting the parameters to the database separately. The database is then responsible for maintaining a distinction between the SQL statement and the parameters<br />
<br />
* Contextual escaping, similar to the defense described in “3.1.1Data Which is Safe from Interpretation by Browsers”. Note that any such escaping should account for different possible encoding formats of the underlying database<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration '''always '''use parameterized queries; '''never '''use dynamic statements consisting of dynamically concatenated string literals and parameters.<br />
<br />
<br />
=== Provide Tools that Output Data Which is Safe from Interpretation by XML Processors ===<br />
==== Requirement Description ====<br />
Provide tools that take potentially dangerous data, such as user-supplied input, and outputs the data to XML. The data should be outputted in such a way that an XML validator, parser, or other processor will not interpret the result as including meta-characters for XML code. In particular, the output should not contain XML element, XML attribute, XML comment, CData, Document Type Definition (DTD), XML Stylesheet, preprocessing, or any other XML tags. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29 XML injection]<br />
<br />
==== Implementation Suggestions ====<br />
The most common implementation of this feature is to escape potentially dangerous characters using [http://www.xml.com/pub/a/2001/01/31/qanda.html XML entities] and / or [http://www.w3.org/TR/2004/REC-xml-20040204/ numeric character reference]. Unlike “3.1.1Data Which is Safe from Interpretation by Browsers”, this requirement applies to a single output type, and does not encompass the same complexities associated with Cross Site Scripting mitigation. See the Open Web Application Security Project (OWASP) Enterprise Security Application Programming Interface (ESAPI) for Java project provides an example of [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc5/org/owasp/esapi/Encoder.html XML encoding].<br />
<br />
An important consideration is which characters to encode versus which characters to leave unencoded. Excessive encoding may mean extra performance and transmission costs, whereas under encoding may mean missing dangerous characters and leaving applications susceptible to attack. Where possible, decide upon a whitelist of valid characters, such as characters within the Unicode Alpha or Numeric classes, and encode all other characters.<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use these tools to output data to XML. <br />
<br />
Pseudo code:<br />
<br />
xmlText = <nowiki>“<element>” + SafeXMLFunction(userParameter) + “</element>”</nowiki><br />
<br />
The only exception should be for functions that must, by design, output valid XML tags – for example, a function that generates standard Simple Object Access Protocol (SOAP) element tags.<br />
<br />
<br />
=== Provide Parameterized Query Functionality for XPath Statements ===<br />
==== Requirement Description ====<br />
Provide tools that allow developers to create static XPath String literals with the ability to bind parameters at runtime, similar to Parameterized Queries for SQL. XPath engines must not interpret bound parameters as valid XML escape sequences, such as an apostrophe to delimit a string. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/XPATH_Injection XPath injection]<br />
<br />
==== Implementation Suggestions ====<br />
As with SQL Parameterized Queries, two possible implementations include:<br />
<br />
•Pre-compiling the string literal and transmitting the parameters to the XPath engine separately. The XPath engine is then responsible for maintaining a distinction between the XPath statement and the parameters (see [http://blogs.msdn.com/shjin/archive/2005/07/25/443077.aspx this article]<nowiki> from the Microsoft Developer Network [MSDN])</nowiki><br />
<br />
•Contextual escaping, similar to the defense described in “3.1.1Provide Tools that Output Data Which is Safe from Interpretation by Browsers”. Note that any such escaping should account for different possible encoding formats of the underlying database<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use these tools to perform XPath queries. <br />
<br />
<br />
=== Provide Parameterized Query Functionality for LDAP Statements ===<br />
==== Requirement Description ====<br />
Provide tools that allow developers to create static Lightweight Directory Access Protocol (LDAP) String literals with the ability to bind parameters at runtime, similar to Parameterized Queries for SQL. LDAP directories must not interpret bound parameters as valid LDAP escape sequences, such as an asterisk to denote a wildcard character . <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/LDAP_injection LDAP injection]<br />
<br />
==== Implementation Suggestions ====<br />
As with SQL Parameterized Queries, two possible implementations include:<br />
<br />
•Pre-compiling the string literal and transmitting the parameters to the LDAP directory separately. The LDAP engine is then responsible for maintaining a distinction between the LDAP Path statement and the parameters<br />
<br />
•Contextual escaping, similar to the defense described in “3.1.1Provide Tools that Output Data Which is Safe from Interpretation by Browsers”. Note that any such escaping should account for different possible encoding formats of the underlying database<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use these tools to perform LDAP queries. <br />
<br />
<br />
=== Disallow Newline Characters from Untrusted Data in HTTP Response Headers ===<br />
==== Requirement Description ====<br />
For all functions that can modify HTTP response headers, such as a redirect function or the “Set-Cookie” header, disallow newline characters in potentially un-trusted parameters. For example, disallow newline characters inside of a cookie value or URL for a redirect. <br />
<br />
Note that the term disallow is purposefully undefined; framework developers should use the best approach to match their needs, such as:<br />
<br />
* Strip newline characters out<br />
** Note that whenever stripping a potentially malicious character, ensure the resuling string is also free from dangerous characters. For example “%%0A0A” would still result in a URL encoded newline character if the “%0A” was stripped out once.<br />
* Cause an error condition<br />
* Replace newline characters with a safe equivalent, such as the literal string “\n” or ”\r”<br />
<br />
Common functions that can modify HTTP response headers include:<br />
<br />
* Setting HTTP status code<br />
* Setting URL for a redirect<br />
* Setting cookie name, value, path, secure flag, HttpOnly flag, or expiry<br />
<br />
Framework developers may wish to provide an option to turn this functionality off for compatibility, performance, or other reasons; however, it must be turned on by default for new applications. Store this configuration setting in a centralized, auditable security settings file.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/HTTP_Response_Splitting HTTP response splitting]<br />
<br />
==== Implementation Suggestions ====<br />
Use a regular expression to replace carriage returns and line feeds with safe equivalents; namely, the string literals “\n” and “\r”.<br />
<br />
==== Documentation Suggestion ====<br />
State that affected methods may not work as intended if users intentionally supply newline characters into HTTP response splitting. Indicate that solution addresses Http Response Splitting and, if appropriate, describe how to turn the feature off along with an appropriate warning of the resultant risk.<br />
<br />
=== Provide Option to Disallow Newline Characters in Text File Logging ===<br />
==== Requirement Description ====<br />
Provide an option in logging functionality to automatically disallow writing newline characters in text file-based logs. Modifying all log statements may incur significant overhead, thus this requirement is an option rather than a default setting. Store this configuration setting in a centralized, auditable security settings file.<br />
<br />
For HTML-based logging use the tools described in “3.1.1Provide Tools that Output Data Which is Safe from Interpretation by Browsers”. For XML-based logging use the tools described in “3.1.3 Data Which is Safe from Interpretation by XML Processors”.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Log_injection Log injection]<br />
<br />
==== Implementation Suggestions ====<br />
Use a regular expression to replace carriage returns and line feeds with safe equivalents; namely, the string literals “\n” and “\r”.<br />
<br />
==== Documentation Suggestion ====<br />
Provide clear instructions on how to modify this setting, as well as the security implications of keeping the default value as turned off.<br />
<br />
== Input Validation ==<br />
=== Provide Configurable Validation for All Forms of User-Supplied Input ===<br />
==== Requirement Description ====<br />
Provide a mechanism to validate the content of all user-supplied input without directly modifying other application code. For example, provide a configuration file that allows users to supply regular expressions to validate HTTP parameters for any page. <br />
<br />
The types of input to validate must include, at a minimum:<br />
<br />
* HTTP request parameter names<br />
* HTTP request parameter values<br />
* HTTP request header names<br />
* HTTP request header values<br />
* URLs<br />
* Cookie names<br />
* Cookie values<br />
* SQL statement results<br />
* Input from a proprietary format, such as Flash Action Message Format <br />
* Remotely accessible Application Program Interfaces (APIs), such as Simple Object Access Protocol (SOAP) or Representational State Transfer (REST) endpoints<br />
<br />
Where possible, store the validation configurations setting in a centralized, standard location. Ideally, developers / administrators should be able to make changes to validation logic during application deployment rather than requiring a rebuild. <br />
<br />
Optionally, provide a tool that allows security auditors to easily determine which forms of input the application is currently validating through the validation engine. <br />
<br />
Optionally, provide sample regular expressions useful for whitelist validation of common data types such as phone numbers, zip codes, etc.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement is part of a defense in depth strategy. Although providing configurable validation does not, in itself, mitigate specific vulnerabilities it does help provide defense in depth. Input validation is particularly useful as additional defense for injection attacks, such as:<br />
<br />
* [http://www.owasp.org/index.php/XSS Cross site scripting (XSS)]<br />
* [http://www.owasp.org/index.php/SQL_Injection SQL injection] <br />
* [http://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29 XML injection]<br />
* [http://www.owasp.org/index.php/XPATH_Injection XPath injection]<br />
* [http://www.owasp.org/index.php/LDAP_injection LDAP injection]<br />
* [http://www.owasp.org/index.php/HTTP_Response_Splitting HTTP response splitting]<br />
* [http://www.owasp.org/index.php/Log_injection Log injection]<br />
<br />
In addition, input validation can help against undiscovered input / injection attacks as well as attacks on downstream systems.<br />
<br />
==== Implementation Suggestions ====<br />
Use a configuration file similar to the [http://struts.apache.org/1.2.4/userGuide/dev_validator.html Apache Struts Validator] plug-in. Note that the Validator plugin only provides input validation for form fields; a secure framework should provide a similar mechanism for ''all'' forms of user-supplied input.<br />
<br />
The architecture of the validation configuration should follow the default application architecture. For example, if the default application uses a single HTML page with many different command parameters to represent different transactions, then the validation framework should allow developers to specify different validation for different commands – distinguishing the “command=” parameter from other parameters.<br />
<br />
==== Documentation Suggestion ====<br />
Demonstrate examples of the validation logic as part of normal application development. Include validation examples in user manuals, tutorials, demonstration/sample code, and all other documentation.<br />
<br />
<br />
=== Use Whitelist Validation for File Paths and Names in File Handling Functionality ===<br />
==== Requirement Description ====<br />
For each supported operating system, only allow legal characters in the file paths and file names in the file handling functionality such as open and save. Disallow, for example, null characters. This functionality is particularly important since file handling often relies on lower-level operating system commands. Strings in operating system functions may be null-terminated even if framework strings are not null-terminated.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference Insecure direct object reference]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Document how this feature works, what impact it may have on file handling, and how to turn it off along with an appropriate warning of the resultant risk.<br />
<br />
<br />
=== Specify an Encoding Format for Every HTTP Response Page ===<br />
==== Requirement Description ====<br />
Assign a consistent encoding format such as UTF-8 to all HTTP response pages unless there is a specific reason to use a different format. Allow developers to define the default encoding format.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/XSS Cross site scripting (XSS)]<br />
** [http://www.juniper.net/security/auto/vulnerabilities/vuln34917.html Obscure cross-site scripting vectors]<br />
<br />
==== Implementation Suggestions ====<br />
Django provides a [http://code.djangoproject.com/wiki/StringEncoding configuration option] for default character set.<br />
<br />
==== Documentation Suggestion ====<br />
Document how this feature works, what impact it may have on internationalization, and how to turn it off along with an appropriate warning of the resultant risk.<br />
<br />
<br />
=== Do Not Accept Characters with Illegal Byte Sequences or Overly Long Forms for a Given Encoding ===<br />
==== Requirement Description ====<br />
Overly long and malformed characters in variable length encoding formats such as UTF-8 can be used to bypass filters and may sometimes be translated to the proper format after sanitization by a different component or application. Only accept legal character sequences.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://capec.mitre.org/data/definitions/80.html Filter bypass]<br />
<br />
==== Implementation Suggestions ====<br />
The W3C provides a [http://www.w3.org/International/questions/qa-forms-utf-8.en.php regular expression] to validate UTF-8 characters.<br />
<br />
==== Documentation Suggestion ====<br />
In reference documentation describe that this feature exists.<br />
<br />
<br />
=== Provide Function to Detect HTTP Parameter Tampering ===<br />
==== Requirement Description ====<br />
In some cases end users should not be able to modify certain parameters, such as some hidden form fields. Provide a server-side mechanism that detects tampering of “read-only” parameters without the overhead of storing these parameters on the server.<br />
<br />
The framework will not necessarily know about ''all ''read-only parameters; however, the framework should be able to automatically identify ''some ''read-only parameters (e.g. hidden form fields with static values), and allow individual developers to identify other read-only parameters. If applied transparently, this feature may break functionality, so provide options to turn the feature on for specific forms or across the application.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Web_Parameter_Tampering Parameter Manipulation]<br />
<br />
==== Implementation Suggestions ====<br />
The .Net framework provides a defense in the form of an [http://en.wikipedia.org/wiki/HMAC HMAC] for [http://msdn.microsoft.com/en-us/library/bb386448.aspx ViewState]. The HMAC solution:<br />
<br />
* Takes a hash of read-only fields in a form prior to sending them to the client<br />
* Encrypts that hash with a secret key stored on the server<br />
* Adds the hashed and encrypted value as an additional hidden field in the form<br />
* Upon form submission, rehashes and re-encrypts the read only client-supplied parameters and compares the hash with the client-supplied HMAC parameter. Any difference indicates that one or more of the read only parameters were tampered with<br />
<br />
==== Documentation Suggestion ====<br />
Provide detailed documentation on how to enable this feature and how it works. Include (if applicable) how the framework creates and stores cryptographic keys, how developers can change cryptographic algorithms, and how to configure the feature to work in load balanced environments. Always enable the feature for read-only form fields in samples and tutorials.<br />
<br />
<br />
=== Automatically Generate Content Security Policy (CSP) Headers ===<br />
==== Requirement Description ====<br />
Mozilla proposed [http://people.mozilla.org/~bsterne/content-security-policy/ CSP] to help protect against Cross Site Scripting. Although CSP, at the time of this writing, is not fully implemented in most browsers, a secure web application framework should proactively provide this control for when CSP becomes standard.<br />
<br />
CSP allows developers to specify which domains a web application allows to host its scripts. A browser that complies with CSP will, when instructed to, only run scripts from the whitelisted domains and avoid executing inline or event handling HTML attribute scripts. CSP also helps protect against [http://ha.ckers.org/blog/20080915/clickjacking/ Clickjacking] by specifying “which sites may embed contents from my site”. Finally, CSP provides for an optional report-url to which all policy violations will be reported, allowing detection of attacks and proactive response to protect non-CSP enabled browsers.<br />
<br />
Automatically generate CSP headers that restrict script access to the application’s domain and prevent inline / event handling HTML attribute scripts unless necessary. Provide tools to easily extend the list of white-listed domains when required. By default, disallow all other sites from being embedded within the application’s contents unless necessary.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/XSS Cross Site Scripting (XSS)]<br />
* [http://www.owasp.org/index.php/Clickjacking Clickjacking]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Document how this feature works, what impact it may have on embedded scripts, and how to turn it off along with an appropriate warning of the resultant risk.<br />
<br />
<br />
=== Automatically Generate Origin Headers ===<br />
==== Requirement Description ====<br />
Mozilla proposed the [http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html Origin Header] to protect against Cross Site Request Forgery (CSRF). Supporting clients send information about the originating domain of each request to the server. <br />
<br />
Where possible, verify that the origin of a request is from the expected domain. In particular, verify that application form fields originate from the application’s domain. Generate errors for requests with invalid origins.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/CSRF Cross Site Request Forgery]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Document how this feature works, what impact it may have on application integration, and how to turn it off along with an appropriate warning of the resultant risk.<br />
<br />
<br />
=== Specify a Default Maximum Payload Size for All Inbound Interfaces ===<br />
==== Requirement Description ====<br />
Check the size of payloads from all inbound interfaces prior to processing. If the payload size exceeds a default maximum generate an error. Allow developers to change the default size and turn off the feature. <br />
<br />
At a minimum, provide payload size checks for:<br />
<br />
* HTTP Requests<br />
** Optionally, provide different configuration for file upload functions to allow for larger payloads<br />
* <nowiki>XML requests (e.g. Simple Object Access Protocol [SOAP])</nowiki><br />
* <nowiki>Any other programmatic interface (e.g. Remote Method Invocation over Internet Inter-Orb Protocol [RMI IIOP])</nowiki><br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Application_Denial_of_Service Denial of Service]<br />
<br />
==== Implementation Suggestions ====<br />
Web servers often provide a maximum configurable HTTP request body size. See the Apache web server [http://httpd.apache.org/docs/2.0/mod/core.html LimitRequestBody directive].<br />
<br />
==== Documentation Suggestion ====<br />
Document how this feature works, what impact it may have on large payloads, and how to turn it off along with an appropriate warning of the resultant risk.<br />
<br />
<br />
== Authentication and Authorization ==<br />
=== Enforce Default Deny Policy for Framework Managed Authorization ===<br />
==== Requirement Description ====<br />
Some frameworks elect to provide managed authorization services, such as determining whether a user has sufficient privileges to view a specific page. Ensure that managed authorization services always deny access by default unless explicitly instructed otherwise.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf HTTP Verb Tampering]<br />
<br />
==== Implementation Suggestions ====<br />
The [http://static.springsource.org/spring-security/site/docs/3.0.x/reference/authz-arch.html Spring Security authorization] module employs default deny using the [http://static.springsource.org/spring-security/site/docs/3.0.x/reference/authz-arch.html RoleVoter] for role-based access control.<br />
<br />
==== Documentation Suggestion ====<br />
Document the default deny behavior when describing the authorization functionality. Provide instructions on how developers can grant access to more users when necessary. If the framework provides a default-accept option, strongly discourage developers from using it and explain the associated risks.<br />
<br />
<br />
=== Provide Indirect Object Reference Functionality ===<br />
==== Requirement Description ====<br />
Provide functionality that creates and translates indirect references for a specific file, a set of files, or all files in a particular directory or directories.<br />
<br />
Applications often allow users to access sensitive resources such as user-specific files from the application server. Direct object references use the actual file name (e.g. “file=statement1.pdf”) whereas indirect object references provide an independent identifier that the application later translates into an actual filename (e.g. “file=a”, where ‘a’ later translates to statement1.pdf).The problem with the former method is that attackers can sometimes access files that they shouldn’t (e.g. “file=../config.xml”). An indirect object reference renders such an attack impossible because the application only provides access to a specified set of files (e.g. all files in a particular directory, or a predefind list of individual files). Unfortunately, the complexity of creating an indirect object reference for each file that is to be accessed by the end user means that many developers end up favoring direct object references. Providing functionality to automate this task incentivizes developers to rely on indirect object references.<br />
<br />
Note that this control applies specifically to resources that require access control. Publicly-accessible static content such as JavaScript or Cascading Style Sheet files that are normally stored on web servers do not necessarily need this protection. On web servers, use operating system or server controls to prevent forcible [http://www.owasp.org/index.php/Path_Traversal Path Traversal] attacks.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference Insecure Direct Object Reference]<br />
<br />
==== Implementation Suggestions ====<br />
See the [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/org/owasp/esapi/reference/IntegerAccessReferenceMap.html ESAPI Java AccessReferenceMap] and [http://support.microsoft.com/kb/910442 .Net’s Web Resource mechanism] for examples of this functionality.<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use these tools for accessing server-side files except for publicly-accessible static content (e.g. common JavaScript libraries). <br />
<br />
<br />
=== Provide a Function That Hashes and Salts Input with Random Bytes ===<br />
Provide all the functionality necessary for a developer to implement secure authentication. In particular, authentication should use a secure hashing algorithm salted with a fixed length random byte sequence (see). Both the hashing algorithm and salt length should be configurable in case a particular hashing function is defeated in the future. Secure web application frameworks should default to stronger, slower hashing algorithms (e.g. SHA-2) instead of fast algorithms (e.g. MD5 and SHA-1) to mitigate the risk of off-line brute forcing.<br />
<br />
==== Requirement Description ====<br />
Provide the following two functions:<br />
<br />
# A function that hashes user input using a configurable, strong hashing algorithm (e.g. SHA-2) and adds a configurable-length random salt value<br />
# A function that checks equality of a plaintext value with a hashed, salted value derived from function 1)<br />
<br />
Developers can use these two functions respectively to facilitate securely storing a new password (e.g. new user registration or password reset) and to authenticate a user against a securely stored password.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://en.wikipedia.org/wiki/Rainbow_tables Rainbow tables]<br />
* [http://www.owasp.org/index.php/Top_10_2007-A8 Insecure cryptographic storage]<br />
<br />
==== Implementation Suggestions ====<br />
[http://www.jasypt.org/encrypting-passwords.html Jasypt] exposes passwordEncryptor.encryptPassword() for function 1) and passwordEncryptor.checkPassword for function 2). See [http://www.jasypt.org/howtoencryptuserpasswords.html this explanation] for details on how Jasypt stores the salt value and uses it for password comparisons.<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use these functions for new user registration, password change, and password-based authentication.<br />
<br />
== Session Management ==<br />
=== Use Cryptographically Secure Random Numbers for Session IDs ===<br />
==== Requirement Description ====<br />
Create session IDs from Cryptogaphically Strong Random Number Generators such as Java’s [http://java.sun.com/j2se/1.4.2/docs/api/java/security/SecureRandom.html SecureRandom] rather than a pseudo random number generator like the [http://www.aquaphoenix.com/ref/gnu_c_library/libc_255.html rand()] function in C.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Insufficient_entropy_in_pseudo-random_number_generator Insufficient entropy in pseudo random number generators]<br />
<br />
==== Implementation Suggestions ====<br />
Tomcat uses [http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html SecureRandom numbers] for Session IDs by default.<br />
<br />
==== Documentation Suggestion ====<br />
Describe how the framework generates session IDs in documentation.<br />
<br />
<br />
=== Provide Automatic Anti-CSRF Tokens ===<br />
==== Requirement Description ====<br />
Many web application frameworks create or render links and pages derived from form submission pages. Provide an option to transparently add and validate [http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet anti-CSRF tokens] to form submissions where possible. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/CSRF Cross Site Request Forgery]<br />
<br />
==== Implementation Suggestions ====<br />
[http://docs.djangoproject.com/en/dev/ref/contrib/csrf/ Django] provides this functionality optionally.<br />
<br />
==== Documentation Suggestion ====<br />
Where possible, turn this feature on in all user manuals, tutorials, demonstration/sample code, and all other documentation. Explain how the feature works and the risk associated with not using it.<br />
<br />
<br />
=== Automatically Reset Session IDs After Authentication ===<br />
==== Requirement Description ====<br />
Change the Session ID of a user after successful authentication. Note that this feature requires knowledge of when authentication occurs. Such knowledge is trivial in framework-managed authentication but more difficult if developers elect to use custom or third party authentication. Provide a hook for the developer to tell the framework when authentication occurs in cases where the framework can’t make that determination automatically (e.g. user.hasAuthenticated() ). <br />
<br />
If developers can associate server-side state with a session then retain that state when the session ID changes.<br />
<br />
In some cases, particularly when working with legacy components, changing session IDs after authentication may break functionality. Provide an option to disable this functionality.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Session_Fixation Session fixation] <br />
<br />
==== Implementation Suggestions ====<br />
Spring Security has built-in [http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html session fixation defense].<br />
<br />
==== Documentation Suggestion ====<br />
Always keep this functionality enabled on in all user manuals, tutorials, demonstration/sample code, and all other documentation. Explain how the feature works and the risk associated with not using it.<br />
<br />
<br />
=== Apply HttpOnly Flag to Session ID Cookie by Default ===<br />
==== Requirement Description ====<br />
Append the “[http://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29 HttpOnly]” flag to session cookies by default, with an option to turn that feature off. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/XSS Cross Site Scripting (XSS)]<br />
<br />
==== Implementation Suggestions ====<br />
The .Net framework provide the ability to add the [http://msdn.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx HttpOnly] flag to cookie flags, although the feature isn’t enabled by default.<br />
<br />
==== Documentation Suggestion ====<br />
Always keep this functionality enabled on in all user manuals, tutorials, demonstration/sample code, and all other documentation. Explain how the feature works and the risk associated with not using it.<br />
<br />
<br />
=== Provide Configuration Option to Apply Secure Flag to Session ID Cookie ===<br />
==== Requirement Description ====<br />
Most development frameworks make the default assumption that the application works over plaintext HTTP. In cases where the framework can be sure that the application uses SSL for the entire session (e.g. if the application container has SSL enabled), append the “[http://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29 secure]” flag to session cookies by default, with an option to turn that feature off. <br />
<br />
For cases where the framework cannot be sure that the application uses SSL for the entire session (e.g. a separate hardware device provides SSL and proxies plaintext HTTP to the application server), provide a simple configuration option for developers to add the “[http://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29 secure]” flag to session cookies.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Session_hijacking_attack Session hijacking]<br />
<br />
==== Implementation Suggestions ====<br />
The .Net framework provide the ability to add the [http://msdn.microsoft.com/en-us/library/system.web.httpcookie.secure%28v=VS.100%29.aspx secure] flag to cookies, although the feature isn’t enabled by default.<br />
<br />
==== Documentation Suggestion ====<br />
Always keep this functionality enabled on in all user manuals, tutorials, demonstration/sample code, and all other documentation. Explain how the feature works and the risk associated with not using it.<br />
<br />
<br />
=== Provide Configurable Inactive and Absolute Session Timeouts ===<br />
==== Requirement Description ====<br />
Provide an option to define both inactive (i.e. after a period of inactivity) and hard/absolute session timeout (i.e. period of time, regardless of amount of activity). Provide default values for both values. Provide an option to turn either or both timeouts.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Session_hijacking_attack Session hijacking]<br />
<br />
==== Implementation Suggestions ====<br />
Java Servlet containers provide [http://tomcat.apache.org/tomcat-5.5-doc/appdev/web.xml.txt configurable inactive timeout] values.<br />
<br />
==== Documentation Suggestion ====<br />
Explain how both features work and the risk associated with not using them.<br />
<br />
<br />
=== Provide a Configuration Option to Tie Session IDs to an IP Address, Subnet, or a List of IP Ranges ===<br />
==== Requirement Description ====<br />
Some application developers opt to correlate a session ID to the client’s IP address. After session generation, the application verifies that each request comes from the expected IP address thereby mitigating the risk of session hijacking. Provide an option to seamlessly deliver this functionality.<br />
<br />
In practice, session IP correlation on large networks is difficult if not impossible due to a variety of networking features – in particular, proxy servers such as [http://webmaster.info.aol.com/proxyinfo.html AOL proxy]. Provide options to help address this by, for example, allowing developers to specify a subnet length and verifying that each request comes from the same subnet. For example, if a developer configures session subnet correlation with a 24 bit subnet, then the application should permit requests from ''10.1.1''.3 and ''10.1.1''.5 to access the same session but it should not allow requests from ''10.1.2''.3 to access the same session.<br />
<br />
To deal with known proxy servers, such as AOL proxy, the framework should also allow developer to specify one or more lists of IP ranges. If a clients IP falls into one of ranges then ensure that all future requests for that same session come from the same list. For example, if one request comes from the set of AOL proxy IPs then all future requests for that session should come the AOL proxy IPs.<br />
<br />
Turn this feature off by default. Each application may require considerable time to configure for this feature to work properly.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Session_hijacking_attack Session hijacking]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Document how the feature works and how to turn it on. Provide a tutorial or other guidance on how to setup this feature for an application such that it doesn’t break availability. <br />
<br />
<br />
== XML Specific ==<br />
=== Disable the Following Unsafe Features by Default ===<br />
==== Requirement Description ====<br />
Over the years, security researchers have discovered several vulnerabilities in XML libraries – particularly [http://projects.webappsec.org/XML-Attribute-Blowup parsers] and [http://msdn.microsoft.com/en-us/magazine/ee335713.aspx validators]. Disallow dangerous functionality be default, namely:<br />
<br />
* [http://www.securiteam.com/securitynews/6D0100A5PU.html External entity] resolution<br />
* DTDs defined [http://www.javacommerce.com/displaypage.jsp?name=dtd.sql&id=18238 internally within XML] files<br />
* [http://www.w3.org/TR/xml-stylesheet/ XML Stylesheet Language Transforms (XSLTs) processing instructions] within an XML document’s prolog<br />
* [http://xml.apache.org/xalan-j/extensions.html XSLT extensions] that provide direct access to the operating system, such as Java [http://java.sun.com/j2se/1.4.2/docs/api/java/lang/Runtime.html runtime objects] or .Net [http://msdn.microsoft.com/en-us/library/system.diagnostics.process.aspx System.Diagnostics.Process]<br />
** Ideally, take a default deny approach to XSLT extensions and only allow known safe extensions with the option to turn on other extensions<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.securiteam.com/securitynews/6D0100A5PU.html External entity attacks]<br />
* [https://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf XSLT command injection]<br />
* [http://msdn.microsoft.com/en-us/magazine/ee335713.aspx XML bombs]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Always have the unsafe features turned off in sample code, unless explicitly necessary. Explain the potential risk of turning any of these features on.<br />
<br />
== Cryptography ==<br />
=== Provide Tools for Transparent Database Encryption ===<br />
==== Requirement Description ====<br />
Provide configuration options to seamlessly encrypt columns within a database when the framework handles database interaction. Object Relational Mapping (ORM) libraries in particular should allow developers to configure column-level encryption.<br />
<br />
See “Encrypt Passwords and Keys Stored in Configuration Files” for more information on how to protect the encryption key.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Insecure_Storage Insecure cryptographic storage]<br />
<br />
==== Implementation Suggestions ====<br />
[https://www.hibernate.org/415.html Hibernate in Java] provides seamless, configurable database encryption.<br />
<br />
==== Documentation Suggestion ====<br />
Document how the feature works and how to turn it on. Provide a tutorial or other guidance on how to use this feature.<br />
<br />
<br />
=== Provide Configurable Cryptographic Algorithms ===<br />
==== Requirement Description ====<br />
Hard-coding specific encryption algorithms and parameters such as key size may leave applications vulnerable to common attacks if a particular algorithm is ever compromised. Allow developers to configure the algorithm and parameters such as key strengths. <br />
<br />
Favor modes with secure random Initialization Vectors (IVs) rather than modes without IVs such [http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation as Electronic Code Book (ECB)].<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Insecure_Storage Insecure cryptographic storage]<br />
<br />
==== Implementation Suggestions ====<br />
See Java’s [http://java.sun.com/j2se/1.5.0/docs/api/java/security/Provider.html security provider architecture].<br />
<br />
Developers in non-compiled languages such as PHP, Ruby, and Python often favor scripts written in that programming language rather than static configuration files. Frameworks written in such languages should decouple application code from specific encryption algorithms, either by introducing a static configuration file or calling a utility class (e.g. HashingUtility.hash() rather than SHA2.hash()).<br />
<br />
==== Documentation Suggestion ====<br />
Clearly explain how to configure cryptographic algorithms. Provide strong default options (such as [http://csrc.nist.gov/groups/ST/toolkit/index.html NIST approved] algorithms and parameters).<br />
<br />
<br />
=== Follow the TLS Protection Cheatsheet for TLS/SSL Implementations ===<br />
==== Requirement Description ====<br />
Attackers have discovered several attacks on TLS/SSL implementations and X509 certificates: [http://www.scanit.be/uploads/ssl%20security%20in%20be%20-%2003-2008.pdf downgrade attacks], [http://extendedsubset.com/?p=8 plaintext injection during renegotiation] [http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf null prefix attacks], [http://www.thoughtcrime.org/papers/ocsp-attack.pdf circumventing Online Certificate Status Protocol (OCSP) controls], and several [http://www.blackhat.com/presentations/bh-usa-09/MARLINSPIKE/BHUSA09-Marlinspike-DefeatSSL-SLIDES.pdf others]. <br />
<br />
Reuse libraries that already account for these attacks rather than writing new libraries. Note that some of the attacks, such as [http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf null prefix attacks], are actually attacks against the client; however, these attacks also apply to the server during [http://en.wikipedia.org/wiki/Mutual_authentication mutual authentication].<br />
<br />
Providing an exhaustive set of requirements for TLS/SSL is beyond the scope of this manifesto. Consult the [http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheatsheet] for comprehensive guidance. SSL Labs maintains an [https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide_2009.pdf SSL Server Rating] guide that provides guidelines around certificate type, key size, cipher strength, key exchange algorithm, and protocol. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Top_10_2007-Insecure_Communications Insecure communications]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Clearly explain how to configure TLS. Provide specific guidance on how to deploy a server for optimum TLS/SSL security.<br />
<br />
<br />
== Configuration Security ==<br />
=== Encrypt Passwords and Keys Stored in Configuration Files ===<br />
==== Requirement Description ====<br />
Web application frameworks often store plaintext system passwords and keys in configuration files. For example, several frameworks use plaintext configuration files for [http://www.dotnetjohn.com/articles.aspx?articleid=3 database connection strings], [https://www.hibernate.org/415.html database encryption keys], [http://forums.asp.net/p/1086890/1651644.aspx Lightweight Directory Access Protocol (LDAP) connection strings], [http://www.digicert.com/ssl-certificate-installation-tomcat.htm keystore passwords], and other values. Attackers who are able to exploit other vulnerabilities are sometimes able to view the contents of files. <br />
<br />
Provide native support for encrypted properties in configuration files. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Broken_Authentication_and_Session_Management Broken authentication (plaintext credential storage)]<br />
<br />
==== Implementation Suggestions ====<br />
Developers will always run into the problem of providing some sort of password or key to decrypt encrypted credentials. While no solution is perfect, frameworks can employ one of several password / key storage options:<br />
<br />
* Store a private key, unique for each machine, as a binary file that can only be accessed by the application server. While this control succeeds in preventing attackers from viewing plaintext passwords in configuration files, it does not prevent attackers from first accessing the binary key and then the configuration file using the same exploit. This should be the minimum security option. See [http://download.oracle.com/docs/cd/E12840_01/wls/docs103/admin_ref/utils.html Weblogic].<br />
* Store the decryption key / password in a file, similar to the preceding option. Use operating system controls to ensure that file is only accessible by a separate launching process – not the application server. The launching process can then pass in the key / password as a command line argument when launching the application server. This way, a user who exploits the application server may not necessarily have access to the decryption key itself.<br />
* Support passphrases from an environment variable and/or web-form. This solution takes more work and possibly manual intervention but greatly decreases the risk of an attacker being able to find plaintext passwords in configuration files. See [http://www.jasypt.org/encrypting-configuration.html Jasypt]<br />
* Leverage a distributed service, such as the .Net Data Protection API (DPAPI) [http://msdn.microsoft.com/en-us/library/ms998280.aspx User Store] key storage. This restricts key access to a particular user, so other users on the same machine (including local administrators) cannot access that key.<br />
<br />
==== Documentation Suggestion ====<br />
Always use the most secure possible credential storage in all user manuals, tutorials, demonstration/sample code, and all other documentation. Explain how the features work and the risk associated with not using them.<br />
<br />
<br />
== File Upload ==<br />
=== File Upload Tools Should Supports Pluggable Anti Malware Scanning Solutions ===<br />
==== Requirement Description ====<br />
Framework-managed file upload tools should facilitate safe file uploads by providing configuration options to support for library-based third party anti-virus scanning solutions, such as [http://www.clamav.net/ Clam AV].<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution Malicious file execution]<br />
* [http://www.owasp.org/index.php/Unrestricted_File_Upload Unrestricted file upload]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Document how to use the pluggable anti-malware feature. Provide Application Programming Interface (API) details on how third parties can hook into the framework.<br />
<br />
=== File Upload Tool Should Provide Options to Disallow Saving Outside of a Specified Directory ===<br />
==== Requirement Description ====<br />
Framework-managed file upload tools should disallow saving a file outside of a configurable specified directory and, optionally, any subdirectories (see the Unix [http://unixwiz.net/techtips/chroot-practices.html chroot] command).<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Unrestricted_File_Upload Unrestricted file upload]<br />
<br />
==== Implementation Suggestions ====<br />
You may wish to allow developers to specify absolute paths or relative paths to the application’s root. Restrict file upload to a relative path by default (e.g. /app/uploads directory).<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use this feature with file upload. Document the risks associated with turning this feature off.<br />
<br />
<br />
=== Provide a File Upload Tool that Supports Pluggable Content Validation ===<br />
==== Requirement Description ====<br />
Framework-managed file upload tools should facilitate safe file uploads by providing configuration options to support for library-based third party solutions that validate the contents of a particular file type. For example, a PDF validator might ensure that a given file is indeed a PDF and does not contain any executable code or dangerous PDF extensions.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution Malicious file execution]<br />
* [http://www.owasp.org/index.php/Unrestricted_File_Upload Unrestricted file upload]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Document how to use the pluggable validation feature. Provide options to associate different validation libraries for different extensions. Provide Application Programming Interface (API) details on how third parties can hook into the framework.<br />
<br />
<br />
== Miscellaneous ==<br />
=== Provide Security Specific Logs and Log All Attack Points Specified in AppSensor ===<br />
==== Requirement Description ====<br />
Provide a security-specific log and turn it on by default. Automatically log potential attacks using all of the attack points documented in the [http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project OWASP AppSensor Project]. <br />
<br />
Ensure consistent use of event IDs (e.g. SE5 for source change of IP during session). Developers should be able to log to the security-specific log as well.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/ApplicationLayerIntrustionDetection Insufficient application intrusion detection]<br />
<br />
==== Implementation Suggestions ====<br />
See the [http://code.google.com/p/appsensor/source/browse/ AppSensor code].<br />
<br />
==== Documentation Suggestion ====<br />
Explain what the security log is, how it works, how and what to add to it, and the format for log entries. Expose details of the log format so that log analysis / Security Event Manager (SEM) tools can detect potential attacks.<br />
<br />
<br />
=== Automatically Generate X-Frame-Options Header ===<br />
==== Requirement Description ====<br />
Browsers such as Internet Explorer 8+ support the [http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-FRAME-OPTIONS] header. Automatically set the X-FRAME-OPTIONS value to DENY by default or SAMEORIGIN if the application requires nested frames from within the same application.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.sectheory.com/clickjacking.htm Clickjacking]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
In all user manuals, tutorials, demonstration/sample code, and all other documentation, always use this feature. Document the risks associated with turning this feature off or providing an overly broad policy.<br />
<br />
<br />
=== Provide Arithmetic Utilities that Protect Against Integer and Floating Point Overflow and Underflow ===<br />
==== Requirement Description ====<br />
Many programming languages such as Java are vulnerable to Integer and floating point [http://www.javacoffeebreak.com/books/extracts/javanotesv3/c9/s1.html overflow] and underflow. Provide libraries that encapsulate basic arithmetic operations (e..g addition, subtraction, multiplication, division) and throw errors / exceptions upon overflow or underflow conditions. <br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Integer_overflow Numeric overflow]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Always use these encapsulation functions when performing normal arithmetic in all user manuals, tutorials, demonstration/sample code, and all other documentation.<br />
<br />
<br />
=== Provide Support for Pluggable Anti-Automation ===<br />
==== Requirement Description ====<br />
Provide a mechanism for application administrators to make use of third-party anti-automation techniques such as [http://recaptcha.net/captcha.html CAPTCHA] on certain pages. Which type of anti-automation mechanism and the implementation of that technique should be configurable. Provide an Application Programming Interface (API) to allow third party providers to plug-in anti automation into the framework. Using a pluggable architecture will promote loose coupling and allow developers to change anti-automation techniques with minor impact to the rest of the application. Developers should be able to change anti-automation techniques because attackers often find ways to [http://caca.zoy.org/wiki/PWNtcha break anti-automation].<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Brute_force_attack Brute force attacks]<br />
* [http://www.owasp.org/index.php/Testing_for_user_enumeration_%28OWASP-AT-002%29 User enumeration]<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Always use anti-automation for user registration and forgot password in all user manuals, tutorials, demonstration/sample code, and all other documentation. Document how to change the automation provider. Provide Application Programming Interface (API) details on how third parties can hook into the framework.<br />
<br />
<br />
=== Return Generic Error Pages by Default ===<br />
==== Requirement Description ====<br />
Generate error pages devoid of application details such as stack traces by default. In order to facilitate troubleshooting, add detailed error messages to an error log and optionally include a reference number to the log in the error page.<br />
<br />
==== Relevant Weaknesses ====<br />
This requirement mitigates the following weaknesses:<br />
<br />
* [http://www.owasp.org/index.php/Missing_Error_Handling Missing error handling]<br />
<br />
==== Implementation Suggestions ====<br />
Developers can implement [http://msdn.microsoft.com/en-us/library/aa479319.aspx generic error pages] in ASP.Net through configuration.<br />
<br />
==== Documentation Suggestion ====<br />
Always keep this feature turned on in all user manuals, tutorials, demonstration/sample code, and all other documentation. <br />
<br />
=== Centralized Security Configuration Options ===<br />
==== Requirement Description ====<br />
Many of the requirements in this document require configuration options (e.g. “3.2.1Provide Configurable Validation for All Forms of User-Supplied Input”). Consolidate as many security-relevant configuration options into a single security configuration file. Consolidated security configuration helps facilitate auditing.<br />
<br />
==== Relevant Weaknesses ====<br />
* N/.A<br />
<br />
==== Implementation Suggestions ====<br />
N/A<br />
<br />
==== Documentation Suggestion ====<br />
Describe all security configuration options in documentation.</div>
Spinkham
https://wiki.owasp.org/index.php?title=Phoenix/Tools&diff=52103
Phoenix/Tools
2009-01-26T16:00:10Z
<p>Spinkham: </p>
<hr />
<div>__NOTOC__<br />
<p>Please send comments or questions to the [https://lists.owasp.org/mailman/listinfo/owasp-phoenix Phoenix-OWASP mailing-list].</p><br />
<br />
==LiveCDs==<br />
Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso - http://www.packetfocus.com/hackos/<br /><br />
DVL (Damn Vulnerable Linux) - http://www.damnvulnerablelinux.org/<br /><br />
<br />
==Test sites / testing grounds==<br />
SPI Dynamics (live) - http://zero.webappsecurity.com/<br /><br />
Cenzic (live) - http://crackme.cenzic.com/<br /><br />
Watchfire (live) - http://demo.testfire.net/<br /><br />
Acunetix (live) - http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com<br /><br />
WebMaven / Buggy Bank - http://www.mavensecurity.com/webmaven<br /><br />
Foundstone SASS tools - http://www.foundstone.com/us/resources-free-tools.asp<br /><br />
Updated HackmeBank - http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html<br /><br />
OWASP WebGoat - http://www.owasp.org/index.php/OWASP_WebGoat_Project<br /><br />
OWASP SiteGenerator - http://www.owasp.org/index.php/Owasp_SiteGenerator<br /><br />
Stanford SecuriBench - http://suif.stanford.edu/~livshits/securibench/<br /><br />
SecuriBench Micro - http://suif.stanford.edu/~livshits/work/securibench-micro/<br /><br />
<br />
==HTTP proxying / editing==<br />
WebScarab - http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project<br /><br />
Burp - http://www.portswigger.net/<br /><br />
Paros - http://www.parosproxy.org/<br /><br />
Fiddler - http://www.fiddlertool.com/<br /><br />
Web Proxy Editor - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
Pantera - http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project<br /><br />
Suru - http://www.sensepost.com/research/suru/<br /><br />
httpedit (curses-based) - http://www.neutralbit.com/en/rd/httpedit/<br /><br />
Charles - http://www.xk72.com/charles/<br /><br />
Odysseus - http://www.bindshell.net/tools/odysseus<br /><br />
Burp, Paros, and WebScarab for Mac OS X - http://www.corsaire.com/downloads/<br /><br />
Web-application scanning tool from `Network Security Tools'/O'Reilly - http://examples.oreilly.com/networkst/<br /><br />
JS Commander - http://jscmd.rubyforge.org/<br /><br />
Ratproxy - http://code.google.com/p/ratproxy/<br /><br />
<br />
==RSnake's XSS cheat sheet based-tools, webapp fuzzing, and encoding tools==<br />
Wfuzz - http://www.edge-security.com/wfuzz.php<br /><br />
ProxMon - http://www.isecpartners.com/proxmon.html<br /><br />
Wapiti - http://wapiti.sourceforge.net/<br /><br />
Grabber - http://rgaucher.info/beta/grabber/<br /><br />
XSSScan - http://darkcode.ath.cx/scanners/XSSscan.py<br /><br />
CAL9000 - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project<br /><br />
HTMangLe - http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm<br /><br />
JBroFuzz - http://sourceforge.net/projects/jbrofuzz<br /><br />
XSSFuzz - http://ha.ckers.org/blog/20060921/xssfuzz-released/<br /><br />
WhiteAcid's XSS Assistant - http://www.whiteacid.org/greasemonkey/<br /><br />
Overlong UTF - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
[TGZ] MielieTool (SensePost Research) - http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz<br /><br />
RegFuzzer: test your regular expression filter - http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter<br /><br />
screamingCobra - http://www.dachb0den.com/projects/screamingcobra.html<br /><br />
SPIKE and SPIKE Proxy - http://immunitysec.com/resources-freesoftware.shtml<br /><br />
RFuzz - http://rfuzz.rubyforge.org/<br /><br />
WebFuzz - http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999<br /><br />
TestMaker - http://www.pushtotest.com/Docs/downloads/features.html<br /><br />
ASP Auditor - http://michaeldaw.org/projects/asp-auditor-v2/<br /><br />
WSTool - http://wstool.sourceforge.net/<br /><br />
Web Hack Control Center (WHCC) - http://ussysadmin.com/whcc/<br /><br />
Web Text Converter - http://www.microsoft.com/mspress/companion/0-7356-2187-X/<br /><br />
HackBar (Firefox Add-on) - https://addons.mozilla.org/firefox/3899/<br /><br />
Net-Force Tools (NF-Tools, Firefox Add-on) - http://www.net-force.nl/library/downloads/<br /><br />
PostIntercepter (Greasemonkey script) - http://userscripts.org/scripts/show/743<br /><br />
<br />
==HTTP general testing / fingerprinting==<br />
Wbox: HTTP testing tool - http://hping.org/wbox/<br /><br />
ht://Check - http://htcheck.sourceforge.net/<br /><br />
Mumsie - http://www.lurhq.com/tools/mumsie.html<br /><br />
WebInject - http://www.webinject.org/<br /><br />
Torture.pl Home Page - http://stein.cshl.org/~lstein/torture/<br /><br />
JoeDog's Seige - http://www.joedog.org/JoeDog/Siege/<br /><br />
OPEN-LABS: metoscan (http method testing) - http://www.open-labs.org/<br /><br />
Load-balancing detector - http://ge.mine.nu/lbd.html<br /><br />
HMAP - http://ujeni.murkyroc.com/hmap/<br /><br />
Net-Square: httprint - http://net-square.com/httprint/<br /><br />
Wpoison: http stress testing - http://wpoison.sourceforge.net/<br /><br />
Net-square: MSNPawn - http://net-square.com/msnpawn/index.shtml<br /><br />
hcraft: HTTP Vuln Request Crafter - http://druid.caughq.org/projects/hcraft/<br /><br />
rfp.labs: LibWhisker - http://www.wiretrip.net/rfp/lw.asp<br /><br />
Nikto - http://www.cirt.net/code/nikto.shtml<br /><br />
twill - http://twill.idyll.org/<br /><br />
DirBuster - http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project<br /><br />
[ZIP] DFF Scanner - http://security-net.biz/files/dff/DFF.zip<br /><br />
[ZIP] The Elza project - http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html<br /><br />
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled<br />
- http://sf.net/projects/hackfox<br />
<br />
==Browser-based HTTP tampering / editing / replaying==<br />
TamperIE - http://www.bayden.com/Other/<br /><br />
isr-form - http://www.infobyte.com.ar/developments.html<br /><br />
Modify Headers (Firefox Add-on) - http://modifyheaders.mozdev.org/<br /><br />
Tamper Data (Firefox Add-on) - http://tamperdata.mozdev.org/<br /><br />
UrlParams (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1290/<br /><br />
TestGen4Web (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1385/<br /><br />
DOM Inspector / Inspect This (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/<br /><br />
LiveHTTPHeaders / Header Monitor (Firefox Add-on) - http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/<br /><br />
<br />
==Cookie editing / poisoning==<br />
[TGZ] stompy: session id tool - http://lcamtuf.coredump.cx/stompy.tgz<br /><br />
Add'N Edit Cookies (AnEC, Firefox Add-on) - http://addneditcookies.mozdev.org/<br /><br />
CookieCuller (Firefox Add-on) - http://cookieculler.mozdev.org/<br /><br />
CookiePie (Firefox Add-on) - http://www.nektra.com/oss/firefox/extensions/cookiepie/<br /><br />
CookieSpy - http://www.codeproject.com/shell/cookiespy.asp<br /><br />
Cookies Explorer - http://www.dutchduck.com/Features/Cookies.aspx<br /><br />
<br />
==Ajax and XHR scanning==<br />
Sahi - http://sahi.co.in/<br /><br />
scRUBYt - http://scrubyt.org/<br /><br />
jQuery - http://jquery.com/<br /><br />
jquery-include - http://www.gnucitizen.org/projects/jquery-include<br /><br />
Sprajax - http://www.denimgroup.com/sprajax.html<br /><br />
Watir - http://wtr.rubyforge.org/<br /><br />
Watij - http://watij.com/<br /><br />
Watin - http://watin.sourceforge.net/<br /><br />
RBNarcissus - http://idontsmoke.co.uk/2005/rbnarcissus/<br /><br />
SpiderTest (Spider Fuzz plugin) - http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin<br /><br />
Javascript Inline Debugger (jasildbg) - http://jasildbg.googlepages.com/<br /><br />
Firebug Lite - http://www.getfirebug.com/lite.html<br /><br />
firewaitr - http://code.google.com/p/firewatir/<br /><br />
<br />
==RSS extensions and caching==<br />
LiveLines (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/324/<br /><br />
rss-cache - http://www.dubfire.net/chris/projects/rss-cache/<br /><br />
<br />
==SQL injection scanning==<br />
0x90.org: home of Absinthe, Mezcal, etc - http://0x90.org/releases.php<br /><br />
SQLiX - http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project<br /><br />
sqlninja: a SQL Server injection and takover tool - http://sqlninja.sourceforge.net/<br /><br />
JustinClarke's SQL Brute - http://www.justinclarke.com/archives/2006/03/sqlbrute.html<br /><br />
BobCat - http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html<br /><br />
sqlmap - http://sqlmap.sourceforge.net/<br /><br />
Scully: SQL Server DB Front-End and Brute-Forcer - http://www.sensepost.com/research/scully/<br /><br />
FG-Injector - http://www.flowgate.net/?lang=en&seccion=herramientas<br /><br />
PRIAMOS - http://www.priamos-project.com/<br /><br />
<br />
==Web application security malware, backdoors, and evil code==<br />
W3AF: Web Application Attack and Audit Framework - http://w3af.sourceforge.net/<br /><br />
Jikto - http://busin3ss.name/jikto-in-the-wild/<br /><br />
XSS Shell - http://ferruh.mavituna.com/article/?1338<br /><br />
XSS-Proxy - http://xss-proxy.sourceforge.net<br /><br />
AttackAPI - http://www.gnucitizen.org/projects/attackapi/<br /><br />
FFsniFF - http://azurit.elbiahosting.sk/ffsniff/<br /><br />
HoneyBlog's web-based junkyard - http://honeyblog.org/junkyard/web-based/<br /><br />
BeEF - http://www.bindshell.net/tools/beef/<br /><br />
Firefox Extension Scanner (FEX) - http://www.gnucitizen.org/projects/fex/<br /><br />
What is my IP address? - http://reglos.de/myaddress/<br /><br />
xRumer: blogspam automation tool - http://www.botmaster.net/movies/XFull.htm<br /><br />
SpyJax - http://www.merchantos.com/makebeta/tools/spyjax/<br /><br />
Greasecarnaval - http://www.gnucitizen.org/projects/greasecarnaval<br /><br />
Technika - http://www.gnucitizen.org/projects/technika/<br /><br />
Load-AttackAPI bookmarklet - http://www.gnucitizen.org/projects/load-attackapi-bookmarklet<br /><br />
MD's Projects: JS port scanner, pinger, backdoors, etc - http://michaeldaw.org/my-projects/<br /><br />
<br />
==Web application services that aid in web application security assessment==<br />
Netcraft - http://www.netcraft.net<br /><br />
AboutURL - http://www.abouturl.com/<br /><br />
The Scrutinizer - http://www.scrutinizethis.com/<br /><br />
net.toolkit - http://clez.net/<br /><br />
ServerSniff - http://www.serversniff.net/<br /><br />
Online Microsoft script decoder - http://www.greymagic.com/security/tools/decoder/<br /><br />
Webmaster-Toolkit - http://www.webmaster-toolkit.com/<br /><br />
myIPNeighbbors, et al - http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address<br /><br />
PHP charset encoding - http://h4k.in/encoding<br /><br />
data: URL testcases - http://h4k.in/dataurl<br /><br />
<br />
==Browser-based security fuzzing / checking==<br />
Zalewski's MangleMe - http://lcamtuf.coredump.cx/mangleme/mangle.cgi<br /><br />
hdm's tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan - http://metasploit.com/users/hdm/tools/<br /><br />
Peach Fuzzer Framework - http://peachfuzz.sourceforge.net/<br /><br />
TagBruteForcer - http://research.eeye.com/html/tools/RT20060801-3.html<br /><br />
PROTOS Test-Suite: c05-http-reply - http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html<br /><br />
COMRaider - http://labs.idefense.com<br /><br />
bcheck - http://bcheck.scanit.be/bcheck/<br /><br />
Stop-Phishing: Projects page - http://www.indiana.edu/~phishing/?projects<br /><br />
LinkScanner - http://linkscanner.explabs.com/linkscanner/default.asp<br /><br />
BrowserCheck - http://www.heise-security.co.uk/services/browsercheck/<br /><br />
Cross-browser Exploit Tests - http://www.jungsonnstudios.com/cool.php<br /><br />
Stealing information using DNS pinning demo - http://www.jumperz.net/index.php?i=2&a=1&b=7<br /><br />
Javascript Website Login Checker - http://ha.ckers.org/weird/javascript-website-login-checker.html<br /><br />
Mozilla Activex - http://www.iol.ie/~locka/mozilla/mozilla.htm<br /><br />
Jungsonn's Black Dragon Project - http://blackdragon.jungsonnstudios.com/<br /><br />
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) - http://ha.ckers.org/mr-t/<br /><br />
Vulnerable Adobe Plugin Detection For UXSS PoC - http://www.0x000000.com/?i=324<br /><br />
About Flash: is your flash up-to-date? - http://www.macromedia.com/software/flash/about/<br /><br />
Test your installation of Java software - http://java.com/en/download/installed.jsp?detect=jre&try=1<br /><br />
WebPageFingerprint - Light-weight Greasemonkey Fuzzer - http://userscripts.org/scripts/show/30285<br />
<br />
==PHP static analysis and file inclusion scanning==<br />
PHP-SAT.org: Static analysis for PHP - http://www.program-transformation.org/PHP/<br /><br />
Unl0ck Research Team: tool for searching in google for include bugs - http://unl0ck.net/tools.php<br /><br />
FIS: File Inclusion Scanner - http://www.segfault.gr/index.php?cat_id=3&cont_id=25<br/><br />
PHPSecAudit - http://developer.spikesource.com/projects/phpsecaudit<br /><br />
<br />
==PHP Defensive Tools==<br />
<br />
PHPInfoSec - Check phpinfo configuration for security - http://phpsec.org/projects/phpsecinfo/<br />
<br />
A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey<br />
<br />
<br />
Php-Brute-Force-Attack Detector - Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. <br />
http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip<br />
<br />
<br />
PHP-Login-Info-Checker - Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic<br />
<br />
http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip<br />
<br />
http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip<br />
<br />
<br />
php-DDOS-Shield - A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/<br />
<br />
<br />
PHPMySpamFIGHTER - http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip<br />
http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar<br />
<br />
==Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources==<br />
APIDS on Wikipedia - http://en.wikipedia.org/wiki/APIDS<br /><br />
PHP Intrusion Detection System (PHP-IDS) - http://php-ids.org/ http://code.google.com/p/phpids/<br /><br />
dotnetids - http://code.google.com/p/dotnetids/<br /><br />
Secure Science InterScout - http://www.securescience.com/home/newsandevents/news/interscout1.0.html<br /><br />
Remo: whitelist rule editor for mod_security - http://remo.netnea.com/<br /><br />
GotRoot: ModSecuirty rules - http://www.gotroot.com/tiki-index.php?page=mod_security+rules<br /><br />
The Web Security Gateway (WSGW) - http://wsgw.sourceforge.net/<br /><br />
mod_security rules generator - http://noeljackson.com/tools/modsecurity/<br /><br />
Mod_Anti_Tamper - http://www.wisec.it/projects.php?id=3<br /><br />
[TGZ] Automatic Rules Generation for Mod_Security - http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz<br /><br />
AQTRONIX WebKnight - http://www.aqtronix.com/?PageID=99<br /><br />
Akismet: blog spam defense - http://akismet.com/<br /><br />
Samoa: Formal tools for securing web services - http://research.microsoft.com/projects/samoa/<br /><br />
<br />
==Web services enumeration / scanning / fuzzing==<br />
WebServiceStudio2.0 - http://www.codeplex.com/WebserviceStudio<br /><br />
Net-square: wsChess - http://net-square.com/wschess/index.shtml<br /><br />
WSFuzzer - http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project<br /><br />
SIFT: web method search tool - http://www.sift.com.au/73/171/sift-web-method-search-tool.htm<br /><br />
iSecPartners: WSMap, WSBang, etc - http://www.isecpartners.com/tools.html<br /><br />
<br />
==Web application non-specific static source-code analysis==<br />
Pixy: a static analysis tool for detecting XSS vulnerabilities - http://www.seclab.tuwien.ac.at/projects/pixy/<br /><br />
Brixoft.Net: Source Edit - http://www.brixoft.net/prodinfo.asp?id=1<br /><br />
Security compass web application auditing tools (SWAAT) - http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project<br /><br />
An even more complete list here - http://www.cs.cmu.edu/~aldrich/courses/654/tools/<br /><br />
A nice list that claims some demos available - http://www.cs.cmu.edu/~aldrich/courses/413/tools.html<br /><br />
A smaller, but also good list - http://spinroot.com/static/<br /><br />
<br />
==Static analysis for C/C++ (CGI, ISAPI, etc) in web applications==<br />
RATS - http://www.securesoftware.com/resources/download_rats.html<br /><br />
ITS4 - http://www.cigital.com/its4/<br /><br />
FlawFinder - http://www.dwheeler.com/flawfinder/<br /><br />
Splint - http://www.splint.org/<br /><br />
Uno - http://spinroot.com/uno/<br /><br />
BOON (Buffer Overrun detectiON) - http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net<br /><br />
Valgrind - http://www.valgrind.org/<br /><br />
<br />
==Java static analysis, security frameworks, and web application security tools==<br />
LAPSE - http://suif.stanford.edu/~livshits/work/lapse/ <br/><br />
HDIV Struts - http://hdiv.org/<br /><br />
Orizon - http://sourceforge.net/projects/orizon/<br /><br />
FindBugs: Find bugs in Java programs - http://findbugs.sourceforge.net/<br /><br />
PMD - http://pmd.sourceforge.net/<br /><br />
CUTE: A Concolic Unit Testing Engine for C and Java - http://osl.cs.uiuc.edu/~ksen/cute/<br /><br />
EMMA - http://emma.sourceforge.net/<br /><br />
JLint - http://jlint.sourceforge.net/<br /><br />
Java PathFinder - http://javapathfinder.sourceforge.net/<br /><br />
Fujaba: Move between UML and Java source code - http://wwwcs.uni-paderborn.de/cs/fujaba/<br /><br />
Checkstyle - http://checkstyle.sourceforge.net/<br /><br />
Cookie Revolver Security Framework - http://sourceforge.net/projects/cookie-revolver<br /><br />
tinapoc - http://sourceforge.net/projects/tinapoc<br /><br />
jarsigner - http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html<br /><br />
Solex - http://solex.sourceforge.net/<br /><br />
Java Explorer - http://metal.hurlant.com/jexplore/<br /><br />
HTTPClient - http://www.innovation.ch/java/HTTPClient/<br /><br />
another HttpClient - http://jakarta.apache.org/commons/httpclient/<br /><br />
a list of code coverage and analysis tools for Java - http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html<br /><br />
<br />
==Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET==<br />
* Visual Studio 2008 Code Analysis, available in:<br />
** VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and <br />
** VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)<br />
* Visual Studio 2005 Code Analyzer, available in:<br />
** Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
** Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)<br />
* Web Development Helper - http://www.nikhilk.net/Project.WebDevHelper.aspx<br />
* FxCop:<br />
** (blog) http://blogs.msdn.com/fxcop/<br />
** (download) http://code.msdn.microsoft.com/codeanalysis<br />
* Microsoft internal tools you can't have yet:<br />
** http://www.microsoft.com/windows/cse/pa_projects.mspx <br />
** http://research.microsoft.com/Pex/ <br />
** http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf<br /><br />
<br />
==Threat modeling==<br />
Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) - http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en<br /><br />
Amenaza: Attack Tree Modeling (SecurITree) - http://www.amenaza.com/software.php<br /><br />
Octotrike - http://www.octotrike.org/<br /><br />
<br />
==Add-ons for Firefox that help with general web application security==<br />
Web Developer Toolbar - https://addons.mozilla.org/firefox/60/<br /><br />
Plain Old Webserver (POW) - https://addons.mozilla.org/firefox/3002/<br /><br />
XML Developer Toolbar - https://addons.mozilla.org/firefox/2897/<br /><br />
Public Fox - https://addons.mozilla.org/firefox/3911/<br /><br />
XForms Buddy - http://beaufour.dk/index.php?sec=misc&pagename=xforms<br /><br />
MR Tech Local Install - http://www.mrtech.com/extensions/local_install/<br /><br />
Nightly Tester Tools - http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html<br /><br />
IE Tab - https://addons.mozilla.org/firefox/1419/<br /><br />
User-Agent Switcher - https://addons.mozilla.org/firefox/59/<br /><br />
ServerSwitcher - https://addons.mozilla.org/firefox/2409/<br /><br />
HeaderMonitor - https://addons.mozilla.org/firefox/575/<br /><br />
RefControl - https://addons.mozilla.org/firefox/953/<br /><br />
refspoof - https://addons.mozilla.org/firefox/667/<br /><br />
No-Referrer - https://addons.mozilla.org/firefox/1999/<br /><br />
LocationBar^2 - https://addons.mozilla.org/firefox/4014/<br /><br />
SpiderZilla - http://spiderzilla.mozdev.org/<br /><br />
Slogger - https://addons.mozilla.org/en-US/firefox/addon/143<br /><br />
Fire Encrypter - https://addons.mozilla.org/firefox/3208/<br /><br />
<br />
==Add-ons for Firefox that help with Javascript and Ajax web application security==<br />
Selenium IDE - http://www.openqa.org/selenium-ide/<br /><br />
Firebug - http://www.joehewitt.com/software/firebug/<br /><br />
Venkman - http://www.mozilla.org/projects/venkman/<br /><br />
Chickenfoot - http://groups.csail.mit.edu/uid/chickenfoot/<br /><br />
Greasemonkey - http://www.greasespot.net/<br /><br />
Greasemonkey compiler - http://www.letitblog.com/greasemonkey-compiler/<br /><br />
User script compiler - http://arantius.com/misc/greasemonkey/script-compiler<br /><br />
Extension Developer's Extension (Firefox Add-on) - http://ted.mielczarek.org/code/mozilla/extensiondev/<br /><br />
Smart Middle Click (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/3885/<br /><br />
<br />
==Bookmarklets that aid in web application security==<br />
RSnake's security bookmarklets - http://ha.ckers.org/bookmarklets.html<br /><br />
BMlets - http://optools.awardspace.com/bmlet.html<br /><br />
Huge list of bookmarklets - http://www.squarefree.com/bookmarklets/<br /><br />
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide<br />
rich functionality - http://www.blummy.com/<br /><br />
Bookmarklets every blogger should have - http://www.micropersuasion.com/2005/10/bookmarklets_ev.html<br /><br />
Flat Bookmark Editing (Firefox Add-on) - http://n01se.net/chouser/proj/mozhack/<br /><br />
OpenBook and Update Bookmark (Firefox Add-ons) - http://www.chuonthis.com/extensions/<br /><br />
<br />
==SSL certificate checking / scanning==<br />
[ZIP] THCSSLCheck - http://thc.org/root/tools/THCSSLCheck.zip<br /><br />
[ZIP] Foundstone SSLDigger - http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip<br /><br />
Cert Viewer Plus (Firefox Add-on) - https://addons.mozilla.org/firefox/1964/<br /><br />
<br />
==Honeyclients, Web Application, and Web Proxy honeypots==<br />
Honeyclient Project: an open-source honeyclient - http://www.honeyclient.org/trac/ <br /><br />
HoneyC: the low-interaction honeyclient - http://honeyc.sourceforge.net/<br /><br />
Capture: a high-interaction honeyclient - http://capture-hpc.sourceforge.net/<br /><br />
Google Hack Honeypot - http://ghh.sourceforge.net/<br /><br />
PHP.Hop - PHP Honeynet Project - http://www.rstack.org/phphop/<br /><br />
SpyBye - http://www.monkey.org/~provos/spybye/<br /><br />
Honeytokens - http://www.securityfocus.com/infocus/1713<br /><br />
<br />
==Blackhat SEO and maybe some whitehat SEO==<br />
SearchStatus (Firefox Add-on) - http://www.quirk.biz/searchstatus/<br /><br />
SEO for Firefox (Firefox Add-on) - http://tools.seobook.com/firefox/seo-for-firefox.html<br /><br />
SEOQuake (Firefox Add-on) - http://www.seoquake.com/<br /><br />
<br />
==Footprinting for web application security==<br />
Evolution - http://www.paterva.com/evolution-e.html<br /><br />
GooSweep - http://www.mcgrewsecurity.com/projects/goosweep/<br /><br />
Aura: Google API Utility Tools - http://www.sensepost.com/research/aura/<br /><br />
Edge-Security tools - http://www.edge-security.com/soft.php<br /><br />
Fierce Domain Scanner - http://ha.ckers.org/fierce/<br /><br />
Googlegath - http://www.nothink.org/perl/googlegath/<br /><br />
Advanced Dork (Firefox Add-on) - https://addons.mozilla.org/firefox/2144/<br /><br />
Passive Cache (Firefox Add-on) - https://addons.mozilla.org/firefox/977/<br /><br />
CacheOut! (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1453/<br /><br />
BugMeNot Extension (Firefox Add-on) - http://roachfiend.com/archives/2005/02/07/bugmenot/<br /><br />
TrashMail.net Extension (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1813/<br /><br />
DiggiDig (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2819/<br /><br />
Digger (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1467/<br /><br />
<br />
==Database security assessment==<br />
Scuba by Imperva Database Vulnerability Scanner - http://www.imperva.com/scuba/<br /><br />
<br />
==Browser Defenses==<br />
DieHard - http://www.diehard-software.org/<br /><br />
LocalRodeo (Firefox Add-on) - http://databasement.net/labs/localrodeo/<br /><br />
NoMoXSS - http://www.seclab.tuwien.ac.at/projects/jstaint/<br /><br />
Request Rodeo - http://savannah.nongnu.org/projects/requestrodeo<br /><br />
FlashBlock (Firefox Add-on) - http://flashblock.mozdev.org/<br /><br />
CookieSafe (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2497<br /><br />
NoScript (Firefox Add-on) - http://www.noscript.net/<br /><br />
FormFox (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1579/<br /><br />
Adblock (Firefox Add-on) - http://adblock.mozdev.org/<br /><br />
httpOnly in Firefox (Firefox Add-on) - http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html<br /><br />
SafeCache (Firefox Add-on) - http://www.safecache.com/<br /><br />
SafeHistory (Firefox Add-on) - http://www.safehistory.com/<br /><br />
PrefBar (Firefox Add-on) - http://prefbar.mozdev.org/<br /><br />
All-in-One Sidebar (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/1027/<br /><br />
QArchive.org web file checker (Firefox Add-on) - https://addons.mozilla.org/firefox/4115/<br /><br />
Update Notified (Firefox Add-on) - https://addons.mozilla.org/en-US/firefox/addon/2098/<br /><br />
FireKeeper - http://firekeeper.mozdev.org/<br /><br />
Greasemonkey: XSS Malware Script Detector - http://yehg.net/lab/#tools.greasemonkey<br />
<br />
==Browser Privacy==<br />
TrackMeNot (Firefox Add-on) - https://addons.mozilla.org/firefox/3173/<br /><br />
Privacy Bird - http://www.privacybird.com/<br /><br />
<br />
==Application and protocol fuzzing (random instead of targeted)==<br />
Sulley - http://fuzzing.org/<br /><br />
taof: The Art of Fuzzing - http://sourceforge.net/projects/taof/<br /><br />
zzuf: multipurpose fuzzer - http://sam.zoy.org/zzuf/<br /><br />
autodafé: an act of software torture - http://autodafe.sourceforge.net/<br /><br />
EFS and GPF: Evolutionary Fuzzing System - http://www.appliedsec.com/resources.html<br /></div>
Spinkham