OWASP - User contributions [en]

OWASP Code Review V2 Table of Contents

2015-06-28T18:48:13Z

Yiannis: Added the section entitled 'Code Review for Backdoors'

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
'''[[CRV2_Forward|Content here]]'''

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
'''[[CRV2_Introduction|Content here]]'''

=== What is source code review and Static Analysis ===
=== What is Code Review ===
# Author - Zyad Mghazli, Eoin Keary
# New Section
''' [[CRV2_WhatIsCodeReview|Content here]]'''

=== Manual Review - Pros and Cons ===
# Author - Zyad Mghazli, Eoin Keary,Gary David Robinson
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Advantages of Code Review to Development Practices ===
# Author - Gary David Robinson
# New Section
# [[CRV2_AdvantagesToDevPractices|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Eoin Keary
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - eoin Keary
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Johanna Curiel
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Larry Conklin
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Open
# [[CRV2_CodeLayoutDesignArch|Put content here]]
====Understanding Business Logic====
#[[CRV2_BusinessLogic|Put content here]]

===SDLC Integration===
#Author - Larry Conklin
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author -
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author -Anthony.Scotka@tea.state.tx.us
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Open
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Gary David Robinson
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Struts
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary David Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Technical Control=
===Reviewing code for Authentication controls===
#Author - Gary Robinson
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi, Larry Conklin
# [[CRV2_ForgotPassword|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
'''[[CRV2_CAPTCHA|Content here]]'''

====Out of Band considerations====
#Author - Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Eoin Keary .NET MVC added
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====SSL/TLS Implementations====
#Author - Eoin Keary
# [[CRV2_SSL-TLS|Put content here]]

====Reviewing code for Session handling====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Eoin Keary
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Open
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Open
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Open
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

=====Microsoft Web Protection Library=====
#Author - Michael Hidalgo
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValMicrosoftWebProtectionLibrary|Put content here]]

====Reviewing code for contextual encoding====
[[Overall approach to content encoding and anti XSS]]
=====HTML Attribute=====
#Author - Eoin Keary
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Eoin Keary
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Eoin Keary
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Open
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Open
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Open
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Gary Robinson
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary David Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Gary Robinson
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Open source
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encryption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
'''[[CRV2_HashingandSaltingdotNet|Content here]]'''

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Examples added by Eoin Keary
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Eoin Keary
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Johanna Curiel
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Open
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Johanna Curiel
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Johanna Curiel
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Johanna Curiel
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Open
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
#Author Larry Conklin
#[[CRV2_AntiPattern| Content here]]
https://www.owasp.org/index.php/CRV2_AntiPattern
====PHP====
#Author -
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author -
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Open
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# This page needs to be deleted. [[CRV2_CSRFIssues|Put content here]]

===(This task has been deleted) Transactional logic / Non idempotent functions / State Changing Functions===
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Open
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gary Robinson
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

===Tech-Stack pitfalls===
#Author Open
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Struts====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStruts|Put content here]]

====Drupal====
#Author Open
# [[CRV2_FrameworkSpecIssuesDrupal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Open
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Eoin Keary
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Larry Conklin
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Open
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Open
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Open
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Open
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

====CodeIgniter====

# Author Open
# [[CRV2_FrameworkSpecIssuesCodeIgniter|Put content here]]

=Security code review for Agile development=
#Author Carlos Pantelides
# [[CRV2_CodeReviewAgile|Put content here]]

=Code Review for Backdoors=
#Author Yiannis Pavlosoglou
The review of a piece of source code for backdoors has one excruciating difference to a traditional source code review: The fact that someone with 'commit' or 'write' access to the source code repository has malicious intentions spanning well beyond their current developer remit. Because of this difference, a code review for backdoors is often seen as a very specialised review and can sometimes be considered not a code review per say.

A traditional code review has the objective of determining if a vulnerability is present within the code, further to this if the vulnerability is exploitable and under what conditions. A code review for backdoors has the objective to determine if a certain portion of the codebase is carrying code that is unnecessary for the logic and implementation of the use cases it serves.

Further to this, the reviewer, looks for the trigger points of that logic. Typical examples include a branch statement going off to a part of assembly or obfuscated code. The reviewer is looking for patterns of abnormality in terms of code segments that would not be expected to be present under normal conditions.

An excellent introduction into how to look for rootkits in the Java programming language can be found [https://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf here]. In this paper J. Williams covers a variety of backdoor examples including file system access through a web server, as well as time based attacks involving a key aspect of malicious functionality been made available after a certain amount of time. Such examples form the foundation of what any reviewer for back doors should try to automate, regardless of the language in which the review is taking place.

=Code Review Tools=
https://www.owasp.org/index.php/CRV2_CodeReviewTools

User:Yiannis

2014-12-28T17:04:55Z

Yiannis: Some 2014 risk engineering references

There is a world of numbers, hiding behind letters, inside computers, this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large scale projects actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a [http://wrap.warwick.ac.uk/1193/ PhD in information security], designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.

'''Information Assurance: Risk Management & Risk Control'''

*2014 - ISC2 EMEA Congress [http://emeacongress.isc2.org/events/-isc-security-congress-emea-2014/custom-36-fab6fa4c21114b97b700ecf2b6b9bf01.aspx Risk Engineering]
*2014 - ISC2 Security Congress Atlanta [https://congress.isc2.org/session/session-3248-building-agile-risk-assessment-program-keeping-pace-hackers Building an Agile Risk Assessment Program - Keeping Up with the Pace of Hackers]

'''Application Security'''

*2011 - Web-Spa [http://code.google.com/p/web-spa/ Single Request Authorisation Web Knocking]
*2011 - Port Knocking Web Implementations [http://www.portknocking.org/view/implementations Ideas for more ports]
*2011 - Swiss Cyber Storm [https://www.swisscyberstorm.com/speakers/pavlosoglou.html Protecting Web Applications through Port Knocking]
*2009 - WebGoat Off-By-One Lesson [http://webgoat.googlecode.com/svn-history/r436/trunk/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java WebGoat Off-By-One Lesson Remains to be Published]

'''OWASP Life in Bullets:'''

*2010 - Bletchley Park ISSA UK [http://www.issa-uk.org/newsletters/ISSANewsletterApril2010.pdf Hacking for Queen and Country]
*2010 - OWASP GitHub [http://www.owasp.org/index.php/Category:OWASP_GitHub http://www.owasp.org/index.php/Category:OWASP_GitHub]
*2010 - OWASP London [http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010 http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010]
**Penetration Testing with Selenium
*2009 - OWASP Global Industry Committee [http://www.owasp.org/index.php/Global_Industry_Committee http://www.owasp.org/index.php/Global_Industry_Committee]
*2008 - OWASP NYC Conference [http://video.google.com/videoplay?docid=-1551704659206071145# http://video.google.com/videoplay?docid=-1551704659206071145#]
**JBroFuzz - Building a Java Fuzzer
*2008 - Deepsec Vienna [http://2008.deepsec.net/ http://2008.deepsec.net/]
**Hybrid Code Auditing: A Dataflow Source Code Review Methodology
*2007 - OWASP New York/New Jersey [http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt]
**Financial Real-Time Threats: Impacting Trading Floor Operations
*2006 - JBroFuzz Project Leader [http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz]
** JBroFuzz Mailing List

'''Project Involvement'''

*DirBuster - [http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project]
*JBroFuzz - [http://www.owasp.org/index.php/JBroFuzz http://www.owasp.org/index.php/JBroFuzz]

'''Contact'''

Yiannis Pavlosoglou yiannis@owasp.org

JBroFuzz

2014-11-09T09:45:56Z

Yiannis: /* Source Code */

{|
|-
! width="700" align="center" | 
! width="500" align="center" | 
|-
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]
| align="right" |

|}
==== Main ====

This project is currently inactive. If you would like more information on the OWASP JBroFuzz Project, please [http://owasp4.owasp.org/contactus.html Contact Us].

[[Image:JBroFuzz-ScreenShot.png|thumb|300px|right|JBroFuzz Screen Shot]][[Image:JBroFuzz-SplashScreen.jpg|thumb|300px|right|JBroFuzz Splash Screen]][[Image:Jbrofuzz-fuzz-header.png|thumb|300px|right|Default Fuzzing Header]][[Image:Jbrofuzz-results.png|thumb|300px|right|Results Screenshot]]
'''JBroFuzz''' is a web application fuzzer for requests being made over [http://en.wikipedia.org/wiki/HTTP HTTP] or [http://en.wikipedia.org/wiki/Https HTTPS]. Its purpose is to provide a single, portable application that offers stable web protocol fuzzing capabilities.

'''Current version is 2.4'''. Get it from the [http://sourceforge.net/projects/jbrofuzz/ SourceForge Download Section].

[[Image:JBroFuzzDownload.png |
link=http://sourceforge.net/project/platformdownload.php?group_id=180679]]

'''Release Notes (2.4):'''

* Commandline support - main class analyzing and executing the commandline options
* Added --no-execute option to command line support
* Added "Connection: close" preference option to be added to the headers automatically
* Massive UI revamp for Fuzzing Tab: Contains 3 Sub-Tabs: Input, Output, On the wire
* Introduction of Fuzzing Transforms for those double-URL, triple-Base64 encodings
* Added HTTP proxy support & authentication for checking updates
* EncoderHashWindow improvements in keeping history within different row selections
* Fixed ZBase32 Encoding/Decoding to work as Phil wants it to
* Prefix/Suffix in Fuzzer Transforms: http://www.owasp.org/index.php/OWASP_JBroFuzz_Tutorial#Added_Fuzzer_Transformations
* Added a plain-text encoder, similar to Zero-Fuzzer for theoretical completeness
* Fixed a bunch of supposed "security holes" reported by static analyzers
* Small Oracle payloads update

==Vulnerability Identification==

JBroFuzz generates requests, puts them on the wire and records the corresponding responses received back. It does not attempt to identify if a particular site is vulnerable or not; this requires further human analysis.

However, certain payloads included in fuzzers that can be used to generate requests (e.g. XSS) are crafted to attempt to successfully exploit flaws. Such flaws represent previously known vulnerabilities for web applications. JBroFuzz groups fuzzers with their corresponding payloads into a number of categories, depending on previously known vulnerabilities.

Thus, the human analyst would have to select the fuzzers to use in order to test against a particular set of vulnerabilities and review the results in order to recognize if exploitation succeeded or not.

==JBroFuzz Documentation==

===Online Documentation===

[[OWASP JBroFuzz Tutorial|JBroFuzz Tutorial]]

[[OWASP JBroFuzz FAQ|Frequently Asked Questions (FAQs)]]

[[OWASP JBroFuzz Install Guide|JBroFuzz Install Guide]]

[[OWASP JBroFuzz Payloads and Fuzzers|JBroFuzz Payloads and Fuzzers]]

===Built-in Documentation===

Frequently Asked Questions: <code>Help -> FAQ</code>

Help Topics: <code>Help -> Topics</code>

==Application Overview==

The components of JBroFuzz are presented into tabs, with more options (encodings, hash calculator, headers from popular browsers) available under the <code>Tools</code> option. The basic components are:

'''Fuzzing''' The fuzzing tab is the main tab of JBroFuzz, responsible for all fuzzing operations performed over the network. Depending on the fuzzer payloads selected, it creates the malformed data for each request, puts it on the wire and writes the response to a file.

'''Graphing''' The graphing tab is responsible for graphing (in a variety of forms) the responses received while fuzzing. This tab can offer a clear indication of a response that is different then the rest received, an indication of further examination being required.

'''Payloads''' The payloads tab is a collection of fuzzers with their corresponding payloads that can be used while fuzzing. Payloads are added to the request in the fuzzing tab; a more clear view of what payloads are available, how they are grouped and what properties each fuzzer has can be seen in this tab.

'''Headers''' The headers window is a collection of browser headers that can be used while fuzzing. Headers are obtained from different browsers on different platforms and operating systems. This tab is provided, as many web applications respond differently to different browser impersonation attacks.

'''System''' The system tab represents the logging console of JBroFuzz at runtime. Here you can access java runtime information, see any errors that might occur and also track operation in terms of events being logged.

==Roadmap==

Building a web application fuzzer that sits at the rim of breaking known protocol specifications, can be a very time consuming exercise. Thus, JBroFuzz has a roadmap, based on how much time it would take to achieve each task.

You can find the [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz_Project_-_Roadmap project roadmap here].

==Source Code==

JBroFuzz is written in Java and requires a [http://www.java.com 1.6 JRE/JDK] (or higher) installed, to run. It is constituted of more or less 70 classes, using, in total, 10 external libraries. It builds under [http://ant.apache.org/ Apache Ant].

'''[http://sourceforge.net/svn/?group_id=180679 SVN (Subversion)]''' is a tool used by many software developers to manage changes within their source code tree. This project's SourceForge.net Subversion repository can be checked out through SVN with the following instruction set:

<code>
svn co https://svn.code.sf.net/p/jbrofuzz/code/ jbrofuzz
</code>

If the above sounds a bit greek, you can also browse through the complete source code at:

<code>
[http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/ http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/]
</code>

==Feedback and Participation==

We hope you find the OWASP JBroFuzz Project useful. Please contribute to the project by volunteering for one of the tasks on the roadmap, sending your comments, questions, and suggestions to <code>subere@uncon.org</code>.

To join the OWASP JBroFuzz Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz subscription page.]

[[OWASP JBroFuzz Hashes|Release SHA1SUM]]







==== Project About ====
{{:Projects/OWASP JBroFuzz Project | Project About}}

__NOTOC__
<headertabs/>

[[Category:OWASP Project|JBroFuzz]]
[[Category:OWASP Tool]]
[[Category:OWASP Download]]
[[Category:OWASP Release Quality Tool]]

OWASP WebSpa Project

2014-10-02T22:05:14Z

Yiannis: /* Roadmap */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; What does the ASCII-Art for WebSpa look like?
__
/\ \
__ __ __ __\ \ \____ ____ _____ __
/\ \/\ \/\ \ /'__`\ \ '__`\ _______ /',__\/\ '__`\ /'__`\
\ \ \_/ \_/ \/\ __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_
\ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\
\/__//__/ \/____/ \/___/ \/___/ \ \ \/ \/__/\/_/
\ \_\
\/_/

The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&f=Larry%203D&t=web-spa here].

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* [[User:Oliver_M.|Oliver Merki]] - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
- FIXED: Modified the checking of 2 arrays being equal to be constant in time (Ticket #27)
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if they want to connect web servers with untrusted certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-10-02T22:00:29Z

Yiannis: /* Roadmap */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; What does the ASCII-Art for WebSpa look like?
__
/\ \
__ __ __ __\ \ \____ ____ _____ __
/\ \/\ \/\ \ /'__`\ \ '__`\ _______ /',__\/\ '__`\ /'__`\
\ \ \_/ \_/ \/\ __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_
\ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\
\/__//__/ \/____/ \/___/ \/___/ \ \ \/ \/__/\/_/
\ \_\
\/_/

The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&f=Larry%203D&t=web-spa here].

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* [[User:Oliver_M.|Oliver Merki]] - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if they want to connect web servers with untrusted certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-10-02T11:48:37Z

Yiannis: /* FAQs */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; What does the ASCII-Art for WebSpa look like?
__
/\ \
__ __ __ __\ \ \____ ____ _____ __
/\ \/\ \/\ \ /'__`\ \ '__`\ _______ /',__\/\ '__`\ /'__`\
\ \ \_/ \_/ \/\ __/\ \ \L\ \/\______\/\__, `\ \ \L\ \/\ \L\.\_
\ \___x___/'\ \____\\ \_,__/\/______/\/\____/\ \ ,__/\ \__/.\_\
\/__//__/ \/____/ \/___/ \/___/ \ \ \/ \/__/\/_/
\ \_\
\/_/

The font is Larry 3D generated [http://patorjk.com/software/taag/#p=display&f=Larry%203D&t=web-spa here].

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* [[User:Oliver_M.|Oliver Merki]] - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-09-30T12:08:05Z

Yiannis: /* People */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* [[User:Oliver_M.|Oliver Merki]] - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-09-30T12:07:26Z

Yiannis: /* People */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* [[User:Oliver_M|Oliver Merki]] - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-09-30T12:02:08Z

Yiannis: /* People */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* [[User:Yiannis|Yiannis Pavlosoglou]] - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-09-28T09:36:36Z

Yiannis: /* FAQs */ Added 2 questions in the FAQ section of WebSpa

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [19 Aug 2014] Our project was featured in the OWASP Connector newsletter. [http://hosted-p0.vresp.com/1479611/4d8d3315c2/ARCHIVE (link)]
* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from Google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Who are the actors required in order to use the WebSpa tool?

There are two actors, the WebSpa administrator and the WebSpa user. Ultimately, they could be the same person. The administrator agrees with each user what each of their allowed O/S commands are, while the user, well, executes these commands on the server by using the client.

; How does the crypto of WebSpa work?
: From the perspective of cryptographic engineering, WebSpa uses a hash [http://en.wikipedia.org/wiki/Commitment_scheme commitment scheme], where the commit phase during which a value is chosen is done using an out of band channel. WebSpa focuses on receiving a value specified through a single request from the client and processing it on the server.

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-09-08T21:15:23Z

Yiannis: Replaced web-spa with WebSpa in a few places to show consistency of terminology

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

If port knocking is defined as "a form of host-to-host communication in which information flows across closed ports" then we define web knocking as "a form of host-to-host communication in which information flows across erroneous URLs". Finally, in an attempt to mirror the operation of Single Packet Authorisation (SPA), the entirety of a user's action is submitted through a single GET request.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named WebSpa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; WebSpa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using WebSpa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with WebSpa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for WebSpa
=================================================

The following programs must be installed in order
for WebSpa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2015) ==

WebSpa_v0.9 will be major release and include a comprehensive redesign of the WebKnock format in order to improve overall security and robustness of the request. The tickets for this release are:

44 New WebKnock request format should be defined
42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx

== Release 0.85 (Q1/2015) ==
WebSpa_v0.85 will offer improved usability features, which will simplify installing, configuring and running WebSpa. The tickets for this release are:

40 Log to /var/log instead of a log.txt file
15 Add easy way to run the server as a background daemon

== Release 0.8 (Q4/2014) ==

WebSpa_v0.8 will be sort of a proof-of-concept of WebSpa. A stable version to demonstrate the concept of WebKnocking, however, with some limitations with regards to usability/configuration and modularity (e.g. changing the hashing algorithm). The tickets for this release are:

43 Change SSL configuration to allow wget
41 WebSpa administrator to WebSpa user output
38 umask 077 should be added to webspa.sh
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-05-08T00:39:49Z

Yiannis: /* Quick Download */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

[http://sourceforge.net/projects/webspa/files/webspa-07.zip/download WebSpa v0.7]

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for web-spa
=================================================

The following programs must be installed in order
for web-spa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2014) ==

WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question.

== Release 0.8 (Q2/2014) ==

WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a WebSpa administrator to generate a single output of all actions available for a user of WebSpa. The 12 tickets for this release are:

42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
41 WebSpa administrator to WebSpa user output
40 Log to /var/log instead of a log.txt file
38 umask 077 should be added to webspa.sh
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
15 Add easy way to run the server as a background daemon
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-05-08T00:34:24Z

Yiannis: Updated the format for the roadmap for release 0.8

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* http://sourceforge.net/projects/webspa/files/latest/download?source=files

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for web-spa
=================================================

The following programs must be installed in order
for web-spa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2014) ==

WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question.

== Release 0.8 (Q2/2014) ==

WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a WebSpa administrator to generate a single output of all actions available for a user of WebSpa. The 12 tickets for this release are:

42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
41 WebSpa administrator to WebSpa user output
40 Log to /var/log instead of a log.txt file
38 umask 077 should be added to webspa.sh
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
15 Add easy way to run the server as a background daemon
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-05-08T00:32:41Z

Yiannis: Updated the roadmap for release 0.8

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* http://sourceforge.net/projects/webspa/files/latest/download?source=files

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for web-spa
=================================================

The following programs must be installed in order
for web-spa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q3/2014) ==

WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question.

== Release 0.8 (Q2/2014) ==

WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a WebSpa administrator to generate a single output of all actions available for a user of WebSpa. The 12 tickets for this release are:

42 Do not limit the web knock to 100 characters, instead use SHA-512 lengths
41 WebSpa administrator to WebSpa user output
40 Log to /var/log instead of a log.txt file
38 umask 077 should be added to webspa.sh
35 A threat model for WebSpa should be created and reviewed
33 Apache should be replaced by nginx
32 A known_hosts file should be used to maintain the list of successfully verified keys
31 Verification of server's public key fingerprint should be possible
30 Help Files Update (0.8)
27 Arrays.equals is not a constant time function
15 Add easy way to run the server as a background daemon
2 Create maven build task for release

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-05-07T18:46:41Z

Yiannis: Reported the video update in the "News" tab

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* http://sourceforge.net/projects/webspa/files/latest/download?source=files

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for web-spa
=================================================

The following programs must be installed in order
for web-spa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [07 May 2014] Added four video links in the respective "Video" tab, referencing YouTube
* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q2-Q3/2014) ==

WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question.

== Release 0.8 (Q2/2014) ==

WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a WebSpa administrator to generate a single output of all actions available for a Web Knocking user.

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

OWASP WebSpa Project

2014-05-07T18:42:57Z

Yiannis: Added four video links in the respective "Video" tab, referencing YouTube

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

http://sourceforge.net/projects/webspa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* http://sourceforge.net/projects/webspa/files/latest/download?source=files

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|S386azVcj-c|300|right|Linux Poweroff on Apache via Web Knocking with Web-Spa (_v0.7) }}
|
{{#ev:youtube|eHlYnWyf35E|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.5) }}
|-
|
{{#ev:youtube|_VU26ZGG7D8|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4 )}}
|
{{#ev:youtube|pKF_NxHnoyA|300|right|Enabling SSH via Web Knocking with Web-Spa (_v0.4) }}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for web-spa
=================================================

The following programs must be installed in order
for web-spa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [24 Apr 2014] Version 0.7 has been release and can now be found in the download section. Also, we welcome Paweł and Joël to the team.
* [20 Mar 2014] [http://www.eventbrite.co.uk/e/owasp-london-chapter-meeting-march-2014-tickets-10063386861 WebSpa has been presented during OWASP London Chapter Meeting]
* [16 Mar 2014] WebSpa has a new contributor – Paweł Goleń. Paweł welcome in the team!
* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can now be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Can one deploy WebSpa over HTTP?
: Yes, WebSpa can be deployed over HTTP, however for security reasons it is highly recommended to utilize HTTPS.

; How to report a WebSpa bug?
:To report a WebSpa bug please feel free to create a ticket on the [http://sourceforge.net/p/webspa/tickets/?source=navbar sourceforge.net]. A sourceforge account is necessary. If you don’t own a sourceforge account you may send an e-mail to one of the contributors.

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou - Inception & Development
* Patryk Arciszewski - Theoretician & Documentation
* Paweł Goleń - Breaking & Infrastructure
* Joël Rouiller - Development & Optimisation
* Oliver Merki - Leader & Operations

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q2-Q3/2014) ==

WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question.

== Release 0.8 (Q2/2014) ==

WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a WebSpa administrator to generate a single output of all actions available for a Web Knocking user.

== [http://sourceforge.net/projects/webspa/files/webspa-07.zip/download Release 0.7 (24/Apr/2014)] ==

This is the current release of WebSpa.

WebSpa _v0.7 offers enhanced user administration functionality. The WebSpa client now offers the possibility for a user to connect to a web server with an untrusted/self-signed certificate.

- NEW: The WebSpa client asks the user if he wants to connect web servers with unknown/untrusted/self-signed certificates. (Ticket #28)
- NEW: Introduced ‘passwd’ command, which allows the WebSpa administrator to modify a user’s password.
- NEW: Introduced ‘pass-phrase show’ command, which allows the WebSpa administrator to print a user’s pass-phrase to the screen.
- FIXED: Array is no longer sorted, which reduced the entropy of the web-knock. (Ticket #24)
- FIXED: Reworked and added test cases.
- FIXED: Removed dependency on Spring security. (Ticket #18)

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Testing Guide Introduction

2014-04-01T22:34:51Z

Yiannis: Testing Guide V4: Review_v1

{{Template:OWASP Testing Guide v4}}

=== The OWASP Testing Project ===
----
The OWASP Testing Project has been in development for many years. With this project, we want to help people understand the ''what'', ''why'', ''when'', ''where'', and ''how'' of testing their web applications. For this reason, we have avoided merely providing a simple checklist or prescription of issues that should be addressed. The outcome of this project is a complete Testing Framework, from which others can build their own testing programs or qualify other people’s processes. The Testing Guide describes in details both the general Testing Framework and the techniques required to implement the framework in practice.

Writing the Testing Guide has proven to be a difficult task. It has been a challenge to obtain consensus and develop the content that allows people to apply the concepts described here, while enabling them to work in their own environment and culture. It has also been a challenge to change the focus of web application testing from penetration testing to testing integrated in the software development life cycle.

However, we are very satisfied with the results we have reached. Many industry experts and those responsible for software security at some of the largest companies in the world are validating the Testing Framework. This framework helps organizations test their web applications in order to build reliable and secure software, rather than simply highlighting areas of weakness, although the latter is certainly a byproduct of many of OWASP’s guides and checklists. As such, we have made some hard decisions about the appropriateness of certain testing techniques and technologies, which we fully understand will not be agreed upon by everyone. However, OWASP is able to take the high ground and change culture over time through awareness and education based on consensus and experience.

The rest of this guide is organized as follows. This introduction covers the pre-requisites of testing web applications: the scope of testing, the principles of successful testing, and testing techniques. Chapter 3 presents the OWASP Testing Framework and explains its techniques and tasks in relation to the various phases of the software development life cycle. Chapter 4 covers how to test for specific vulnerabilities (e.g., SQL Injection) by code inspection and penetration testing.

'''Measuring (in)security: the Economics of Insecure Software''' 
A basic tenet of software engineering is that you can't control what you can't measure [1]. Security testing is no different. Unfortunately, measuring security is a notoriously difficult process. We will not cover this topic in detail here, since it would take a guide on its own (for an introduction, see [2]).

One aspect that we want to emphasize, however, is that security measurements are, by necessity, about both the specific, technical issues (e.g., how prevalent a certain vulnerability is) and how these affect the economics of software. We find that most technical people understand at least the basic issues, or have a deeper understanding, of the vulnerabilities. Sadly, few are able to translate that technical knowledge into monetary terms, and, thereby, quantify the potential cost of vulnerabilities to the application owner's business. We believe that until this happens, CIOs will not be able to develop an accurate return on security investment and, subsequently, assign appropriate budgets for software security. 
While estimating the cost of insecure software may appear a daunting task, recently there has been a significant amount of work in this direction. For example, in June 2002, the US National Institute of Standards (NIST) published a survey on the cost of insecure software to the US economy due to inadequate software testing [3]. Interestingly, they estimate that a better testing infrastructure would save more than a third of these costs, or about $22 billion a year. More recently, the links between economics and security have been studied by academic researchers. See [4] for more information about some of these efforts.

The framework described in this document encourages people to measure security throughout their entire development process. They can then relate the cost of insecure software to the impact it has on their business, and consequently develop appropriate business decisions (resources) to manage the risk. Remember: measuring and testing web applications is even more critical than for other software, since web applications are exposed to millions of users through the Internet.

'''What is Testing''' 
What do we mean by testing? During the development life cycle of a web application, many things need to be tested. The Merriam-Webster Dictionary describes testing as:
* To put to test or proof.
* To undergo a test.
* To be assigned a standing or evaluation based on tests.
For the purposes of this document, testing is a process of comparing the state of a system/application against a set of criteria. In the security industry, people frequently test against a set of mental criteria that are neither well defined nor complete. For this reason and others, many outsiders regard security testing as a black art. This document’s aim is to change that perception and to make it easier for people without in-depth security knowledge to make a difference.

'''Why Testing''' 
This document is designed to help organizations understand what comprises a testing program, and to help them identify the steps that they need to undertake to build and operate that testing program on their web applications. It is intended to give a broad view of the elements required to make a comprehensive web application security program. This guide can be used as a reference and as a methodology to help determine the gap between your existing practices and industry best practices. This guide allows organizations to compare themselves against industry peers, understand the magnitude of resources required to test and maintain their software, or prepare for an audit. This chapter does not go into the technical details of how to test an application, as the intent is to provide a typical security organizational framework. The technical details about how to test an application, as part of a penetration test or code review will be covered in the remaining parts of this document.

'''When to Test''' 
Most people today don’t test the software until it has already been created and is in the deployment phase of its life cycle (i.e., code has been created and instantiated into a working web application). This is generally a very ineffective and cost-prohibitive practice. One of the best methods to prevent security bugs from appearing in production applications is to improve the Software Development Life Cycle (SDLC) by including security in each of its phases. An SDLC is a structure imposed on the development of software artifacts. If an SDLC is not currently being used in your environment, it is time to pick one! The following figure shows a generic SDLC model as well as the (estimated) increasing cost of fixing security bugs in such a model.

<center>[[Image:SDLC.jpg]] 
''Figure 1: Generic SDLC Model'' </center>

Companies should inspect their overall SDLC to ensure that security is an integral part of the development process. SDLCs should include security tests to ensure security is adequately covered and controls are effective throughout the development process.

'''What to Test''' 
It can be helpful to think of software development as a combination of people, process, and technology. If these are the factors that "create" software, then it is logical that these are the factors that must be tested. Today most people generally test the technology or the software itself.

An effective testing program should have components that test ''People'' – to ensure that there is adequate education and awareness; ''Process'' – to ensure that there are adequate policies and standards and that people know how to follow these policies; ''Technology'' – to ensure that the process has been effective in its implementation. Unless a holistic approach is adopted, testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present. By testing the people, policies, and processes, an organization can catch issues that would later manifest themselves into defects in the technology, thus eradicating bugs early and identifying the root causes of defects. Likewise, testing only some of the technical issues that can be present in a system will result in an incomplete and inaccurate security posture assessment. Denis Verdon, Head of Information Security at [http://www.fnf.com Fidelity National Financial] presented an excellent analogy for this misconception at the OWASP AppSec 2004 Conference in New York [5]: "If cars were built like applications [...] safety tests would assume frontal impact only. Cars would not be roll tested, or tested for stability in emergency maneuvers, brake effectiveness, side impact, and resistance to theft." 

'''Feedback and Comments''' 
As with all OWASP projects, we welcome comments and feedback. We especially like to know that our work is being used and that it is effective and accurate.

==Principles of Testing==

There are some common misconceptions when developing a testing methodology to weed out security bugs in software. This chapter covers some of the basic principles that should be taken into account by professionals when testing for security bugs in software.

'''There is No Silver Bullet''' 
While it is tempting to think that a security scanner or application firewall will either provide a multitude of defenses or identify a multitude of problems, in reality there are no silver bullets to the problem of insecure software. Application security assessment software, while useful as a first pass to find low-hanging fruit, is generally immature and ineffective at in-depth assessments and at providing adequate test coverage. Remember that security is a process, not a product.

'''Think Strategically, Not Tactically''' 
Over the last few years, security professionals have come to realize the fallacy of the patch-and-penetrate model that was pervasive in information security during the 1990’s. The patch-and-penetrate model involves fixing a reported bug, but without proper investigation of the root cause. This model is usually associated with the window of vulnerability shown in the figure below. The evolution of vulnerabilities in common software used worldwide has shown the ineffectiveness of this model. Fore more information about the window of vulnerability please refer to [6]. Vulnerability studies [7] have shown that with the reaction time of attackers worldwide, the typical window of vulnerability does not provide enough time for patch installation, since the time between a vulnerability being uncovered and an automated attack against it being developed and released is decreasing every year. There are also several wrong assumptions in the patch-and-penetrate model: patches interfere with the normal operations and might break existing applications, and not all the users might (in the end) be aware of a patch’s availability. Consequently not all the product's users will apply patches, either because of this issue or because they lack knowledge about the patch's existence. 

<center>[[Image:WindowExposure.jpg]] 
''Figure 2: Window of Vulnerability''</center> 
To prevent reoccurring security problems within an application, it is essential to build security into the Software Development Life Cycle (SDLC) by developing standards, policies, and guidelines that fit and work within the development methodology. Threat modeling and other techniques should be used to help assign appropriate resources to those parts of a system that are most at risk.
 
'''The SDLC is King''' 
The SDLC is a process that is well-known to developers. By integrating security into each phase of the SDLC, it allows for a holistic approach to application security that leverages the procedures already in place within the organization. Be aware that while the names of the various phases may change depending on the SDLC model used by an organization, each conceptual phase of the archetype SDLC will be used to develop the application (i.e., define, design, develop, deploy, maintain). Each phase has security considerations that should become part of the existing process, to ensure a cost-effective and comprehensive security program.
 
'''Test Early and Test Often''' 
When a bug is detected early within the SDLC, it can be addressed more quickly and at a lower cost. A security bug is no different from a functional or performance-based bug in this regard. A key step in making this possible is to educate the development and QA organizations about common security issues and the ways to detect and prevent them. Although new libraries, tools, or languages might help design better programs (with fewer security bugs), new threats arise constantly and developers must be aware of those that affect the software they are developing. Education in security testing also helps developers acquire the appropriate mindset to test an application from an attacker's perspective. This allows each organization to consider security issues as part of their existing responsibilities.
 
'''Understand the Scope of Security''' 
It is important to know how much security a given project will require. The information and assets that are to be protected should be given a classification that states how they are to be handled (e.g., Confidential, Secret, Top Secret). Discussions should occur with legal council to ensure that any specific security need will be met. In the USA they might come from federal regulations, such as the Gramm-Leach-Bliley Act [8], or from state laws, such as the California SB-1386 [9]. For organizations based in EU countries, both country-specific regulation and EU Directives might apply. For example, Directive 96/46/EC4 [10] makes it mandatory to treat personal data in applications with due care, whatever the application.
 
'''Develop the Right Mindset''' 
Successfully testing an application for security vulnerabilities requires thinking "outside of the box." Normal use cases will test the normal behavior of the application when a user is using it in the manner that you expect. Good security testing requires going beyond what is expected and thinking like an attacker who is trying to break the application. Creative thinking can help to determine what unexpected data may cause an application to fail in an insecure manner. It can also help find what assumptions made by web developers are not always true and how they can be subverted. This is one of the reasons why automated tools are actually bad at automatically testing for vulnerabilities: this creative thinking must be done on a case-by-case basis and most web applications are being developed in a unique way (even if using common frameworks).
 
'''Understand the Subject''' 
One of the first major initiatives in any good security program should be to require accurate documentation of the application. The architecture, data-flow diagrams, use cases, and more should be written in formal documents and made available for review. The technical specification and application documents should include information that lists not only the desired use cases, but also any specifically disallowed use case. Finally, it is good to have at least a basic security infrastructure that allows the monitoring and trending of attacks against an organization's applications and network (e.g., IDS systems).
 
'''Use the Right Tools''' 
While we have already stated that there is no silver bullet tool, tools do play a critical role in the overall security program. There is a range of open source and commercial tools that can automate many routine security tasks. These tools can simplify and speed up the security process by assisting security personnel in their tasks. It is important to understand exactly what these tools can and cannot do, however, so that they are not oversold or used incorrectly.
 
'''The Devil is in the Details''' 
It is critical not to perform a superficial security review of an application and consider it complete. This will instill a false sense of confidence that can be as dangerous as not having done a security review in the first place. It is vital to carefully review the findings and weed out any false positive that may remain in the report. Reporting an incorrect security finding can often undermine the valid message of the rest of a security report. Care should be taken to verify that every possible section of application logic has been tested, and that every use case scenario was explored for possible vulnerabilities.
 
'''Use Source Code When Available''' 
While black box penetration test results can be impressive and useful to demonstrate how vulnerabilities are exposed in production, they are not the most effective way to secure an application. If the source code for the application is available, it should be given to the security staff to assist them while performing their review. It is possible to discover vulnerabilities within the application source that would be missed during a black box engagement.
 
'''Develop Metrics''' 
An important part of a good security program is the ability to determine if things are getting better. It is important to track the results of testing engagements, and develop metrics that will reveal the application security trends within the organization. These metrics can show if more education and training are required, if there is a particular security mechanism that is not clearly understood by development, and if the total number of security related problems being found each month is going down. Consistent metrics that can be generated in an automated way from available source code will also help the organization in assessing the effectiveness of mechanisms introduced to reduce security bugs in software development. Metrics are not easily developed, so using standard metrics like those provided by the OWASP Metrics project and other organizations might be a good head start. 
'''Document the Test Results''' 
To conclude the testing process, it is important to produce a formal record of what testing actions were taken, by whom, when they were performed, and details of the test findings. It is wise to agree on an acceptable format for the report which is useful to all concerned parties, which may include developers, project management, business owners, IT department, audit, and compliance. The report must be clear to the business owner in identifying where material risks exist and sufficient to get their backing for subsequent mitigation actions. The report must be clear to the developer in pin-pointing the exact function that is affected by the vulnerability, with associated recommendations for resolution in a language that the developer will understand (no pun intended). Last but not least, the report writing should not be overly burdensome on the security tester themselves; security testers are not generally renowned for their creative writing skills, therefore agreeing on a complex report can lead to instances where test results do not get properly documented.

==Testing Techniques Explained==

This section presents a high-level overview of various testing techniques that can be employed when building a testing program. It does not present specific methodologies for these techniques, although Chapter 3 will address this information. This section is included to provide context for the framework presented in the next chapter and to highlight the advantages and disadvantages of some of the techniques that should be considered. In particular, we will cover:
* Manual Inspections & Reviews
* Threat Modeling
* Code Review
* Penetration Testing

=== Manual Inspections & Reviews ===
'''Overview''' 
Manual inspections are human-driven reviews that typically test the security implications of the people, policies, and processes, but can include inspection of technology decisions such as architectural designs. They are usually conducted by analyzing documentation or performing interviews with the designers or system owners. While the concept of manual inspections and human reviews is simple, they can be among the most powerful and effective techniques available. By asking someone how something works and why it was implemented in a specific way, it allows the tester to quickly determine if any security concerns are likely to be evident. Manual inspections and reviews are one of the few ways to test the software development life-cycle process itself and to ensure that there is an adequate policy or skill set in place. As with many things in life, when conducting manual inspections and reviews we suggest you adopt a trust-but-verify model. Not everything everyone tells you or shows you will be accurate. Manual reviews are particularly good for testing whether people understand the security process, have been made aware of policy, and have the appropriate skills to design or implement a secure application. Other activities, including manually reviewing the documentation, secure coding policies, security requirements, and architectural designs, should all be accomplished using manual inspections.

'''Advantages:'''
* Requires no supporting technology
* Can be applied to a variety of situations
* Flexible
* Promotes teamwork
* Early in the SDLC

'''Disadvantages:'''
* Can be time consuming
* Supporting material not always available
* Requires significant human thought and skill to be effective!

=== Threat Modeling ===
'''Overview''' 
Threat modeling has become a popular technique to help system designers think about the security threats that their systems/applications might face. Therefore, threat modeling can be seen as risk assessment for applications. In fact, it enables the designer to develop mitigation strategies for potential vulnerabilities and helps them focus their inevitably limited resources and attention on the parts of the system that most require it. It is recommended that all applications have a threat model developed and documented. Threat models should be created as early as possible in the SDLC, and should be revisited as the application evolves and development progresses. To develop a threat model, we recommend taking a simple approach that follows the NIST 800-30 [11] standard for risk assessment. This approach involves:
* Decomposing the application – understand, through a process of manual inspection, how the application works, its assets, functionality, and connectivity.
* Defining and classifying the assets – classify the assets into tangible and intangible assets and rank them according to business importance.
* Exploring potential vulnerabilities - whether technical, operational, or management.
* Exploring potential threats – develop a realistic view of potential attack vectors from an attacker’s perspective, by using threat scenarios or attack trees.
* Creating mitigation strategies – develop mitigating controls for each of the threats deemed to be realistic. The output from a threat model itself can vary but is typically a collection of lists and diagrams. The OWASP Code Review Guide outlines an Application Threat Modeling methodology that can be used as a reference for the testing applications for potential security flaws in the design of the application. There is no right or wrong way to develop threat models and perform information risk assessments on applications. [12]. 

'''Advantages:'''
* Practical attacker's view of the system
* Flexible
* Early in the SDLC

'''Disadvantages: '''
* Relatively new technique
* Good threat models don’t automatically mean good software

=== Source Code Review ===
'''Overview''' 
Source code review is the process of manually checking a web application's source code for security issues. Many serious security vulnerabilities cannot be detected with any other form of analysis or testing. As the popular saying goes “if you want to know what’s really going on, go straight to the source." Almost all security experts agree that there is no substitute for actually looking at the code. All the information for identifying security problems is there in the code somewhere. Unlike testing third party closed software such as operating systems, when testing web applications (especially if they have been developed in-house) the source code should be made available for testing purposes. Many unintentional but significant security problems are also extremely difficult to discover with other forms of analysis or testing, such as penetration testing, making source code analysis the technique of choice for technical testing. With the source code, a tester can accurately determine what is happening (or is supposed to be happening) and remove the guess work of black box testing. Examples of issues that are particularly conducive to being found through source code reviews include concurrency problems, flawed business logic, access control problems, and cryptographic weaknesses as well as backdoors, Trojans, Easter eggs, time bombs, logic bombs, and other forms of malicious code. These issues often manifest themselves as the most harmful vulnerabilities in web sites. Source code analysis can also be extremely efficient to find implementation issues such as places where input validation was not performed or when fail open control procedures may be present. But keep in mind that operational procedures need to be reviewed as well, since the source code being deployed might not be the same as the one being analyzed herein [13]. 

'''Advantages:'''
* Completeness and effectiveness
* Accuracy
* Fast (for competent reviewers)

'''Disadvantages:'''
* Requires highly skilled security developers
* Can miss issues in compiled libraries
* Cannot detect run-time errors easily
* The source code actually deployed might differ from the one being analyzed

'''For more on code review, checkout the [[OWASP Code Review Project|OWASP code review project]]'''. 

=== Penetration Testing ===
'''Overview''' 
Penetration testing has been a common technique used to test network security for many years. It is also commonly known as black box testing or ethical hacking. Penetration testing is essentially the “art” of testing a running application remotely, without knowing the inner workings of the application itself, to find security vulnerabilities. Typically, the penetration test team would have access to an application as if they were users. The tester acts like an attacker and attempts to find and exploit vulnerabilities. In many cases the tester will be given a valid account on the system. While penetration testing has proven to be effective in network security, the technique does not naturally translate to applications. When penetration testing is performed on networks and operating systems, the majority of the work is involved in finding and then exploiting known vulnerabilities in specific technologies. As web applications are almost exclusively bespoke, penetration testing in the web application arena is more akin to pure research. Penetration testing tools have been developed that automate the process, but, again, with the nature of web applications their effectiveness is usually poor. Many people today use web application penetration testing as their primary security testing technique. Whilst it certainly has its place in a testing program, we do not believe it should be considered as the primary or only testing technique. Gary McGraw in [14] summed up penetration testing well when he said, “If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don’t have a very bad problem”. However, focused penetration testing (i.e., testing that attempts to exploit known vulnerabilities detected in previous reviews) can be useful in detecting if some specific vulnerabilities are actually fixed in the source code deployed on the web site. 

'''Advantages:'''
* Can be fast (and therefore cheap)
* Requires a relatively lower skill-set than source code review
* Tests the code that is actually being exposed

'''Disadvantages:'''
* Too late in the SDLC
* Front impact testing only!

=== The Need for a Balanced Approach ===
With so many techniques and so many approaches to testing the security of web applications, it can be difficult to understand which techniques to use and when to use them.
Experience shows that there is no right or wrong answer to exactly what techniques should be used to build a testing framework. The fact remains that all techniques should probably be used to ensure that all areas that need to be tested are tested. What is clear, however, is that there is no single technique that effectively covers all security testing that must be performed to ensure that all issues have been addressed. Many companies adopt one approach, which has historically been penetration testing. Penetration testing, while useful, cannot effectively address many of the issues that need to be tested, and is simply “too little too late” in the software development life cycle (SDLC).
The correct approach is a balanced one that includes several techniques, from manual reviews to technical testing. The balanced approach is sure to cover testing in all phases of the SDLC. This approach leverages the most appropriate techniques available depending on the current SDLC phase.
Of course there are times and circumstances where only one technique is possible; for example, a test on a web application that has already been created, and where the testing party does not have access to the source code. In this case, penetration testing is clearly better than no testing at all. However, we encourage the testing parties to challenge assumptions, such as no access to source code, and to explore the possibility of more complete testing.
A balanced approach varies depending on many factors, such as the maturity of the testing process and corporate culture. However, it is recommended that a balanced testing framework look something like the representations shown in Figure 3 and Figure 4. The following figure shows a typical proportional representation overlaid onto the software development life cycle. In keeping with research and experience, it is essential that companies place a higher emphasis on the early stages of development.
<center>
[[Image:ProportionSDLC.png]]
 ''Figure 3: Proportion of Test Effort in SDLC''
</center>
The following figure shows a typical proportional representation overlaid onto testing techniques. 
<center>
[[Image:ProportionTest.png]]
 ''Figure 4: Proportion of Test Effort According to Test Technique''
</center>

'''A Note about Web Application Scanners''' 
Many organizations have started to use automated web application scanners. While they undoubtedly have a place in a testing program, we want to highlight some fundamental issues about why we do not believe that automating black box testing is (or will ever be) effective. By highlighting these issues, we are not discouraging web application scanner use. Rather, we are saying that their limitations should be understood, and testing frameworks should be planned appropriately.
NB: OWASP is currently working to develop a web application scanner-benchmarking platform. The following examples indicate why automated black box testing is not effective.
 
'''Example 1: Magic Parameters''' 
Imagine a simple web application that accepts a name-value pair of “magic” and then the value. For simplicity, the GET request may be: ''<nowiki>http://www.host/application?magic=value</nowiki>'' To further simplify the example, the values in this case can only be ASCII characters a – z (upper or lowercase) and integers 0 – 9. The designers of this application created an administrative backdoor during testing, but obfuscated it to prevent the casual observer from discovering it. By submitting the value sf8g7sfjdsurtsdieerwqredsgnfg8d (30 characters), the user will then be logged in and presented with an administrative screen with total control of the application. The HTTP request is now: ''<nowiki>http://www.host/application?magic= sf8g7sfjdsurtsdieerwqredsgnfg8d </nowiki>'' 
Given that all of the other parameters were simple two- and three-characters fields, it is not possible to start guessing combinations at approximately 28 characters. A web application scanner will need to brute force (or guess) the entire key space of 30 characters. That is up to 30^28 permutations, or trillions of HTTP requests! That is an electron in a digital haystack!
The code for this exemplar Magic Parameter check may look like the following: 
public void doPost( HttpServletRequest request, HttpServletResponse response)
{
String magic = “sf8g7sfjdsurtsdieerwqredsgnfg8d”;
boolean admin = magic.equals( request.getParameter(“magic”));
if (admin) doAdmin( request, response);
else …. // normal processing
}
By looking in the code, the vulnerability practically leaps off the page as a potential problem.
 
'''Example 2: Bad Cryptography''' 
Cryptography is widely used in web applications. Imagine that a developer decided to write a simple cryptography algorithm to sign a user in from site A to site B automatically. In his/her wisdom, the developer decides that if a user is logged into site A, then he/she will generate a key using an MD5 hash function that comprises: ''Hash { username : date }'' 
When a user is passed to site B, he/she will send the key on the query string to site B in an HTTP re-direct. Site B independently computes the hash, and compares it to the hash passed on the request. If they match, site B signs the user in as the user they claim to be. Clearly, as we explain the scheme, the inadequacies can be worked out, and it can be seen how anyone that figures it out (or is told how it works, or downloads the information from Bugtraq) can login as any user. Manual inspection, such as a review, would have uncovered this security issue quickly, as would inspection of the code. A black-box web application scanner would have seen a 128-bit hash that changed with each user, and by the nature of hash functions, did not change in any predictable way.
 
'''A Note about Static Source Code Review Tools''' 
Many organizations have started to use static source code scanners. While they undoubtedly have a place in a comprehensive testing program, we want to highlight some fundamental issues about why we do not believe this approach is effective when used alone. Static source code analysis alone cannot identify issues due to flaws in the design since it cannot understand the context in which the code is constructed. Source code analysis tools are useful in determining security issues due to coding errors, however significant manual effort is required to validate the findings.
 

=== Security Requirements Test Derivation ===
If you want to have a successful testing program, you need to know what your testing objectives are. These objectives are specified by security requirements. This section discusses in detail how to document requirements for security testing by deriving them from applicable standards and regulations and positive and negative application requirements. It also discusses how security requirements effectively drive security testing during the SDLC and how security test data can be used to effectively manage software security risks.

'''Testing Objectives''' 
One of the objectives of security testing is to validate that security controls operate as expected. This is documented via ''security requirements'' that describe the functionality of the security control. At a high level, this means proving confidentiality, integrity, and availability of the data as well as the service. The other objective is to validate that security controls are implemented with few or no vulnerabilities. These are common vulnerabilities, such as the [[OWASP Top Ten]], as well as vulnerabilities that have been previously identified with security assessments during the SDLC, such as threat modelling, source code analysis, and penetration test.

'''Security Requirements Documentation''' 
The first step in the documentation of security requirements is to understand the ''business requirements''. A business requirement document could provide the initial, high-level information of the expected functionality for the application. For example, the main purpose of an application may be to provide financial services to customers or shopping and purchasing goods from an on-line catalogue. A security section of the business requirements should highlight the need to protect the customer data as well as to comply with applicable security documentation such as regulations, standards, and policies.

A general checklist of the applicable regulations, standards, and policies serves well the purpose of a preliminary security compliance analysis for web applications. For example, compliance regulations can be identified by checking information about the business sector and the country/state where the application needs to function/operate. Some of these compliance guidelines and regulations might translate in specific technical requirements for security controls. For example, in the case of financial applications, the compliance with FFIEC guidelines for authentication [15] requires that financial institutions implement applications that mitigate weak authentication risks with multi-layered security control and multi factor authentication.

Applicable industry standards for security need also to be captured by the general security requirement checklist. For example, in the case of applications that handle customer credit card data, the compliance with the PCI DSS [16] standard forbids the storage of PINs and CVV2 data and requires that the merchant protect magnetic strip data in storage and transmission with encryption and on display by masking. Such PCI DSS security requirements could be validated via source code analysis.

Another section of the checklist needs to enforce general requirements for compliance with the organization information security standards and policies. From the functional requirements perspective, requirements for the security control need to map to a specific section of the information security standards. An example of such requirement can be: "a password complexity of six alphanumeric characters must be enforced by the authentication controls used by the application." When security requirements map to compliance rules a security test can validate the exposure of compliance risks. If violation with information security standards and policies are found, these will result in a risk that can be documented and that the business has to deal with (i.e., manage). For this reason, since these security compliance requirements are enforceable, they need to be well documented and validated with security tests.

'''Security Requirements Validation''' 
From the functionality perspective, the validation of security requirements is the main objective of security testing, while, from the risk management perspective, this is the objective of information security assessments. At a high level, the main goal of information security assessments is the identification of gaps in security controls, such as lack of basic authentication, authorization, or encryption controls. More in depth, the security assessment objective is risk analysis, such as the identification of potential weaknesses in security controls that ensure the confidentiality, integrity, and availability of the data. For example, when the application deals with personal identifiable information (PII) and sensitive data, the security requirement to be validated is the compliance with the company information security policy requiring encryption of such data in transit and in storage. Assuming encryption is used to protect the data, encryption algorithms and key lengths need to comply with the organization encryption standards. These might require that only certain algorithms and key lengths could be used. For example, a security requirement that can be security tested is verifying that only allowed ciphers are used (e.g., SHA-1, RSA, 3DES) with allowed minimum key lengths (e.g., more than 128 bit for symmetric and more than 1024 for asymmetric encryption).

From the security assessment perspective, security requirements can be validated at different phases of the SDLC by using different artifacts and testing methodologies. For example, threat modeling focuses on identifying security flaws during design, secure code analysis and reviews focus on identifying security issues in source code during development, and penetration testing focuses on identifying vulnerabilities in the application during testing/validation.

Security issues that are identified early in the SDLC can be documented in a test plan so they can be validated later with security tests. By combining the results of different testing techniques, it is possible to derive better security test cases and increase the level of assurance of the security requirements. For example, distinguishing true vulnerabilities from the un-exploitable ones is possible when the results of penetration tests and source code analysis are combined. Considering the security test for a SQL injection vulnerability, for example, a black box test might involve first a scan of the application to fingerprint the vulnerability. The first evidence of a potential SQL injection vulnerability that can be validated is the generation of a SQL exception. A further validation of the SQL vulnerability might involve manually injecting attack vectors to modify the grammar of the SQL query for an information disclosure exploit. This might involve a lot of trial-and-error analysis till the malicious query is executed. Assuming the tester has the source code, she might learn from the source code analysis on how to construct the SQL attack vector that can exploit the vulnerability (e.g., execute a malicious query returning confidential data to unauthorized user).

'''Threats and Countermeasures Taxonomies''' 
A ''threat and countermeasure classification'' that takes into consideration root causes of vulnerabilities is the critical factor to verify that security controls are designed, coded, and built so that the impact due to the exposure of such vulnerabilities is mitigated. In the case of web applications, the exposure of security controls to common vulnerabilities, such as the OWASP Top Ten, can be a good starting point to derive general security requirements. More specifically, the web application security frame [17] provides a classification (e.g. taxonomy) of vulnerabilities that can be documented in different guidelines and standards and validated with security tests.

The focus of a threat and countermeasure categorization is to define security requirements in terms of the threats and the root cause of the vulnerability. A threat can be categorized by using STRIDE [18], for example, as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. The root cause can be categorized as security flaw in design, a security bug in coding, or an issue due to insecure configuration. For example, the root cause of weak authentication vulnerability might be the lack of mutual authentication when data crosses a trust boundary between the client and server tiers of the application. A security requirement that captures the threat of non-repudiation during an architecture design review allows for the documentation of the requirement for the countermeasure (e.g., mutual authentication) that can be validated later on with security tests.

A threat and countermeasure categorization for vulnerabilities can also be used to document security requirements for secure coding such as secure coding standards. An example of a common coding error in authentication controls consists of applying an hash function to encrypt a password, without applying a seed to the value. From the secure coding perspective, this is a vulnerability that affects the encryption used for authentication with a vulnerability root cause in a coding error. Since the root cause is insecure coding the security requirement can be documented in secure coding standards and validated through secure code reviews during the development phase of the SDLC.

'''Security Testing and Risk Analysis''' 
Security requirements need to take into consideration the severity of the vulnerabilities to support a ''risk mitigation strategy''. Assuming that the organization maintains a repository of vulnerabilities found in applications, i.e., a vulnerability knowledge base, the security issues can be reported by type, issue, mitigation, root cause, and mapped to the applications where they are found. Such a vulnerability knowledge base can also be used to establish a metrics to analyze the effectiveness of the security tests throughout the SDLC.

For example, consider an input validation issue, such as a SQL injection, which was identified via source code analysis and reported with a coding error root cause and input validation vulnerability type. The exposure of such vulnerability can be assessed via a penetration test, by probing input fields with several SQL injection attack vectors. This test might validate that special characters are filtered before hitting the database and mitigate the vulnerability. By combining the results of source code analysis and penetration testing it is possible to determine the likelihood and exposure of the vulnerability and calculate the risk rating of the vulnerability. By reporting vulnerability risk ratings in the findings (e.g., test report) it is possible to decide on the mitigation strategy. For example, high and medium risk vulnerabilities can be prioritized for remediation, while low risk can be fixed in further releases.

By considering the threat scenarios exploiting common vulnerabilities it is possible to identify potential risks for which the application security control needs to be security tested. For example, the OWASP Top Ten vulnerabilities can be mapped to attacks such as phishing, privacy violations, identify theft, system compromise, data alteration or data destruction, financial loss, and reputation loss. Such issues should be documented as part of the threat scenarios. By thinking in terms of threats and vulnerabilities, it is possible to devise a battery of tests that simulate such attack scenarios. Ideally, the organization vulnerability knowledge base can be used to derive security risk driven tests cases to validate the most likely attack scenarios. For example if identity theft is considered high risk, negative test scenarios should validate the mitigation of impacts deriving from the exploit of vulnerabilities in authentication, cryptographic controls, input validation, and authorization controls.

=== Functional and Non Functional Test Requirements ===
'''Functional Security Requirements''' 
From the perspective of functional security requirements, the applicable standards, policies and regulations drive both the need of a type of security control as well as the control functionality. These requirements are also referred to as “positive requirements”, since they state the expected functionality that can be validated through security tests.
Examples of positive requirements are: “the application will lockout the user after six failed logon attempts” or “passwords need to be six min characters, alphanumeric”. The validation of positive requirements consists of asserting the expected functionality and, as such, can be tested by re-creating the testing conditions, and by running the test according to predefined inputs and by asserting the expected outcome as a fail/pass condition.

In order to validate security requirements with security tests, security requirements need to be function driven and highlight the expected functionality (the what) and implicitly the implementation (the how). Examples of high-level security design requirements for authentication can be:
*Protect user credentials and shared secrets in transit and in storage
*Mask any confidential data in display (e.g., passwords, accounts)
*Lock the user account after a certain number of failed login attempts
*Do not show specific validation errors to the user as a result of failed logon
*Only allow passwords that are alphanumeric, include special characters and six characters minimum length, to limit the attack surface
*Allow for password change functionality only to authenticated users by validating the old password, the new password, and the user answer to the challenge question, to prevent brute forcing of a password via password change.
*The password reset form should validate the user’s username and the user’s registered email before sending the temporary password to the user via email. The temporary password issued should be a one time password. A link to the password reset web page will be sent to the user. The password reset web page should validate the user temporary password, the new password, as well as the user answer to the challenge question.

'''Risk Driven Security Requirements''' 
Security tests need also to be risk driven, that is they need to validate the application for unexpected behavior. These are also called “negative requirements”, since they specify what the application should not do.
Examples of "should not do" (negative) requirements are:
* The application should not allow for the data to be altered or destroyed
* The application should not be compromised or misused for unauthorized financial transactions by a malicious user.

Negative requirements are more difficult to test, because there is no expected behavior to look for. This might require a threat analyst to come up with unforeseeable input conditions, causes, and effects. This is where security testing needs to be driven by risk analysis and threat modeling.
The key is to document the threat scenarios and the functionality of the countermeasure as a factor to mitigate a threat. For example, in the case of authentication controls, the following security requirements can be documented from the threats and countermeasure perspective:
*Encrypt authentication data in storage and transit to mitigate risk of information disclosure and authentication protocol attacks
*Encrypt passwords using non reversible encryption such as using a digest (e.g., HASH) and a seed to prevent dictionary attacks
*Lock out accounts after reaching a logon failure threshold and enforce password complexity to mitigate risk of brute force password attacks
*Display generic error messages upon validation of credentials to mitigate risk of account harvesting/enumeration
*Mutually authenticate client and server to prevent non-repudiation and Man In the Middle (MiTM) attacks

Threat modeling artifacts such as threat trees and attack libraries can be useful to derive the negative test scenarios. A threat tree will assume a root attack (e.g., attacker might be able to read other users' messages) and identify different exploits of security controls (e.g., data validation fails because of a SQL injection vulnerability) and necessary countermeasures (e.g., implement data validation and parametrized queries) that could be validated to be effective in mitigating such attacks.

===Security Requirements Derivation Through Use and Misuse Cases===
Pre-requisite in describing the application functionality is to understand what the application is supposed to do and how. This can be done by describing ''use cases''. Use cases, in the graphical form as commonly used in software engineering, show the interactions of actors and their relations, and help to identify the actors in the application, their relationships, the intended sequence of actions for each scenario, alternative actions, special requirements, and pre- and post-conditions. Similar to use cases, ''misuse and abuse cases'' [19] describe unintended and malicious use scenarios of the application. These misuse cases provide a way to describe scenarios of how an attacker could misuse and abuse the application. By going through the individual steps in a use scenario and thinking about how it can be maliciously exploited, potential flaws or aspects of the application that are not well-defined can be discovered. The key is to describe all possible or, at least, the most critical use and misuse scenarios. Misuse scenarios allow the analysis of the application from the attacker's point of view and contribute to identifying potential vulnerabilities and the countermeasures that need to be implemented to mitigate the impact caused by the potential exposure to such vulnerabilities. Given all of the use and abuse cases, it is important to analyze them to determine which of them are the most critical ones and need to be documented in security requirements. The identification of the most critical misuse and abuse cases drives the documentation of security requirements and the necessary controls where security risks should be mitigated.

To derive security requirements from use and misuse case [20] , it is important to define the functional scenarios and the negative scenarios, and put these in graphical form. In the case of derivation of security requirements for authentication, for example, the following step-by-step methodology can be followed.

*Step 1: Describe the Functional Scenario: User authenticates by supplying username and password. The application grants access to users based upon authentication of user credentials by the application and provides specific errors to the user when validation fails.

*Step 2: Describe the Negative Scenario: Attacker breaks the authentication through a brute force/dictionary attack of passwords and account harvesting vulnerabilities in the application. The validation errors provide specific information to an attacker to guess which accounts are actually valid, registered accounts (usernames). The attacker, then, will try to brute force the password for such a valid account. A brute force attack to four minimum length all digit passwords can succeed with a limited number of attempts (i.e., 10^4).

*Step 3: Describe Functional and Negative Scenarios With Use and Misuse Case: The graphical example in Figure below depicts the derivation of security requirements via use and misuse cases. The functional scenario consists of the user actions (entering username and password) and the application actions (authenticating the user and providing an error message if validation fails). The misuse case consists of the attacker actions, i.e., trying to break authentication by brute forcing the password via a dictionary attack and by guessing the valid usernames from error messages. By graphically representing the threats to the user actions (misuses), it is possible to derive the countermeasures as the application actions that mitigate such threats.
[[Image:UseAndMisuseCase.jpg|640px]]

*Step 4: Elicit The Security Requirements. In this case, the following security requirements for authentication are derived:
:1) Passwords need to be alphanumeric, lower and upper case and minimum of seven character length
:2) Accounts need to lockout after five unsuccessful login attempt
:3) Logon error messages need to be generic
These security requirements need to be documented and tested.

===Security Tests Integrated in Developers' and Testers' Workflows===
'''Developers' Security Testing Workflow''' 
Security testing during the development phase of the SDLC represents the first opportunity for developers to ensure that individual software components that they have developed are security tested before they are integrated with other components and built into the application. Software components might consist of software artifacts such as functions, methods, and classes, as well as application programming interfaces, libraries, and executables. For security testing, developers can rely on the results of the source code analysis to verify statically that the developed source code does not include potential vulnerabilities and is compliant with the secure coding standards. Security unit tests can further verify dynamically (i.e., at run time) that the components function as expected. Before integrating both new and existing code changes in the application build, the results of the static and dynamic analysis should be reviewed and validated.
The validation of source code before integration in application builds is usually the responsibility of the senior developer. Such senior developer is also the subject matter expert in software security and his role is to lead the secure code review and make decisions whether to accept the code to be released in the application build or to require further changes and testing. This secure code review workflow can be enforced via formal acceptance as well as a check in a workflow management tool. For example, assuming the typical defect management workflow used for functional bugs, security bugs that have been fixed by a developer can be reported on a defect or change management system. The build master can look at the test results reported by the developers in the tool and grant approvals for checking in the code changes into the application build.

'''Testers' Security Testing Workflow''' 
After components and code changes are tested by developers and checked in to the application build, the most likely next step in the software development process workflow is to perform tests on the application as a whole entity. This level of testing is usually referred to as integrated test and system level test. When security tests are part of these testing activities, they can be used to validate both the security functionality of the application as a whole, as well as the exposure to application level vulnerabilities. These security tests on the application include both white box testing, such as source code analysis, and black box testing, such as penetration testing. Gray box testing is similar to Black box testing. In a gray box testing we can assume we have some partial knowledge about the session management of our application, and that should help us in understanding whether the logout and timeout functions are properly secured.

The target for the security tests is the complete system that is the artifact that will be potentially attacked and includes both whole source code and the executable. One peculiarity of security testing during this phase is that it is possible for security testers to determine whether vulnerabilities can be exploited and expose the application to real risks.
These include common web application vulnerabilities, as well as security issues that have been identified earlier in the SDLC with other activities such as threat modeling, source code analysis, and secure code reviews.

Usually, testing engineers, rather then software developers, perform security tests when the application is in scope for integration system tests. Such testing engineers have security knowledge of web application vulnerabilities, black box and white box security testing techniques, and own the validation of security requirements in this phase. In order to perform such security tests, it is a pre-requisite that security test cases are documented in the security testing guidelines and procedures.

A testing engineer who validates the security of the application in the integrated system environment might release the application for testing in the operational environment (e.g., user acceptance tests). At this stage of the SDLC (i.e., validation), the application functional testing is usually a responsibility of QA testers, while white-hat hackers/security consultants are usually responsible for security testing. Some organizations rely on their own specialized ethical hacking team in order to conduct such tests when a third party assessment is not required (such as for auditing purposes).

Since these tests are the last resort for fixing vulnerabilities before the application is released to production, it is important that such issues are addressed as recommended by the testing team (e.g., the recommendations can include code, design, or configuration change). At this level, security auditors and information security officers discuss the reported security issues and analyze the potential risks according to information risk management procedures. Such procedures might require the developer team to fix all high risk vulnerabilities before the application could be deployed, unless such risks are acknowledged and accepted.

===Developers' Security Tests===
'''Security Testing in the Coding Phase: Unit Tests''' 
From the developer’s perspective, the main objective of security tests is to validate that code is being developed in compliance with secure coding standards requirements. Developers' own coding artifacts such as functions, methods, classes, APIs, and libraries need to be functionally validated before being integrated into the application build.

The security requirements that developers have to follow should be documented in secure coding standards and validated with static and dynamic analysis. As testing activity following a secure code review, unit tests can validate that code changes required by secure code reviews are properly implemented. Secure code reviews and source code analysis through source code analysis tools help developers in identifying security issues in source code as it is developed. By using unit tests and dynamic analysis (e.g., debugging) developers can validate the security functionality of components as well as verify that the countermeasures being developed mitigate any security risks previously identified through threat modeling and source code analysis.

A good practice for developers is to build security test cases as a generic security test suite that is part of the existing unit testing framework. A generic security test suite could be derived from previously defined use and misuse cases to security test functions, methods and classes. A generic security test suite might include security test cases to validate both positive and negative requirements for security controls such as:
* Authentication & Access Control
* Input Validation & Encoding
* Encryption
* User and Session Management
* Error and Exception Handling
* Auditing and Logging

Developers empowered with a source code analysis tool integrated into their IDE, secure coding standards, and a security unit testing framework can assess and verify the security of the software components being developed. Security test cases can be run to identify potential security issues that have root causes in source code: besides input and output validation of parameters entering and exiting the components, these issues include authentication and authorization checks done by the component, protection of the data within the component, secure exception and error handling, and secure auditing and logging. Unit test frameworks such as Junit, Nunit, and CUnit can be adapted to verify security test requirements. In the case of security functional tests, unit level tests can test the functionality of security controls at the software component level, such as functions, methods, or classes. For example, a test case could validate input and output validation (e.g., variable sanitization) and boundary checks for variables by asserting the expected functionality of the component.

The threat scenarios identified with use and misuse cases can be used to document the procedures for testing software components. In the case of authentication components, for example, security unit tests can assert the functionality of setting an account lockout as well as the fact that user input parameters cannot be abused to bypass the account lockout (e.g., by setting the account lockout counter to a negative number). At the component level, security unit tests can validate positive assertions as well as negative assertions, such as errors and exception handling. Exceptions should be caught without leaving the system in an insecure state, such as potential denial of service caused by resources not being deallocated (e.g., connection handles not closed within a final statement block), as well as potential elevation of privileges (e.g., higher privileges acquired before the exception is thrown and not re-set to the previous level before exiting the function). Secure error handling can validate potential information disclosure via informative error messages and stack traces.

Unit level security test cases can be developed by a security engineer who is the subject matter expert in software security and is also responsible for validating that the security issues in the source code have been fixed and can be checked into the integrated system build. Typically, the manager of the application builds also makes sure that third-party libraries and executable files are security assessed for potential vulnerabilities before being integrated in the application build.

Threat scenarios for common vulnerabilities that have root causes in insecure coding can also be documented in the developer’s security testing guide. When a fix is implemented for a coding defect identified with source code analysis, for example, security test cases can verify that the implementation of the code change follows the secure coding requirements documented in the secure coding standards.

Source code analysis and unit tests can validate that the code change mitigates the vulnerability exposed by the previously identified coding defect. The results of automated secure code analysis can also be used as automatic check-in gates for version control: software artifacts cannot be checked into the build with high or medium severity coding issues.

===Functional Testers' Security Tests===
'''Security Testing During the Integration and Validation Phase: Integrated System Tests and Operation Tests''' 
The main objective of integrated system tests is to validate the “defense in depth” concept, that is, that the implementation of security controls provides security at different layers. For example, the lack of input validation when calling a component integrated with the application is often a factor that can be tested with integration testing.

The integration system test environment is also the first environment where testers can simulate real attack scenarios as can be potentially executed by a malicious external or internal user of the application. Security testing at this level can validate whether vulnerabilities are real and can be exploited by attackers. For example, a potential vulnerability found in source code can be rated as high risk because of the exposure to potential malicious users, as well as because of the potential impact (e.g., access to confidential information).
Real attack scenarios can be tested with both manual testing techniques and penetration testing tools. Security tests of this type are also referred to as ethical hacking tests. From the security testing perspective, these are risk driven tests and have the objective to test the application in the operational environment. The target is the application build that is representative of the version of the application being deployed into production.

The execution of security in the integration and validation phase is critical to identifying vulnerabilities due to integration of components as well as validating the exposure of such vulnerabilities. Since application security testing requires a specialized set of skills, which includes both software and security knowledge and is not typical of security engineers, organizations are often required to security-train their software developers on ethical hacking techniques, security assessment procedures and tools. A realistic scenario is to develop such resources in-house and document them in security testing guides and procedures that take into account the developer’s security testing knowledge. A so called “security test cases cheat list or check-list”, for example, can provide simple test cases and attack vectors that can be used by testers to validate exposure to common vulnerabilities such as spoofing, information disclosures, buffer overflows, format strings, SQL injection and XSS injection, XML, SOAP, canonicalization issues, denial of service and managed code and ActiveX controls (e.g., .NET). A first battery of these tests can be performed manually with a very basic knowledge of software security. The first objective of security tests might be the validation of a set of minimum security requirements. These security test cases might consist of manually forcing the application into error and exceptional states, and gathering knowledge from the application behavior. For example, SQL injection vulnerabilities can be tested manually by injecting attack vectors through user input and by checking if SQL exceptions are thrown back the user. The evidence of a SQL exception error might be a manifestation of a vulnerability that can be exploited. A more in-depth security test might require the tester’s knowledge of specialized testing techniques and tools. Besides source code analysis and penetration testing, these techniques include, for example, source code and binary fault injection, fault propagation analysis and code coverage, fuzz testing, and reverse engineering. The security testing guide should provide procedures and recommend tools that can be used by security testers to perform such in-depth security assessments.

The next level of security testing after integration system tests is to perform security tests in the user acceptance environment. There are unique advantages to performing security tests in the operational environment. The user acceptance tests environment (UAT) is the one that is most representative of the release configuration, with the exception of the data (e.g., test data is used in place of real data). A characteristic of security testing in UAT is testing for security configuration issues. In some cases these vulnerabilities might represent high risks. For example, the server that hosts the web application might not be configured with minimum privileges, valid SSL certificate and secure configuration, essential services disabled and web root directory not cleaned from test and administration web pages.

===Security Test Data Analysis and Reporting===
'''Goals for Security Test Metrics and Measurements''' 
The definition of the goals for the security testing metrics and measurements is a pre-requisite for using security testing data for risk analysis and management processes. For example, a measurement such as the total number of vulnerabilities found with security tests might quantify the security posture of the application. These measurements also help to identify security objectives for software security testing: for example, reducing the number of vulnerabilities to an acceptable number (minimum) before the application is deployed into production.

Another manageable goal could be to compare the application security posture against a baseline to assess improvements in application security processes. For example, the security metrics baseline might consist of an application that was tested only with penetration tests. The security data obtained from an application that was also security tested during coding should show an improvement (e.g., fewer number of vulnerabilities) when compared with the baseline.

In traditional software testing, the number of software defects, such as the bugs found in an application, could provide a measure of software quality. Similarly, security testing can provide a measure of software security. From the defect management and reporting perspective, software quality and security testing can use similar categorizations for root causes and defect remediation efforts. From the root cause perspective, a security defect can be due to an error in design (e.g., security flaws) or due to an error in coding (e.g., security bug). From the perspective of the effort required to fix a defect, both security and quality defects can be measured in terms of developer hours to implement the fix, the tools and resources required to fix, and, finally, the cost to implement the fix.

A characteristic of security test data, compared to quality data, is the categorization in terms of the threat, the exposure of the vulnerability, and the potential impact posed by the vulnerability to determine the risk. Testing applications for security consists of managing technical risks to make sure that the application countermeasures meet acceptable levels. For this reason, security testing data needs to support the security risk strategy at critical checkpoints during the SDLC. For example, vulnerabilities found in source code with source code analysis represent an initial measure of risk. Such measure of risk (e.g., high, medium, low) for the vulnerability can be calculated by determining the exposure and likelihood factors and, further, by validating such vulnerability with penetration tests. The risk metrics associated to vulnerabilities found with security tests empower business management to make risk management decisions, such as to decide whether risks can be accepted, mitigated, or transferred at different levels within the organization (e.g., business as well as technical).

When evaluating the security posture of an application, it is important to take into consideration certain factors, such as the size of the application being developed. Application size has been statistically proven to be related to the number of issues found in the application with tests. One measure of application size is the number of line of code (LOC) of the application. Typically, software quality defects range from about 7 to 10 defects per thousand lines of new and changed code [21]. Since testing can reduce the overall number by about 25% with one test alone, it is logical for larger size applications to be tested more and more often than smaller size applications.

When security testing is done in several phases of the SDLC, the test data could prove the capability of the security tests in detecting vulnerabilities as soon as they are introduced, and prove the effectiveness of removing them by implementing countermeasures at different checkpoints of the SDLC. A measurement of this type is also defined as “containment metrics” and provides a measure of the ability of a security assessment performed at each phase of the development process to maintain security within each phase. These containment metrics are also a critical factor in lowering the cost of fixing the vulnerabilities, since it is less expensive to deal with the vulnerabilities when they are found (in the same phase of the SDLC), rather then fixing them later in another phase.

Security test metrics can support security risk, cost, and defect management analysis when it is associated with tangible and timed goals such as:
*Reducing the overall number of vulnerabilities by 30%
*Security issues are expected to be fixed by a certain deadline (e.g., before beta release)

Security test data can be absolute, such as the number of vulnerabilities detected during manual code review, as well as comparative, such as the number of vulnerabilities detected in code reviews vs. penetration tests. To answer questions about the quality of the security process, it is important to determine a baseline for what could be considered acceptable and good.

Security test data can also support specific objectives of the security analysis such as compliance with security regulations and information security standards, management of security processes, the identification of security root causes and process improvements, and security costs vs. benefits analysis.

When security test data is reported it has to provide metrics to support the analysis. The scope of the analysis is the interpretation of test data to find clues about the security of the software being produced as well the effectiveness of the process.
Some examples of clues supported by security test data can be:
*Are vulnerabilities reduced to an acceptable level for release?
*How does the security quality of this product compare with similar software products?
*Are all security test requirements being met?
*What are the major root causes of security issues?
*How numerous are security flaws compared to security bugs?
*Which security activity is most effective in finding vulnerabilities?
*Which team is more productive in fixing security defects and vulnerabilities?
*Which percentage of overall vulnerabilities are high risk?
*Which tools are most effective in detecting security vulnerabilities?
*Which kind of security tests are most effective in finding vulnerabilities (e.g., white box vs. black box) tests?
*How many security issues are found during secure code reviews?
*How many security issues are found during secure design reviews?

In order to make a sound judgment using the testing data, it is important to have a good understanding of the testing process as well as the testing tools. A tool taxonomy should be adopted to decide which security tools should be used. Security tools can be qualified as being good at finding common known vulnerabilities targeting different artifacts.
The issue is that the unknown security issues are not tested: the fact that you come out clean it does not mean that your software or application is good. Some studies [22] have demonstrated that, at best, tools can find 45% of overall vulnerabilities.

Even the most sophisticated automation tools are not a match for an experienced security tester: just relying on successful test results from automation tools will give security practitioners a false sense of security. Typically, the more experienced the security testers are with the security testing methodology and testing tools, the better the results of the security test and analysis will be. It is important that managers making an investment in security testing tools also consider an investment in hiring skilled human resources as well as security test training.

'''Reporting Requirements''' 
The security posture of an application can be characterized from the perspective of the effect, such as number of vulnerabilities and the risk rating of the vulnerabilities, as well as from the perspective of the cause (i.e., origin) such as coding errors, architectural flaws, and configuration issues.

Vulnerabilities can be classified according to different criteria. This can be a statistical categorization, such as the OWASP Top 10 and WASC (Web Application Security Statistics) project, or related to defensive controls as in the case of WASF (Web Application Security Framework) categorization.

When reporting security test data, the best practice is to include the following information, besides the categorization of each vulnerability by type:
*The security threat that the issue is exposed to
*The root cause of security issues (e.g., security bugs, security flaw)
*The testing technique used to find it
*The remediation of the vulnerability (e.g., the countermeasure)
*The risk rating of the vulnerability (High, Medium, Low)

By describing what the security threat is, it will be possible to understand if and why the mitigation control is ineffective in mitigating the threat.

Reporting the root cause of the issue can help pinpoint what needs to be fixed: in the case of a white box testing, for example, the software security root cause of the vulnerability will be the offending source code.

Once issues are reported, it is also important to provide guidance to the software developer on how to re-test and find the vulnerability. This might involve using a white box testing technique (e.g., security code review with a static code analyzer) to find if the code is vulnerable. If a vulnerability can be found via a black box technique (penetration test), the test report also needs to provide information on how to validate the exposure of the vulnerability to the front end (e.g., client).

The information about how to fix the vulnerability should be detailed enough for a developer to implement a fix. It should provide secure coding examples, configuration changes, and provide adequate references.

Finally the risk rating helps to prioritize the remediation effort. Typically, assigning a risk rating to the vulnerability involves a risk analysis based upon factors such as impact and exposure.

'''Business Cases''' 
For the security test metrics to be useful, they need to provide value back to the organization's security test data stakeholders, such as project managers, developers, information security offices, auditors, and chief information officers. The value can be in terms of the business case that each project stakeholder has in terms of role and responsibility.

Software developers look at security test data to show that software is coded more securely and efficiently, so that they can make the case of using source code analysis tools as well as following secure coding standards and attending software security training.

Project managers look for data that allows them to successfully manage and utilize security testing activities and resources according to the project plan. To project managers, security test data can show that projects are on schedule and moving on target for delivery dates and are getting better during tests.

Security test data also helps the business case for security testing if the initiative comes from information security officers (ISOs). For example, it can provide evidence that security testing during the SDLC does not impact the project delivery, but rather reduces the overall workload needed to address vulnerabilities later in production.

To compliance auditors, security test metrics provide a level of software security assurance and confidence that security standard compliance is addressed through the security review processes within the organization.

Finally, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs), responsible for the budget that needs to be allocated in security resources, look for derivation of a cost/benefit analysis from security test data to make informed decisions on which security activities and tools to invest. One of the metrics that support such analysis is the Return On Investment (ROI) in Security [23]. To derive such metrics from security test data, it is important to quantify the differential between the risk due to the exposure of vulnerabilities and the effectiveness of the security tests in mitigating the security risk, and factor this gap with the cost of the security testing activity or the testing tools adopted.

== References ==
[1] T. DeMarco, ''Controlling Software Projects: Management, Measurement and Estimation'', Yourdon Press, 1982

[2] S. Payne, ''A Guide to Security Metrics'' - http://www.sans.org/reading_room/whitepapers/auditing/55.php

[3] NIST, ''The economic impacts of inadequate infrastructure for software testing'' - http://www.nist.gov/director/planning/upload/report02-3.pdf

[4] Ross Anderson, ''Economics and Security Resource Page'' - http://www.cl.cam.ac.uk/~rja14/econsec.html

[5] Denis Verdon, ''Teaching Developers To Fish'' - [[OWASP AppSec NYC 2004]]

[6] Bruce Schneier, ''Cryptogram Issue #9'' - https://www.schneier.com/crypto-gram-0009.html

[7] Symantec, ''Threat Reports'' - http://www.symantec.com/security_response/publications/threatreport.jsp

[8] FTC, ''The Gramm-Leach Bliley Act'' - http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

[9] Senator Peace and Assembly Member Simitian, ''SB 1386''- http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

[10] European Union, ''Directive 96/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data'' -
http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

[11] NIST, '' Risk management guide for information technology systems'' - http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

[12] SEI, Carnegie Mellon, ''Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)'' - http://www.cert.org/octave/

[13] Ken Thompson, ''Reflections on Trusting Trust, Reprinted from Communication of the ACM '' - http://cm.bell-labs.com/who/ken/trust.html'' [[Category:FIXME|link not working]]

[14] Gary McGraw, ''Beyond the Badness-ometer'' - http://www.drdobbs.com/security/beyond-the-badness-ometer/189500001

[15] FFIEC, '' Authentication in an Internet Banking Environment'' - http://www.ffiec.gov/pdf/authentication_guidance.pdf

[16] PCI Security Standards Council, ''PCI Data Security Standard'' - https://www.pcisecuritystandards.org/security_standards/index.php

[17] MSDN, ''Cheat Sheet: Web Application Security Frame'' - http://msdn.microsoft.com/en-us/library/ms978518.aspx#tmwacheatsheet_webappsecurityframe

[18] MSDN, ''Improving Web Application Security, Chapter 2, Threat And Countermeasures'' - http://msdn.microsoft.com/en-us/library/aa302418.aspx

[19] Sindre,G. Opdmal A., '' Capturing Security Requirements Through Misuse Cases ' - http://folk.uio.no/nik/2001/21-sindre.pdf

[20] Improving Security Across the Software Development Lifecycle Task Force, ''Referred Data from Caper Johns, Software Assessments, Benchmarks and Best Practices'' - http://www.criminal-justice-careers.com/resources/SDLCFULL.pdf

[21] MITRE, ''Being Explicit About Weaknesses, Slide 30, Coverage of CWE'' - http://cwe.mitre.org/documents/being-explicit/BlackHatDC_BeingExplicit_Slides.ppt

[22] Marco Morana, ''Building Security Into The Software Life Cycle, A Business Case'' - http://www.blackhat.com/presentations/bh-usa-06/bh-us-06-Morana-R3.0.pdf

Testing Guide Introduction

2014-04-01T22:20:01Z

Yiannis: Testing Guide V4: Review_v1

{{Template:OWASP Testing Guide v4}}

=== The OWASP Testing Project ===
----
The OWASP Testing Project has been in development for many years. With this project, we want to help people understand the ''what'', ''why'', ''when'', ''where'', and ''how'' of testing their web applications. For this reason, we have avoided merely providing a simple checklist or prescription of issues that should be addressed. The outcome of this project is a complete Testing Framework, from which others can build their own testing programs or qualify other people’s processes. The Testing Guide describes in details both the general Testing Framework and the techniques required to implement the framework in practice.

Writing the Testing Guide has proven to be a difficult task. It has been a challenge to obtain consensus and develop the content that allows people to apply the concepts described here, while enabling them to work in their own environment and culture. It has also been a challenge to change the focus of web application testing from penetration testing to testing integrated in the software development life cycle.

However, we are very satisfied with the results we have reached. Many industry experts and those responsible for software security at some of the largest companies in the world are validating the Testing Framework. This framework helps organizations test their web applications in order to build reliable and secure software, rather than simply highlighting areas of weakness, although the latter is certainly a byproduct of many of OWASP’s guides and checklists. As such, we have made some hard decisions about the appropriateness of certain testing techniques and technologies, which we fully understand will not be agreed upon by everyone. However, OWASP is able to take the high ground and change culture over time through awareness and education based on consensus and experience.

The rest of this guide is organized as follows. This introduction covers the pre-requisites of testing web applications: the scope of testing, the principles of successful testing, and testing techniques. Chapter 3 presents the OWASP Testing Framework and explains its techniques and tasks in relation to the various phases of the software development life cycle. Chapter 4 covers how to test for specific vulnerabilities (e.g., SQL Injection) by code inspection and penetration testing.

'''Measuring (in)security: the Economics of Insecure Software''' 
A basic tenet of software engineering is that you can't control what you can't measure [1]. Security testing is no different. Unfortunately, measuring security is a notoriously difficult process. We will not cover this topic in detail here, since it would take a guide on its own (for an introduction, see [2]).

One aspect that we want to emphasize, however, is that security measurements are, by necessity, about both the specific, technical issues (e.g., how prevalent a certain vulnerability is) and how these affect the economics of software. We find that most technical people understand at least the basic issues, or have a deeper understanding, of the vulnerabilities. Sadly, few are able to translate that technical knowledge into monetary terms, and, thereby, quantify the potential cost of vulnerabilities to the application owner's business. We believe that until this happens, CIOs will not be able to develop an accurate return on security investment and, subsequently, assign appropriate budgets for software security. 
While estimating the cost of insecure software may appear a daunting task, recently there has been a significant amount of work in this direction. For example, in June 2002, the US National Institute of Standards (NIST) published a survey on the cost of insecure software to the US economy due to inadequate software testing [3]. Interestingly, they estimate that a better testing infrastructure would save more than a third of these costs, or about $22 billion a year. More recently, the links between economics and security have been studied by academic researchers. See [4] for more information about some of these efforts.

The framework described in this document encourages people to measure security throughout their entire development process. They can then relate the cost of insecure software to the impact it has on their business, and consequently develop appropriate business decisions (resources) to manage the risk. Remember: measuring and testing web applications is even more critical than for other software, since web applications are exposed to millions of users through the Internet.

'''What is Testing''' 
What do we mean by testing? During the development life cycle of a web application, many things need to be tested. The Merriam-Webster Dictionary describes testing as:
* To put to test or proof.
* To undergo a test.
* To be assigned a standing or evaluation based on tests.
For the purposes of this document, testing is a process of comparing the state of a system/application against a set of criteria. In the security industry, people frequently test against a set of mental criteria that are neither well defined nor complete. For this reason and others, many outsiders regard security testing as a black art. This document’s aim is to change that perception and to make it easier for people without in-depth security knowledge to make a difference.

'''Why Testing''' 
This document is designed to help organizations understand what comprises a testing program, and to help them identify the steps that they need to undertake to build and operate that testing program on their web applications. It is intended to give a broad view of the elements required to make a comprehensive web application security program. This guide can be used as a reference and as a methodology to help determine the gap between your existing practices and industry best practices. This guide allows organizations to compare themselves against industry peers, understand the magnitude of resources required to test and maintain their software, or prepare for an audit. This chapter does not go into the technical details of how to test an application, as the intent is to provide a typical security organizational framework. The technical details about how to test an application, as part of a penetration test or code review will be covered in the remaining parts of this document.

'''When to Test''' 
Most people today don’t test the software until it has already been created and is in the deployment phase of its life cycle (i.e., code has been created and instantiated into a working web application). This is generally a very ineffective and cost-prohibitive practice. One of the best methods to prevent security bugs from appearing in production applications is to improve the Software Development Life Cycle (SDLC) by including security in each of its phases. An SDLC is a structure imposed on the development of software artifacts. If an SDLC is not currently being used in your environment, it is time to pick one! The following figure shows a generic SDLC model as well as the (estimated) increasing cost of fixing security bugs in such a model.

<center>[[Image:SDLC.jpg]] 
''Figure 1: Generic SDLC Model'' </center>

Companies should inspect their overall SDLC to ensure that security is an integral part of the development process. SDLCs should include security tests to ensure security is adequately covered and controls are effective throughout the development process.

'''What to Test''' 
It can be helpful to think of software development as a combination of people, process, and technology. If these are the factors that "create" software, then it is logical that these are the factors that must be tested. Today most people generally test the technology or the software itself.

An effective testing program should have components that test ''People'' – to ensure that there is adequate education and awareness; ''Process'' – to ensure that there are adequate policies and standards and that people know how to follow these policies; ''Technology'' – to ensure that the process has been effective in its implementation. Unless a holistic approach is adopted, testing just the technical implementation of an application will not uncover management or operational vulnerabilities that could be present. By testing the people, policies, and processes, an organization can catch issues that would later manifest themselves into defects in the technology, thus eradicating bugs early and identifying the root causes of defects. Likewise, testing only some of the technical issues that can be present in a system will result in an incomplete and inaccurate security posture assessment. Denis Verdon, Head of Information Security at [http://www.fnf.com Fidelity National Financial] presented an excellent analogy for this misconception at the OWASP AppSec 2004 Conference in New York [5]: "If cars were built like applications [...] safety tests would assume frontal impact only. Cars would not be roll tested, or tested for stability in emergency maneuvers, brake effectiveness, side impact, and resistance to theft." 

'''Feedback and Comments''' 
As with all OWASP projects, we welcome comments and feedback. We especially like to know that our work is being used and that it is effective and accurate.

==Principles of Testing==

There are some common misconceptions when developing a testing methodology to weed out security bugs in software. This chapter covers some of the basic principles that should be taken into account by professionals when testing for security bugs in software.

'''There is No Silver Bullet''' 
While it is tempting to think that a security scanner or application firewall will either provide a multitude of defenses or identify a multitude of problems, in reality there are no silver bullets to the problem of insecure software. Application security assessment software, while useful as a first pass to find low-hanging fruit, is generally immature and ineffective at in-depth assessments and at providing adequate test coverage. Remember that security is a process, not a product.

'''Think Strategically, Not Tactically''' 
Over the last few years, security professionals have come to realize the fallacy of the patch-and-penetrate model that was pervasive in information security during the 1990’s. The patch-and-penetrate model involves fixing a reported bug, but without proper investigation of the root cause. This model is usually associated with the window of vulnerability shown in the figure below. The evolution of vulnerabilities in common software used worldwide has shown the ineffectiveness of this model. Fore more information about the window of vulnerability please refer to [6]. Vulnerability studies [7] have shown that with the reaction time of attackers worldwide, the typical window of vulnerability does not provide enough time for patch installation, since the time between a vulnerability being uncovered and an automated attack against it being developed and released is decreasing every year. There are also several wrong assumptions in the patch-and-penetrate model: patches interfere with the normal operations and might break existing applications, and not all the users might (in the end) be aware of a patch’s availability. Consequently not all the product's users will apply patches, either because of this issue or because they lack knowledge about the patch's existence. 

<center>[[Image:WindowExposure.jpg]] 
''Figure 2: Window of Vulnerability''</center> 
To prevent reoccurring security problems within an application, it is essential to build security into the Software Development Life Cycle (SDLC) by developing standards, policies, and guidelines that fit and work within the development methodology. Threat modeling and other techniques should be used to help assign appropriate resources to those parts of a system that are most at risk.
 
'''The SDLC is King''' 
The SDLC is a process that is well-known to developers. By integrating security into each phase of the SDLC, it allows for a holistic approach to application security that leverages the procedures already in place within the organization. Be aware that while the names of the various phases may change depending on the SDLC model used by an organization, each conceptual phase of the archetype SDLC will be used to develop the application (i.e., define, design, develop, deploy, maintain). Each phase has security considerations that should become part of the existing process, to ensure a cost-effective and comprehensive security program.
 
'''Test Early and Test Often''' 
When a bug is detected early within the SDLC, it can be addressed more quickly and at a lower cost. A security bug is no different from a functional or performance-based bug in this regard. A key step in making this possible is to educate the development and QA organizations about common security issues and the ways to detect and prevent them. Although new libraries, tools, or languages might help design better programs (with fewer security bugs), new threats arise constantly and developers must be aware of those that affect the software they are developing. Education in security testing also helps developers acquire the appropriate mindset to test an application from an attacker's perspective. This allows each organization to consider security issues as part of their existing responsibilities.
 
'''Understand the Scope of Security''' 
It is important to know how much security a given project will require. The information and assets that are to be protected should be given a classification that states how they are to be handled (e.g., Confidential, Secret, Top Secret). Discussions should occur with legal council to ensure that any specific security need will be met. In the USA they might come from federal regulations, such as the Gramm-Leach-Bliley Act [8], or from state laws, such as the California SB-1386 [9]. For organizations based in EU countries, both country-specific regulation and EU Directives might apply. For example, Directive 96/46/EC4 [10] makes it mandatory to treat personal data in applications with due care, whatever the application.
 
'''Develop the Right Mindset''' 
Successfully testing an application for security vulnerabilities requires thinking "outside of the box." Normal use cases will test the normal behavior of the application when a user is using it in the manner that you expect. Good security testing requires going beyond what is expected and thinking like an attacker who is trying to break the application. Creative thinking can help to determine what unexpected data may cause an application to fail in an insecure manner. It can also help find what assumptions made by web developers are not always true and how they can be subverted. This is one of the reasons why automated tools are actually bad at automatically testing for vulnerabilities: this creative thinking must be done on a case-by-case basis and most web applications are being developed in a unique way (even if using common frameworks).
 
'''Understand the Subject''' 
One of the first major initiatives in any good security program should be to require accurate documentation of the application. The architecture, data-flow diagrams, use cases, and more should be written in formal documents and made available for review. The technical specification and application documents should include information that lists not only the desired use cases, but also any specifically disallowed use case. Finally, it is good to have at least a basic security infrastructure that allows the monitoring and trending of attacks against an organization's applications and network (e.g., IDS systems).
 
'''Use the Right Tools''' 
While we have already stated that there is no silver bullet tool, tools do play a critical role in the overall security program. There is a range of open source and commercial tools that can automate many routine security tasks. These tools can simplify and speed up the security process by assisting security personnel in their tasks. It is important to understand exactly what these tools can and cannot do, however, so that they are not oversold or used incorrectly.
 
'''The Devil is in the Details''' 
It is critical not to perform a superficial security review of an application and consider it complete. This will instill a false sense of confidence that can be as dangerous as not having done a security review in the first place. It is vital to carefully review the findings and weed out any false positive that may remain in the report. Reporting an incorrect security finding can often undermine the valid message of the rest of a security report. Care should be taken to verify that every possible section of application logic has been tested, and that every use case scenario was explored for possible vulnerabilities.
 
'''Use Source Code When Available''' 
While black box penetration test results can be impressive and useful to demonstrate how vulnerabilities are exposed in production, they are not the most effective way to secure an application. If the source code for the application is available, it should be given to the security staff to assist them while performing their review. It is possible to discover vulnerabilities within the application source that would be missed during a black box engagement.
 
'''Develop Metrics''' 
An important part of a good security program is the ability to determine if things are getting better. It is important to track the results of testing engagements, and develop metrics that will reveal the application security trends within the organization. These metrics can show if more education and training are required, if there is a particular security mechanism that is not clearly understood by development, and if the total number of security related problems being found each month is going down. Consistent metrics that can be generated in an automated way from available source code will also help the organization in assessing the effectiveness of mechanisms introduced to reduce security bugs in software development. Metrics are not easily developed, so using standard metrics like those provided by the OWASP Metrics project and other organizations might be a good head start. 
'''Document the Test Results''' 
To conclude the testing process, it is important to produce a formal record of what testing actions were taken, by whom, when they were performed, and details of the test findings. It is wise to agree on an acceptable format for the report which is useful to all concerned parties, which may include developers, project management, business owners, IT department, audit, and compliance. The report must be clear to the business owner in identifying where material risks exist and sufficient to get their backing for subsequent mitigation actions. The report must be clear to the developer in pin-pointing the exact function that is affected by the vulnerability, with associated recommendations for resolution in a language that the developer will understand (no pun intended). Last but not least, the report writing should not be overly burdensome on the security tester themselves; security testers are not generally renowned for their creative writing skills, therefore agreeing on a complex report can lead to instances where test results do not get properly documented.

==Testing Techniques Explained==

This section presents a high-level overview of various testing techniques that can be employed when building a testing program. It does not present specific methodologies for these techniques, although Chapter 3 will address this information. This section is included to provide context for the framework presented in the next chapter and to highlight the advantages and disadvantages of some of the techniques that should be considered. In particular, we will cover:
* Manual Inspections & Reviews
* Threat Modeling
* Code Review
* Penetration Testing

=== Manual Inspections & Reviews ===
'''Overview''' 
Manual inspections are human-driven reviews that typically test the security implications of the people, policies, and processes, but can include inspection of technology decisions such as architectural designs. They are usually conducted by analyzing documentation or performing interviews with the designers or system owners. While the concept of manual inspections and human reviews is simple, they can be among the most powerful and effective techniques available. By asking someone how something works and why it was implemented in a specific way, it allows the tester to quickly determine if any security concerns are likely to be evident. Manual inspections and reviews are one of the few ways to test the software development life-cycle process itself and to ensure that there is an adequate policy or skill set in place. As with many things in life, when conducting manual inspections and reviews we suggest you adopt a trust-but-verify model. Not everything everyone tells you or shows you will be accurate. Manual reviews are particularly good for testing whether people understand the security process, have been made aware of policy, and have the appropriate skills to design or implement a secure application. Other activities, including manually reviewing the documentation, secure coding policies, security requirements, and architectural designs, should all be accomplished using manual inspections.

'''Advantages:'''
* Requires no supporting technology
* Can be applied to a variety of situations
* Flexible
* Promotes teamwork
* Early in the SDLC

'''Disadvantages:'''
* Can be time consuming
* Supporting material not always available
* Requires significant human thought and skill to be effective!

=== Threat Modeling ===
'''Overview''' 
Threat modeling has become a popular technique to help system designers think about the security threats that their systems/applications might face. Therefore, threat modeling can be seen as risk assessment for applications. In fact, it enables the designer to develop mitigation strategies for potential vulnerabilities and helps them focus their inevitably limited resources and attention on the parts of the system that most require it. It is recommended that all applications have a threat model developed and documented. Threat models should be created as early as possible in the SDLC, and should be revisited as the application evolves and development progresses. To develop a threat model, we recommend taking a simple approach that follows the NIST 800-30 [11] standard for risk assessment. This approach involves:
* Decomposing the application – understand, through a process of manual inspection, how the application works, its assets, functionality, and connectivity.
* Defining and classifying the assets – classify the assets into tangible and intangible assets and rank them according to business importance.
* Exploring potential vulnerabilities - whether technical, operational, or management.
* Exploring potential threats – develop a realistic view of potential attack vectors from an attacker’s perspective, by using threat scenarios or attack trees.
* Creating mitigation strategies – develop mitigating controls for each of the threats deemed to be realistic. The output from a threat model itself can vary but is typically a collection of lists and diagrams. The OWASP Code Review Guide outlines an Application Threat Modeling methodology that can be used as a reference for the testing applications for potential security flaws in the design of the application. There is no right or wrong way to develop threat models and perform information risk assessments on applications. [12]. 

'''Advantages:'''
* Practical attacker's view of the system
* Flexible
* Early in the SDLC

'''Disadvantages: '''
* Relatively new technique
* Good threat models don’t automatically mean good software

=== Source Code Review ===
'''Overview''' 
Source code review is the process of manually checking a web application's source code for security issues. Many serious security vulnerabilities cannot be detected with any other form of analysis or testing. As the popular saying goes “if you want to know what’s really going on, go straight to the source." Almost all security experts agree that there is no substitute for actually looking at the code. All the information for identifying security problems is there in the code somewhere. Unlike testing third party closed software such as operating systems, when testing web applications (especially if they have been developed in-house) the source code should be made available for testing purposes. Many unintentional but significant security problems are also extremely difficult to discover with other forms of analysis or testing, such as penetration testing, making source code analysis the technique of choice for technical testing. With the source code, a tester can accurately determine what is happening (or is supposed to be happening) and remove the guess work of black box testing. Examples of issues that are particularly conducive to being found through source code reviews include concurrency problems, flawed business logic, access control problems, and cryptographic weaknesses as well as backdoors, Trojans, Easter eggs, time bombs, logic bombs, and other forms of malicious code. These issues often manifest themselves as the most harmful vulnerabilities in web sites. Source code analysis can also be extremely efficient to find implementation issues such as places where input validation was not performed or when fail open control procedures may be present. But keep in mind that operational procedures need to be reviewed as well, since the source code being deployed might not be the same as the one being analyzed herein [13]. 

'''Advantages:'''
* Completeness and effectiveness
* Accuracy
* Fast (for competent reviewers)

'''Disadvantages:'''
* Requires highly skilled security developers
* Can miss issues in compiled libraries
* Cannot detect run-time errors easily
* The source code actually deployed might differ from the one being analyzed

'''For more on code review, checkout the [[OWASP Code Review Project|OWASP code review project]]'''. 

=== Penetration Testing ===
'''Overview''' 
Penetration testing has been a common technique used to test network security for many years. It is also commonly known as black box testing or ethical hacking. Penetration testing is essentially the “art” of testing a running application remotely, without knowing the inner workings of the application itself, to find security vulnerabilities. Typically, the penetration test team would have access to an application as if they were users. The tester acts like an attacker and attempts to find and exploit vulnerabilities. In many cases the tester will be given a valid account on the system. While penetration testing has proven to be effective in network security, the technique does not naturally translate to applications. When penetration testing is performed on networks and operating systems, the majority of the work is involved in finding and then exploiting known vulnerabilities in specific technologies. As web applications are almost exclusively bespoke, penetration testing in the web application arena is more akin to pure research. Penetration testing tools have been developed that automate the process, but, again, with the nature of web applications their effectiveness is usually poor. Many people today use web application penetration testing as their primary security testing technique. Whilst it certainly has its place in a testing program, we do not believe it should be considered as the primary or only testing technique. Gary McGraw in [14] summed up penetration testing well when he said, “If you fail a penetration test you know you have a very bad problem indeed. If you pass a penetration test you do not know that you don’t have a very bad problem”. However, focused penetration testing (i.e., testing that attempts to exploit known vulnerabilities detected in previous reviews) can be useful in detecting if some specific vulnerabilities are actually fixed in the source code deployed on the web site. 

'''Advantages:'''
* Can be fast (and therefore cheap)
* Requires a relatively lower skill-set than source code review
* Tests the code that is actually being exposed

'''Disadvantages:'''
* Too late in the SDLC
* Front impact testing only!

=== The Need for a Balanced Approach ===
With so many techniques and so many approaches to testing the security of web applications, it can be difficult to understand which techniques to use and when to use them.
Experience shows that there is no right or wrong answer to exactly what techniques should be used to build a testing framework. The fact remains that all techniques should probably be used to ensure that all areas that need to be tested are tested. What is clear, however, is that there is no single technique that effectively covers all security testing that must be performed to ensure that all issues have been addressed. Many companies adopt one approach, which has historically been penetration testing. Penetration testing, while useful, cannot effectively address many of the issues that need to be tested, and is simply “too little too late” in the software development life cycle (SDLC).
The correct approach is a balanced one that includes several techniques, from manual reviews to technical testing. The balanced approach is sure to cover testing in all phases of the SDLC. This approach leverages the most appropriate techniques available depending on the current SDLC phase.
Of course there are times and circumstances where only one technique is possible; for example, a test on a web application that has already been created, and where the testing party does not have access to the source code. In this case, penetration testing is clearly better than no testing at all. However, we encourage the testing parties to challenge assumptions, such as no access to source code, and to explore the possibility of more complete testing.
A balanced approach varies depending on many factors, such as the maturity of the testing process and corporate culture. However, it is recommended that a balanced testing framework look something like the representations shown in Figure 3 and Figure 4. The following figure shows a typical proportional representation overlaid onto the software development life cycle. In keeping with research and experience, it is essential that companies place a higher emphasis on the early stages of development.
<center>
[[Image:ProportionSDLC.png]]
 ''Figure 3: Proportion of Test Effort in SDLC''
</center>
The following figure shows a typical proportional representation overlaid onto testing techniques. 
<center>
[[Image:ProportionTest.png]]
 ''Figure 4: Proportion of Test Effort According to Test Technique''
</center>

'''A Note about Web Application Scanners''' 
Many organizations have started to use automated web application scanners. While they undoubtedly have a place in a testing program, we want to highlight some fundamental issues about why we do not believe that automating black box testing is (or will ever be) effective. By highlighting these issues, we are not discouraging web application scanner use. Rather, we are saying that their limitations should be understood, and testing frameworks should be planned appropriately.
NB: OWASP is currently working to develop a web application scanner-benchmarking platform. The following examples indicate why automated black box testing is not effective.
 
'''Example 1: Magic Parameters''' 
Imagine a simple web application that accepts a name-value pair of “magic” and then the value. For simplicity, the GET request may be: ''<nowiki>http://www.host/application?magic=value</nowiki>'' To further simplify the example, the values in this case can only be ASCII characters a – z (upper or lowercase) and integers 0 – 9. The designers of this application created an administrative backdoor during testing, but obfuscated it to prevent the casual observer from discovering it. By submitting the value sf8g7sfjdsurtsdieerwqredsgnfg8d (30 characters), the user will then be logged in and presented with an administrative screen with total control of the application. The HTTP request is now: ''<nowiki>http://www.host/application?magic= sf8g7sfjdsurtsdieerwqredsgnfg8d </nowiki>'' 
Given that all of the other parameters were simple two- and three-characters fields, it is not possible to start guessing combinations at approximately 28 characters. A web application scanner will need to brute force (or guess) the entire key space of 30 characters. That is up to 30^28 permutations, or trillions of HTTP requests! That is an electron in a digital haystack!
The code for this exemplar Magic Parameter check may look like the following: 
public void doPost( HttpServletRequest request, HttpServletResponse response)
{
String magic = “sf8g7sfjdsurtsdieerwqredsgnfg8d”;
boolean admin = magic.equals( request.getParameter(“magic”));
if (admin) doAdmin( request, response);
else …. // normal processing
}
By looking in the code, the vulnerability practically leaps off the page as a potential problem.
 
'''Example 2: Bad Cryptography''' 
Cryptography is widely used in web applications. Imagine that a developer decided to write a simple cryptography algorithm to sign a user in from site A to site B automatically. In his/her wisdom, the developer decides that if a user is logged into site A, then he/she will generate a key using an MD5 hash function that comprises: ''Hash { username : date }'' 
When a user is passed to site B, he/she will send the key on the query string to site B in an HTTP re-direct. Site B independently computes the hash, and compares it to the hash passed on the request. If they match, site B signs the user in as the user they claim to be. Clearly, as we explain the scheme, the inadequacies can be worked out, and it can be seen how anyone that figures it out (or is told how it works, or downloads the information from Bugtraq) can login as any user. Manual inspection, such as a review, would have uncovered this security issue quickly, as would inspection of the code. A black-box web application scanner would have seen a 128-bit hash that changed with each user, and by the nature of hash functions, did not change in any predictable way.
 
'''A Note about Static Source Code Review Tools''' 
Many organizations have started to use static source code scanners. While they undoubtedly have a place in a comprehensive testing program, we want to highlight some fundamental issues about why we do not believe this approach is effective when used alone. Static source code analysis alone cannot identify issues due to flaws in the design since it cannot understand the context in which the code is constructed. Source code analysis tools are useful in determining security issues due to coding errors, however significant manual effort is required to validate the findings.
 

=== Security Requirements Test Derivation ===
If you want to have a successful testing program, you need to know what the objectives of the testing are. These objectives are specified by security requirements. This section discusses in detail how to document requirements for security testing by deriving them from applicable standards and regulations and positive and negative application requirements. It also discusses how security requirements effectively drive security testing during the SDLC and how security test data can be used to effectively manage software security risks.

'''Testing Objectives''' 
One of the objectives of security testing is to validate that security controls function as expected. This is documented via ''security requirements'' that describe the functionality of the security control. At a high level, this means proving confidentiality, integrity, and availability of the data as well as the service. The other objective is to validate that security controls are implemented with few or no vulnerabilities. These are common vulnerabilities, such as the [[OWASP Top Ten]], as well as vulnerabilities that are previously identified with security assessments during the SDLC, such as threat modeling, source code analysis, and penetration test.

'''Security Requirements Documentation''' 
The first step in the documentation of security requirements is to understand the ''business requirements''. A business requirement document could provide the initial, high-level information of the expected functionality for the application. For example, the main purpose of an application may be to provide financial services to customers or shopping and purchasing goods from an on-line catalogue. A security section of the business requirements should highlight the need to protect the customer data as well as to comply with applicable security documentation such as regulations, standards, and policies.

A general checklist of the applicable regulations, standards, and policies serves well the purpose of a preliminary security compliance analysis for web applications. For example, compliance regulations can be identified by checking information about the business sector and the country/state where the application needs to function/operate. Some of these compliance guidelines and regulations might translate in specific technical requirements for security controls. For example, in the case of financial applications, the compliance with FFIEC guidelines for authentication [15] requires that financial institutions implement applications that mitigate weak authentication risks with multi-layered security control and multi factor authentication.

Applicable industry standards for security need also to be captured by the general security requirement checklist. For example, in the case of applications that handle customer credit card data, the compliance with the PCI DSS [16] standard forbids the storage of PINs and CVV2 data and requires that the merchant protect magnetic strip data in storage and transmission with encryption and on display by masking. Such PCI DSS security requirements could be validated via source code analysis.

Another section of the checklist needs to enforce general requirements for compliance with the organization information security standards and policies. From the functional requirements perspective, requirements for the security control need to map to a specific section of the information security standards. An example of such requirement can be: "a password complexity of six alphanumeric characters must be enforced by the authentication controls used by the application." When security requirements map to compliance rules a security test can validate the exposure of compliance risks. If violation with information security standards and policies are found, these will result in a risk that can be documented and that the business has to deal with (i.e., manage). For this reason, since these security compliance requirements are enforceable, they need to be well documented and validated with security tests.

'''Security Requirements Validation''' 
From the functionality perspective, the validation of security requirements is the main objective of security testing, while, from the risk management perspective, this is the objective of information security assessments. At a high level, the main goal of information security assessments is the identification of gaps in security controls, such as lack of basic authentication, authorization, or encryption controls. More in depth, the security assessment objective is risk analysis, such as the identification of potential weaknesses in security controls that ensure the confidentiality, integrity, and availability of the data. For example, when the application deals with personal identifiable information (PII) and sensitive data, the security requirement to be validated is the compliance with the company information security policy requiring encryption of such data in transit and in storage. Assuming encryption is used to protect the data, encryption algorithms and key lengths need to comply with the organization encryption standards. These might require that only certain algorithms and key lengths could be used. For example, a security requirement that can be security tested is verifying that only allowed ciphers are used (e.g., SHA-1, RSA, 3DES) with allowed minimum key lengths (e.g., more than 128 bit for symmetric and more than 1024 for asymmetric encryption).

From the security assessment perspective, security requirements can be validated at different phases of the SDLC by using different artifacts and testing methodologies. For example, threat modeling focuses on identifying security flaws during design, secure code analysis and reviews focus on identifying security issues in source code during development, and penetration testing focuses on identifying vulnerabilities in the application during testing/validation.

Security issues that are identified early in the SDLC can be documented in a test plan so they can be validated later with security tests. By combining the results of different testing techniques, it is possible to derive better security test cases and increase the level of assurance of the security requirements. For example, distinguishing true vulnerabilities from the un-exploitable ones is possible when the results of penetration tests and source code analysis are combined. Considering the security test for a SQL injection vulnerability, for example, a black box test might involve first a scan of the application to fingerprint the vulnerability. The first evidence of a potential SQL injection vulnerability that can be validated is the generation of a SQL exception. A further validation of the SQL vulnerability might involve manually injecting attack vectors to modify the grammar of the SQL query for an information disclosure exploit. This might involve a lot of trial-and-error analysis till the malicious query is executed. Assuming the tester has the source code, she might learn from the source code analysis on how to construct the SQL attack vector that can exploit the vulnerability (e.g., execute a malicious query returning confidential data to unauthorized user).

'''Threats and Countermeasures Taxonomies''' 
A ''threat and countermeasure classification'' that takes into consideration root causes of vulnerabilities is the critical factor to verify that security controls are designed, coded, and built so that the impact due to the exposure of such vulnerabilities is mitigated. In the case of web applications, the exposure of security controls to common vulnerabilities, such as the OWASP Top Ten, can be a good starting point to derive general security requirements. More specifically, the web application security frame [17] provides a classification (e.g. taxonomy) of vulnerabilities that can be documented in different guidelines and standards and validated with security tests.

The focus of a threat and countermeasure categorization is to define security requirements in terms of the threats and the root cause of the vulnerability. A threat can be categorized by using STRIDE [18], for example, as Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. The root cause can be categorized as security flaw in design, a security bug in coding, or an issue due to insecure configuration. For example, the root cause of weak authentication vulnerability might be the lack of mutual authentication when data crosses a trust boundary between the client and server tiers of the application. A security requirement that captures the threat of non-repudiation during an architecture design review allows for the documentation of the requirement for the countermeasure (e.g., mutual authentication) that can be validated later on with security tests.

A threat and countermeasure categorization for vulnerabilities can also be used to document security requirements for secure coding such as secure coding standards. An example of a common coding error in authentication controls consists of applying an hash function to encrypt a password, without applying a seed to the value. From the secure coding perspective, this is a vulnerability that affects the encryption used for authentication with a vulnerability root cause in a coding error. Since the root cause is insecure coding the security requirement can be documented in secure coding standards and validated through secure code reviews during the development phase of the SDLC.

'''Security Testing and Risk Analysis''' 
Security requirements need to take into consideration the severity of the vulnerabilities to support a ''risk mitigation strategy''. Assuming that the organization maintains a repository of vulnerabilities found in applications, i.e., a vulnerability knowledge base, the security issues can be reported by type, issue, mitigation, root cause, and mapped to the applications where they are found. Such a vulnerability knowledge base can also be used to establish a metrics to analyze the effectiveness of the security tests throughout the SDLC.

For example, consider an input validation issue, such as a SQL injection, which was identified via source code analysis and reported with a coding error root cause and input validation vulnerability type. The exposure of such vulnerability can be assessed via a penetration test, by probing input fields with several SQL injection attack vectors. This test might validate that special characters are filtered before hitting the database and mitigate the vulnerability. By combining the results of source code analysis and penetration testing it is possible to determine the likelihood and exposure of the vulnerability and calculate the risk rating of the vulnerability. By reporting vulnerability risk ratings in the findings (e.g., test report) it is possible to decide on the mitigation strategy. For example, high and medium risk vulnerabilities can be prioritized for remediation, while low risk can be fixed in further releases.

By considering the threat scenarios exploiting common vulnerabilities it is possible to identify potential risks for which the application security control needs to be security tested. For example, the OWASP Top Ten vulnerabilities can be mapped to attacks such as phishing, privacy violations, identify theft, system compromise, data alteration or data destruction, financial loss, and reputation loss. Such issues should be documented as part of the threat scenarios. By thinking in terms of threats and vulnerabilities, it is possible to devise a battery of tests that simulate such attack scenarios. Ideally, the organization vulnerability knowledge base can be used to derive security risk driven tests cases to validate the most likely attack scenarios. For example if identity theft is considered high risk, negative test scenarios should validate the mitigation of impacts deriving from the exploit of vulnerabilities in authentication, cryptographic controls, input validation, and authorization controls.

=== Functional and Non Functional Test Requirements ===
'''Functional Security Requirements''' 
From the perspective of functional security requirements, the applicable standards, policies and regulations drive both the need of a type of security control as well as the control functionality. These requirements are also referred to as “positive requirements”, since they state the expected functionality that can be validated through security tests.
Examples of positive requirements are: “the application will lockout the user after six failed logon attempts” or “passwords need to be six min characters, alphanumeric”. The validation of positive requirements consists of asserting the expected functionality and, as such, can be tested by re-creating the testing conditions, and by running the test according to predefined inputs and by asserting the expected outcome as a fail/pass condition.

In order to validate security requirements with security tests, security requirements need to be function driven and highlight the expected functionality (the what) and implicitly the implementation (the how). Examples of high-level security design requirements for authentication can be:
*Protect user credentials and shared secrets in transit and in storage
*Mask any confidential data in display (e.g., passwords, accounts)
*Lock the user account after a certain number of failed login attempts
*Do not show specific validation errors to the user as a result of failed logon
*Only allow passwords that are alphanumeric, include special characters and six characters minimum length, to limit the attack surface
*Allow for password change functionality only to authenticated users by validating the old password, the new password, and the user answer to the challenge question, to prevent brute forcing of a password via password change.
*The password reset form should validate the user’s username and the user’s registered email before sending the temporary password to the user via email. The temporary password issued should be a one time password. A link to the password reset web page will be sent to the user. The password reset web page should validate the user temporary password, the new password, as well as the user answer to the challenge question.

'''Risk Driven Security Requirements''' 
Security tests need also to be risk driven, that is they need to validate the application for unexpected behavior. These are also called “negative requirements”, since they specify what the application should not do.
Examples of "should not do" (negative) requirements are:
* The application should not allow for the data to be altered or destroyed
* The application should not be compromised or misused for unauthorized financial transactions by a malicious user.

Negative requirements are more difficult to test, because there is no expected behavior to look for. This might require a threat analyst to come up with unforeseeable input conditions, causes, and effects. This is where security testing needs to be driven by risk analysis and threat modeling.
The key is to document the threat scenarios and the functionality of the countermeasure as a factor to mitigate a threat. For example, in the case of authentication controls, the following security requirements can be documented from the threats and countermeasure perspective:
*Encrypt authentication data in storage and transit to mitigate risk of information disclosure and authentication protocol attacks
*Encrypt passwords using non reversible encryption such as using a digest (e.g., HASH) and a seed to prevent dictionary attacks
*Lock out accounts after reaching a logon failure threshold and enforce password complexity to mitigate risk of brute force password attacks
*Display generic error messages upon validation of credentials to mitigate risk of account harvesting/enumeration
*Mutually authenticate client and server to prevent non-repudiation and Man In the Middle (MiTM) attacks

Threat modeling artifacts such as threat trees and attack libraries can be useful to derive the negative test scenarios. A threat tree will assume a root attack (e.g., attacker might be able to read other users' messages) and identify different exploits of security controls (e.g., data validation fails because of a SQL injection vulnerability) and necessary countermeasures (e.g., implement data validation and parametrized queries) that could be validated to be effective in mitigating such attacks.

===Security Requirements Derivation Through Use and Misuse Cases===
Pre-requisite in describing the application functionality is to understand what the application is supposed to do and how. This can be done by describing ''use cases''. Use cases, in the graphical form as commonly used in software engineering, show the interactions of actors and their relations, and help to identify the actors in the application, their relationships, the intended sequence of actions for each scenario, alternative actions, special requirements, and pre- and post-conditions. Similar to use cases, ''misuse and abuse cases'' [19] describe unintended and malicious use scenarios of the application. These misuse cases provide a way to describe scenarios of how an attacker could misuse and abuse the application. By going through the individual steps in a use scenario and thinking about how it can be maliciously exploited, potential flaws or aspects of the application that are not well-defined can be discovered. The key is to describe all possible or, at least, the most critical use and misuse scenarios. Misuse scenarios allow the analysis of the application from the attacker's point of view and contribute to identifying potential vulnerabilities and the countermeasures that need to be implemented to mitigate the impact caused by the potential exposure to such vulnerabilities. Given all of the use and abuse cases, it is important to analyze them to determine which of them are the most critical ones and need to be documented in security requirements. The identification of the most critical misuse and abuse cases drives the documentation of security requirements and the necessary controls where security risks should be mitigated.

To derive security requirements from use and misuse case [20] , it is important to define the functional scenarios and the negative scenarios, and put these in graphical form. In the case of derivation of security requirements for authentication, for example, the following step-by-step methodology can be followed.

*Step 1: Describe the Functional Scenario: User authenticates by supplying username and password. The application grants access to users based upon authentication of user credentials by the application and provides specific errors to the user when validation fails.

*Step 2: Describe the Negative Scenario: Attacker breaks the authentication through a brute force/dictionary attack of passwords and account harvesting vulnerabilities in the application. The validation errors provide specific information to an attacker to guess which accounts are actually valid, registered accounts (usernames). The attacker, then, will try to brute force the password for such a valid account. A brute force attack to four minimum length all digit passwords can succeed with a limited number of attempts (i.e., 10^4).

*Step 3: Describe Functional and Negative Scenarios With Use and Misuse Case: The graphical example in Figure below depicts the derivation of security requirements via use and misuse cases. The functional scenario consists of the user actions (entering username and password) and the application actions (authenticating the user and providing an error message if validation fails). The misuse case consists of the attacker actions, i.e., trying to break authentication by brute forcing the password via a dictionary attack and by guessing the valid usernames from error messages. By graphically representing the threats to the user actions (misuses), it is possible to derive the countermeasures as the application actions that mitigate such threats.
[[Image:UseAndMisuseCase.jpg|640px]]

*Step 4: Elicit The Security Requirements. In this case, the following security requirements for authentication are derived:
:1) Passwords need to be alphanumeric, lower and upper case and minimum of seven character length
:2) Accounts need to lockout after five unsuccessful login attempt
:3) Logon error messages need to be generic
These security requirements need to be documented and tested.

===Security Tests Integrated in Developers' and Testers' Workflows===
'''Developers' Security Testing Workflow''' 
Security testing during the development phase of the SDLC represents the first opportunity for developers to ensure that individual software components that they have developed are security tested before they are integrated with other components and built into the application. Software components might consist of software artifacts such as functions, methods, and classes, as well as application programming interfaces, libraries, and executables. For security testing, developers can rely on the results of the source code analysis to verify statically that the developed source code does not include potential vulnerabilities and is compliant with the secure coding standards. Security unit tests can further verify dynamically (i.e., at run time) that the components function as expected. Before integrating both new and existing code changes in the application build, the results of the static and dynamic analysis should be reviewed and validated.
The validation of source code before integration in application builds is usually the responsibility of the senior developer. Such senior developer is also the subject matter expert in software security and his role is to lead the secure code review and make decisions whether to accept the code to be released in the application build or to require further changes and testing. This secure code review workflow can be enforced via formal acceptance as well as a check in a workflow management tool. For example, assuming the typical defect management workflow used for functional bugs, security bugs that have been fixed by a developer can be reported on a defect or change management system. The build master can look at the test results reported by the developers in the tool and grant approvals for checking in the code changes into the application build.

'''Testers' Security Testing Workflow''' 
After components and code changes are tested by developers and checked in to the application build, the most likely next step in the software development process workflow is to perform tests on the application as a whole entity. This level of testing is usually referred to as integrated test and system level test. When security tests are part of these testing activities, they can be used to validate both the security functionality of the application as a whole, as well as the exposure to application level vulnerabilities. These security tests on the application include both white box testing, such as source code analysis, and black box testing, such as penetration testing. Gray box testing is similar to Black box testing. In a gray box testing we can assume we have some partial knowledge about the session management of our application, and that should help us in understanding whether the logout and timeout functions are properly secured.

The target for the security tests is the complete system that is the artifact that will be potentially attacked and includes both whole source code and the executable. One peculiarity of security testing during this phase is that it is possible for security testers to determine whether vulnerabilities can be exploited and expose the application to real risks.
These include common web application vulnerabilities, as well as security issues that have been identified earlier in the SDLC with other activities such as threat modeling, source code analysis, and secure code reviews.

Usually, testing engineers, rather then software developers, perform security tests when the application is in scope for integration system tests. Such testing engineers have security knowledge of web application vulnerabilities, black box and white box security testing techniques, and own the validation of security requirements in this phase. In order to perform such security tests, it is a pre-requisite that security test cases are documented in the security testing guidelines and procedures.

A testing engineer who validates the security of the application in the integrated system environment might release the application for testing in the operational environment (e.g., user acceptance tests). At this stage of the SDLC (i.e., validation), the application functional testing is usually a responsibility of QA testers, while white-hat hackers/security consultants are usually responsible for security testing. Some organizations rely on their own specialized ethical hacking team in order to conduct such tests when a third party assessment is not required (such as for auditing purposes).

Since these tests are the last resort for fixing vulnerabilities before the application is released to production, it is important that such issues are addressed as recommended by the testing team (e.g., the recommendations can include code, design, or configuration change). At this level, security auditors and information security officers discuss the reported security issues and analyze the potential risks according to information risk management procedures. Such procedures might require the developer team to fix all high risk vulnerabilities before the application could be deployed, unless such risks are acknowledged and accepted.

===Developers' Security Tests===
'''Security Testing in the Coding Phase: Unit Tests''' 
From the developer’s perspective, the main objective of security tests is to validate that code is being developed in compliance with secure coding standards requirements. Developers' own coding artifacts such as functions, methods, classes, APIs, and libraries need to be functionally validated before being integrated into the application build.

The security requirements that developers have to follow should be documented in secure coding standards and validated with static and dynamic analysis. As testing activity following a secure code review, unit tests can validate that code changes required by secure code reviews are properly implemented. Secure code reviews and source code analysis through source code analysis tools help developers in identifying security issues in source code as it is developed. By using unit tests and dynamic analysis (e.g., debugging) developers can validate the security functionality of components as well as verify that the countermeasures being developed mitigate any security risks previously identified through threat modeling and source code analysis.

A good practice for developers is to build security test cases as a generic security test suite that is part of the existing unit testing framework. A generic security test suite could be derived from previously defined use and misuse cases to security test functions, methods and classes. A generic security test suite might include security test cases to validate both positive and negative requirements for security controls such as:
* Authentication & Access Control
* Input Validation & Encoding
* Encryption
* User and Session Management
* Error and Exception Handling
* Auditing and Logging

Developers empowered with a source code analysis tool integrated into their IDE, secure coding standards, and a security unit testing framework can assess and verify the security of the software components being developed. Security test cases can be run to identify potential security issues that have root causes in source code: besides input and output validation of parameters entering and exiting the components, these issues include authentication and authorization checks done by the component, protection of the data within the component, secure exception and error handling, and secure auditing and logging. Unit test frameworks such as Junit, Nunit, and CUnit can be adapted to verify security test requirements. In the case of security functional tests, unit level tests can test the functionality of security controls at the software component level, such as functions, methods, or classes. For example, a test case could validate input and output validation (e.g., variable sanitization) and boundary checks for variables by asserting the expected functionality of the component.

The threat scenarios identified with use and misuse cases can be used to document the procedures for testing software components. In the case of authentication components, for example, security unit tests can assert the functionality of setting an account lockout as well as the fact that user input parameters cannot be abused to bypass the account lockout (e.g., by setting the account lockout counter to a negative number). At the component level, security unit tests can validate positive assertions as well as negative assertions, such as errors and exception handling. Exceptions should be caught without leaving the system in an insecure state, such as potential denial of service caused by resources not being deallocated (e.g., connection handles not closed within a final statement block), as well as potential elevation of privileges (e.g., higher privileges acquired before the exception is thrown and not re-set to the previous level before exiting the function). Secure error handling can validate potential information disclosure via informative error messages and stack traces.

Unit level security test cases can be developed by a security engineer who is the subject matter expert in software security and is also responsible for validating that the security issues in the source code have been fixed and can be checked into the integrated system build. Typically, the manager of the application builds also makes sure that third-party libraries and executable files are security assessed for potential vulnerabilities before being integrated in the application build.

Threat scenarios for common vulnerabilities that have root causes in insecure coding can also be documented in the developer’s security testing guide. When a fix is implemented for a coding defect identified with source code analysis, for example, security test cases can verify that the implementation of the code change follows the secure coding requirements documented in the secure coding standards.

Source code analysis and unit tests can validate that the code change mitigates the vulnerability exposed by the previously identified coding defect. The results of automated secure code analysis can also be used as automatic check-in gates for version control: software artifacts cannot be checked into the build with high or medium severity coding issues.

===Functional Testers' Security Tests===
'''Security Testing During the Integration and Validation Phase: Integrated System Tests and Operation Tests''' 
The main objective of integrated system tests is to validate the “defense in depth” concept, that is, that the implementation of security controls provides security at different layers. For example, the lack of input validation when calling a component integrated with the application is often a factor that can be tested with integration testing.

The integration system test environment is also the first environment where testers can simulate real attack scenarios as can be potentially executed by a malicious external or internal user of the application. Security testing at this level can validate whether vulnerabilities are real and can be exploited by attackers. For example, a potential vulnerability found in source code can be rated as high risk because of the exposure to potential malicious users, as well as because of the potential impact (e.g., access to confidential information).
Real attack scenarios can be tested with both manual testing techniques and penetration testing tools. Security tests of this type are also referred to as ethical hacking tests. From the security testing perspective, these are risk driven tests and have the objective to test the application in the operational environment. The target is the application build that is representative of the version of the application being deployed into production.

The execution of security in the integration and validation phase is critical to identifying vulnerabilities due to integration of components as well as validating the exposure of such vulnerabilities. Since application security testing requires a specialized set of skills, which includes both software and security knowledge and is not typical of security engineers, organizations are often required to security-train their software developers on ethical hacking techniques, security assessment procedures and tools. A realistic scenario is to develop such resources in-house and document them in security testing guides and procedures that take into account the developer’s security testing knowledge. A so called “security test cases cheat list or check-list”, for example, can provide simple test cases and attack vectors that can be used by testers to validate exposure to common vulnerabilities such as spoofing, information disclosures, buffer overflows, format strings, SQL injection and XSS injection, XML, SOAP, canonicalization issues, denial of service and managed code and ActiveX controls (e.g., .NET). A first battery of these tests can be performed manually with a very basic knowledge of software security. The first objective of security tests might be the validation of a set of minimum security requirements. These security test cases might consist of manually forcing the application into error and exceptional states, and gathering knowledge from the application behavior. For example, SQL injection vulnerabilities can be tested manually by injecting attack vectors through user input and by checking if SQL exceptions are thrown back the user. The evidence of a SQL exception error might be a manifestation of a vulnerability that can be exploited. A more in-depth security test might require the tester’s knowledge of specialized testing techniques and tools. Besides source code analysis and penetration testing, these techniques include, for example, source code and binary fault injection, fault propagation analysis and code coverage, fuzz testing, and reverse engineering. The security testing guide should provide procedures and recommend tools that can be used by security testers to perform such in-depth security assessments.

The next level of security testing after integration system tests is to perform security tests in the user acceptance environment. There are unique advantages to performing security tests in the operational environment. The user acceptance tests environment (UAT) is the one that is most representative of the release configuration, with the exception of the data (e.g., test data is used in place of real data). A characteristic of security testing in UAT is testing for security configuration issues. In some cases these vulnerabilities might represent high risks. For example, the server that hosts the web application might not be configured with minimum privileges, valid SSL certificate and secure configuration, essential services disabled and web root directory not cleaned from test and administration web pages.

===Security Test Data Analysis and Reporting===
'''Goals for Security Test Metrics and Measurements''' 
The definition of the goals for the security testing metrics and measurements is a pre-requisite for using security testing data for risk analysis and management processes. For example, a measurement such as the total number of vulnerabilities found with security tests might quantify the security posture of the application. These measurements also help to identify security objectives for software security testing: for example, reducing the number of vulnerabilities to an acceptable number (minimum) before the application is deployed into production.

Another manageable goal could be to compare the application security posture against a baseline to assess improvements in application security processes. For example, the security metrics baseline might consist of an application that was tested only with penetration tests. The security data obtained from an application that was also security tested during coding should show an improvement (e.g., fewer number of vulnerabilities) when compared with the baseline.

In traditional software testing, the number of software defects, such as the bugs found in an application, could provide a measure of software quality. Similarly, security testing can provide a measure of software security. From the defect management and reporting perspective, software quality and security testing can use similar categorizations for root causes and defect remediation efforts. From the root cause perspective, a security defect can be due to an error in design (e.g., security flaws) or due to an error in coding (e.g., security bug). From the perspective of the effort required to fix a defect, both security and quality defects can be measured in terms of developer hours to implement the fix, the tools and resources required to fix, and, finally, the cost to implement the fix.

A characteristic of security test data, compared to quality data, is the categorization in terms of the threat, the exposure of the vulnerability, and the potential impact posed by the vulnerability to determine the risk. Testing applications for security consists of managing technical risks to make sure that the application countermeasures meet acceptable levels. For this reason, security testing data needs to support the security risk strategy at critical checkpoints during the SDLC. For example, vulnerabilities found in source code with source code analysis represent an initial measure of risk. Such measure of risk (e.g., high, medium, low) for the vulnerability can be calculated by determining the exposure and likelihood factors and, further, by validating such vulnerability with penetration tests. The risk metrics associated to vulnerabilities found with security tests empower business management to make risk management decisions, such as to decide whether risks can be accepted, mitigated, or transferred at different levels within the organization (e.g., business as well as technical).

When evaluating the security posture of an application, it is important to take into consideration certain factors, such as the size of the application being developed. Application size has been statistically proven to be related to the number of issues found in the application with tests. One measure of application size is the number of line of code (LOC) of the application. Typically, software quality defects range from about 7 to 10 defects per thousand lines of new and changed code [21]. Since testing can reduce the overall number by about 25% with one test alone, it is logical for larger size applications to be tested more and more often than smaller size applications.

When security testing is done in several phases of the SDLC, the test data could prove the capability of the security tests in detecting vulnerabilities as soon as they are introduced, and prove the effectiveness of removing them by implementing countermeasures at different checkpoints of the SDLC. A measurement of this type is also defined as “containment metrics” and provides a measure of the ability of a security assessment performed at each phase of the development process to maintain security within each phase. These containment metrics are also a critical factor in lowering the cost of fixing the vulnerabilities, since it is less expensive to deal with the vulnerabilities when they are found (in the same phase of the SDLC), rather then fixing them later in another phase.

Security test metrics can support security risk, cost, and defect management analysis when it is associated with tangible and timed goals such as:
*Reducing the overall number of vulnerabilities by 30%
*Security issues are expected to be fixed by a certain deadline (e.g., before beta release)

Security test data can be absolute, such as the number of vulnerabilities detected during manual code review, as well as comparative, such as the number of vulnerabilities detected in code reviews vs. penetration tests. To answer questions about the quality of the security process, it is important to determine a baseline for what could be considered acceptable and good.

Security test data can also support specific objectives of the security analysis such as compliance with security regulations and information security standards, management of security processes, the identification of security root causes and process improvements, and security costs vs. benefits analysis.

When security test data is reported it has to provide metrics to support the analysis. The scope of the analysis is the interpretation of test data to find clues about the security of the software being produced as well the effectiveness of the process.
Some examples of clues supported by security test data can be:
*Are vulnerabilities reduced to an acceptable level for release?
*How does the security quality of this product compare with similar software products?
*Are all security test requirements being met?
*What are the major root causes of security issues?
*How numerous are security flaws compared to security bugs?
*Which security activity is most effective in finding vulnerabilities?
*Which team is more productive in fixing security defects and vulnerabilities?
*Which percentage of overall vulnerabilities are high risk?
*Which tools are most effective in detecting security vulnerabilities?
*Which kind of security tests are most effective in finding vulnerabilities (e.g., white box vs. black box) tests?
*How many security issues are found during secure code reviews?
*How many security issues are found during secure design reviews?

In order to make a sound judgment using the testing data, it is important to have a good understanding of the testing process as well as the testing tools. A tool taxonomy should be adopted to decide which security tools should be used. Security tools can be qualified as being good at finding common known vulnerabilities targeting different artifacts.
The issue is that the unknown security issues are not tested: the fact that you come out clean it does not mean that your software or application is good. Some studies [22] have demonstrated that, at best, tools can find 45% of overall vulnerabilities.

Even the most sophisticated automation tools are not a match for an experienced security tester: just relying on successful test results from automation tools will give security practitioners a false sense of security. Typically, the more experienced the security testers are with the security testing methodology and testing tools, the better the results of the security test and analysis will be. It is important that managers making an investment in security testing tools also consider an investment in hiring skilled human resources as well as security test training.

'''Reporting Requirements''' 
The security posture of an application can be characterized from the perspective of the effect, such as number of vulnerabilities and the risk rating of the vulnerabilities, as well as from the perspective of the cause (i.e., origin) such as coding errors, architectural flaws, and configuration issues.

Vulnerabilities can be classified according to different criteria. This can be a statistical categorization, such as the OWASP Top 10 and WASC (Web Application Security Statistics) project, or related to defensive controls as in the case of WASF (Web Application Security Framework) categorization.

When reporting security test data, the best practice is to include the following information, besides the categorization of each vulnerability by type:
*The security threat that the issue is exposed to
*The root cause of security issues (e.g., security bugs, security flaw)
*The testing technique used to find it
*The remediation of the vulnerability (e.g., the countermeasure)
*The risk rating of the vulnerability (High, Medium, Low)

By describing what the security threat is, it will be possible to understand if and why the mitigation control is ineffective in mitigating the threat.

Reporting the root cause of the issue can help pinpoint what needs to be fixed: in the case of a white box testing, for example, the software security root cause of the vulnerability will be the offending source code.

Once issues are reported, it is also important to provide guidance to the software developer on how to re-test and find the vulnerability. This might involve using a white box testing technique (e.g., security code review with a static code analyzer) to find if the code is vulnerable. If a vulnerability can be found via a black box technique (penetration test), the test report also needs to provide information on how to validate the exposure of the vulnerability to the front end (e.g., client).

The information about how to fix the vulnerability should be detailed enough for a developer to implement a fix. It should provide secure coding examples, configuration changes, and provide adequate references.

Finally the risk rating helps to prioritize the remediation effort. Typically, assigning a risk rating to the vulnerability involves a risk analysis based upon factors such as impact and exposure.

'''Business Cases''' 
For the security test metrics to be useful, they need to provide value back to the organization's security test data stakeholders, such as project managers, developers, information security offices, auditors, and chief information officers. The value can be in terms of the business case that each project stakeholder has in terms of role and responsibility.

Software developers look at security test data to show that software is coded more securely and efficiently, so that they can make the case of using source code analysis tools as well as following secure coding standards and attending software security training.

Project managers look for data that allows them to successfully manage and utilize security testing activities and resources according to the project plan. To project managers, security test data can show that projects are on schedule and moving on target for delivery dates and are getting better during tests.

Security test data also helps the business case for security testing if the initiative comes from information security officers (ISOs). For example, it can provide evidence that security testing during the SDLC does not impact the project delivery, but rather reduces the overall workload needed to address vulnerabilities later in production.

To compliance auditors, security test metrics provide a level of software security assurance and confidence that security standard compliance is addressed through the security review processes within the organization.

Finally, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs), responsible for the budget that needs to be allocated in security resources, look for derivation of a cost/benefit analysis from security test data to make informed decisions on which security activities and tools to invest. One of the metrics that support such analysis is the Return On Investment (ROI) in Security [23]. To derive such metrics from security test data, it is important to quantify the differential between the risk due to the exposure of vulnerabilities and the effectiveness of the security tests in mitigating the security risk, and factor this gap with the cost of the security testing activity or the testing tools adopted.

== References ==
[1] T. DeMarco, ''Controlling Software Projects: Management, Measurement and Estimation'', Yourdon Press, 1982

[2] S. Payne, ''A Guide to Security Metrics'' - http://www.sans.org/reading_room/whitepapers/auditing/55.php

[3] NIST, ''The economic impacts of inadequate infrastructure for software testing'' - http://www.nist.gov/director/planning/upload/report02-3.pdf

[4] Ross Anderson, ''Economics and Security Resource Page'' - http://www.cl.cam.ac.uk/~rja14/econsec.html

[5] Denis Verdon, ''Teaching Developers To Fish'' - [[OWASP AppSec NYC 2004]]

[6] Bruce Schneier, ''Cryptogram Issue #9'' - https://www.schneier.com/crypto-gram-0009.html

[7] Symantec, ''Threat Reports'' - http://www.symantec.com/security_response/publications/threatreport.jsp

[8] FTC, ''The Gramm-Leach Bliley Act'' - http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act

[9] Senator Peace and Assembly Member Simitian, ''SB 1386''- http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

[10] European Union, ''Directive 96/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data'' -
http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf

[11] NIST, '' Risk management guide for information technology systems'' - http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

[12] SEI, Carnegie Mellon, ''Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)'' - http://www.cert.org/octave/

[13] Ken Thompson, ''Reflections on Trusting Trust, Reprinted from Communication of the ACM '' - http://cm.bell-labs.com/who/ken/trust.html'' [[Category:FIXME|link not working]]

[14] Gary McGraw, ''Beyond the Badness-ometer'' - http://www.drdobbs.com/security/beyond-the-badness-ometer/189500001

[15] FFIEC, '' Authentication in an Internet Banking Environment'' - http://www.ffiec.gov/pdf/authentication_guidance.pdf

[16] PCI Security Standards Council, ''PCI Data Security Standard'' - https://www.pcisecuritystandards.org/security_standards/index.php

[17] MSDN, ''Cheat Sheet: Web Application Security Frame'' - http://msdn.microsoft.com/en-us/library/ms978518.aspx#tmwacheatsheet_webappsecurityframe

[18] MSDN, ''Improving Web Application Security, Chapter 2, Threat And Countermeasures'' - http://msdn.microsoft.com/en-us/library/aa302418.aspx

[19] Sindre,G. Opdmal A., '' Capturing Security Requirements Through Misuse Cases ' - http://folk.uio.no/nik/2001/21-sindre.pdf

[20] Improving Security Across the Software Development Lifecycle Task Force, ''Referred Data from Caper Johns, Software Assessments, Benchmarks and Best Practices'' - http://www.criminal-justice-careers.com/resources/SDLCFULL.pdf

[21] MITRE, ''Being Explicit About Weaknesses, Slide 30, Coverage of CWE'' - http://cwe.mitre.org/documents/being-explicit/BlackHatDC_BeingExplicit_Slides.ppt

[22] Marco Morana, ''Building Security Into The Software Life Cycle, A Business Case'' - http://www.blackhat.com/presentations/bh-usa-06/bh-us-06-Morana-R3.0.pdf

Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection (OTG-CRYPST-001)

2014-03-16T23:38:30Z

Yiannis: Testing Guide V4: Review_v1 - More work needed

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==

Sensitive data must be protected when it is transmitted through the network. Such data can include user credentials and credit cards. As a rule of thumb, if data must be protected when it is stored, it must be protected also during transmission.

HTTP is a clear-text protocol and it is normally secured via an SSL/TLS tunnel, resulting in HTTPS traffic [1]. The use of this protocol ensures not only confidentiality, but also authentication. Servers are authenticated using digital certificates and it is also possible to use client certificate for mutual authentication.

Even if high grade ciphers are today supported and normally used, some misconfiguration in the server can be used to force the use of a weak cipher - or at worst no encryption - permitting to an attacker to gain access to the supposed secure communication channel. Other misconfiguration can be used for a Denial of Service attack.

== Description of the Issue ==
If control is missed and HTTP protocol is used to transmit sensitive information is a vulnerability [2] (e.g. credentials transmitted over HTTP [3]) and there are a specific OWASP Testing Guide v4’s test.

If SSL/TLS service is present it is good but it increments the attack surface and some vulnerabilities insist on it, such as:
* SSL/TLS protocols, ciphers, keys and renegotiation must be properly configured.
* Certificate validity must be ensured.
Other vulnerabilities linked to this is:
* Software exposed must be updated due to possibility of known vulnerabilities [4].
* Usage of Secure flag for Session Cookies [5].
* Usage of HTTP Strict Transport Security (HSTS) [6].
* The presence of HTTP and HTTPS both, which can be used to intercept traffic [7], [8].
* The presence of mixed HTTPS and HTTP content in the same page, which can be used to Leak information.

===Sensitive data transmitted in clear-text===
If the application transmits sensitive information via unencrypted channels - e.g. HTTP - it is a vulnerability. Typically it is possible to find BASIC authentication over HTTP, input password or session cookie sent via HTTP and, in general, other information considered by regulations, laws or organization policy.

===Weak SSL/TLS Ciphers/Protocols/Keys===
Historically, there have been limitations set in place by the U.S. government to allow cryptosystems to be exported only for key sizes of at most 40 bits, a key length which could be broken and would allow the decryption of communications. Since then cryptographic export regulations have been relaxed the maximum key size is 128 bits.
It is important to check the SSL configuration being used to avoid putting in place cryptographic support which could be easily defeated. To reach this goal SSL-based services should not offer the possibility to choose weak cipher suite. A cipher suite is specified by an encryption protocol (e.g. DES, RC4, AES), the encryption key length (e.g. 40, 56, or 128 bits), and a hash algorithm (e.g. SHA, MD5) used for integrity checking.
Briefly, the key points for the cipher suite determination are the following:
# The client sends to the server a ClientHello message specifying, among other information, the protocol and the cipher suites that it is able to handle. Note that a client is usually a web browser (most popular SSL client nowadays), but not necessarily, since it can be any SSL-enabled application; the same holds for the server, which needs not to be a web server, though this is the most common case [9].
#The server responds with a ServerHello message, containing the chosen protocol and cipher suite that will be used for that session (in general the server selects the strongest protocol and cipher suite supported by both the client and server).

It is possible (for example, by means of configuration directives) to specify which cipher suites the server will honor. In this way you may control, for example, whether or not conversations with clients will support 40-bit encryption only.

#The server sends its Certificate message and, if client authentication is required, also sends a CertificateRequest message to the client.
#The server sends a ServerHelloDone message and waits for a client response.
#Upon receipt of the ServerHelloDone message, the client verifies the validity of the server's digital certificate.

===SSL certificate validity – client and server===

When accessing a web application via the HTTPS protocol, a secure channel is established between the client and the server. The identity of one (the server) or both parties (client and server) is then established by means of digital certificates. So, once the cipher suite is determined, the “SSL Handshake” continues with the exchange of the certificates, like follow:
# The server sends its Certificate message and, if client authentication is required, also sends a CertificateRequest message to the client.
# The server sends a ServerHelloDone message and waits for a client response.
# Upon receipt of the ServerHelloDone message, the client verifies the validity of the server's digital certificate.

In order for the communication to be set up, a number of checks on the certificates must be passed. While discussing SSL and certificate based authentication is beyond the scope of this Guide, we will focus on the main criteria involved in ascertaining certificate validity:

* Checking if the Certificate Authority (CA) is a known one (meaning one considered trusted);
* Checking that the certificate is currently valid;
* Checking that the name of the site and the name reported in the certificate match.

Let is examine each check more in detail.

* Each browser comes with a preloaded list of trusted CAs, against which the certificate signing CA is compared (this list can be customized and expanded at will). During the initial negotiations with an HTTPS server, if the server certificate relates to a CA unknown to the browser, a warning is usually raised. This happens most often because a web application relies on a certificate signed by a self-established CA. Whether this is to be considered a concern depends on several factors. For example, this may be fine for an Intranet environment (think of corporate web email being provided via HTTPS; here, obviously all users recognize the internal CA as a trusted CA). When a service is provided to the general public via the Internet, however (i.e. when it is important to positively verify the identity of the server we are talking to), it is usually imperative to rely on a trusted CA, one which is recognized by all the user base (and here we stop with our considerations; we won’t delve deeper in the implications of the trust model being used by digital certificates).

* Certificates have an associated period of validity, therefore they may expire. Again, we are warned by the browser about this. A public service needs a temporally valid certificate; otherwise, it means we are talking with a server whose certificate was issued by someone we trust, but has expired without being renewed.

* What if the name on the certificate and the name of the server do not match? If this happens, it might sound suspicious. For a number of reasons, this is not so rare to see. A system may host a number of name-based virtual hosts, which share the same IP address and are identified by means of the HTTP 1.1 Host: header information. In this case, since the SSL handshake checks the server certificate before the HTTP request is processed, it is not possible to assign different certificates to each virtual server. Therefore, if the name of the site and the name reported in the certificate do not match, we have a condition which is typically signaled by the browser. To avoid this, IP-based virtual servers must be used. [33] and [34] describe techniques to deal with this problem and allow name-based virtual hosts to be correctly referenced.

===Other vulnerabilities===
The presence of a new service, listening in a separate tcp port may introduce vulnerabilities such as Infrastructure vulnerability if software is not up to date [4]. Futhermore for a correct protection of data during transmission Session Cookie must use the Secure flag [5] and some directives should be sent to the browser to accept only secure traffic (e.g. HSTS [6], CSP [9]).

Also there are some attacks can be used to intercept traffic if the web server exposes the application on both HTTP and HTTPS [6], [7] or in case of mixed HTTP and HTTPS resources in the same page.

== Black Box testing and example ==

===Testing for sensitive data transmitted in clear-text===
Various typologies of information which must be protected can be also transmitted in clear text. It is possible to check if these information is transmitted over HTTP instead of HTTPS.

Please refer to specific Tests for full details, for credentials [3] and other kind of data [2].

=====Example 1. Basic Authentication over HTTP=====
A typical example is the usage of Basic Authentication over HTTP. Also because with Basic Authentication, after login, credentials are encoded - and not encrypted - into HTTP Headers.
<pre>
$ curl -kis http://example.com/restricted/
HTTP/1.1 401 Authorization Required
Date: Fri, 01 Aug 2013 00:00:00 GMT
WWW-Authenticate: Basic realm="Restricted Area"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 162
Content-Type: text/html

<html><head><title>401 Authorization Required</title></head>
<body bgcolor=white>
<h1>401 Authorization Required</h1>

Invalid login credentials!

</body></html>
</pre>

===Testing for Weak SSL/TLS Ciphers/Protocols/Keys vulnerabilities===
Large number of available cipher suites and quick progress in cryptanalysis makes judging an SSL server a non-trivial task. At the time of writing these criteria are widely recognized as minimum checklist:
* Weak ciphers must not be used (e.g. less than 128 bits [10]; no NULL ciphers suite, due to no encryption used; no Anonymous Diffie-Hellmann, due to not provides authentication).
* Weak protocols must be disabled (e.g. SSLv2 must be disabled, due to known weaknesses in protocol design [11]).
* Renegotiation must be properly configured (e.g. Insecure Renegotiation must be disabled, due to MiTM attacks [12] and Client-initiated Renegotiation must be disabled, due to Denial of Service vulnerability [13]).
* No Export (EXP) level cipher suites, due to can be easly broken [10].
* X.509 certificates key length must be strong (e.g. if RSA or DSA is used the key must be at least 1024 bits).
* X.509 certificates must be signed only with secure hashing algoritms (e.g. not signed using MD5 hash, due to known collision attacks on this hash).
* Keys must be generated with proper entropy (e.g, Weak Key Generated with Debian) [14].
A most complete checklist includes:
* Secure Renegotiation should be enabled.
* MD5 should not be used, due to known collision attacks. [35]
* RC4 should not be used, due to crypto-analytical attacks [15].
* Server should be protected from BEAST Attack [16].
* Server should be protected from CRIME attack, TLS compression must be disabled [17].
* Server should support Forward Secrecy [18].

Following standards can be used as reference while assessing SSL servers:
* PCI-DSS v2.0 in point 4.1 requires compliant parties to use "strong cryptography" without precisely defining key lengths and algorithms. Common interpretation, partially based on previous versions of the standard, is that at least 128 bit key cipher, no export strength algorithms and no SSLv2 should be used [19].
* Qualys SSL Labs Server Rating Guide [14], Depoloyment best practice [10] and SSL Threat Model [20] has been proposed to standardize SSL server assessment and configuration. But is less updated than the SSL Server tool [21].
* OWASP has a lot of resources about SSL/TLS Security [22], [23], [24], [25]. [26].

Some tools and scanners both free - e.g. SSLAudit [28] or SSLScan [29] and commercial - e.g. Tenable Nessus [27], and other used into examples - can be used to assess SSL/TLS vulnerabilities. But due to evolution of these vulnerabilities a good way is also to check them manually with openssl [30] or using tool’s output as an input for manual evaluation using the references on the bottom on the Test to stay updated.

Sometimes the SSL/TLS enabled service is not directly accessible and you can access it only via HTTP proxy using CONNECT method [36]. Most of the tools will try to connect to desired tcp port in order to start SSL/TLS handshake. This will obviously not work since desired port is accessible only via HTTP proxy. You can easily circumvent this by using relaying software such as socat [37].

====Example 2. SSL service recognition via nmap====
First step is to identify ports which have SSL/TLS wrapped services. Typically tcp ports with SSL for web and mail services are - but not limited to - 443 (https), 465 (ssmtp), 585 (imap4-ssl), 993 (imaps), 995 (ssl-pop).
In this example we search for SSL services using nmap with “-sV” option, used for identify services and it is also able to identify SSL services [31]. Other options are for this particular example and must be customized. Often in a Web Application Penetration Test scope is limited to port 80 and 443.

<pre>
$ nmap -sV --reason -PN -n --top-ports 100 www.example.com
Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-01 00:00 CEST
Nmap scan report for www.example.com (127.0.0.1)
Host is up, received user-set (0.20s latency).
Not shown: 89 filtered ports
Reason: 89 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack Pure-FTPd
22/tcp open ssh syn-ack OpenSSH 5.3 (protocol 2.0)
25/tcp open smtp syn-ack Exim smtpd 4.80
26/tcp open smtp syn-ack Exim smtpd 4.80
80/tcp open http syn-ack
110/tcp open pop3 syn-ack Dovecot pop3d
143/tcp open imap syn-ack Dovecot imapd
443/tcp open ssl/http syn-ack Apache
465/tcp open ssl/smtp syn-ack Exim smtpd 4.80
993/tcp open ssl/imap syn-ack Dovecot imapd
995/tcp open ssl/pop3 syn-ack Dovecot pop3d
Service Info: Hosts: example.com
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 131.38 seconds
</pre>

====Example 3. Checking for Certificate information, Weak Ciphers and SSLv2 via nmap====
nmap has two scripts for checking Certificate information, Weak Ciphers and SSLv2 [31].

<pre>
$ nmap --script ssl-cert,ssl-enum-ciphers -p 443,465,993,995 www.example.com
Starting Nmap 6.25 ( http://nmap.org ) at 2013-01-01 00:00 CEST
Nmap scan report for www.example.com (127.0.0.1)
Host is up (0.090s latency).
rDNS record for 127.0.0.1: www.example.com
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=www.example.org
| Issuer: commonName=*******
| Public Key type: rsa
| Public Key bits: 1024
| Not valid before: 2010-01-23T00:00:00+00:00
| Not valid after: 2020-02-28T23:59:59+00:00
| MD5: *******
|_SHA-1: *******
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
465/tcp open smtps
| ssl-cert: Subject: commonName=*.exapmple.com
| Issuer: commonName=*******
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2010-01-23T00:00:00+00:00
| Not valid after: 2020-02-28T23:59:59+00:00
| MD5: *******
|_SHA-1: *******
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
993/tcp open imaps
| ssl-cert: Subject: commonName=*.exapmple.com
| Issuer: commonName=*******
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2010-01-23T00:00:00+00:00
| Not valid after: 2020-02-28T23:59:59+00:00
| MD5: *******
|_SHA-1: *******
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
995/tcp open pop3s
| ssl-cert: Subject: commonName=*.exapmple.com
| Issuer: commonName=*******
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2010-01-23T00:00:00+00:00
| Not valid after: 2020-02-28T23:59:59+00:00
| MD5: *******
|_SHA-1: *******
| ssl-enum-ciphers:
| SSLv3:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 8.64 seconds
</pre>

====Example 4 Checking for Client-initiated Renegotiation and Secure Renegotiation via openssl (manually)====
openssl [30] can be used for testing manually SSL/TLS. In this example we try to initiate a renegotiation by client [m] connecting to server with openssl - writing the fist line of an HTTP request, in a new line typing “R”, waiting for renegotiaion and completing the HTTP request - and check if secure renegotiaion is supperted looking server output. Using manual request it is also possible to see if Compression is enabled for TLS in order to check for CRIME [13], check for ciphers and other vulnerabilities.

<pre>
$ openssl s_client -connect www2.example.com:443
CONNECTED(00000003)
depth=2 ******
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:******
i:******
1 s:******
i:******
2 s:******
i:******
---
Server certificate
-----BEGIN CERTIFICATE-----
******
-----END CERTIFICATE-----
subject=******
issuer=******
---
No client certificate CA names sent
---
SSL handshake has read 3558 bytes and written 640 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: ******
Session-ID-ctx:
Master-Key: ******
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: ******
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
</pre>
Now we can write the first line of an HTTP request and then R in a new line.
<pre>
HEAD / HTTP/1.1
R
</pre>
Server is renegotiating
<pre>
RENEGOTIATING
depth=2 C******
verify error:num=20:unable to get local issuer certificate
verify return:0
</pre>
And we can complete our request, checking for response.
<pre>
HEAD / HTTP/1.1

HTTP/1.1 403 Forbidden ( The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. )
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 1792

read:errno=0
</pre>
Even if the HEAD is not permitted, Client-intiated renegotiaion is permitted.

====Example 5. Testing supported Cipher Suites, BEAST and CRIME attacks via TestSSLServer====
TestSSLServer [32] is a script which permits to check cipher suite and also BEAST and CRIME attacks. BEAST (Browser Exploit Against SSL/TLS) exploits a vulnerability of CBC in TLS 1.0. CRIME (Compression Ratio Info-leak Made Easy) exploits a vulnerability of TLS Compression, that sould be disabled. It is really interesting a first fix for BEAST was the usage of RC4, but this is discouraged due to a crypto-analytical attack to RC4 [15].

An online tool to check for these attacks is SSL Labs, but can be used only for internet facing servers. Also consider that target data will be stored on SSL Labs server and also will result some connection from SSL Labs server [21].

<pre>
$ java -jar TestSSLServer.jar www3.example.com 443
Supported versions: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
SSLv3
RSA_WITH_RC4_128_SHA
RSA_WITH_3DES_EDE_CBC_SHA
DHE_RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA
(TLSv1.0: idem)
(TLSv1.1: idem)
TLSv1.2
RSA_WITH_RC4_128_SHA
RSA_WITH_3DES_EDE_CBC_SHA
DHE_RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA256
DHE_RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
******
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected

</pre>

====Example 6. Testing SSL/TLS vulnerabilities with sslyze====
sslyze [33] is a python script which permits also mass scan and XML output. Follows an example of a regular scan. Is one of the most complete and versatile tool for SSL/TLS testing.

<pre>
./sslyze.py --regular example.com:443

REGISTERING AVAILABLE PLUGINS
-----------------------------

PluginHSTS
PluginSessionRenegotiation
PluginCertInfo
PluginSessionResumption
PluginOpenSSLCipherSuites
PluginCompression

CHECKING HOST(S) AVAILABILITY
-----------------------------

example.com:443 => 127.0.0.1:443

SCAN RESULTS FOR EXAMPLE.COM:443 - 127.0.0.1:443
---------------------------------------------------

* Compression :
Compression Support: Disabled

* Session Renegotiation :
Client-initiated Renegotiations: Rejected
Secure Renegotiation: Supported

* Certificate :
Validation w/ Mozilla's CA Store: Certificate is NOT Trusted: unable to get local issuer certificate
Hostname Validation: MISMATCH
SHA1 Fingerprint: ******

Common Name: www.example.com
Issuer: ******
Serial Number: ****
Not Before: Sep 26 00:00:00 2010 GMT
Not After: Sep 26 23:59:59 2020 GMT

Signature Algorithm: sha1WithRSAEncryption
Key Size: 1024 bit
X509v3 Subject Alternative Name: {'othername': ['<unsupported>'], 'DNS': ['www.example.com']}

* OCSP Stapling :
Server did not send back an OCSP response.

* Session Resumption :
With Session IDs: Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Session Tickets: Supported

* SSLV2 Cipher Suites :

Rejected Cipher Suite(s): Hidden

Preferred Cipher Suite: None

Accepted Cipher Suite(s): None

Undefined - An unexpected error happened: None

* SSLV3 Cipher Suites :

Rejected Cipher Suite(s): Hidden

Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 200 OK

Accepted Cipher Suite(s):
CAMELLIA256-SHA 256 bits HTTP 200 OK
RC4-SHA 128 bits HTTP 200 OK
CAMELLIA128-SHA 128 bits HTTP 200 OK

Undefined - An unexpected error happened: None

* TLSV1_1 Cipher Suites :

Rejected Cipher Suite(s): Hidden

Preferred Cipher Suite: None

Accepted Cipher Suite(s): None

Undefined - An unexpected error happened:
ECDH-RSA-AES256-SHA socket.timeout - timed out
ECDH-ECDSA-AES256-SHA socket.timeout - timed out

* TLSV1_2 Cipher Suites :

Rejected Cipher Suite(s): Hidden

Preferred Cipher Suite: None

Accepted Cipher Suite(s): None

Undefined - An unexpected error happened:
ECDH-RSA-AES256-GCM-SHA384 socket.timeout - timed out
ECDH-ECDSA-AES256-GCM-SHA384 socket.timeout - timed out

* TLSV1 Cipher Suites :

Rejected Cipher Suite(s): Hidden

Preferred Cipher Suite:
RC4-SHA 128 bits Timeout on HTTP GET

Accepted Cipher Suite(s):
CAMELLIA256-SHA 256 bits HTTP 200 OK
RC4-SHA 128 bits HTTP 200 OK
CAMELLIA128-SHA 128 bits HTTP 200 OK

Undefined - An unexpected error happened:
ADH-CAMELLIA256-SHA socket.timeout - timed out

SCAN COMPLETED IN 9.68 S
------------------------
</pre>

===Testing SSL certificate validity – client and server===
Firstly upgrade your browser because also CA certs expire and, in every release of the browser, these are been renewed.
Examine the validity of the certificates used by the application. Browsers will issue a warning when encountering expired certificates, certificates issued by untrusted CAs, and certificates which do not match namewise with the site to which they should refer. By clicking on the padlock which appears in the browser window when visiting an HTTPS site, you can look at information related to the certificate – including the issuer, period of validity, encryption characteristics, etc. If the application requires a client certificate, you probably have installed one to access it. Certificate information is available in the browser by inspecting the relevant certificate(s) in the list of the installed certificates.
These checks must be applied to all visible SSL-wrapped communication channels used by the application. Though this is the usual https service running on port 443, there may be additional services involved depending on the web application architecture and on deployment issues (an HTTPS administrative port left open, HTTPS services on non-standard ports, etc.). Therefore, apply these checks to all SSL-wrapped ports which have been discovered. For example, the nmap scanner features a scanning mode (enabled by the –sV command line switch) which identifies SSL-wrapped services. The Nessus vulnerability scanner has the capability of performing SSL checks on all SSL/TLS-wrapped services.

Some tools, as in previous examples, check also for certificate validity.

====Example 7. Testing for certificate validity (manually)====
Rather than providing a fictitious example, we have inserted an anonymized real-life example to stress how frequently one stumbles on https sites whose certificates are inaccurate with respect to naming.
The following screenshots refer to a regional site of a high-profile IT company.

We are visiting an .it site and the certificate was issued to a .com site! Internet Explorer warns that the name on the certificate does not match the name of the site.

[[Image:SSL Certificate Validity Testing IE Warning.gif]]
''Warning issued by Microsoft Internet Explorer''

The message issued by Firefox is different – Firefox complains because it cannot ascertain the identity of the .com site the certificate refers to because it does not know the CA which signed the certificate. In fact, Internet Explorer and Firefox do not come preloaded with the same list of CAs. Therefore, the behavior experienced with various browsers may differ.

[[Image:SSL Certificate Validity Testing Firefox Warning.gif]]
''Warning issued by Mozilla Firefox''

===Testing for other vulnerabilities===
As mentioned previously there are other types of vulnerabilities that are not related with the SSL/TLS protocol used, the cipher suites or Certificates. A part from others discussed in other parts of the Guide, the another one is possible when the server provide the website both with the HTTP and HTTPS protocols, and permit to an attacker to force a victim into using a non-secure channel instead of a secure one.

====Surf Jacking====
Surf Jacking attack [7] was first presented by Sandro Gauci and permits to an attacker to hijack an HTTP session even when the victim’s connection is encrypted using SSL or TLS.
The following is a scenario of how the attack can take place:

The following is a scenario of how the attack can take place:
* Victim logs into the secure website at https://somesecuresite/.
* The secure site issues a session cookie as the client logs in.
* While logged in, the victim opens a new browser window and goes to http:// examplesite/
* An attacker sitting on the same network is able to see the clear text traffic to http://examplesite.
* The attacker sends back a "301 Moved Permanently" in response to the clear text traffic to http://examplesite. The response contains the header “Location: http://somesecuresite /”, which makes it appear that examplesite is sending the web browser to somesecuresite. Notice that the URL scheme is HTTP not HTTPS.
* The victim's browser starts a new clear text connection to http://somesecuresite/ and sends an HTTP request containing cookie in the HTTP header in clear text
* The attacker sees this traffic and logs the cookie for later (ab)use.
To test if a website is vulnerable is sufficient to proceed like follow:
# Check if website supports both HTTP and HTTPS protocol
# Check if cookies do not have the “Secure” flag

====SSL Strip====
Often applications supports both HTTP and HTTPS. As for usability or because users do not use to type “https://www.example.com”. Often users go into an HTTPS website from link or a redirect. Typically also home banking site have a similar configuration with an iframed login or a form with action attribute over HTTPS but the page under HTTP.
An attacker in a privileged position - as described in SSL strip [8] - can incercept traffic when user is into HTTP and manipulate it to get a Man-In-The-Middle attack under HTTPS.
To test if application is vulnerable is sufficient the website supports both HTTP and HTTPS.

===Testing via HTTP proxy===

Inside corporate environments you can see services that are not directly accessible and you can access them only via HTTP proxy using the CONNECT method [36]. Most of the tools will not work in this scenario because they try to connect to desired tcp port in order to start SSL/TLS handshake. With the help of relaying software such as socat [37] you can re-enable those tools for use with services behind HTTP proxy.

====Example 8. Testing via HTTP proxy====

To connect to destined.application.lan:443 via proxy 10.13.37.100:3128 run socat as follows:
<pre>
$ socat TCP-LISTEN:9999,reuseaddr,fork PROXY:10.13.37.100:destined.application.lan:443,proxyport=3128
</pre>

Then you can target all other tools to localhost:9999:
<pre>
$ openssl s_client -connect localhost:9999
</pre>

All connections to localhost:9999 will be effectively relayed by socat via proxy to destined.application.lan:443.

== Gray Box testing and example ==

===Testing for Weak SSL/TLS Cipher Suites===
Check the configuration of the web servers which provide https services. If the web application provides other SSL/TLS wrapped services, these should be checked as well.

====Example 9. Windows Server====
Check the configuration on a Microsoft Windows Server (2000, 2003 and 2008) using the registry key:
<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\</pre>
which has some sub-keys like Ciphers, Protocols and KeyExchangeAlgorithms.

====Example 10: Apache====
To check the cipher suites and protocols supported by Apache2 web server open the ssl.conf file and search for the SSLCipherSuite, SSLProtocol, SSLHonorCipherOrder,SSLInsecureRenegotiation and SSLCompression directives.

===Testing SSL certificate validity – client and server===
Examine the validity of the certificates used by the application at both server and client levels. The usage of certificates is primarily at the web server level; however, there may be additional communication paths protected by SSL (for example, towards the DBMS). You should check the application architecture to identify all SSL protected channels.

==References==
'''OWASP Resources'''
* [5] [OWASP Testing Guide - Testing for cookie attributes (OTG-SESS-002)|https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)]
* [4][OWASP Testing Guide - Test Network/Infrastructure Configuration (OTG-CONFIG-001)|https://www.owasp.org/index.php/Testing_for_infrastructure_configuration_management_(OWASP-CM-003)]
* [6] [OWASP Testing |https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)][Guide - Testing for Missing HSTS header (OTG-CONFIG-009)|https://www.owasp.org/index.php/Testing_for_Missing_HSTS_header]
* [2] [OWASP Testing Guide - Testing for Sensitive information sent via unencrypted channels (OTG-CRYPST-007)|https://www.owasp.org/index.php?title=Testing_for_Sensitive_information_sent_via_unencrypted_channels_(OTG-CRYPST-007)&action=edit&redlink=1]
* [3] [OWASP Testing Guide - Testing for Credentials Transported over an Encrypted Channel (OWASP-AT-001)|https://www.owasp.org/index.php/Testing_for_Credentials_Transported_over_an_Encrypted_Channel_(OWASP-AT-001)]
* [9] [OWASP Testing Guide - Test Content Security Policy (OTG-CONFIG-008)|https://www.owasp.org/index.php/Testing_for_Content_Security_Policy_weakness]
* [22] [OWASP Cheat sheet - Transport Layer Protection|https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet]
* [23] [OWASP TOP 10 2013 - A6 Sensitive Data Exposure|https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure]
* [24] [OWASP TOP 10 2010 - A9 Insufficient Transport Layer Protection|https://www.owasp.org/index.php/Top_10_2010-A9-Insufficient_Transport_Layer_Protection]
* [25] [OWASP ASVS 2009 - Verification 10|https://code.google.com/p/owasp-asvs/wiki/Verification_V10]
* [26] [OWASP Application Security FAQ - Cryptography/SSL|https://www.owasp.org/index.php/OWASP_Application_Security_FAQ#Cryptography.2FSSL]

'''Whitepapers'''
* [1] [RFC5246 - The Transport Layer Security (TLS) Protocol Version 1.2 (Updated by RFC 5746, RFC 5878, RFC 6176)|http://www.ietf.org/rfc/rfc5246.txt]
* [36] [RFC2817 - Upgrading to TLS Within HTTP/1.1|]
* [34] [RFC6066 - Transport Layer Security (TLS) Extensions: Extension Definitions|http://www.ietf.org/rfc/rfc6066.txt]
* [11] [SSLv2 Protocol Multiple Weaknesses |http://osvdb.org/56387]
* [12] [Mitre - TLS Renegotiation MiTM|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555]
* [13] [Qualys SSL Labs - TLS Renegotiation DoS|https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks]
* [10] [Qualys SSL Labs - SSL/TLS Deployment Best Practices|https://www.ssllabs.com/projects/best-practices/index.html]
* [14] [Qualys SSL Labs - SSL Server Rating Guide|https://www.ssllabs.com/projects/rating-guide/index.html]
* [20] [Qualys SSL Labs - SSL Threat Model|https://www.ssllabs.com/projects/ssl-threat-model/index.html]
* [18] [Qualys SSL Labs - Forward Secrecy|https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy]
* [15] [Qualys SSL Labs - RC4 Usage|https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what]
* [16] [Qualys SSL Labs - BEAST|https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls]
* [17] [Qualys SSL Labs - CRIME|https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]
* [7] [SurfJacking attack|https://resources.enablesecurity.com/resources/Surf%20Jacking.pdf]
* [8] [SSLStrip attack|http://www.thoughtcrime.org/software/sslstrip/]
* [19] [PCI-DSS v2.0|https://www.pcisecuritystandards.org/security_standards/documents.php]
* [35] [Xiaoyun Wang, Hongbo Yu: How to Break MD5 and Other Hash Functions| http://link.springer.com/chapter/10.1007/11426639_2]

'''Tools'''
* [21][Qualys SSL Labs - SSL Server Test|https://www.ssllabs.com/ssltest/index.html]: internet facing scanner
* [27] [Tenable - Nessus Vulnerability Scanner|http://www.tenable.com/products/nessus]: includes some plugins to test different SSL related vulnerabilities, Certificates and the presence of HTTP Basic authentication without SSL.
* [32] [TestSSLServer|http://www.bolet.org/TestSSLServer/]: a java scanner - and also windows executable - includes tests for cipher suites, CRIME and BEAST
* [33] [sslyze|https://github.com/iSECPartners/sslyze]: is a python script to check vulnerabilities in SSL/TLS.
* [28] [SSLAudit|https://code.google.com/p/sslaudit/]: a perl script/windows executable scanner which follows Qualys SSL Labs Rating Guide.
* [29] [SSLScan|http://sourceforge.net/projects/sslscan/] with [SSL Tests|http://www.pentesterscripting.com/discovery/ssl_tests]: a SSL Scanner and a wrapper in order to enumerate SSL vulnerabilities.
* [31] [nmap|http://nmap.org/]: can be used primary to identify SSL-based services and then to check Certificate and SSL/TLS vulnerabilities. In particular it has some scripts to check [Certificate and SSLv2|http://nmap.org/nsedoc/scripts/ssl-cert.html] and supported [SSL/TLS protocols/ciphers|http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html] with an internal rating.
* [30] [curl|http://curl.haxx.se/] and [openssl|http://www.openssl.org/]: can be used to query manually SSL/TLS services
* [9] [Stunnel|http://www.stunnel.org]: a noteworthy class of SSL clients is that of SSL proxies such as stunnel available at which can be used to allow non-SSL enabled tools to talk to SSL services)
* [37] [socat| http://www.dest-unreach.org/socat/]: Multipurpose relay

[[Category:Cryptographic Vulnerability]]
[[Category:SSL]]

OWASP WebSpa Project

2014-03-14T00:50:52Z

Yiannis: /* News */

=Main=

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
| valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

==OWASP WebSpa Project==

The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command.
It provides a cryptographically protected "open sesame" mechanism on the web application layer, comparable to well-known port-knocking techniques.

==Description==

This project implements the concept of web knocking by offering a jar file that 'tails' the access log of an existing web server. A user submits a specially crafted URL, therefore executing a predefined O/S command. No new ports or services are created.

Similarly to traditional network port-knocking schemes, the OWASP WebSpa Project aims to create a covert channel of communication for O/S commands over the web application layer. This channel is by no means bi-directional: It is only the client that can issue commands to the server. The inverse, i.e. the server issuing commands to the client, is not an option within the current version.

==Licensing==

The OWASP WebSpa Project is free to use. It is licensed under the http://creativecommons.org/licenses/by-sa/3.0/ Creative Commons Attribution-ShareAlike 3.0 license], so you can copy, distribute and transmit the work, and you can adapt it, and use it commercially, but all provided that you attribute the work and if you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.

The source code that comes with the OWASP WebSpa Project in the form of the tool named Web-Spa is released as open source software under the terms of the [http://www.gnu.org/licenses/quick-guide-gplv3.html GNU Public License (GPL) version 3]. For reference, the full text of the GPL_v3 can be downloaded from the [http://www.fsf.org/ Free Software Foundation]. There are no plans to change the license; web-spa will always remain an open source project free for use by anyone subject to the terms of the license.

| valign="top" style="padding-left:25px;width:200px;border-right: 1px dotted gray;padding-right:25px;" |

== What is WebSpa? ==

OWASP WebSpa provides:

* A secure channel for executing premeditated O/S commands on your web server
* A resource-efficient single jar-file that can either be run as server, or client application, depending on the command line parameters

== Presentation ==

https://code.google.com/p/web-spa/

| valign="top" style="padding-left:25px;width:200px;" |

== Quick Download ==

* http://goo.gl/4T82Ug

==Classifications==

{| width="200" cellpadding="2"
|-
| align="center" valign="top" width="50%" rowspan="2"| [[File:Owasp-incubator-trans-85.png|link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Incubator_Projects]]
| align="center" valign="top" width="50%"| [[File:Owasp-builders-small.png|link=]]
|-
| align="center" valign="top" width="50%"| [[File:Owasp-defenders-small.png|link=]]
|-
| colspan="2" align="center" | [[File:Cc-button-y-sa-small.png|link=http://creativecommons.org/licenses/by-sa/3.0/]]
|-
| colspan="2" align="center" | [[File:Project_Type_Files_CODE.jpg|link=]]
|}

|}

= Videos =

{|
|-
|
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}}
|
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}}
|-
|
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}}
|
{{#ev:youtube|eHlYnWyf35E|300|right|OWASP Web Knocking Project Demo}}
|}

= Tutorial =

== Supporting Documentation ==

The discrepant event discussed herein is web knocking. Within the latest [http://sourceforge.net/projects/webspa/files/latest/download?source=directory download] you can find three documents with the purpose of describing how WebSpa can be used. The three documents are:

* ''''WebSpa Administration Guide''' This document describes how to setup and use the server component. It details how to create new users and add new action numbers with respective O/S commands assigned to them

* '''WebSpa Specification Guide''' This document describes the actual design detailing the use case, specification, requirements and actual attacks, which this tool has been engineered to withstand

* '''WebSpa User Guide''' This document describes how to use the client for issuing commands through a URL request to a web server

The administration guide aims to enable anyone who would be interested in using WebSpa to be able to setup the server side component of it. After configuring the server component of WebSpa, you'll be ready to use the corresponding client for issuing direct actions as O/S commands to it.

If this is your first time using WebSpa, please note that the server operations described in this document, will not work if a WebSpa client does not submit a web-knock to your web server in a timely manner.

Thus, knowing a client implementation goes hand-in-hand with a server instance for it, please also have a look at the WebSpa user guide document to see how the two can be used in tandem.

The user guide aims to enable anyone who would be interested in using web-spa to do so. As soon as you install the server side component and decide what actions to allow, you'll be ready to use the corresponding client for issuing direct actions that work for you.

Finally, the specification guide aims to enable anyone who would be interested in implementing their own version of WebSpa to do so.

== HelloWorld! Enabling SSH via Web Knocking with WebSpa ==

In this section we describe the setup you should follow in order to get to the stage of being able to execute the video entitled: [https://www.youtube.com/watch?v=eHlYnWyf35E Enabling SSH via Web Knocking with Web-Spa (_v0.5)] on your server.

We assume you can SSH into your web server using the user 'web-spa'. We also assume that the user 'web-spa' has permissions to run the necessary service start and stop commands for this service. So, let's login to the box and get the latest WebSpa download:

ssh web-spa@web.spa.seleucus.net
web-spa@web:~$ cd /tmp
web-spa@web:/tmp$ wget https://downloads.sourceforge.net/project/webspa/webspa-06.zip

It would be wise at this stage to check the SHA1 digest of what we just downloaded. Sourceforge publishes the SHA1 of all files available for download; copying the value into our command prompt yields:

web-spa@web:/tmp$ echo "a630f23f88c49d02b5895a3d7e16aad245c387f3 *webspa-06.zip" | sha1sum -c -
webspa-06.zip: OK
web-spa@web:/tmp$

Ok, so we have downloaded something that we can vouch for-ish. Let's extract and setup.

unzip webspa-06.zip

A lot of noise comes back from this command. Apologies, different groups have clearly stated they have wanted the source code as well the documentation to be included within the download. Let's have a look at the install file:

=================================================
- Prerequisites for web-spa
=================================================

The following programs must be installed in order
for web-spa to run:

- Java 1.6 or later

If you don't have java installed, consider using the following command:

sudo aptitude install openjdk-7-jre

This will meet the one prerequisite for using WebSpa. As this is a production server, docs and src folders will not be missed. Also, we like to store things in /opt, ergo:

web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/src/
web-spa@web:/tmp$ rm -frv /tmp/web-spa-0.6/docs/
web-spa@web:/tmp$ sudo mv -v /tmp/web-spa-0.6/ /opt

We now have WebSpa in /opt, let's run the server and create some users.

web-spa@web:/tmp$ cd /opt/web-spa-0.6/
web-spa@web:/opt/web-spa-0.6$ java -jar web-spa-0.6.jar -server

Web-Spa - Single HTTP/S Request Authorisation
version 0.6 (web-spa@seleucus.net)

This is a holding prompt, type "exit" or "x" to quit

- type "service start" to start the web-spa server
- type "help" or "?" for more options

web-spa-server>

The last line above is the server's holding prompt; all commands are issued via this prompt. In order to exit this prompt, type 'exit' or 'quit'. In the next step we will add 3 users and assign a unique pass-phrase to each one of them.

web-spa-server>user add
=[Required] Enter the New User's Full Name: Yiannis Pavlosoglou
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address: yiannis@xxxxxx.com
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Please note that only a user's full name and pass-phrase are required to be entered. Let's create another user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Oliver Merki
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

Note that we did not specify a user's e-mail address nor a phone number, as both these fields were optional. Finally, adding a third user:

web-spa-server>user add
=[Required] Enter the New User's Full Name: Patryk
=[Required] Enter the New User's Pass-Phrase:
=[Required] Re-enter the above value:
-[Optional] Please enter the New User's Email Address:
-[Optional] Please enter the New User's Phone Number:
web-spa-server>

For Patryk we only specified his first name and a unique pass-phrase. You get the picture. Now that we have created our users, let's add some actions to each user. We would like to give Patryk the ability to bounce the SSH service; ergo, let's add two actions:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh start
=[Required] Select an action number for this O/S Command [0,9]: 1
web-spa-server>

The above adds the O/S command 'sudo service ssh start' to action number 1 for user Patryk. Let's also add the stop command:

web-spa-server>action add
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
The existing actions for this user are:
Actions for user with ID: 13
___________________________________________________________
# O/S Command Last Executed
-----------------------------------------------------------
1 sudo service ssh start has never been executed
___________________________________________________________
=[Required] Enter the new O/S Command: sudo service ssh stop
=[Required] Select an action number for this O/S Command [0,9]: 0
web-spa-server>

The above adds the O/S command 'sudo service ssh stop' to action number 0 for user Patryk. Two very important steps we must not forget is to enable the user Patryk and start the web-spa listening service.

web-spa-server>user activate
Users:
___________________________________________________________
ID Active Full Name Last Modified
-----------------------------------------------------------
11 false Yiannis Pavlosoglou 2014-02-23 12:09:26.240
12 false Oliver Merki 2014-02-23 12:12:13.313
13 false Patryk 2014-02-23 12:14:57.895
___________________________________________________________
-[Optional] Select a User ID: 13
User with ID: 13 is in-active
-[Optional] Toggle user activation [Y/n]:
User with ID: 13 is active
web-spa-server>

And finally issue the service start command:

web-spa-server>service start
[2014-02-23 12-36-07] Attempting to start web-spa...
[2014-02-23 12-36-07] Found access log file: /...cus.net/logs/access.log
[2014-02-23 12-36-07] Creating tail listener...
[2014-02-23 12-36-07] Web-spa server started!
[2014-02-23 12-36-07] Please make sure your web server is also up
web-spa-server>

= News =

* [14 Mar 2014] [https://code.google.com/p/web-spa/ Scheduled the deletion of the Google code project, given that downloads require a new account]
* [04 Mar 2014] [https://soundcloud.com/#owasp-podcast/the-owasp-webspa-project-with The WebSpa podcast has now been available!]
* [22 Feb 2014] Created the WebSpa project on sourceforge, started the import from google code
* [22 Dec 2013] Version 0.6 has been released and can be found in the download section
* [08 Nov 2013] The OWASP Web Knocking Project is created

=FAQs=

; Q1
: A1

; Q2
: A2

= People =

The OWASP WebSpa Project is developed by a worldwide team of volunteers. Below is a list of all people that have contributed to the project so far.

Active contributors:
* Yiannis Pavlosoglou
* Patryk Arciszewski
* Oliver Merki

Retired contributors:
* [[User:Dr. Markus Maria Miedaner|Markus Maria Miedaner]]

= Roadmap =

== Release 0.9 (Q2-Q3/2014) ==

WebSpa_v0.9 will examine attacks on the web knocking tool and propose controls in order to address the issues in question.

== Release 0.8 (Q2/2014) ==

WebSpa_v0.8 will incorporate in the server side component (run with -server option) the ability for a web-spa administrator to generate a single output of all actions available for a Web Knocking user.

== Release 0.7 (Q1/2014) ==

This is the next release of web-spa. The next release has not been scheduled yet.

For WebSpa_v0.7, a Java write-up of a number of test cases so that to increase test coverage within the tool. The ability to reset the pass-phrase for a web-spa user will also be added.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-06.zip Release 0.6 (21/Dec/2013)] ==

This is the current release of web-spa.

WebSpa _v0.6 offers enhanced logging functionality, fixing a bug that caused the server to become unresponsive upon starting and stopping. The client now offers to transmit a web knock request, thus not requiring for a user to copy-paste the URL into their browser.

Additional test cases have been added, the option "?" is now available to offer "help" and the log functionality tracks via means of a timestamp all events logged

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-05.zip Release 0.5 (21/Oct/2013)] ==

WebSpa _v0.5 shortens the number of inputs required from a legitimate user of web-spa to only two: A valid pass-phrase, unique for each user and a single digit in the range of [0-9]. We refer to the latter as an action number and it represents a premeditated Operating System (O/S) command.

All the functionality (for both the client and the server) is now within a single jar file, accompanied by detailed documentation:

- 00-web-spa-administration-guide.pdf
- 00-web-spa-specification-guide.pdf
- 00-web-spa-user-guide.pdf

The server side functionality has been re-designed to operate with a single configuration file (created at first run) as well as a HyperSQL embedded file database (also created at first run).

Finally, no files are created or are required when web-spa runs in client mode, with the '-client' option.

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-04.zip Release 0.4 (27/Aug/2011)] ==

A number of updates and bug fixes have been included within this version. Also, an update on the actual message format to further protect from replay attacks has been included.

WebSpa _v0.4 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-04.jar
* webspa-elements-04.jar
* webspa-server-04.jar

== [https://code.google.com/p/web-spa/downloads/detail?name=webspa-03.zip Release 0.3 (11/Jul/2011)] ==

In its first usable release, WebSpa _v0.3 contains the necessary client and server components, as well as an elements API library. Thus, the files within the download are:
* webspa-client-03.jar
* webspa-elements-03.jar
* webspa-server-03.jar

== Contribution ==

Involvement in the development and promotion of the OWASP WebSpa Project is actively encouraged!
You do not have to be a security expert in order to contribute.
Some of the ways you can help:
* Quality assurance of resolved defects
* Java development (good knowledge of Java desirable)

=Project About=
{{:Projects/OWASP_WebSpa_Project}}

__NOTOC__ <headertabs />

[[Category:OWASP Project]] [[Category:OWASP_Builders]] [[Category:OWASP_Defenders]] [[Category:OWASP_Document]]

Testing for Session Management

2014-03-14T00:44:01Z

Yiannis: Testing Guide V4: Review_v1

{{Template:OWASP Testing Guide v4}}

''' 4.5 Session Management Testing'''
----

One of the core components of any web-based application is the mechanism by which it controls and maintains the state for a user interacting with it. We refer to this as Session Management and define it as the set of all controls governing state-full interaction between a user and the web-based application. This broadly covers anything from how user authentication is performed, to what happens upon them logging out.

HTTP is a stateless protocol, meaning that web servers respond to client requests without linking them to each other. Even simple application logic requires a user's multiple requests to be associated with each other across a "session”. This necessitates third party solutions – through either Off-The-Shelf (OTS) middleware and web server solutions, or bespoke developer implementations. Most popular web application environments, such as ASP and PHP, provide developers with built-in session handling routines. Some kind of identification token will typically be issued, which will be referred to as a “Session ID” or Cookie.
 
There are a number of ways in which a web application may interact with a user. Each is dependent upon the nature of the site, the security, and availability requirements of the application.
Whilst there are accepted best practices for application development, such as those outlined in the [[OWASP Guide Project|OWASP Guide to Building Secure Web Applications]], it is important that application security is considered within the context of the provider’s requirements and expectations. In this chapter we describe the following items. 

[[Testing for Session_Management_Schema (OWASP-SM-001)|4.7.1 Testing for Bypassing Session Management Schema (OTG-SESS-001)]]

[[Testing for cookies attributes (OWASP-SM-002)|4.7.2 Testing for Cookies attributes (OTG-SESS-002)]]

[[Testing for Session Fixation (OWASP-SM-003)|4.7.3 Testing for Session Fixation (OTG-SESS-003)]]

[[Testing for Exposed Session Variables (OWASP-SM-004)|4.7.4 Testing for Exposed Session Variables (OTG-SESS-004)]]

[[Testing for CSRF (OWASP-SM-005)|4.7.5 Testing for Cross Site Request Forgery (CSRF) (OTG-SESS-005)]]

[[Testing for logout functionality (OWASP-SM-007)|4.7.6 Testing for logout functionality (OTG-SESS-007)]]

[[Test Session Timeout (OTG-SESS-008)|4.7.7 Test Session Timeout (OTG-SESS-008)]]

[[Testing for Session puzzling (OTG-SESS-010)|4.7.8 Testing for Session puzzling (OTG-SESS-010)]]

Testing for logout functionality (OTG-SESS-006)

2014-03-14T00:13:39Z

Yiannis: Testing Guide V4: Review_v1

{{Template:OWASP Testing Guide v4}}

== Brief Summary ==
Session termination is an important part of the session lifecycle. Reducing to a minimum the lifetime of the session token(s) decreases the likelihood of a successful session hijacking attack. This can be seen as a control against preventing other attacks like Cross Site Scripting and Cross Site Request Forgery. Such attacks have been known to rely on a user having an authenticated session present. Not having a secure session termination only increases the attack surface for any of these attacks.

A secure session termination requires at least the following components:

* Availability of user interface controls for manual logouts performed by the user.
* Session termination after a given amount of time without activity (session timeout).
* Proper invalidation of server-side session state.

== Description of the Issue ==

There are multiple issues which can prevent the effective termination of a session. For the ideal secure web application, a user should be able to terminate at any time through the user interface. Every page should contain a logout button on a place where it is directly visible. Unclear or ambiguous logout functions could cause the user not trusting such functionality.

Another common mistake in session termination is, that the client-side session token is set to a new value while the server-side state remains active and can be reused by setting the session cookie back to the previous value. Sometimes only a confirmation message is shown to the user without performing any further action. This should be avoided.

Users of web browsers often don't mind that an application is still open and just close the browser or a tab. A web application should be aware of this behavior and terminate the session automatically on the server-side after a defined amount of time.

The usage of a single sign-on (SSO) system instead of an application-specific authentication scheme often causes the coexistence of multiple sessions which have to be terminated separately. For instance, the termination of the application-specific session does not terminate the session in the SSO system. Navigating back to the SSO portal offers the user the possibility to relogin back to the application where the logout was performed just before. On the other side a logout function in a SSO system does not necessarily causes session termination in connected applications.

== Black Box testing and example ==
'''Testing for logout user interface:''' 
Verify the appearance and visibility of the logout functionality in the user interface. For this purpose, view each page from the perspective of an user who has the intention to logout from the web application.

'''Result Expected:''' 
There are some properties which indicate a good logout user interface:
* A logout button is present on all pages of the web application.
* The logout button should be identified quickly by an user which wants to logout from the web application.
* After loading of a page the logout button should be visible without scrolling.
* Ideally the logout button is placed in an area of the page, which is fixed in the view port of the browser and not affected by scrolling of the content. 

'''Testing for server-side session termination:''' 
First, store the values of cookies which are used to identify a session. Invoke the logout function and observe the behavior of the application, especially regarding session cookies. Try to navigate to a page which is only visible in an authenticated session, e.g. by usage of the back button of the browser. If a cached version of the page is displayed, use the reload button to refresh the page from the server. If the logout function causes that session cookies are set to a new value, restore the old value of the session cookies and reload a page from the authenticated area of the application. If these test don't show any vulnerabilities on a particular page, try at least some further pages of the application which are considered as security-critical, to ensure that session termination is recognized properly by these areas of the application.

'''Result Expected:''' 
No data which should be visible only by authenticated users should be visible on the examined pages while performing the tests. Ideally the application redirects to a public area or a login form while accessing authenticated areas after termination of the session.

It should be not necessary for the security of the application, but setting session cookies to new values after logout is generally considered as good practice. 

'''Testing for session timeout:''' 
Try to determine a session timeout by performing requests to a page in the authenticated area of the web application with increasing delays. If the logout behavior appears, the used delay matches approximately the session timeout value.

'''Result Expected:''' 
The same results as for server-side session termination testing described before are excepted by a logout caused by an inactivity timeout.

The proper value for the session timeout highly depends on the purpose of the application and should be a balance of security and usability. In a banking applications it makes normally no sense to keep an inactive session more than 15 minutes. On the other side a short timeout in a wiki or forum could annoy users which are typing lengthy articles with unnecessary login requests. There timeouts of an hour and more can be acceptable. 

'''Testing for session termination in single sign-on environments (single sign-off):''' 
Perform a logout in the tested application. Verify if there is a central portal or application directory which allows the user to relogin to the application without authentication. Test if the application requests the user to authenticate, if the URL of an entry point to the application is requested.

While logged in in the tested application, perform a logout in the SSO system. Then try to access an authenticated area of the tested application.

'''Result Expected:''' 
It is expected that the invocation of a logout function in a web application connected to a SSO system or in the SSO system itself causes global termination of all sessions. An authentication of the user should be required to gain access to the application after logout in the SSO system and connected application. 

== References ==
'''Whitepapers'''
* "The FormsAuthentication.SignOut method does not prevent cookie reply attacks in ASP.NET applications" - http://support.microsoft.com/default.aspx?scid=kb;en-us;900111
 
'''Tools'''
* "Burp Suite - Repeater" - http://portswigger.net/burp/repeater.html

OWASP Testing Guide Appendix D: Encoded Injection

2014-03-09T22:56:04Z

Yiannis: Testing Guide V4: Review_v1

{{Template:OWASP Testing Guide v4}}

== Background ==

Character encoding is the process of mapping characters, numbers and other symbols to a standard format. Typically, this is done in order to create a message ready for transmission between sender and receiver. It is, in simple terms, the conversion of characters (belonging to different languages like English, Chinese, Greek or any other known language) into bytes. An example of a widely used character encoding scheme is the American Standard Code for Information Interchange (ASCII) that initially used 7-bit codes. More recent examples of encoding schemes would be the Unicode UTF-8 and UTF-16 computing industry standards.

In the space of application security and due to the plethora of encoding schemes available, character encoding has a popular misuse. It is being used for encoding malicious injection strings in a way that obfuscates them. This can lead to the bypass of input validation filters, or take advantage of particular ways in which browsers render encoded text.

== Input Encoding – Filter Evasion ==

Web applications usually employ different types of input filtering mechanisms to limit the input that can be submitted by the user. If these input filters are not implemented sufficiently well, it is possible to slip a character or two through these filters. For instance, a / can be represented as 2F (hex) in ASCII, while the same character (/) is encoded as C0 AF in Unicode (2 byte sequence). Therefore, it is important for the input filtering control to be aware of the encoding scheme used. If the filter is found to be detecting only, say, UTF-8 encoded injections, a different encoding scheme may be employed to bypass this filter.

== Output Encoding – Server & Browser Consensus ==

Web browsers, in order to coherently display a web page, are required to be aware of the encoding scheme used. Ideally, this information should be provided to the browser in the HTTP header (“Content-Type”) field, as shown below:

<pre><nowiki>Content-Type: text/html; charset=UTF-8</nowiki></pre>

<nowiki> or through HTML META tag (“META HTTP-EQUIV”), as shown below:</nowiki>

<pre><nowiki><META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"></nowiki></pre>

It is through these character encoding declarations that the browser understands which set of characters to use when converting bytes to characters.
Note: The content type mentioned in the HTTP header has precedence over the META tag declaration.

CERT describes it here as follows:

''Many web pages leave the character encoding ("charset" parameter in HTTP) undefined. In earlier versions of HTML and HTTP, the character encoding was supposed to default to ISO-8859-1 if it wasn't defined. In fact, many browsers had a different default, so it was not possible to rely on the default being ISO-8859-1. HTML version 4 legitimizes this - if the character encoding isn't specified, any character encoding can be used.

If the web server doesn't specify which character encoding is in use, it can't tell which characters are special. Web pages with unspecified character encoding work most of the time because most character sets assign the same characters to byte values below 128. But which of the values above 128 are special? Some 16-bit character-encoding schemes have additional multi-byte representations for special characters such as "<". Some browsers recognize this alternative encoding and act on it. This is "correct" behavior, but it makes attacks using malicious scripts much harder to prevent. The server simply doesn't know which byte sequences represent the special characters''

Therefore in the event of not receiving the character encoding information from the server, the browser either attempts to ‘guess’ the encoding scheme or reverts to a default scheme. In some cases, the user explicitly sets the default encoding in the browser to a different scheme. Any such mismatch in the encoding scheme used by the web page (server) and the browser may cause the browser to interpret the page in a manner that is unintended or unexpected.

==== Encoded Injections ====

All the scenarios given below form only a subset of the various ways obfuscation can be achieved in order to bypass input filters. Also, the success of encoded injections depends on the browser in use. For example, US-ASCII encoded injections were previously successful only in IE browser but not in Firefox. Therefore, it may be noted that encoded injections, to a large extent, are browser dependent.

==== Basic Encoding ====

Consider a basic input validation filter that protects against injection of single quote character. In this case the following injection would easily bypass this filter:

<pre>
<nowiki><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></nowiki></pre>

String.fromCharCode Javascript function takes the given Unicode values and returns the corresponding string. This is one of the most basic forms of encoded injections. Another vector that can be used to bypass this filter is:

<pre><IMG SRC=javascript:alert(&quot ;XSS&quot ;)></pre>

<pre><IMG SRC=javascript:alert(&#34 ;XSS&#34 ;)> (Numeric reference)</pre>

The above uses HTML Entities to construct the injection string. HTML Entities encoding is used to display characters that have a special meaning in HTML. For instance, ‘>’ works as a closing bracket for a HTML tag. In order to actually display this character on the web page HTML character entities should be inserted in the page source. The injections mentioned above are one way of encoding. There are numerous other ways in which a string can be encoded (obfuscated) in order to bypass the above filter.

==== Hex Encoding ====

Hex, short for Hexadecimal, is a base 16 numbering system i.e it has 16 different values from 0 to 9 and A to F to represent various characters. Hex encoding is another form of obfuscation that is, sometimes, used to bypass input validation filters. For instance, hex encoded version of the string
<IMG SRC=javascript:alert('XSS')> is

<pre>
<nowiki><IMG SRC=%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%27%58%53%53%27%29></nowiki></pre>

A variation of the above string is given below. Can be used in case ‘%’ is being filtered:

<pre><nowiki><IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29></nowiki></pre>

There are other encoding schemes like Base64 and Octal as well that may be used for obfuscation. Although, every encoding scheme may not work every time, a bit of trial and error coupled with intelligent manipulations would definitely reveal the loophole in a weakly built input validation filter.

==== UTF-7 Encoding ====

UTF-7 encoding of <SCRIPT>alert(‘XSS’);</SCRIPT> is as below

<pre><nowiki>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-</nowiki></pre>

For the above script to work, the browser has to interpret the web page as encoded in UTF-7.

==== Multi-byte Encoding ====

Variable-width encoding is another type of character encoding scheme that uses codes of varying lengths to encode characters. Multi-Byte Encoding is a type of variable-width encoding that uses varying number of bytes to represent a character.
Multibyte encoding is primarily used to encode characters that belong to a large character set e.g. Chinese, Japanese and Korean.

Multibyte encoding has been used in the past to bypass standard input validation functions and carry out cross site scripting and SQL injection attacks.

== References ==
http://en.wikipedia.org/wiki/Encode_(semiotics)

http://ha.ckers.org/xss.html

http://www.cert.org/tech_tips/malicious_code_mitigation.html

http://www.w3schools.com/HTML/html_entities.asp

http://www.iss.net/security_center/advice/Intrusions/2000639/default.htm

http://searchsecurity.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid14_gci1212217_tax299989,00.html

http://www.joelonsoftware.com/articles/Unicode.html

User:Yiannis

2014-03-02T21:32:54Z

Yiannis: Updated short bio

There is a world of numbers, hiding behind letters, inside computers, this is what stimulates my work. I am currently employed in IT risk management within the financial industry, running a team of technical risk assessors. Prior to this, I spent 5 years in the world of professional penetration testing. I focused my career evolution on assisting large scale projects actually implement secure development practices. This included teaching developers how to write secure code. For OWASP, I was the project leader for JBroFuzz and used to chair the Global Industry Committee. I am on the Application Security Advisory Board of the (ISC)2. My academic qualifications include a [http://wrap.warwick.ac.uk/1193/ PhD in information security], designing routing protocols for ad-hoc networks. I am a certified scrum master and hold the CISSP certification.

'''Application Security'''

*2011 - Web-Spa [http://code.google.com/p/web-spa/ Single Request Authorisation Web Knocking]
*2011 - Port Knocking Web Implementations [http://www.portknocking.org/view/implementations Ideas for more ports]
*2011 - Swiss Cyber Storm [https://www.swisscyberstorm.com/speakers/pavlosoglou.html Protecting Web Applications through Port Knocking]
*2009 - WebGoat Off-By-One Lesson [http://webgoat.googlecode.com/svn-history/r436/trunk/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java WebGoat Off-By-One Lesson Remains to be Published]

'''OWASP Life in Bullets:'''

*2010 - Bletchley Park ISSA UK [http://www.issa-uk.org/newsletters/ISSANewsletterApril2010.pdf Hacking for Queen and Country]
*2010 - OWASP GitHub [http://www.owasp.org/index.php/Category:OWASP_GitHub http://www.owasp.org/index.php/Category:OWASP_GitHub]
*2010 - OWASP London [http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010 http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010]
**Penetration Testing with Selenium
*2009 - OWASP Global Industry Committee [http://www.owasp.org/index.php/Global_Industry_Committee http://www.owasp.org/index.php/Global_Industry_Committee]
*2008 - OWASP NYC Conference [http://video.google.com/videoplay?docid=-1551704659206071145# http://video.google.com/videoplay?docid=-1551704659206071145#]
**JBroFuzz - Building a Java Fuzzer
*2008 - Deepsec Vienna [http://2008.deepsec.net/ http://2008.deepsec.net/]
**Hybrid Code Auditing: A Dataflow Source Code Review Methodology
*2007 - OWASP New York/New Jersey [http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt]
**Financial Real-Time Threats: Impacting Trading Floor Operations
*2006 - JBroFuzz Project Leader [http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz]
** JBroFuzz Mailing List

'''Project Involvement'''

*DirBuster - [http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project]
*JBroFuzz - [http://www.owasp.org/index.php/JBroFuzz http://www.owasp.org/index.php/JBroFuzz]

'''Contact'''

Yiannis Pavlosoglou yiannis@owasp.org

User:Yiannis

2011-10-03T23:56:25Z

Yiannis:

There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is focusing on research relating to coding standards, practices and ways of exploiting development code. This focus entails the breaking and making of client-side standalone, as well as server-side web applications.

'''Application Security'''

*2011 - Web-Spa [http://code.google.com/p/web-spa/ Single Request Authorisation Web Knocking]
*2011 - Port Knocking Web Implementations [http://www.portknocking.org/view/implementations Ideas for more ports]
*2011 - Swiss Cyber Storm [https://www.swisscyberstorm.com/speakers/pavlosoglou.html Protecting Web Applications through Port Knocking]
*2009 - WebGoat Off-By-One Lesson [http://webgoat.googlecode.com/svn-history/r436/trunk/webgoat/src/main/java/org/owasp/webgoat/lessons/OffByOne.java WebGoat Off-By-One Lesson Remains to be Published]

'''OWASP Life in Bullets:'''

*2010 - Bletchley Park ISSA UK [http://www.issa-uk.org/newsletters/ISSANewsletterApril2010.pdf Hacking for Queen and Country]
*2010 - OWASP GitHub [http://www.owasp.org/index.php/Category:OWASP_GitHub http://www.owasp.org/index.php/Category:OWASP_GitHub]
*2010 - OWASP London [http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010 http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010]
**Penetration Testing with Selenium
*2009 - OWASP Global Industry Committee [http://www.owasp.org/index.php/Global_Industry_Committee http://www.owasp.org/index.php/Global_Industry_Committee]
*2008 - OWASP NYC Conference [http://video.google.com/videoplay?docid=-1551704659206071145# http://video.google.com/videoplay?docid=-1551704659206071145#]
**JBroFuzz - Building a Java Fuzzer
*2008 - Deepsec Vienna [http://2008.deepsec.net/ http://2008.deepsec.net/]
**Hybrid Code Auditing: A Dataflow Source Code Review Methodology
*2007 - OWASP New York/New Jersey [http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt]
**Financial Real-Time Threats: Impacting Trading Floor Operations
*2006 - JBroFuzz Project Leader [http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz]
** JBroFuzz Mailing List

'''Project Involvement'''

*DirBuster - [http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project]
*JBroFuzz - [http://www.owasp.org/index.php/JBroFuzz http://www.owasp.org/index.php/JBroFuzz]

'''Contact'''

Yiannis Pavlosoglou yiannis@owasp.org

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.1.0/Assessment

2010-12-22T16:12:40Z

Yiannis: /* Stable Release Review of the OWASP Zed Attack Proxy Project - Release ZAP 1.1.0 */

[[:OWASP Zed Attack Proxy Project|Click here to return to project's main page]] 

== Stable Release Review of the OWASP Zed Attack Proxy Project - Release ZAP 1.1.0 ==

==== Project Leader for this Release ====
'''''[[User:Psiinon|Psiinon]]'s Pre-Assessment Checklist:'''''

{{ Pre-Assessment Questions - Tools
| 1. Is this release associated with a project containing at least the [[Assessing_Project_Health#Project_Wiki_Page_Minimal_Content|Project Wiki Page Minimum Content]] information?
= I believe so

| 2. Is your tool licensed under an open source license?
= Yes - Apache License 2.0, referenced on both http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project and http://code.google.com/p/zaproxy/

| 3. Is the source code and any documentation available in an online project repository?
= Yes - http://code.google.com/p/zaproxy/source/checkout

| 4. Is there working code?
= Yes - http://code.google.com/p/zaproxy/source/checkout

| 5. Is there a roadmap for this project release which will take it from Alpha to Stable release?
= Yes - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Roadmap

| 6. Are the Alpha pre-assessment items complete?
= I believe so

| 7. Is there an installer or stand-alone executable?
= Yes, for Windows, Linux and Mac OS (being generated now) - http://code.google.com/p/zaproxy/downloads/list

| 8. Is there user documentation on the OWASP project wiki page?
= There is some documentation on the project page http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, but this also references the Google Code page which includes the full user guide: http://code.google.com/p/zaproxy/wiki/HelpIntro, the latter is generated from the java help pages - migrating it to the OWASP wiki could prove tricky

| 9. Is there an "About box" or similar help item which lists the following?
= Yes - there is an about box which include things like the license and OWASP project page link. The credits are in the help file and online here: http://code.google.com/p/zaproxy/wiki/HelpCredits

| 10. Is there documentation on how to build the tool from source including obtaining the source from the code repository?
= Yes - http://code.google.com/p/zaproxy/wiki/Building

| 11. Is the tool documentation stored in the same repository as the source code?
= Yes - http://code.google.com/p/zaproxy/source/browse/#svn/wiki

| 12. Are the Alpha and Beta pre-assessment items complete?
= I believe so

| 13. Does the tool include documentation built into the tool?
= Yes - a full help file is included which is also available online: http://code.google.com/p/zaproxy/wiki/HelpIntro

| 14. Does the tool include build scripts to automate builds?
= Yes - http://code.google.com/p/zaproxy/source/browse/trunk/build/build.xml

| 15. Is there a publicly accessible bug tracking system?
= Yes - http://code.google.com/p/zaproxy/issues/list

| 16. Have any existing limitations of the tool been documented?
= Yes - all known limitations raised as bugs

}}

==== First Reviewer ====
'''''[[User:Yiannis|Yiannis]]'s Review:''''' 
Ideally, reviewers should be an existing OWASP project leader or chapter leader.

{{ Assessment Questions - Tools

| 1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
=Yes. A stand-alone executable exists; it installs the files correctly with the corresponding shortcuts in place.

| 2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?

Yes. Pressing F1 triggers the OWASP ZAP User Guide window to appear. The documentation is also at:
=http://code.google.com/p/zaproxy/wiki/HelpReleases1_1_0

|3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
=Yes.

| 4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
=Yes. It took less than 2 minutes to build after import into eclipse.

| 5. Is the tool's documentation available with the source code and would it readily discoverable by a new user of the tool?
=Yes. Standard JavaDoc format is also present.

| 6. Is there anything missing that is critical enough to keep the release at a alpha quality?
=No. This is definately a project that should be in beta, if not release!

| 7. Does the tool substantially address the application security issues it was created to solve?
=There is room for improvement around key functionality that will make the tool unique in terms of the features that it offers. This is on the roadmap for it's next release.

| 8. Is the tool reasonably easy to use?
=Yes. Carrying a port of paros also helps in this matter.

| 9. Does the documentation meet the needs of the tool users and is easily found?
=Yes.

| 10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
=Yes. A few warning do come back from javac, but they are minor.

| 11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
=Yes. There is 40 or some defects on the list, addressed at a priority, etc.

| 12. Have you noted any limitations of the tool that are not already documented by the project lead.
=A few in terms of memory requirements around proxying and spidering. This is more on the side of "know what you are doing" then "the tool brakes".

| 13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
=Yes. I want to see more functionality though!

| 14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
=Nothing; this can move to beta.

}}

==== Second Reviewer ====
'''''[[User:Name|TBD]]'s Review:''''' 
It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Quality releases. The board has the initial option to review the project, followed by the Global Projects Committee.

{{ Assessment Questions - Tools

| 1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
=

| 2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?
=

|3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
=

| 4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
=

| 5. Is the tool's documentation available with the source code and would it readily discoverable by a new user of the tool?
=

| 6. Is there anything missing that is critical enough to keep the release at a alpha quality?
=

| 7. Does the tool substantially address the application security issues it was created to solve?
=

| 8. Is the tool reasonably easy to use?
=

| 9. Does the documentation meet the needs of the tool users and is easily found?
=

| 10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
=

| 11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
=

| 12. Have you noted any limitations of the tool that are not already documented by the project lead.
=

| 13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
=

| 14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
=

}}

__NOTOC__
<headertabs/>

Projects/OWASP Zed Attack Proxy Project/Releases/ZAP 1.1.0/Assessment

2010-12-19T23:21:15Z

Yiannis: /* Stable Release Review of the OWASP Zed Attack Proxy Project - Release ZAP 1.1.0 */

[[:OWASP Zed Attack Proxy Project|Click here to return to project's main page]] 

== Stable Release Review of the OWASP Zed Attack Proxy Project - Release ZAP 1.1.0 ==

==== Project Leader for this Release ====
'''''[[User:Psiinon|Psiinon]]'s Pre-Assessment Checklist:'''''

{{ Pre-Assessment Questions - Tools
| 1. Is this release associated with a project containing at least the [[Assessing_Project_Health#Project_Wiki_Page_Minimal_Content|Project Wiki Page Minimum Content]] information?
= I believe so

| 2. Is your tool licensed under an open source license?
= Yes - Apache License 2.0, referenced on both http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project and http://code.google.com/p/zaproxy/

| 3. Is the source code and any documentation available in an online project repository?
= Yes - http://code.google.com/p/zaproxy/source/checkout

| 4. Is there working code?
= Yes - http://code.google.com/p/zaproxy/source/checkout

| 5. Is there a roadmap for this project release which will take it from Alpha to Stable release?
= Yes - http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Roadmap

| 6. Are the Alpha pre-assessment items complete?
= I believe so

| 7. Is there an installer or stand-alone executable?
= Yes, for Windows, Linux and Mac OS (being generated now) - http://code.google.com/p/zaproxy/downloads/list

| 8. Is there user documentation on the OWASP project wiki page?
= There is some documentation on the project page http://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project, but this also references the Google Code page which includes the full user guide: http://code.google.com/p/zaproxy/wiki/HelpIntro, the latter is generated from the java help pages - migrating it to the OWASP wiki could prove tricky

| 9. Is there an "About box" or similar help item which lists the following?
= Yes - there is an about box which include things like the license and OWASP project page link. The credits are in the help file and online here: http://code.google.com/p/zaproxy/wiki/HelpCredits

| 10. Is there documentation on how to build the tool from source including obtaining the source from the code repository?
= Yes - http://code.google.com/p/zaproxy/wiki/Building

| 11. Is the tool documentation stored in the same repository as the source code?
= Yes - http://code.google.com/p/zaproxy/source/browse/#svn/wiki

| 12. Are the Alpha and Beta pre-assessment items complete?
= I believe so

| 13. Does the tool include documentation built into the tool?
= Yes - a full help file is included which is also available online: http://code.google.com/p/zaproxy/wiki/HelpIntro

| 14. Does the tool include build scripts to automate builds?
= Yes - http://code.google.com/p/zaproxy/source/browse/trunk/build/build.xml

| 15. Is there a publicly accessible bug tracking system?
= Yes - http://code.google.com/p/zaproxy/issues/list

| 16. Have any existing limitations of the tool been documented?
= Yes - all known limitations raised as bugs

}}

==== First Reviewer ====
'''''[[User:Yiannis|Yiannis]]'s Review:''''' 
Ideally, reviewers should be an existing OWASP project leader or chapter leader.

{{ Assessment Questions - Tools

| 1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?

Yes. A stand-alone executable exists; it installs the files correctly with the corresponding shortcuts in place.

=

| 2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?

Yes. Pressing F1 triggers the OWASP ZAP User Guide window to appear. The documentation is also at:
http://code.google.com/p/zaproxy/wiki/HelpReleases1_1_0

=

|3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?

Yes.

=

| 4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?

Yes. It took less than 2 minutes to build after import into eclipse.

=

| 5. Is the tool's documentation available with the source code and would it readily discoverable by a new user of the tool?

Yes. Standard JavaDoc format is also present.

=

| 6. Is there anything missing that is critical enough to keep the release at a alpha quality?

No. This is definately a project that should be in beta, if not release!

=

| 7. Does the tool substantially address the application security issues it was created to solve?

There is room for improvement around key functionality that will make the tool unique in terms of the features that it offers. This is on the roadmap for it's next release.

=

| 8. Is the tool reasonably easy to use?

Yes. Carrying a port of paros also helps in this matter.

=

| 9. Does the documentation meet the needs of the tool users and is easily found?

Yes.

=

| 10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.

Yes. A few warning do come back from javac, but they are minor.

=

| 11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)

Yes. There is 40 or some defects on the list, addressed at a priority, etc.

=

| 12. Have you noted any limitations of the tool that are not already documented by the project lead.

A few in terms of memory requirements around proxying and spidering. This is more on the side of "know what you are doing" then "the tool brakes".

=

| 13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?

Yes. I want to see more functionality though!

=

| 14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?

Nothing; this can move to beta.

=

}}

==== Second Reviewer ====
'''''[[User:Name|TBD]]'s Review:''''' 
It is recommended that an OWASP board member or Global Projects Committee member be the second reviewer on Quality releases. The board has the initial option to review the project, followed by the Global Projects Committee.

{{ Assessment Questions - Tools

| 1. Is an installer for the tool available and easy to use? How close does it reach the goal of a fully automated installer?
=

| 2. Is the end user documentation complete, relevant and presented on the OWASP wiki page?
=

|3. Does the tool have an “About box” or similar help item which allows the end user to get an overview of the state of this tool? Is this information readily available and easy to find?
=

| 4. Does the documentation on building the source provide the necessary information and detail to allow someone to build the tool? Is there sufficient detail and information for the target user? Is there any domain specific knowledge that is assumed and not provided?
=

| 5. Is the tool's documentation available with the source code and would it readily discoverable by a new user of the tool?
=

| 6. Is there anything missing that is critical enough to keep the release at a alpha quality?
=

| 7. Does the tool substantially address the application security issues it was created to solve?
=

| 8. Is the tool reasonably easy to use?
=

| 9. Does the documentation meet the needs of the tool users and is easily found?
=

| 10. Do the build scripts work as expected? Can you build the tool? The goal is a “One-click” build.
=

| 11. Is the bug tracking system usable? Is it hosted at the same place as the source code? (e.g. Google Code, Sourceforge)
=

| 12. Have you noted any limitations of the tool that are not already documented by the project lead.
=

| 13. Would you consider using this tool in your day to day work assuming your professional work includes a reason to use this tool? Why or why not?
=

| 14. What, if anything, is missing which would make this a more useful tool? Is what is missing critical enough to keep the release at a beta quality?
=

}}

__NOTOC__
<headertabs/>

Global Industry Committee

2010-12-17T00:50:11Z

Yiannis: /* Work in Progress */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

 Board Member Representative:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Matt Tesauro
| matt.tesauro 'at' owasp dot org
| USA
|}

The committee chair (from Nov 2010) is Yiannis Pavlosoglou. Previous chairs:

*Colin Watson (Nov 2009 to Oct 2010)

= Monthly Report Format =

See below...

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

*TBC
**Dial in number: +1 866 534 4754
**Call code 192341

Minutes of previous meetings are:

*[[Industry:Minutes 2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
*[[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]
* 16 Dec 2010

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| New IETF Web Security working group / W3C Web Application Security Working Group
| Ongoing
| All Members
| New
| Invite and coordinate OWASP contributions on this IETF/W3C Group
| CW/YP
|-
|-
| [http://www.owasp.org/index.php/OWASP_Mobile_Security_Project Kickoff OWASP Mobile Security Project]
| 2011 Summit
| Projects
| New
| Provide GIC oversight to Mobile Security Project
| DC
|-
|-
| [http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP FedRAMP]
| 17 Jan 2011
| Standards
| In progress
| Provide response to FedRAMP certification and accreditation process
| RB
|-
| [http://trac.tools.ietf.org/area/sec/trac/wiki/SecurityDirectorate IETF Security Directorate]
| -
| Outreach
| In progress
| Make contact with, and discuss common goals with IETF
| YP/CW
|-
| [http://hacking-lab.com/ Hacking Lab]
| 14 Dec 2011
| Outreach
| In progress
| Matt Tesauro has been working with Hacking Lab previously and brought it to the GIC
| MAT/YP
|-
| Leeds Chapter Leader Presentation
| 13 Dec 2011
| Outreach
| In progress
| LA is gathering OWASP overview and project information for OWASP Leeds presentation needs.
| LA
|-
| "Configure SSL" Campaign
| 1 Feb 2011
| Paper write-up
| In progress
| Alexis FitzGerald's idea
| AFG/CW
|-
| [Testimonials]
| -
| Outreach
| In progress
| Obtain further testimonials for wiki page
| CW/SD
|-
| Reconnecting with past Industy Committee connections
| 1 Feb 2011
| Follow up
| In progress
| YP and LA to follow up with Industry Committee past contacts.
| YP/LA
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|}

=== Completed Items ===

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| CRESTCON
| 14 Dec 2011
| Outreach
| Closed
| YP is attending CRESTCON in Royal Holloway, Surrey, UK
| YP
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Outreach
| Closed
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [http://www.techexecnetworks.com/event_2010.12.01.asp T.E.N./Fortify Software Security Assurance Summit]
| 1 Dec 2010
| Outreach
| Closed
| Discuss quick wins and high impact software assurance activities using the OWASP SAMM model as reference and cite other OWASP projects as resources.
| AF
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 30 Nov 2010
| Standards
| Closed
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|
|-
| [[Industry:e-Consumer Protection Consultation|e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

Global Industry Committee

2010-12-17T00:47:15Z

Yiannis: /* Meetings */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

 Board Member Representative:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Matt Tesauro
| matt.tesauro 'at' owasp dot org
| USA
|}

The committee chair (from Nov 2010) is Yiannis Pavlosoglou. Previous chairs:

*Colin Watson (Nov 2009 to Oct 2010)

= Monthly Report Format =

See below...

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

*TBC
**Dial in number: +1 866 534 4754
**Call code 192341

Minutes of previous meetings are:

*[[Industry:Minutes 2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
*[[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]
* 16 Dec 2010

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| [http://www.owasp.org/index.php/OWASP_Mobile_Security_Project Kickoff OWASP Mobile Security Project]
| 2011 Summit
| Projects
| New
| Provide GIC oversight to Mobile Security Project
| DC
|-
|-
| [http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-FedRAMP FedRAMP]
| 17 Jan 2011
| Standards
| In progress
| Provide response to FedRAMP certification and accreditation process
| RB
|-
| [http://trac.tools.ietf.org/area/sec/trac/wiki/SecurityDirectorate IETF Security Directorate]
| -
| Outreach
| In progress
| Make contact with, and discuss common goals with IETF
| YP/CW
|-
| [http://hacking-lab.com/ Hacking Lab]
| 14 Dec 2011
| Outreach
| In progress
| Matt Tesauro has been working with Hacking Lab previously and brought it to the GIC
| MAT/YP
|-
| Leeds Chapter Leader Presentation
| 13 Dec 2011
| Outreach
| In progress
| LA is gathering OWASP overview and project information for OWASP Leeds presentation needs.
| LA
|-
| "Configure SSL" Campaign
| 1 Feb 2011
| Paper write-up
| In progress
| Alexis FitzGerald's idea
| AFG/CW
|-
| [Testimonials]
| -
| Outreach
| In progress
| Obtain further testimonials for wiki page
| CW/SD
|-
| Reconnecting with past Industy Committee connections
| 1 Feb 2011
| Follow up
| In progress
| YP and LA to follow up with Industry Committee past contacts.
| YP/LA
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|}

=== Completed Items ===

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| CRESTCON
| 14 Dec 2011
| Outreach
| Closed
| YP is attending CRESTCON in Royal Holloway, Surrey, UK
| YP
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Outreach
| Closed
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [http://www.techexecnetworks.com/event_2010.12.01.asp T.E.N./Fortify Software Security Assurance Summit]
| 1 Dec 2010
| Outreach
| Closed
| Discuss quick wins and high impact software assurance activities using the OWASP SAMM model as reference and cite other OWASP projects as resources.
| AF
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 30 Nov 2010
| Standards
| Closed
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|
|-
| [[Industry:e-Consumer Protection Consultation|e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

Global Industry Committee

2010-12-14T00:07:16Z

Yiannis: /* Work in Progress */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

 Board Member Representative:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Matt Tesauro
| matt.tesauro 'at' owasp dot org
| USA
|}

The committee chair (from Nov 2010) is Yiannis Pavlosoglou. Previous chairs:

*Colin Watson (Nov 2009 to Oct 2010)

= Monthly Report Format =

See below...

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

*TBC
**Dial in number: +1 866 534 4754
**Call code 192341

Minutes of previous meetings are:

*[[Industry:Minutes 2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
*[[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| CRESTCON
| 14 Dec 2011
| Reachout
| In progress
| YP is attending CRESTCON in Royal Holloway, Surrey, UK
| YP
|-
| Configure SSL" Campaign
| 1 Feb 2011
| Paper write-up
| In progress
| Colin Watson with Alexis FitzGerald are drafting this
| CW/AF
|-
| Reconnecting with past Industy Committee connections
| 1 Feb 2011
| Follow up
| In progress
| YP and LA to follow up with Industry Committee past contacts.
| YP/LA
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Outreach
| In progress
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|}

=== Completed Items ===

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| [http://www.techexecnetworks.com/event_2010.12.01.asp T.E.N./Fortify Software Security Assurance Summit]
| 1 Dec 2010
| Outreach
| Closed
| Discuss quick wins and high impact software assurance activities using the OWASP SAMM model as reference and cite other OWASP projects as resources.
| AF
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 30 Nov 2010
| Standards
| Closed
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|
|-
| [[Industry:e-Consumer Protection Consultation|e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

Global Industry Committee

2010-12-13T23:52:54Z

Yiannis: /* Committee Members */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

 Board Member Representative:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Matt Tesauro
| matt.tesauro 'at' owasp dot org
| USA
|}

The committee chair (from Nov 2010) is Yiannis Pavlosoglou. Previous chairs:

*Colin Watson (Nov 2009 to Oct 2010)

= Monthly Report Format =

See below...

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

*TBC
**Dial in number: +1 866 534 4754
**Call code 192341

Minutes of previous meetings are:

*[[Industry:Minutes 2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
*[[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| Reconnecting with past Industy Committee connections
| 1 Feb 2011
| Follow up
| In progress
| YP and LA to follow up with Industry Committee past contacts.
| YP/LA
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Outreach
| In progress
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|}

=== Completed Items ===

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| [http://www.techexecnetworks.com/event_2010.12.01.asp T.E.N./Fortify Software Security Assurance Summit]
| 1 Dec 2010
| Outreach
| Closed
| Discuss quick wins and high impact software assurance activities using the OWASP SAMM model as reference and cite other OWASP projects as resources.
| AF
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 30 Nov 2010
| Standards
| Closed
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|
|-
| [[Industry:e-Consumer Protection Consultation|e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

Global Industry Committee

2010-12-13T23:44:24Z

Yiannis: /* Monthly Report Format */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable FCK__ShowTableBorders"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Eoin Keary
| eoin.keary 'at' owasp dot org
| Ireland
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

The committee chair (from Nov 2010) is Yiannis Pavlosoglou. Previous chairs:

*Colin Watson (Nov 2009 to Oct 2010)

= Monthly Report Format =

See below...

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

*TBC
**Dial in number: +1 866 534 4754
**Call code 192341

Minutes of previous meetings are:

*[[Industry:Minutes 2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
*[[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| Reconnecting with past Industy Committee connections
| 1 Feb 2011
| Follow up
| In progress
| YP and LA to follow up with Industry Committee past contacts.
| YP/LA
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Outreach
| In progress
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|}

=== Completed Items ===

{| class="prettytable FCK__ShowTableBorders"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| [http://www.techexecnetworks.com/event_2010.12.01.asp T.E.N./Fortify Software Security Assurance Summit]
| 1 Dec 2010
| Outreach
| Closed
| Discuss quick wins and high impact software assurance activities using the OWASP SAMM model as reference and cite other OWASP projects as resources.
| AF
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 30 Nov 2010
| Standards
| Closed
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|
|-
| [[Industry:e-Consumer Protection Consultation|e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

Global Industry Committee

2010-10-26T11:35:53Z

Yiannis:

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Eoin Keary
| eoin.keary 'at' owasp dot org
| Ireland
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

The committee chair is Colin Watson. From 1st November 2010, Yiannis Pavlosoglou will take over this role.

== Monthly Report ==

Date of last update: 29 September 2010
Updated by: CW

Accomplishments for this Month
* Finish writing article for BCS
* Continued work on Common Assurance Maturity Model in conjunction with OWASP Cloud 10 project (with ENISA, CSA, etc)
* Yiannis Pavlosoglou was elected unopposed as GIC chair from 1 Nov 2010
Planned for Next Month
* Review whether OWASP should respond to W3C Document Object Model (DOM) Level 3 Events Specification
* Follow up outreach to SPVA, USNA and USMMA
* Response to UK Office of Fair Trading consultation
Issues/Risks/Challenges
* Difficulty getting enough engagement with good contacts in all priority sectors
Financial costs to OWASP for calender year ending 31 Dec 2010 (2009)
* Budget: nil (nil)
* Actual: nil (nil)
* OWASP staff time: negligible (negligible)

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

* TBC
** Dial in number: +1 866 534 4754
** Call code 192341

Minutes of previous meetings are:

* [[Industry:Minutes_2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
* [[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Outreach
| In progress
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 24 Jan 2011
| Standards
| In progress
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2010 Appsec DC 2010]
| 8-11 Nov 2010
| Outreach
| In Progress
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|-
|}

=== Completed Items ===

{| class="prettytable"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| [[Industry:e-Consumer Protection Consultation |e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

Global Industry Committee

2010-10-26T11:35:00Z

Yiannis: /* Work in Progress */

'''The Global Industry Committee was created during the OWASP EU Summit in Portugal. The primary purpose of the Global Industry Committee is to work with industry executives to gather requirements from industry, work with Membership, Projects and others.'''

== Mission Statement ==

''To expand awareness of and promote the inclusion of software security best practices in Industry, Government, Academia and regulatory agencies and be a voice for industry. We will accomplish this through outreach; including presentations, development of position papers and collaborative efforts with other entities.'' [https://www.owasp.org/index.php/Global_Industry_Committee#General_Presentations_and_Reports Powerpoint of Accomplishments]

 

== Committee Plan ==

Step 1: [[Industry:Organizations for Outreach|Identify specific organizations]] worth working with to spread the OWASP gospel

Step 2: Prioritize the proposed liasons based on potential impact, and also realistic likelihood of the organization actively working with us

Step 3: Execute, leveraging global OWASP resources as much as possible to maximize impact

Step 4: Evaluate progress & repeat Step 1-3

== Committee Members ==

 Committee Members:

{| class="prettytable"
|-
! Name
! Email
! Location
|-
| Lorna Alamri
| lorna.alamri 'at' owasp dot org
| US
|-
| Joe Bernik
| bernik 'at' gmail dot com
| US
|-
| Rex Booth
| rex.booth 'at' gt dot com
| US
|-
| David Campbell
| dcampbell 'at' owasp dot org
| US
|-
| Alexander Fry
| alexander.fry 'at' owasp dot org
| US
|-
| Georg Hess
| georg.hess 'at' artofdefence dot com
| Germany
|-
| Eoin Keary
| eoin.keary 'at' owasp dot org
| Ireland
|-
| Yiannis Pavlosoglou
| yiannis 'at' owasp dot org
| UK
|-
| Colin Watson
| colin.watson 'at' owasp dot org
| UK
|}

The committee chair is Colin Watson. From 1st November 2010, Yiannis Pavlosoglou will take over this role.

== Monthly Report ==

Date of last update: 29 September 2010
Updated by: CW

Accomplishments for this Month
* Finish writing article for BCS
* Continued work on Common Assurance Maturity Model in conjunction with OWASP Cloud 10 project (with ENISA, CSA, etc)
* Yiannis Pavlosoglou was elected unopposed as GIC chair from 1 Nov 2010
Planned for Next Month
* Review whether OWASP should respond to W3C Document Object Model (DOM) Level 3 Events Specification
* Follow up outreach to SPVA, USNA and USMMA
* Response to UK Office of Fair Trading consultation
Issues/Risks/Challenges
* Difficulty getting enough engagement with good contacts in all priority sectors
Financial costs to OWASP for calender year ending 31 Dec 2010 (2009)
* Budget: nil (nil)
* Actual: nil (nil)
* OWASP staff time: negligible (negligible)

== Getting Involved ==

=== Mailing List ===

[http://lists.owasp.org/mailman/listinfo/global_industry_committee Join our mailing list]

=== Meetings ===

The next Global Industry Committee meeting will be:

* TBC
** Dial in number: +1 866 534 4754
** Call code 192341

Minutes of previous meetings are:

* [[Industry:Minutes_2010-08-17|17 Aug 2010]] (also [http://www.owasp.org/images/0/0d/Gic_call_17aug2010.mp3 MP3 recording of the call])
* [[Industry:Minutes 2010-05-18|18 May 2010]]
*[[Industry:Minutes 2010-01-05|05 Jan 2010]] (also [http://www.owasp.org/images/a/a3/Owasp_gic_call_5jan10.mp3 MP3 recording of the call])
*[[Industry:Minutes 2009-01-23|23 Jan 2009]]

=== Membership ===

[[Membership]] explains how to become an OWASP organization supporter or individual member. But you don't have to be an OWASP Member or Committee Member to contribute.

The current committee members joined for a 12 month term - see [[How to Join a Committee]] and [[Global Committee Pages]]. We would especially welcome new members who can widen our geographic coverage (e.g. Africa, Asia and South America) and who have time to contribute proactively.

=== Other ongoing initiatives ===

*[http://www.owasp.org/index.php/Global_Industry_Committee-SIG Special Interest Groups] - Outreach to sector-specific critical infrastructures worldwide.
*[http://www.owasp.org/index.php/Category:India OWASP India Advisory Board] - Regional panel contributing to the software outsourcing industry.
*[http://www.owasp.org/index.php/Industry:Citations OWASP Citations] - References to OWASP in official, or otherwise important, documents.

== Current Activity ==

=== Work in Progress ===

The current activities being undertaken:

{| class="prettytable"
|-
! Task
! Deadline
! Type
! Status
! Description
! Who
|-
| (ISC)^2 Application Security Advisory Board (ASAB)
| 19 Nov 2010
| Standards
| In progress
| YP is now a member of the (ISC)^2 ASAB, with the first meeting to be held in FL on the above stated date.
| YP
|-
| [[Industry:DOJ Nondiscrimination on the Basis of Disability|DOJ Nondiscimination on the Basis of Disability]]
| 24 Jan 2011
| Standards
| In progress
| Provide response to US DOJ's "Accessibility of Web Information and Services of State and Local Government Entities and Public Accommodations"
| AF/LA
|-
| [[Industry:ICO Data Sharing CoP|Data Sharing CoP]]
| 5 Jan 2011
| Standards
| In progress
| Provide response to UK ICO's "Data Sharing Code of Practice Consultation"
| CW
|-
| [http://www.londoncentral.bcs.org BCS London Central]
| 17 Feb 2011
| Outreach
| New
| Present a talk about OWASP.
| CW
|-
| [http://www.bcs.org BCS]
| 3 Sep 2010
| Outreach
| In Progress
| Write article for BCS ITnow magazine about application security and OWASP Top Ten.
| YP
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2010 Appsec DC 2010]
| 8-11 Nov 2010
| Outreach
| In Progress
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.usmma.edu/ USMMA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USMMA computer club or security teams.
| AF
|-
| [http://www.usna.edu/ USNA]
| 1 Jan 2011
| Outreach
| New
| Make contact. Present a talk about OWASP to the USNA computer science faculty and students or interest group.
| AF
|-
| [http://www.auscert.org.au/ AusCERT]
| -
| Outreach
| In Progress
| Make contact and discuss opportunities for OWASP to contribute to their work
| YP
|-
| OWASP Financial Services SIG
| -
| Outreach
| In Progress
| Working with Fabio Cerullo, Eoin Keary, Jim Routh, Jerry Kickenson and others on forming a SIG. Arranging a financial panel for AppSec in Washington, DC in November
| JB/EK
|-
| [http://www.spva.org Secure POS Vendor Alliance (SPVA)]
| -
| Outreach
| In Progress
| Begin dialogue about possibility of working together. Have had trouble getting through to them but have a good lead now. Updates soon :)
| DC
|-
|}

=== Completed Items ===

{| class="prettytable"
|-
! Task
! Completed
! Type
! Status
! Description
! Who
|-
| [[Industry:e-Consumer Protection Consultation |e-Consumer Protection Consultation]]
| 13 Oct 2010
| Standards
| Closed
| Review and provide official OWASP response to [http://www.oft.gov.uk/ UK Office of Fair Trading] [http://www.oft.gov.uk/OFTwork/consultations/current/eprotection/ e-Consumer Protection Consultation].
| YP
|-
| [[Industry:ENISA Cloud Computing Common Assurance Metrics|ENISA Common Assurance Maturity Model]]
| 8 Oct 2010
| Standards
| Closed
| Work with [[:Category:OWASP Cloud ‐ 10 Project]] to contribute to the development of Common Assurance Maturity Model for [http://www.enisa.europa.eu/ ENISA]/Cloud Security Alliance/etc joint initiative.
| CW
|-
| [http://www.w3.org/TR/2010/WD-mwabp-20100713/ Mobile Web Application Best Practices Working Draft]
| 6 Aug 2010
| Standards
| Closed
| Review and provide official OWASP response to W3C's [http://www.w3.org/2005/MWI/BPWG/ Mobile Web Best Practices Working Group].
| DC
|-
| [http://www.oft.gov.uk/ UK Office of Fair Trading]
| 23 Jul 2010
| Standards
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.businesslink.gov.uk BusinessLink]
| 1 Jul 2010
| Outreach
| Closed
| Offer to contribute to development of IT security information about [http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1075421745 application security] on the BusinessLink website for UK SMEs. Outcome - no help required at present, but BusinessLink system to be disbanded.
| CW
|-
| Veracode
| 28 Jun 2010
| Outreach
| Closed
| Discuss use of Open SAMM to classify Secure SDL maturity in Veracode's code analysis summary reports. Outcome - positive response received.
| CW
|-
| [http://www.owasp.org/index.php/Leeds_UK OWASP Leeds/North]
| 16 Jun 2010
| Outreach
| Closed
| Presentations at chapter meeting in Newcastle-upon-Tyne about ENISA CAMM and OWASP Appsensor
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2010 Front Range OWASP Conference (FROC) 2010]
| 2 Jun 2010
| Outreach
| Closed
| Conference organisation [http://tinyurl.com/froctalks Vids & presentations online]
| DC
|-
| [http://www.isaca-denver.org/meetings/MAY_2010_CHPT_MTG.shtml OWASP Presentation at ISACA Denver Annual Meeting]
| 27 May 2010
| Outreach
| Closed
| Presentation [https://docs.google.com/fileview?id=0B_-vbfka88vFNjIwY2IwYjItZmYyNi00MmNiLWFhOWItYmQ4OGZmZjVmZWUx&hl=en Presentation online]
| DC
|-
| [http://www.issa-uk.org/ ISSA-UK]
| 13 May 2010
| Outreach
| Closed
| Presentation
| YP
|-
| [[Industry:Personal Information Online Code of Practice|Personal Information Online COP]]
| 5 Mar 2010
| Legislation
| Closed
| Provide response to UK Information Commissioner's Office draft "Personal Information Online Code of Practice"
| YP
|-
| [http://www.enisa.europa.eu/ ENISA] Mobile Apps
| Mar 2010
| Outreach
| Closed
| Identify and introduce OWASP contact for ENISA's Mobile Apps Project, in conjunction with Dinis Cruz.
| CW
|-
| [[Industry:Technology Strategy Board Secure Software Development Initiative|Technology Strategy Board Secure Software Development Partnership]]
| 18 Feb 2010
| Outreach
| Closed
| Liaise with the UK [http://www.innovateuk.org/ Technology Strategy Board] about the Secure Software Development Partnership (SSDP) in conjunction with the [http://www.owasp.org/index.php/London London chapter] leader Justin Clarke
| CW
|-
| US [http://www.issa-nova.org Information Systems Security Association Northern Virginia Chapter (ISSA-NOVA)]
| 21 Jan 2010
| Outreach
| Closed
| Provide presentation covering CSSLP, fundamentals of AppSec and Intro to OWASP and Global Industry Committee
| AF
|-
| [http://www.enisa.europa.eu/ ENISA]
| Jan 2010
| Outreach
| Closed
| Discuss opportunities for OWASP to work with ENISA, in conjunction with Dinis Cruz.
| CW
|-
| [[:Industry:Draft NIST SP 800-37 Revision 1|NIST SP 800-37 Revision 1 FPD]] Review Project
| 30 Dec 2009
| Standards
| Closed
| Provide response to "NIST SP 800-37 Revision 1 Final Public Draft, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach"
| RB
|-
| [http://www.crest-approved.org/ CREST] CRESTCon
| 15 Dec 2009
| Outreach
| Closed
| Already an oversubscribed event, YP & CW have been placed on the reserve list. Update: Positions secured for the 15th.
| YP
|-
| [http://msdn.microsoft.com/en-us/security/cc448177.aspx SDL Pro Network]
| 30 Nov 2009
| Outreach
| Closed
| Contact SDL Pro Network to discuss if there are opportunities for OWASP to become involved or connected in some way
| CW
|-
| [[Industry:Draft NIST IR 7628|Draft NIST IR 7628]]
| 25 Nov 2009
| Standards
| Closed
| Provide response to "NIST IR 7628 Draft Smart Grid Cyber Security Strategy and Requirements"
| CW
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_DC_2009 Appsec DC 2009]
| 10-13 Nov 2009
| Outreach
| Closed
| Conference organisation - special effort to engage with US Federal sector
| RB
|-
| [http://www.justice.gov.uk/ UK Ministry of Justice]
| -
| Legislation
| Closed
| Ask to be added to official consultation list
| CW
|-
| [http://www.it-sa.de/ IT-SA]
| 13-15 Oct 2009
| Outreach
| Closed
| OWASP booth at trade show
| GH
|-
| [http://www.owasp.org/index.php/OWASP_AppSec_Germany_2009_Conference OWASP AppSec Germany 2009]
| 13 Oct 2009
| Outreach
| Closed
| Conference organisation
| GH
|-
| US [http://www.loc.gov Library of Congress]
| 28 Sep 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| [http://www.owasp.org/index.php/OWASP_Ireland_AppSec_2009_Conference OWASP Ireland AppSec 2009]
| 10 Sep 2009
| Outreach
| Closed
| Conference organisation
| EK
|-
| OWASP Citations
| 7 Sep 2009
| Other
| Closed
| Identify and record the most important references to OWASP in official, or otherwise important, documents. Page created at: [[Industry:Citations]]
| CW
|-
| US [http://www.loc.gov Library of Congress]
| 26 Aug 2009
| Outreach
| Closed
| Presentation about OWASP
| RB
|-
| OWASP webcast at Brighttalk [http://www.brighttalk.com/summit/dataprivacy2 Data and Privacy in Web 2.0 Summit]
| 13 Aug 2009
| Outreach
| Closed
| Deliver [http://www.brighttalk.com/webcasts/4767/attend OWASP presentation on XSS, client side exploitation, and countermeasures].
| DC
|-
| [[Industry:SAFECode Secure Development Practices (update to Oct 2008 version)|SAFECode Secure Development Practices (update to Oct 2008 version)]]
| 31 Jul 2009
| Standards
| Closed
| Response to [http://www.safecode.org/ SAFECode] "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."
| CW
|-
| [http://www.owasp.org/index.php/Category:OWASP_CSA_Project OWASP CSA Project]
| 8 Jul 2009
| Standards
| Closed
| Response to RFC [http://www.cloudsecurityalliance.org/guidance/csaguide.pdf Cloud Security Alliance Guidance v1.0]
| TB
|-
| [[Scotland]]
| 25 Jun 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-scotland-industry-committee-june-2009.ppt]] and written notes [[Image:Owasp-scotland-industry-committee-june-2009-notes.pdf]])
| CW
|-
| OWASP Presentation at [http://cfp2009.org/ CFP Con 2009]
| 1 Jun 2009
| Outreach
| Closed
| Deliver presentation on web threats and countermeasures. See [http://www.cfp2009.org/wiki/index.php/Tutorials/Workshops CFP tutorial page] grep OWASP for more info.
| DC
|-
| ENISA [http://www.enisa.europa.eu/pages/02_03_news_2009_02_19_who_is_who.html Who-Is-Who Directory]
| -
| Outreach
| Closed
| Contact ENISA regarding OWASP inclusion in directory (in progress). Encourage European chapter leaders to contact their ENISA liaison officers (completed). Contact UK liaison officer on behalf of London, Leeds and Scotland chapters.
| CW
|-
| IIL [http://www.iilondon.co.uk/ Insurance Institute of London]
| 2 Jun 2009
| Outreach
| Closed
| Contact IIL regarding future input to their publication [http://www.iilondon.co.uk/XtraCart/store/comersus_viewItem.asp?idProduct=187 Insurance Aspects of E-Commerce]
| CW
|-
| [[Industry:Draft NIST SP 800-118|Draft NIST SP 800-118]]
| 29 May 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-118 Guide to Enterprise Password Management"
| CW/EK/RB/DC
|-
| German IT Industry Association
| 15 May 2009
| Outreach
| Closed
| Presentation on OWASP
| GH
|-
| [http://docs.google.com/Present?docid=ddkr62qv_171cd7gh5fb&skipauth=true Outreach Presentation to Frontier Airlines]
| 7 May 2009
| Outreach
| Closed
| Provide outreach presentation covering fundamentals of AppSec and Intro to OWASP
| DC
|-
| [[Industry:DPC BS 10012|DPC BS 10012]]
| 31 Mar 2009
| Standards
| Closed
| Provide response to "BS 10012 Specification for the management of personal information in compliance with the Data Protection Act 1998" Draft for Public Comment (DPC)
| CW
|-
| [[Industry:Draft NIST SP 800-53 Revision 3|Draft NIST SP 800-53 Revision 3]]
| 27 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-53 (Revision 3) Recommended Security Controls for Federal Information Systems and Organizations"
| RB
|-
| [[Industry:Draft NIST SP 800-122|Draft NIST SP 800-122]]
| 13 Mar 2009
| Standards
| Closed
| Provide response to "Draft NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
| CW
|-
| [[London]]
| 12 Mar 2009
| Outreach
| Closed
| Presentation about the Global Industry Committee, its role and recent activities (presentation slides [[Image:Owasp-london-industry-committee-march-2009.ppt]] and written notes [[Image:Owasp-london-industry-committee-march-2009-notes.pdf]])
| CW
|-
| [[Industry:Digital Britain Interim Report|Digital Britain Interim Report]]
| 11 Mar 2009
| Legislation
| Closed
| Provide response to UK Government's "Digital Britain Interim Report Jan 2009"
| CW
|-
| [http://www.owasp.org/index.php/Front_Range_OWASP_Conference_2009 SnowFROC Front Range]
| 5 Mar 2009
| Outreach
| Closed
| Conference organisation
| DC
|-
| US [http://www.commerce.gov/ Department of Commerce]
| 25 Feb 2009
| Outreach
| Closed
| Presentation about OWASP to Economic Security Working Group
| RB
|-
| [[Industry:DPC BS 8878:2009|DPC BS 8878:2009]]
| 31 Jan 2009
| Standards
| Closed
| Provide response to "BS 8878:2009 Web accessibility. Building accessible experiences for disabled people" Draft for Public Comment (DPC)
| Puneet/CW
|-
| AppSec Presentation Delivered to Infragard, Dec 2008
| Dec 2008
| Outreach
| Closed
| [http://www.infragard.net/ Infragard] is a collaboration between the US FBI and maintainers of critical infrastructure. [http://docs.google.com/Present?docid=ddkr62qv_0cn7km4c3&skipauth=true Presentation here]. Email DC for full PPT with speaker notes
| DC
|-
| The Register [http://www.theregister.co.uk/2008/11/22/google_analytics_as_security_risk/ Google Analytics — Yes, it is a security risk]
| Nov 2008
| Outreach
| Closed
| Co-ordination of response and provision of comments from OWASP leaders about risk of JavaScript on Barack Obama's website
| DC
|}

=== General Presentations and Reports ===

[[Summit 2009]]

*Global Industry Committee Presentation [[Image:Owasp-summit2009-industry-committee.ppt]]

Summaries (for inclusion into other full OWASP presentations):

*Sep 2009 [[Image:Owasp-industry-committee-summary-september-2009.ppt]]
*Jul 2009 [[Image:Owasp-industry-committee-summary-july-2009.ppt]]
*May 2009 [[Image:Owasp-industry-committee-summary-may-2009.ppt]]
*Apr 2009 [[Image:Owasp-industry-committee-summary-april-2009.ppt]]
*Mar 2009 [[Image:Owasp-industry-committee-summary-march-2009.ppt]]

 

Other [http://www.owasp.org/index.php/Global_Committee_Pages Global Committees]

User:Yiannis

2010-10-21T10:27:06Z

Yiannis:

There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is focusing on research relating to coding standards, practices and ways of exploiting development code. This focus entails the breaking and making of client-side standalone, as well as server-side web applications.

'''OWASP Life in Bullets:'''

*2010 - Bletchley Park ISSA UK [http://www.issa-uk.org/newsletters/ISSANewsletterApril2010.pdf Hacking for Queen and Country]
*2010 - OWASP GitHub [http://www.owasp.org/index.php/Category:OWASP_GitHub http://www.owasp.org/index.php/Category:OWASP_GitHub]
*2010 - OWASP London [http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010 http://www.owasp.org/index.php/London#Thursday.2C_January_14th_2010]
**Penetration Testing with Selenium
*2009 - OWASP Global Industry Committee [http://www.owasp.org/index.php/Global_Industry_Committee http://www.owasp.org/index.php/Global_Industry_Committee]
*2008 - OWASP NYC Conference [http://video.google.com/videoplay?docid=-1551704659206071145# http://video.google.com/videoplay?docid=-1551704659206071145#]
**JBroFuzz - Building a Java Fuzzer
*2008 - Deepsec Vienna [http://2008.deepsec.net/ http://2008.deepsec.net/]
**Hybrid Code Auditing: A Dataflow Source Code Review Methodology
*2007 - OWASP New York/New Jersey [http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt http://www.owasp.org/images/4/4e/OWASP_NY_07-Financial-Real-Time-Threats_Pavlosoglou.ppt]
**Financial Real-Time Threats: Impacting Trading Floor Operations
*2006 - JBroFuzz Project Leader [http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz http://lists.owasp.org/mailman/listinfo/owasp-jbrofuzz]
** JBroFuzz Mailing List

'''Project Involvement'''

*DirBuster - [http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project]
*JBroFuzz - [http://www.owasp.org/index.php/JBroFuzz http://www.owasp.org/index.php/JBroFuzz]

'''Contact'''

Yiannis Pavlosoglou yiannis@owasp.org

User:Yiannis

2010-10-20T17:36:08Z

Yiannis:

Global Industry Committee - Application 5

2010-09-22T00:47:19Z

Yiannis:

[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]]

----

{| class="FCK__ShowTableBorders" style="width: 100%" align="center" border="0"
|-
! style="background: #4058a0; color: white" align="center" colspan="2" | '''COMMITTEE APPLICATION FORM'''
|-
| style="background: #7b8abd; width: 25%" align="center" | '''Applicant's Name'''
| style="background: #cccccc; width: 85%" align="left" | Lorna Alamri
|-
| style="background: #7b8abd; width: 25%" align="center" | '''Current and past OWASP Roles'''
| style="background: #cccccc; width: 85%" align="left" | OWASP MSP board, Connections Committee, Newsletter Editor
|-
| style="background: #7b8abd; width: 25%" align="center" | '''Committee Applying for'''
| style="background: #cccccc; width: 85%" align="left" | OWASP Global Industry Committee.
|}

----

 

----

Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote.

----

 

----

{| class="FCK__ShowTableBorders" style="width: 100%" align="center" border="0"
|-
! style="background: #4058a0; color: white" align="center" colspan="8" | '''COMMITTEE RECOMMENDATIONS'''
|-
! style="background: white; color: white" align="center" | 
! style="background: #7b8abd; color: white" align="center" | '''Who Recommends/Name'''
! style="background: #7b8abd; color: white" align="center" | '''Role in OWASP'''
! style="background: #7b8abd; color: white" align="center" | '''Recommendation Content'''
|-
| style="background: #cccccc; width: 3%" align="center" | '''1'''
| style="background: #cccccc; width: 20%" align="center" | Konstantinos Papapanagiotou
| style="background: #cccccc; width: 20%" align="center" | Greek Chapter Leader
| style="background: #cccccc; width: 57%" align="center" | Excellent work editing the newsletter and also coordinating the translation teams.
|-
| style="background: #cccccc; width: 3%" align="center" | '''2'''
| style="background: #cccccc; width: 20%" align="center" | Neil Matatall
| style="background: #cccccc; width: 20%" align="center" | OC Chapter Leader
| style="background: #cccccc; width: 57%" align="center" | good work with the newsletter, very personable, go getter, takes initiative, good marketing skills.
|-
| style="background: #cccccc; width: 3%" align="center" | '''3'''
| style="background: #cccccc; width: 20%" align="center" | Tin Zaw
| style="background: #cccccc; width: 20%" align="center" | Los Angeles Chapter Leader
| style="background: #cccccc; width: 57%" align="center" | Lorna has been very helpful to us, AppSec conference committee. She took initiative
and did a great job in promoting AppSec USA in the newsletters. She is a great communicator and an excellent people-person.
|-
| style="background: #cccccc; width: 3%" align="center" | '''4'''
| style="background: #cccccc; width: 20%" align="center" | Cassio Goldschmidt
| style="background: #cccccc; width: 20%" align="center" | Los Angeles Chapter Founder, AppSec USA 2010 co-chair
| style="background: #cccccc; width: 57%" align="center" | As an OWASP MSP board member, Lorna helped to create one of the most well run chapters in the country. Lorna is dedicated, personable and passionate about OWASP. She makes me have high expectations about OWASP AppSec USA 2011.
|-
| style="background: #cccccc; width: 3%" align="center" | '''5'''
| style="background: #cccccc; width: 20%" align="center" | Helen Gao
| style="background: #cccccc; width: 20%" align="center" | Founder and leader of Long Island Chapter
| style="background: #cccccc; width: 57%" align="center" | I have worked with you on several OWASP newsletters. You have impressed me with your enthusiasm and energy. I'm happy that you are willing to do more volunteer work. I wish you the best of luck with the committee.
|}

----

User:Yiannis

2010-09-20T01:02:34Z

Yiannis:

User:Yiannis

2010-09-20T00:23:26Z

Yiannis:

File:Jbrofuzz-fuzz-header.png

2010-09-19T23:00:37Z

Yiannis: uploaded a new version of "File:Jbrofuzz-fuzz-header.png": Updated version.

OWASP JBroFuzz Tutorial

2010-09-16T09:45:00Z

Yiannis:

== Introduction ==

''“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”''
<div align="right">Old JBroFuzz Motto </div>
 The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured • Vocabulary: How to name fuzzing concepts you want to use • Usage: Ways of achieving everyday effective results with fuzzing 

[[Image:001-JBroFuzz-Tutorial.jpg|right|300px|JBroFuzz Splash Screen]]From the pre-existing information available for JBroFuzz, this tutorial focuses on usage: How to best put a fuzzing tool to good use, either via the UI, or using APIs that ''JBroFuzz.jar'' is constituted of. As a result, this document has a small requirement as a caveat; you need to have a beginner level understanding of the Java programming language in order to understand some sections.

There are a number of working examples described here within, which '''grep''' for statements such as “''<nowiki>public static void main(String[] args)</nowiki>''”. The majority of the content relates to reviewing these examples and putting the Java syntax into a fuzzing perspective.

To summarise, this tutorial focuses on customary and effective usage of fuzzing through the JBroFuzz Java APIs and the respective UI. It is targeting (without attacking them) web applications. Without further redo, let’s get fuzzing!

== JBroFuzz Basic Functionality ==

This section carries a number of basic fuzzing examples to get you started with JBroFuzz. Overall, even though the actions performed to not produce any amazing fuzzing results, it serves as a starting point in understanding how to perform particular fuzzing operations on web applications.

=== 'Hello Google!' (forget 'Hello World') ===

As the traditional first program that you learn when indulging in a new programming language, 'Hello World!' represents the norm for understanding the basic output operations and syntax (let alone compiler and execution behaviour) of the language in question.

As with most web application security related tools, when I am given the responsibility to run them, often in order to understand how they work, I would first craft a legitimate, single request to a trusted (to be up and behaving) popular Internet location. Needless, to say this request more than on occasion finds itself on Google servers.

So 'Hello World!' for programming languages seems to transform to 'Hello Google!' for understanding how web application security related tools work. Let us see, how JBroFuzz does it.

• Double-click on JBroFuzz and browse to the 'Fuzzing' tab

JBroFuzz is constituted of tabs, typically located in the bottom or top (if you bother to change the settings) of the main window.

The 'Fuzzing' tab is where you craft your request message to a particular host. Once that is in place, you can select any part of the request and proceed into adding any number of payloads. We shall see how in later sections.

• In the 'URL' field type: http://www.google.com/ http://www.google.com

Unlike conventional URLs, the URL field in JBroFuzz is only used for the underlying protocol (HTTP or HTTPS), host name (e.g. www.yahoo.com) and (optionally) port number.

All remaining information pasted or typed into the 'URL' field will be ignored; you are expected to enter it in the 'Request' field below.

<nowiki>Still, if you want to just copy-paste a URL from a browser, hit [Ctrl+L] while you are not fuzzing, paste the URL value that you have copied from a browser and JBroFuzz will automatically do the work for you. </nowiki>

Examples of valid URL values to be put in the

Treat the 'URL' and 'Request' fields as the two stages of a 'telnet' session on port 80; you are effectively using the 'URL' field to specify the equivalent of:

<tt>>telnet www.google.com 8088</tt>

As equivalent to:

<code>http://www.google.com:8088 </code>

or in the case of HTTPS:

<code>https://www.google.com:8088 </code>

Naturally, default ports for HTTP is 80 and HTTPS is 443.

• In the 'Request' field type:

<code>GET / HTTP/1.0 </code>

And press 'Enter' twice

This is where the body of the message you are sending is to be placed. So anything obeying HTTP/S protocol, such as GET and POST requests, header fields and/or HTML content should be included here.

As part of the process of fuzzing web applications with JBroFuzz you need to have done your homework, in terms of providing a base request message. This message is what will be used later on to add payloads to particular sections of the request.

<nowiki>• Hit 'Start' [Ctrl+Enter]</nowiki>

This will instigate the process of sending a single request to the specified host on a given (or default) port, over HTTP or HTTPS.

Once a connection has been established JBroFuzz will proceed to submit the message you have typed into the 'Request' field.

Finally, JBroFuzz will log all data sent and received into a file; accessing this file is typically a process of double clicking on the output line on the table at the bottom section of the 'Fuzzing' tab.

You should see a response received in the bottom part of the 'Fuzzing' panel. Double click (or right click for more options) to see the information exchanged; typically this would be a 302 redirect pointing you to another location. Congratulations, you have just said "Hello" to Google!

[[Image:002-JBroFuzz-Tutorial.png|500px|JBroFuzz Hello Google!]]

Now this would typically be enough under RFC rules, to get a response back; but damn all the bots out here, most websites require further information to respond back. So, in the 'Request' field let's pretend to be a (kind of) legitimate browser by typing:

<code>GET / HTTP/1.0 Host: www.google.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </code>

Not forgetting to end the request typed with two returns: Press 'Enter' twice. Again, you should be able to see a line added with the response received back.

Practice sending single requests to a website of your choice by changing the URL and also the 'Host:' field from the 'Request' above. Also try accessing an HTTPS website.

<nowiki>Alternatively, you can use the shortcut [Ctrl+L] to type in your URL, with the 'Request' field filled automatically, based on the URL you have typed. </nowiki> 

=== HTTP Version Numbers & www.cia.gov Headerless Responses ===

For web applications, very often ill-defined requests submitted over the Internet, will trigger semi-legitimate responses that actually do not obey HTTP RFC protocol specification. Often, even though this is not the case in this example, these responses can lead to the identification of one or more security vulnerabilities.

In this example we test for the responses received for invalid HTTP version numbers on a particular website, namely www.cia.gov, over https. Now a word of caution here; please do not attempt to fuzz web applications that you do not have the authority to do so, especially over the Internet.

Still, for the purposes of this tutorial exercise, we will subject a web server to no more than a dozen or so requests. These requests would be otherwise identical, if it was not for the HTTP version number incrementing by a value of 1 on each request.

In terms of having the authority to do so, well this is identical to hitting 'Refresh' in your web browser a dozen or so times, while you are browsing to www.cia.gov. I do not consider this remotely close to any form of hacking, cracking, or proper fuzzing; web servers across the globe receive a lot more abuse than this on a daily basis.

Finally, by the time you are reading this, the particular issue described might have been fixed. So here goes:

• Within JBroFuzz, select:

<code>File -> Open Location [Ctrl+L] </code>

Type: https://www.cia.gov and hit enter. This is depicted in the following screenshot:

[[Image:003-JBroFuzz-Tutorial.png|JBroFuzz Open Location]]

Hitting 'Enter' should automatically populate the 'URL' field and the 'Request' field within the 'Fuzzing' tab. What you see is the base request that we intend to add fuzzing payloads to. Before we do so, let us make one small alteration first:

• Modify the first line of the 'Request' field to:

<code>GET / HTTP/0.0 </code>

Our objective is to enumerate the supported by the web server (in this case www.cia.gov) HTTP version numbers, following the two digit format that it has. We could be a lot more agressive here and test for buffer overflows and all types of injection; that would be out of line without the authority to do so. Instead we are going to see how JBroFuzz will iterate through the values of 0.0 to 1.4 by means of adding a Fuzzer to our base request.

• Highlight the second zero from the line 'GET / HTTP/0.0' and right-click, selecting 'Add'. This is depicted in the screeshot below:

[[Image:004-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer to the HTTP version number]]

• From the appearing 'Add a Fuzzer' window, select as 'Category Name', in the most left column 'Base' and as 'Fuzzer Name' in the middle column 'Base 10 (Decimal) Alphabet.

• Click on 'Add Fuzzer' on the bottom right of the window

[[Image:005-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer]]

This should add a Fuzzer of length 1 that iterates over the decimal (i.e. base 10) numbers 0 to 9. If we have added a hexadecimal Fuzzer instead of a decimal one (i.e. base 16) the iteration would from 0 to F. If we had selected two digits instead of one and proceeded to add a decimal Fuzzer, the iteration would be from:

<code>00 01 .. 98 99 </code>

From a User Interface (UI) perspective you should see a line added to the 'Added Payloads Table'.

• Click 'Start' [Ctrl+Enter]

This process will send 10 requests to the specified web server changing only first line of the request to:

<code>GET / HTTP/0.0... GET / HTTP/0.1... ... GET / HTTP/0.8... GET / HTTP/0.9... </code>

While this is ongoing, you can sort the results by 'No' in the 'Output' table in the bottom of the 'Fuzzing' tab. This should enable you to see what request is currently being transmitted and received in real time.

Once complete, change the first line of the 'Request' field to read:

<code>GET / HTTP/1.0 </code>

• Click 'Start' [Ctrl+Enter]

The resulting output should resemble the following screenshot:

[[Image:006-JBroFuzz-Tutorial.png|500px|JBroFuzz Output from a Fuzzing Session]]

Straight away we can notice a difference in the response size: For HTTP version numbers 0.0 to 0.9 we are getting back what seems fairly big in size responses; 32222 bytes in size worth of responses, given that HTTP protocol version 0.0 to 0.8 do not officially exist!

By double-clicking on one of these requests, we can see that the web server in question is responding back with no headers, yet returning a full HTML body; this represents the 32222 bytes of response of data we are receiving back. The following screenshot illustrates this:

[[Image:007-JBroFuzz-Tutorial.png|300px|JBroFuzz Output for a Single Request/Response]]

Using the 'Graphing' tab we can proceed to graph the particular requests and responses for this given session.

• Within the 'Graphing' tab, click 'Start' [Ctrl+Enter].

• Select the directory corresponding to the Output folder we have used for this fuzzing session. This will typically be the last one.

• Right-click and select 'Graph'

Once complete, browse to the 'Response Size' tab within the 'Graphing' tab, as illustrated in the screenshot below:

[[Image:008-JBroFuzz-Tutorial.png|300px|JBroFuzz Graphing different 'Response Sizes']]

To re-iterate this does not present a security vulnerability in any shape or form; merely the fact that by manipulating HTTP version numbers as part of the request we transmit, we can impact the response that we get back. In this case, what changes is the non-existent header fields, with some HTML content being received back.

If I was to guess what is causing this, I would say that some sort of load balancing or content delivery is not happening as it should when non-existent version numbers are being transmitted.

== Using JBroFuzz with a Generic Proxy ==

JBrofuzz 2.0 and subsequent releases include generic proxy support. As of this writing, basic authentication is supported with plans to eventually support NTLM and Kerberos authentication as well. We've tried to make the use of a proxy as straight forward as possible. All arguments for the proxy can be passed in the URL field and will take one of the following forms.
<pre>Without Authentication: <proxy server>:<proxy port>
With Authentication: <proxy username>:<proxy password>@<proxy server>:<proxy port>
</pre>
The structure of the request field and whether the GET parameter contains an absolute URL depends on the proxy you are using. For this reason, you may have to do a bit of trial and error to determine what format(s) your proxy accepts. To make all of this a bit clearer lets look at a couple of examples.

=== Squid Proxy ===

In the first example, we are fuzzing through a squid proxy that requires ncsa user authentication as shown in the figure below. When producing similar results, its important that you use your own proxy and not the one shown in the figure. This proxy was setup for demonstration purposes, will not accept connections from your IP address, and the credentials will no longer be active.

[[Image:016-JBroFuzz-Tutorial.jpg|503x449px]]

=== Paros Proxy ===

In the second example, we are fuzzing through a local Paros proxy running on port 8080 that does not require user authentication. Notice the difference in the syntax of the URL field when user authentication is not required.

[[Image:017-JBroFuzz-Tutorial.jpg|503x449px]]

In the third example, we are still fuzzing through Paros, but notice the slight difference in the Request Field. Specifically, pay special attention to the GET line. We are no longer including the fully qualified path. Unlike Squid, Paros will accept both formats. Keep this in mind when you are performing initial testing with JBroFuzz and the proxy of your choice.

[[Image:018-JBroFuzz-Tutorial.jpg|503x449px]]

=== Burp Proxy ===
In the final example, we are fuzzing through Burp. Similar to Squid, Burp requires absolute URLs in the request. A successful Burp request is shown below.

[[Image:019-JBroFuzz-Tutorial.jpg|503x449px]]

== Using JBroFuzz with Paros Proxy ==

JBroFuzz is a standalone fuzzer; it can release and create sockets over HTTP and HTTPS, but in order to use JBroFuzz correctly you will have to know what it is that you are fuzzing.

In comes the need for a proxy tool; the opening versions of JBroFuzz actually had a proxy tab that you could use to intercept traffic generated by your web browser. That functionality got removed in an attempt to focus and deliver solely on the fuzzing capabilities of the tool.

This section details how to use JBroFuzz in combination with a client side proxy. The one selected is Paros Proxy, which, despite the fact that it hasn't been updated since 2006 is still a popular tool that you see in web security testing live CDs. You could use any of the other proxy tools available.

=== Winning on a Remix of the Year Award ===

At 17:53, on a frosty winter evening, a message window popped up:
<pre>17:53 http://www.localhost.com/remixcontest/club/annual2010.html
17:53 Hey bro, could you cast in a vote here for the Such & Such Remix?
17:53 Appreciated!
</pre>
A friend in need is a friend indeed, so here goes I thought. Opening up a web browser configured to work with Paros as an intermediate proxy, allowed for the casting of my vote. while keeping a record of each request and reply.

No registration, or any other form of submitting an identifier was needed. The request that Paros stored for the casting of the actual vote was:
<pre>GET http://www.localhost.com/remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.1
Host: www.localhost.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
Paros Proxy actually places the domain (in this case www.localhost.com) with the protocol (i.e. http) in front of the GET request. As a result, you can't open a telnet/netcat session and just copy-paste the above. Similarly when we bring the request into JBroFuzz, a bit of tweaking is required.

*In the URL field, type:
<pre>http://www.localhost.com
</pre>
In the Request field, let's keep what is of interest:
<pre>GET /remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
No needs for Keep-Alive and Proxy-Connection. Let's simplify the HTTP request by making it a version 1.0 request and getting rid of the Host header as well. Also on the user agent, let us keep that mainstream vanilla: Firefox on Windows (popular browser combination), getting rid of the .NET and Paros additives.

Checking on the website, our Such & Such remix already has about 100 votes or so and the top remix has approximately 310 votes. Let's fuzz this:

*Select 2 of the digits of the cookie value:
<pre>PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
*Select: Panel -> Add

*In the "Add a Fuzzer" panel, select:
<pre>Base -> Base16 (HEX)
</pre>
and select "Add Fuzzer".

This will add a line within the Payloads tab on the right hand side.

Our cookie value above (PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e) is in lowercase, hexadecimal format. Let's make sure the encoding we select is also that.

Within the Payloads tab, click on the encoding drop down menu and select lowercase. Just before clicking "Start", JBroFuzz should look something like the screenshot below.

[[Image:014-JBroFuzz-Tutorial.png|Adding Votes by iterating through PHPSESSID cookie values]]

== Performing User Enumeration with a Valid Set of Credentials ==

Often you encounter an application that allows for the enumeration of one or more pages after a user has been successfully granted a set of session credentials. One of the key areas to test from an application specific perspective, relates to the page(s) that provide user account information.

In the following example, we investigate an ASP.NET 2.0 application with a C# back-end. In this, an authenticated user has the option to select to "View My Profile". This page provides them with account information (including the typical username, email address, further notes) that they can proceed to update and save to the back-end system.

After a user has authenticated, the following URL, gives them access to their profile information stored on the database:
<pre>http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23
</pre>
Simple investigation confirms that the digits allowed as part of the UserID value are decimal numbers only. Lets feed that information into JBroFuzz.

=== Fuzzing a User ID ===

• Within JBroFuzz, select:

<code>File -> Open Location [Ctrl+L] </code>

Type: http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23 and hit enter. This is depicted in the following screenshot:

[[Image:009-JBroFuzz-Tutorial.png|300px|JBroFuzz 'GET' Request with a 'UserID' parameter]]

From the URL the important parameter is the value of the UserID query string (the value 23, above). We want to fuzz that.

• Within the Fuzzing Tab, in the "Request" text area, highlight the above number 23 • Right-click and select "Add"

In the "Add a Fuzzer" window that appears, select:

• Category Name: <code>Base</code> • Fuzzer Name: <code>Base10 (DEC)</code> • Select "Add Fuzzer" in the bottom right

This would have added a decimal (base 10 fuzzer) of length 2 onto the location.

• You will see a row added within the "Added Fuzzers Table" of the Fuzzing panel. • Click "Start" <code>Ctrl+Enter</code>

This will transmit 100 requests to the domain in question, which in this case is assumed: www.myattackingdomain.com. The value being changed within each request will be:
<pre>• GET /portal-location/UserInfo.aspx?UserID=00 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=01 HTTP/1.0
...
• GET /portal-location/UserInfo.aspx?UserID=98 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=99 HTTP/1.0
</pre>
Done. Let's proceed to graph the responses that we have obtained. Our objective is to understand which two-digit numbers from 00 to 99 correspond to valid user accounts.

=== Graphing Results ===

• Within the "Graphing" tab, click "Start" <code>Ctrl+Enter</code>

A list of directories will appear on the left-hand side. If you scroll to the bottom of the list you should see the directory corresponding to your fuzzing session, in our case it was (175 2009-06-24 16-18-24)
<pre>• Right-click on (175 2009-06-24 16-18-24)
• Click "Graph"
</pre>
This will generate the graphs in their respective tabs. The question now becomes which graph is of interest for our user enumeration exercise.

By definition enumerating users against an ID value, or any other identifier involves being able to obtain a different response for an existing user to that of a user that is not have a corresponding ID value.

Thus, from the metrics available, the one useful for enumerating users will be that of measuring the "Hamming Distance" between responses received. Based on the JBroFuzz documentation:

'''Fuzzing Hamming Distance '''
<pre>A bar chart with the hamming distance of the characters in the response,
relative to the first response received. Check each character of the first
response received, against the character at the same position of the
current response received. If they are not identical, increment the
hamming distance.
</pre>
As we can see the Fuzzing Hamming Distance (FHD) varies quite a bit from the definition of the normal hamming distance term, used in telecommunications. Still, they share a lot of similarities.

As we can from the above, the first request is critical to calibrating our user enumeration exercise. It represents the value that all other Fuzzing Hamming Distances (FHD) will be measured and normalised towards. For the java-skilled audience, the algorithm is quite trivial, but offers spectacular results in distinguishing responses:
<pre>in = new BufferedReader(new FileReader(f));
58
59 int counter = 0;
60 int check = 0;
61 int c;
62 while (((c = in.read()) > 0) && (counter < MAX_CHARS)) {
63
64 // If we are passed "--jbrofuzz-->\n" in the file
65 if (check == END_SIGNATURE.length()) {
66
67 firstSet.append((char) c);
68
69 }
70 // Else find "--jbrofuzz-->\n" using a counter
71 else {
72 // Increment the counter for each success
73 if (c == END_SIGNATURE.charAt(check)) {
74 check++;
75 } else {
76 check = 0;
77 }
78 }
79
80 counter++;
81
82 }
83 in.close();
</pre>
Ergo, the corresponding graph is depicted in the screenshot below. The peak graphs correspond to number that if you hover the mouse over will give you the enumeration ID of a valid user.

[[Image:015-JBroFuzz-Tutorial.png|500px|Measuring Hamming Distance for User Enumeration]]

== Eliminating False Positives: LDAP Injection ==

Every now and then a tool (that does not produce false positives) will hit an application reporting back a huge variety of (hopefully not confirmed, but pending further investigation) injection findings.

Due to the limited number of characters required in performing LDAP Injection, such issues will be high on that list. But let's refresh our memory a bit of how LDAP injection works:

http://www.owasp.org/index.php/LDAP_injection

So typically, during an automated scan, negating LDAP cn-type queries would be submitted and their responses noted. Example:

<pre>
GET /myfilelocation.jsp?lang=en&city=user)(sn=*&rid=97 HTTP/1.1
...
</pre>

vs.

<pre>
GET /myfilelocation.jsp?lang=en&city=user)!(sn=*&rid=97 HTTP/1.1
...
</pre>

or

<pre>
GET /myfilelocation.jsp?lang=en&city=admin*)((|userpassword=*)&rid=97 HTTP/1.1
...
</pre>

As great as this check might be from an LDAP perspective, it has a high likelihood of generating false positives, due to the character sets being used. Ergo, a protection mechanism (silly worst-case blacklist present for example) would typically hunt down cross-site scripting and sql injection type of characters:

<pre>
< > ' etc.
</pre>

Not considering =, *, or brackets as completely bad (he says).

=== What characters are allowed through? ===

Enough of all that; we want to know what responses are allowed back and what's different about them for all characters being filtered through a black-list.

Let's transform the above GET into the following and proceed to add a single fuzzer that tells us that:

<pre>
GET /myfilelocation.jsp?lang=en&city=X&rid=97 HTTP/1.1
</pre>

Now in the position of the X character, proceed to add an ASCII 94 Alphabet Fuzzer (available in version 2.1 and above). This will check the responses for all characters which are printable ASCII, with the exception of space.

In total there are 95 printable ASCII characters; minus the one present for space (yes, the one you hit all the time, every day) leaves 94. This fuzzer produces each of those values, in incrementing ASCII order.

[[Image:020-JBroFuzz-Tutorial.png|500px|Measuring Size Length for Single Character ASCII 94 Fuzzing]]

Based on the above graph, the following responses trigger a different response size. Thus the characters blocked by a black-list are:

<pre>
! " , < > @ [ \ ] ^ ` { | } ~
</pre>

Interesting. Know any payloads that can evade those?
:)

== JBroFuzz Development Corner ==

This section presents how to setup and use JBroFuzz as a fuzzing library. Also, it offers an insight in how to setup and compile your own version of JBroFuzz. As different people have different levels of expertise of the java programming language, eclipse, ant and subversion, some of the steps presented herein might be considered basic by advanced developers.

=== Setting up a JBroFuzz Development Environment ===

This section guides you towards setting up a development environment for JBroFuzz. Despite the Operating System (O/S) being windows XP, a similar process can be followed in a number of other O/S.

You will need to have installed:

*Tortoise SVN (using TortoiseSVN-1.6.6.17493-win32-svn-1.6.6.msi)
*Eclipse Java (using eclipse-java-galileo-SR1-win32.zip)

Optionally, if you don't like building your application through eclipse you could also require to install Apache Ant.

==== Step 1: Obtain the source code ====

JBroFuzz uses SubVersion with the repository being publicly available for download through anonymous access on sourceforge. There is a plan to move it the source to the OWASP Git repository, but until then, use the guidelines below.

[[Image:010-JBroFuzz-Tutorial.png|Tortoise SVN Check out JBroFuzz Source Code]]

Right click on the folder location where you want to download the source code and select:

*SVN Checkout

In the "URL of repository", enter:
<pre>https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
</pre>
In the "Checkout directory", enter the folder location of your choice, in this case:
<pre>C:\root\code\jbrofuzz
</pre>
In the "Checkout Depth" select:

*Fully recursive

Untick "Omit Externals" (should be unticked by default)

In the "Revision" select:

*"Head revision"

Select OK.

This process, once complete will checkout the entirety of the JBroFuzz source code from the SVN repository on sourceforge.

==== Step 2: Configuring a JBroFuzz Project within Eclipse ====

Having obtained the latest copy of the source code, the next step entails importing that source code within the Eclipse IDE.

Within Eclipse, select:
<pre>File -> New -> Other
</pre>
From the "New" panel that appears, select:
<pre>Java -> Java Project from Existig Ant Buildfile
</pre>
[[Image:011-JBroFuzz-Tutorial.png|Import JBroFuzz Code into Eclipse from Ant File]]

Select "Next".

In the next menu, under "Ant buildfile", select "Browse".

Browse to the location where you have just (step 1) downloaded the source code and select the following file:

*build.xml

The build.xml file is an Ant build file that JBroFuzz uses.

[[Image:012-JBroFuzz-Tutorial.png|Select the Ant File]]

Selecting that file should have populated the "Project name" as jbrofuzz and also given you:

 
<pre>"javac" task found in target "compile"
</pre>
MAKE SURE TO TICK:

*"Link to the buildfile in the filesystem"

Otherwise eclipse will try to replicate the source code within your workspace and that makes the process a tiny bit more complicated when it comes to actually building JBroFuzz.

Click "Finish"

You will see the item "Building workspace (76%) on the bottom right hand side of Eclipse. Once that is complete, you should see the jbrofuzz project on the top left corner of the Package Explorer within Eclipse.

==== Step 3: Building JBroFuzz ====

Within the Package Explorer, expand the jbrofuzz project and double-click on the build.xml file.

Right click on the "build [default]" task within the "Outline" window (typically seen on the right hand side) and select:
<pre>Run As -> 1. Ant Build [Alt+Shift+X, Q]
</pre>
If the build has been successful, a JBroFuzz.jar file within the the /jar folder would have been created. Following the path conventions above that should be in:
<pre>C:\root\code\jbrofuzz\jar\JBroFuzz.jar
</pre>
[[Image:013-JBroFuzz-Tutorial.png|Building JBroFuzz within Eclipse]]

=== How to Use JBroFuzz as a Fuzzing Library ===

Quite often what you need to do in terms of fuzzing, far exceeds the User Interface (UI) of JBroFuzz. For this reason, a set of core fuzzing APIs have been made available that can be used for more advanced fuzzing scenarios.

The JBroFuzz.jar standalone archive (made available with every release) carries a core fuzzing library that holds a number of key classes. These are located under:
<pre>org.owasp.jbrofuzz.core.*;
-Database.java
-Fuzzer.java
-FuzzerBigInteger.java
-NoSuchFuzzerException.java
-Prototype.java
</pre>
The class of importance is Fuzzer.java. If you are going to use recursive iterators of great length, there is also FuzzerBigInteger.java. The difference between the two is that Fuzzer.java uses the primitive java data type long (up to 16^16 values) while FuzzerBigInteger.java uses java BigInteger to perform the counting. Naturally, the class FuzzerBigInteger is slower and takes more memory than the Fuzzer class.

Within JBroFuzz a Fuzzer is an instance of a java Iterator. This implies that values can be accessed by simply calling the <code>next()</code> method once an object has been made available. Typically, a call to <code>hasNext()</code> should also be performed prior to avoid an exception being thrown.

A Fuzzer can be obtained from the factory method <code>createFuzzer(String, int);</code> available for every instance of the fuzzing Database. Ergo:

==== A HelloFuzzer Example ====
<pre>Database myDatabase = new Database();

Fuzzer myFuzzer = myDatabase.createFuzzer("031-B16-HEX", 5);
</pre>
So how do I use the API? Here is a simple HelloFuzzer (file called HelloFuzzer.java) example:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
To compile the above use:
<pre>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>
This assumes that you are currently inside the directory where HelloFuzzer.java resides and that the JBroFuzz.jar is located two directories within your current location i.e. in jbrofuzz/jar. In order to run the above compiled HelloFuzzer class issue:
<pre>java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>
Note: The above 2 commands have been crafted in a win32 environment. The process for compiling and running HelloFuzzer.java above is the same in *nix machines. Simply replace the backslash "\" with "/".

==== Fuzzing Payload Definitions ====

Within the JBroFuzz.jar file, there is a file called fuzzers.jbrf that carries all the fuzzer definitions that you see in the UI payloads tab of JBroFuzz. To view a latest copy of this file you can browse the SVN repository of JBroFuzz:
<pre>http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/tar/fuzzers.jbrf?view=log
</pre>
A note here worth mentioning: Files ending in .jbrofuzz are session files saved by users while performing fuzzing operations. Files ending in .jbrf are JBroFuzz system files. Typical examples of .jbrf files are headers.jbrf, as well as fuzzers.jbrf. Both these use an internal proprietary format not to be confused with the .jbrofuzz file format.

Fuzzers belong in categories (1 to many) and each fuzzer carries a set of payloads that define the alphabet of the fuzzer.

Also, you have replacive and recursive fuzzers, zero fuzzers, etc. There are a number of different fuzzer categories. As an example of a fuzzer within the fuzzers.jbrf file, consider the hexadecimal fuzzer:
<pre>Fuzzer Name: Base16 (HEX)
Fuzzer Type: Recursive
Fuzzer Id: 031-B16-HEX

Total Number of Payloads: 16
</pre>
Within the fuzzers.jbrf file this fuzzer is defined in plain-text format as follows:
<pre>R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
</pre>
 There is very little preventing you from defining your own fuzzers within this file, by following the file format specified above. You can use the UI to see if they have been loaded successfully.

Further to recursive and replacive fuzzers you also have zero fuzzers (i.e. a zero fuzzer of 1000 will just transmit 1000 requests as they are, without adding any payloads) double fuzzers, cross product fuzzers, etc.

Notice the factory method Database.createFuzzer("031-B16-HEX", 4) yielding: "I want a 4 digit recursive fuzzer (why because NUM-HEX is recursive in its definition, starts with R: instead of P:) of HEX digits."

Thus the above scenario would iterate through all the digits from 0000 to ffff. I wouldn't recommend using the above scenario for such trivial fuzzing capabilities; simply presented as an example of the inner workings of JBroFuzz.jar

==== HelloFuzzer Refined ====

A more detailed code breakdown of the above HelloFuzzer example can be found below:
<pre>/**
* JBroFuzz API Examples 01
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz a Fuzzer is a java Iterator.
*
* In order to create a Fuzzer, use the factory method
* Database.createFuzzer(String, int), passing as arguments
* the Fuzzer ID and the specified length as a positive int.
*
* Be careful to check that the fuzzer ID (labelled as f_ID)
* is actually an existing ID from the Database of Fuzzers.
*
* Expected Output:
* <code>
* The fuzzer payload is: 00000 
* The fuzzer payload is: 00001 
* ... 
* (a total of 16^5 = 1048576 lines) 
* ... 
* The fuzzer payload is: ffffd 
* The fuzzer payload is: ffffe 
* The fuzzer payload is: fffff 
* </code>
*
* For more information on the Database of Fuzzers, see the
* HelloDatabase Class.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloFuzzer {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "031-B16-HEX";
// You have to supply a (+)tive int
int f_len = 5;

try {

for(Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len); f.hasNext();) {

// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>
==== Hello Database of Fuzzers ====

Having seen how to access a single Fuzzer through the createFuzzer() method available in the Database object. The next question that comes naturally is what are the Fuzzers that are available by default in JBroFuzz?

To answer that, this example focuses more on the database component that we previously initialised, investigating the list of available methods that it offers.

In JBroFuzz, all Fuzzers are stored in a Database object that you will be required to construct in order to access them.
<pre>/**
* JBroFuzz API Examples 02
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz all Fuzzers are stored in a Database
* object that you will be required to construct in order
* to access them.
*
* Within the Database, each Fuzzer is a collection of
* payloads, which carries a unique ID string value.
*
* Example ID values are the output of this program:
* <code>
* The fuzzer ID is: 013-LDP-INJ 
* The name of the fuzzer is: LDAP Injection 
* The id of the fuzzer is: 013-LDP-INJ 
* The of payloads it carries (it's alphabet) is: 20 
* It has as 1st payload: 
* | 
* The fuzzer ID is: 018-XSS-4IE 
* The name of the fuzzer is: XSS IE 
* The id of the fuzzer is: 018-XSS-4IE 
* The of payloads it carries (it's alphabet) is: 38 
* It has as 1st payload: 
* < img src=`x` onrerror= ` ;; alert(1) ` /> 
*
* </code>
*
* Do not be confused between Prototypes and Fuzzers;
* JBroFuzz uses Prototype objects to construct the Fuzzers
* that get added into the Database upon initialisation.
*
* As a result, the getter methods available within a Database
* object can carry the name of getAllPrototypeIDs and
* getAllFuzzerIDs interchangebly.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloDatabase {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();

// Get a list of all the fuzzer IDs from the database
String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();

System.out.println("The fuzzer IDs found are:");

for(String fuzzerID : fuzzer_IDs) {

System.out.println("The fuzzer ID is: " + fuzzerID);

// We pass of length of 1, irrelevant if we are
// just going to access the first payload
// of the fuzzer
Fuzzer fuzzer;
try {

fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
// Normally you should check for fuzzer.hasNext()
String payload = fuzzer.next();

System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName() );
System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId() );
System.out.println("\tThe of payloads it carries (it's alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
System.out.println("\tIt has as 1st payload:\n\t\t" + payload );

} catch (NoSuchFuzzerException e) {
System.out.println("Could not find the specified fuzzer!");
System.out.println("Going to print all the fuzzer IDs I know:");
// old vs new for loop :)
// in case of an error, print just the
// fuzzer IDs, accessed from the DB
for(int j = 0; j < fuzzer_IDs.length; j++) {
System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
}

}

}

}

}
</pre>
==== Methods available within the Fuzzer Class ====

A final example of this section, involves seeing the usage of all the method calls available in the Fuzzer.java class
<pre>/**
* JBroFuzz API Examples 03
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* Example iterating through all the methods available
* in the Fuzzer Object and their respective outputs.
*
* @author subere@uncon.org
* @version n/a
*/
public class IndigoFuzzerTests {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "033-B08-OCT";
// You have to supply a (+)tive int
int f_len = 5;

try {

Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);

while(f.hasNext()) {

// Could do this via reflection, but..
f.next();
// System.out.println(" The fuzzer payload is: " + f.next());
System.out.println(" The maximum value is: " + f.getMaximumValue());

System.out.println(" The current value is: " + f.getCurrectValue());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>
=== Advanced Fuzzing with the JBroFuzz Library ===

This section covers more advanced APIs that are available under the '''org.owasp.jbrofuzz.core package'''. It should be noted that some of these classes and their corresponding functionality are not used by the JBroFuzz program application. Instead, they are made available for incorporation into other java code that you have perhaps written that requires more specialized type of fuzzing.

==== Fuzzing Really Long Values with Big Integer ====

As stated previously, within JBroFuzz a Fuzzer is a java Iterator. This implies that while fuzzing, we typically keep track of a counter representing the value that we are currently on. Consider the example of HelloFuzzer.java, above:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
If we compile this program:
<pre>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>
and run it:
<pre>java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>
We are going to see output similar to:
<pre> The fuzzer payload is: 0000
... (output omitted)
The fuzzer payload is: fffd
The fuzzer payload is: fffe
The fuzzer payload is: ffff
</pre>
Now what if we want a hexadecimal fuzzer of length not 4, but, say, 24. Let's try compile and run the above program with a length of 24. Changing the line to:
<pre> for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 24); f.hasNext();) {
</pre>
Running this modified version of HelloFuzzer.java, yields:
<pre>>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer.java

>java -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer

>
</pre>
Nothing! What is actually happening is JBroFuzz is figuring out that the specified length of the Fuzzer we are about to create is far greater than that of the long java data type. As a result, the Fuzzer is not even entering the iteration mode that is typically expected with methods next() and hasNext().

That's all great, but we still want a hexadecimal fuzzer, 24 digits long going from:
<pre>000000000000000000000000
...to...
ffffffffffffffffffffffff
</pre>
For this JBroFuzz offers another type of Fuzzer class, that of FuzzerBigInteger. Let's modify the critical line within the original HelloFuzzer.java program that we had:
<pre> for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
</pre>
With the entire program becoming:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
Compiling and running this program yields:
<pre> The fuzzer payload is: 000000000000000000000000
The fuzzer payload is: 000000000000000000000001
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
The fuzzer payload is: ffffffffffffffffffffffff
</pre>
There are limitations to this class, as governed by the BigInteger class itself. Further information can be found at:
<pre>http://java.sun.com/j2se/1.5.0/docs/api/java/math/BigInteger.html
</pre>
Still, on a virtual windows xp machine with 256Mb of RAM the above code had no problem running to completion. It took some time though.. Characteristics of the windows machine while this iteration was ongoing: The CPU was being utilised at 100% and memory usage was constant at 212 Mb. Overall, a clean sheet for FuzzerBigInteger.java.

==== Using the Power Fuzzer API ====

With web applications, it is often that you find yourself re-using part of, or the entirety of a fuzzing payload in more than one location, as part of the GET, POST, or any other type of request you submit.

For this reason, JBroFuzz offers the PowerFuzzer class: A type of iterator for which you can specify how many copies of the payload you require in each request.

Let's consider the following trivial scenario. You are in need of all hexadecimal values, which are 4-digits long (i.e. 0000 to FFFF) and you are in need of these 5 times for each request.

This scenario is trivial, because typically you can assign the fuzzing payload (i.e. the value you get back from Fuzzer.next() ) to a String variable and re-use it as many times as you see fit.
<pre> Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
....
for(Fuzzer f = fuzzDB.createFuzzer(fuzzerID, length); f.hasNext();) {
String payload = f.next();
....
}
</pre>
Using the PowerFuzzer.class, the following HelloPowerFuzzer.java program can be created:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {
// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java OWASP JBroFuzz Power Fuzzer Example

</pre>
This program would output the following; no rocket science here:
<pre>....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
</pre>
Now imagine you need to change the number of elements you obtain back every time. For every second request, you need to obtain back two identical payloads, for every third request, you need to obtain back three payloads and for every fourth request, you need to obtain back four payloads.

The PowerFuzzer class, with the corresponding method '''setPower(int)''' allows you to set how many identical elements you obtain back, without having to worry about the length argument. Below is a class that solves the above scenario:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {

int currentValue = (int) f.getCurrentValue();
currentValue %= 4;
switch (currentValue) {
case 0: f.setPower(1); break;
case 1: f.setPower(2); break;
case 2: f.setPower(3); break;
default: f.setPower(4); break;
}

// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java

</pre>
This class has as output:
<pre> ....
I have 1 elements: 22a8
I have 2 elements: 22a9 22a9
I have 3 elements: 22aa 22aa 22aa
I have 4 elements: 22ab 22ab 22ab 22ab
I have 1 elements: 22ac
I have 2 elements: 22ad 22ad
I have 3 elements: 22ae 22ae 22ae
I have 4 elements: 22af 22af 22af 22af
I have 1 elements: 22b0
I have 2 elements: 22b1 22b1
I have 3 elements: 22b2 22b2 22b2
I have 4 elements: 22b3 22b3 22b3 22b3
I have 1 elements: 22b4
I have 2 elements: 22b5 22b5
I have 3 elements: 22b6 22b6 22b6
I have 4 elements: 22b7 22b7 22b7 22b7
I have 1 elements: 22b8
I have 2 elements: 22b9 22b9
....
</pre>
Naturally, the algorithm of the number of elements required can vary based on any number of parameters. The PowerFuzzer class gives you a quick way to control the number of identical payloads you obtain back, without having to worry about creating a data type to store them in.

==== Using the Double Fuzzer API ====

In some cases of fuzzing web applications, a requirement to fuzz two (or more) locations part of the request being submitted to the web server becomes apparent.

The DoubleFuzzer class allows you to create a fuzzer based on two prototype definitions. Similarly to instantiating a Fuzzer through a prototype and a given length, with a DoubleFuzzer, we pass two prototype definitions and two lengths. The corresponding method call available within the '''Database''' class of org.owasp.jbrofuzz.core is:
<pre>public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
String id2, int length2) throws NoSuchFuzzerException {
</pre>
Let's cross-breed some fuzzers, see what results we get back during an iteration.

The first example below, uses two hexadecimal fuzzers of different lengths, as specified by the variables:
<pre>String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;
</pre>
As the double fuzzer iteration is taking place, the second fuzzer, defined by the fuzzID2 & length2 loops, starting from 00 and going all the way up to FF. An example output is:
<pre> I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
</pre>
The complete code listing of HelloDoubleFuzzer.java is:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>
That's simple enough; now let's cross-breed something a bit more exotic: Imagine a 3-digit octal ID value [000 - 777] being submitted inline with, say, a parameter that we want to test for Cross-Site Scripting (XSS). Let's adjust the program above with the corresponding fuzzer IDs of these fuzzers. Remember all the IDs of all the fuzzers can be found in the fuzzers.jbrf file within JBroFuzz.jar:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "019-XSS-GEK";

int length1 = 3;
int length2 = 1;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>
The output from this program is:
<pre> I have 2 elements: 000 (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I have 2 elements: 001 <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
I have 2 elements: 002 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 003 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 004 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 005 <A HREF="//google">XSS</A>
....
...
..
.
..
...
....
I have 2 elements: 774 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 775 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 776 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 777 <A HREF="//google">XSS</A>
</pre>
With the list stopping iterating at the last element of the greatest of the two fuzzers.

==== Using the Cross Product Fuzzer API ====

A final case of a special Double Fuzzer is the the Cross Product Fuzzer of the payloads of two fuzzers. This type of fuzzing is virtually encountered in username/password login form on the Internet. Let's work on this by example.

Consider your home network router. You recall changing the default password to one of the typical password values that you use. Also, you are not 100% certain about the username for the router either, it is one of the typical admin, user, administrator, root, yoda type values, but you cannot recall which one. Needless to say, you don't know what the username, or password actually is.

So in a mini brute-forcing attack scenario, you have the following list of usernames, out of which one is valid:
<pre>admin
administrator
Administrator
root
adminUser
</pre>
Also you know that the password is one of the following (Top 10 Threadwatch 2007 passwords):
<pre>password
123456
qwerty
abc123
letmein
monkey
myspace1
password1
blink182
</pre>
The set that contains every possible combination of the two sets is the Cross Product of the list of usernames, times the list of passwords. So manually, (as most people do while locking themselves out) you would try, popular combinations of the above, starting with:
<pre>admin password
admin 123456
admin qwerty
....
admin blink182
administrator password
administrator 123456
administrator qwerty
....
adminUser password1
adminUser blink182
</pre>
Thus the total number of attempts would be (number of usernames) x (number of passwords). No rocket science here.

JBroFuzz introduces the CrossProductFuzzer class capable of iterating through the cross product of two fuzzers. Let's put it into code; the following program provides a list of all 2-digit octal numbers with every 2-digit binary number. A total of (8 x 8) x (2 x 2) = 256 values.
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloCrossFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "034-B02-BIN";

int length1 = 2;
int length2 = 2;

try {
CrossProductFuzzer f = fuzzDB.createCrossFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloCrossFuzzer.java
</pre>
This program has as output:
<pre> I have 2 elements: 00 00
...
..
.
..
...
I have 2 elements: 74 00
I have 2 elements: 74 01
I have 2 elements: 74 10
I have 2 elements: 74 11
I have 2 elements: 75 00
I have 2 elements: 75 01
I have 2 elements: 75 10
I have 2 elements: 75 11
I have 2 elements: 76 00
I have 2 elements: 76 01
I have 2 elements: 76 10
I have 2 elements: 76 11
I have 2 elements: 77 00
I have 2 elements: 77 01
I have 2 elements: 77 10
I have 2 elements: 77 11
</pre>
You can substitute any list of fuzzer ID to the IDs you use in this program.

'''Remember!''' The total number of payloads must not exceed that of the the maximum value of the long primitive java data type ''Long.MAX_VALUE'' which is 2^63 - 1. If you are in need of more than that payloads, you would have to use the big integer implementation of the Fuzzer class, namely: FuzzerBigInteger.java.

== Graphing with JBroFuzz ==

Once a fuzzing session has completed, JBroFuzz offers the ability to generate a number of graphs, using various metrics. This section investigates how to further the graphing functionality available with the application.

=== Customizing the logo on each Graph ===

As of version 2.0, all image icons within JBroFuzz are located within the /icons directory of the application. The particular transparent image file displayed on top right part of the graphs is named:
<pre>/icons/owasp-med.png
</pre>
This file is a 64 x 64 PNG image file. You can replace it with your own file, as follows:
<pre>>ls -l JBroFuzz.jar
-rw-rw-rw- 1 user group 4033612 Feb 15 12:33 JBroFuzz.jar

>unzip -oq JBroFuzz.jar
>cd icons
>mv owasp-med.png file64x64-file.png
>cd ..
>zip -r JBroFuzz.zip *
>mv JBroFuzz.zip JBroFuzz.jar
</pre>
This enables you to have your own (company logo) on JBroFuzz graphs. Further to this, a number of other customization options are available, by right clicking on each of the graph generated.

== Added Fuzzer Transformations ==

A fuzzing transform is a simple term used to define the linear transposition of every set of payloads contained within a fuzzer. Say you have the following 4 basic XSS payloads:

<code>
"><script>alert('I can do some damage here!');</script> 
<IMG SRC=`javascript:alert("XSS says, 'XSS'")`> 
<IFRAME SRC="javascript:alert('XSS');"></IFRAME> 
</XSS STYLE=xss:expression(alert('XSS'))> 
</code>

Note that even though this example only looks at replacive fuzzers, recursive fuzzers, fuzzing transforms do apply to recursive fuzzers as well.

Without getting too algebraic, if X is the payload value, a transform is a linear equation such that for every original payload contained within a fuzzer, the resulting payload Y is of the form.

From version 2.4, JBroFuzz supports linear fuzzing tranforms for all its respective fuzzers. These are of the form:

Y = A*X + B

Where B represents a constant being padded to the original payload X, with A being the act of multiplication i.e. that of applying a particular encoding on X. Let's look at an example:

X = "><script>alert('I can do some damage here!');</script>
B = %00%00
A = URL Cp1252

Ergo, ignoring the brackets:

<code>
Y = (URL Cp1252)*("><script>alert('I can do some damage here!');</script>) + %00%00 
Y = %22%3E%3Cscript%3Ealert%28%27I+can+do+some+damage+here%21%27%29%3B%3C%2Fscript%3E%00%00 
</code>
Unfortunately, in fuzzing algebraic equivalence relations do not really hold much ground i.e. generating a payload, by padding a constant value at the end is not at all the same as padding a constant value at the beginning and the end for that payload. Thus in:

Y = A*X + B

We have to break down the constant B in two parts:

Y = B + A*X + C

This is the fuzzing transform that JBroFuzz uses. Whatsmore, we can chain this with friends, with benefits:

<code>
Y{1} = B{1} + A{1}*X{1} + C{1} 
Y{2} = B{2} + A{2}*Y{1} + C{1} 
</code>
Ergo,

Y{2} = B{2} + A{2}*{ B{1} + A{1}*X{1} + C{1} } + C{1}

But we all hated math at school, think it was the teachers, not the subject, so let's look at an example:

<code>
Y{1} = %00 + {URL Cp1252}{"><script>alert('I can do some damage here!');</script>} + %00%00 
Y{2} = {Base64}Y{1} 
</code>
Note that B{2} = C{2} = null

And of course we get:

<code>
Y{2} = JTAwJTIyJTNFJTNDc2NyaXB0JTNFYWxlcnQlMjglMjdJK2Nhbitkbytzb21lK2RhbWFnZStoZXJlJTIxJTI3JTI5JTNCJTNDJTJGc2NyaXB0JTNFJTAwJTAw
</code>

JBroFuzz 2.4 can do this in two rows for every payload grouped in a fuzzer, within the Added Fuzzer Tranformations Table of the Fuzzing tab.

After fuzzing that triple URL encode, base64 padded, timestamp MD5 into SHA512 hash? That would be 4 rows within the Added Fuzzer Tranformations Table.

One fine day, we will write a process to reverse back transforms by simple cryptanalysis.

[[Category:OWASP_JBroFuzz]]

User:Yiannis

2010-09-06T17:33:28Z

Yiannis:

File:JBroFuzzDownload.png

2010-06-04T13:57:52Z

Yiannis: The JBroFuzz Download Button

The JBroFuzz Download Button

OWASP JBroFuzz Tutorial

2010-03-30T16:04:38Z

Yiannis:

File:020-JBroFuzz-Tutorial.png

2010-03-30T15:58:14Z

Yiannis: A list of 94 different printable ASCII character responses, based on the fuzzing for what characters are allowed through.

A list of 94 different printable ASCII character responses, based on the fuzzing for what characters are allowed through.

OWASP JBroFuzz Tutorial

2010-03-30T15:50:54Z

Yiannis: /* What characters are allowed through? */

== Introduction ==

''“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”''
<div align="right">Old JBroFuzz Motto </div>
 The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured • Vocabulary: How to name fuzzing concepts you want to use • Usage: Ways of achieving everyday effective results with fuzzing 

[[Image:001-JBroFuzz-Tutorial.jpg|right|300px|JBroFuzz Splash Screen]]From the pre-existing information available for JBroFuzz, this tutorial focuses on usage: How to best put a fuzzing tool to good use, either via the UI, or using APIs that ''JBroFuzz.jar'' is constituted of. As a result, this document has a small requirement as a caveat; you need to have a beginner level understanding of the Java programming language in order to understand some sections.

There are a number of working examples described here within, which '''grep''' for statements such as “''<nowiki>public static void main(String[] args)</nowiki>''”. The majority of the content relates to reviewing these examples and putting the Java syntax into a fuzzing perspective.

To summarise, this tutorial focuses on customary and effective usage of fuzzing through the JBroFuzz Java APIs and the respective UI. It is targeting (without attacking them) web applications. Without further redo, let’s get fuzzing!

== JBroFuzz Basic Functionality ==

This section carries a number of basic fuzzing examples to get you started with JBroFuzz. Overall, even though the actions performed to not produce any amazing fuzzing results, it serves as a starting point in understanding how to perform particular fuzzing operations on web applications.

=== 'Hello Google!' (forget 'Hello World') ===

As the traditional first program that you learn when indulging in a new programming language, 'Hello World!' represents the norm for understanding the basic output operations and syntax (let alone compiler and execution behaviour) of the language in question.

As with most web application security related tools, when I am given the responsibility to run them, often in order to understand how they work, I would first craft a legitimate, single request to a trusted (to be up and behaving) popular Internet location. Needless, to say this request more than on occasion finds itself on Google servers.

So 'Hello World!' for programming languages seems to transform to 'Hello Google!' for understanding how web application security related tools work. Let us see, how JBroFuzz does it.

• Double-click on JBroFuzz and browse to the 'Fuzzing' tab

JBroFuzz is constituted of tabs, typically located in the bottom or top (if you bother to change the settings) of the main window.

The 'Fuzzing' tab is where you craft your request message to a particular host. Once that is in place, you can select any part of the request and proceed into adding any number of payloads. We shall see how in later sections.

• In the 'URL' field type: http://www.google.com/ http://www.google.com

Unlike conventional URLs, the URL field in JBroFuzz is only used for the underlying protocol (HTTP or HTTPS), host name (e.g. www.yahoo.com) and (optionally) port number.

All remaining information pasted or typed into the 'URL' field will be ignored; you are expected to enter it in the 'Request' field below.

<nowiki>Still, if you want to just copy-paste a URL from a browser, hit [Ctrl+L] while you are not fuzzing, paste the URL value that you have copied from a browser and JBroFuzz will automatically do the work for you. </nowiki>

Examples of valid URL values to be put in the

Treat the 'URL' and 'Request' fields as the two stages of a 'telnet' session on port 80; you are effectively using the 'URL' field to specify the equivalent of:

<tt>>telnet www.google.com 8088</tt>

As equivalent to:

<code>http://www.google.com:8088 </code>

or in the case of HTTPS:

<code>https://www.google.com:8088 </code>

Naturally, default ports for HTTP is 80 and HTTPS is 443.

• In the 'Request' field type:

<code>GET / HTTP/1.0 </code>

And press 'Enter' twice

This is where the body of the message you are sending is to be placed. So anything obeying HTTP/S protocol, such as GET and POST requests, header fields and/or HTML content should be included here.

As part of the process of fuzzing web applications with JBroFuzz you need to have done your homework, in terms of providing a base request message. This message is what will be used later on to add payloads to particular sections of the request.

<nowiki>• Hit 'Start' [Ctrl+Enter]</nowiki>

This will instigate the process of sending a single request to the specified host on a given (or default) port, over HTTP or HTTPS.

Once a connection has been established JBroFuzz will proceed to submit the message you have typed into the 'Request' field.

Finally, JBroFuzz will log all data sent and received into a file; accessing this file is typically a process of double clicking on the output line on the table at the bottom section of the 'Fuzzing' tab.

You should see a response received in the bottom part of the 'Fuzzing' panel. Double click (or right click for more options) to see the information exchanged; typically this would be a 302 redirect pointing you to another location. Congratulations, you have just said "Hello" to Google!

[[Image:002-JBroFuzz-Tutorial.png|500px|JBroFuzz Hello Google!]]

Now this would typically be enough under RFC rules, to get a response back; but damn all the bots out here, most websites require further information to respond back. So, in the 'Request' field let's pretend to be a (kind of) legitimate browser by typing:

<code>GET / HTTP/1.0 Host: www.google.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </code>

Not forgetting to end the request typed with two returns: Press 'Enter' twice. Again, you should be able to see a line added with the response received back.

Practice sending single requests to a website of your choice by changing the URL and also the 'Host:' field from the 'Request' above. Also try accessing an HTTPS website.

<nowiki>Alternatively, you can use the shortcut [Ctrl+L] to type in your URL, with the 'Request' field filled automatically, based on the URL you have typed. </nowiki> 

=== HTTP Version Numbers & www.cia.gov Headerless Responses ===

For web applications, very often ill-defined requests submitted over the Internet, will trigger semi-legitimate responses that actually do not obey HTTP RFC protocol specification. Often, even though this is not the case in this example, these responses can lead to the identification of one or more security vulnerabilities.

In this example we test for the responses received for invalid HTTP version numbers on a particular website, namely www.cia.gov, over https. Now a word of caution here; please do not attempt to fuzz web applications that you do not have the authority to do so, especially over the Internet.

Still, for the purposes of this tutorial exercise, we will subject a web server to no more than a dozen or so requests. These requests would be otherwise identical, if it was not for the HTTP version number incrementing by a value of 1 on each request.

In terms of having the authority to do so, well this is identical to hitting 'Refresh' in your web browser a dozen or so times, while you are browsing to www.cia.gov. I do not consider this remotely close to any form of hacking, cracking, or proper fuzzing; web servers across the globe receive a lot more abuse than this on a daily basis.

Finally, by the time you are reading this, the particular issue described might have been fixed. So here goes:

• Within JBroFuzz, select:

<code>File -> Open Location [Ctrl+L] </code>

Type: https://www.cia.gov and hit enter. This is depicted in the following screenshot:

[[Image:003-JBroFuzz-Tutorial.png|JBroFuzz Open Location]]

Hitting 'Enter' should automatically populate the 'URL' field and the 'Request' field within the 'Fuzzing' tab. What you see is the base request that we intend to add fuzzing payloads to. Before we do so, let us make one small alteration first:

• Modify the first line of the 'Request' field to:

<code>GET / HTTP/0.0 </code>

Our objective is to enumerate the supported by the web server (in this case www.cia.gov) HTTP version numbers, following the two digit format that it has. We could be a lot more agressive here and test for buffer overflows and all types of injection; that would be out of line without the authority to do so. Instead we are going to see how JBroFuzz will iterate through the values of 0.0 to 1.4 by means of adding a Fuzzer to our base request.

• Highlight the second zero from the line 'GET / HTTP/0.0' and right-click, selecting 'Add'. This is depicted in the screeshot below:

[[Image:004-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer to the HTTP version number]]

• From the appearing 'Add a Fuzzer' window, select as 'Category Name', in the most left column 'Base' and as 'Fuzzer Name' in the middle column 'Base 10 (Decimal) Alphabet.

• Click on 'Add Fuzzer' on the bottom right of the window

[[Image:005-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer]]

This should add a Fuzzer of length 1 that iterates over the decimal (i.e. base 10) numbers 0 to 9. If we have added a hexadecimal Fuzzer instead of a decimal one (i.e. base 16) the iteration would from 0 to F. If we had selected two digits instead of one and proceeded to add a decimal Fuzzer, the iteration would be from:

<code>00 01 .. 98 99 </code>

From a User Interface (UI) perspective you should see a line added to the 'Added Payloads Table'.

• Click 'Start' [Ctrl+Enter]

This process will send 10 requests to the specified web server changing only first line of the request to:

<code>GET / HTTP/0.0... GET / HTTP/0.1... ... GET / HTTP/0.8... GET / HTTP/0.9... </code>

While this is ongoing, you can sort the results by 'No' in the 'Output' table in the bottom of the 'Fuzzing' tab. This should enable you to see what request is currently being transmitted and received in real time.

Once complete, change the first line of the 'Request' field to read:

<code>GET / HTTP/1.0 </code>

• Click 'Start' [Ctrl+Enter]

The resulting output should resemble the following screenshot:

[[Image:006-JBroFuzz-Tutorial.png|500px|JBroFuzz Output from a Fuzzing Session]]

Straight away we can notice a difference in the response size: For HTTP version numbers 0.0 to 0.9 we are getting back what seems fairly big in size responses; 32222 bytes in size worth of responses, given that HTTP protocol version 0.0 to 0.8 do not officially exist!

By double-clicking on one of these requests, we can see that the web server in question is responding back with no headers, yet returning a full HTML body; this represents the 32222 bytes of response of data we are receiving back. The following screenshot illustrates this:

[[Image:007-JBroFuzz-Tutorial.png|300px|JBroFuzz Output for a Single Request/Response]]

Using the 'Graphing' tab we can proceed to graph the particular requests and responses for this given session.

• Within the 'Graphing' tab, click 'Start' [Ctrl+Enter].

• Select the directory corresponding to the Output folder we have used for this fuzzing session. This will typically be the last one.

• Right-click and select 'Graph'

Once complete, browse to the 'Response Size' tab within the 'Graphing' tab, as illustrated in the screenshot below:

[[Image:008-JBroFuzz-Tutorial.png|300px|JBroFuzz Graphing different 'Response Sizes']]

To re-iterate this does not present a security vulnerability in any shape or form; merely the fact that by manipulating HTTP version numbers as part of the request we transmit, we can impact the response that we get back. In this case, what changes is the non-existent header fields, with some HTML content being received back.

If I was to guess what is causing this, I would say that some sort of load balancing or content delivery is not happening as it should when non-existent version numbers are being transmitted.

== Using JBroFuzz with a Generic Proxy ==

JBrofuzz 2.0 and subsequent releases include generic proxy support. As of this writing, basic authentication is supported with plans to eventually support NTLM and Kerberos authentication as well. We've tried to make the use of a proxy as straight forward as possible. All arguments for the proxy can be passed in the URL field and will take one of the following forms.
<pre>Without Authentication: <proxy server>:<proxy port>
With Authentication: <proxy username>:<proxy password>@<proxy server>:<proxy port>
</pre>
The structure of the request field and whether the GET parameter contains an absolute URL depends on the proxy you are using. For this reason, you may have to do a bit of trial and error to determine what format(s) your proxy accepts. To make all of this a bit clearer lets look at a couple of examples.

=== Squid Proxy ===

In the first example, we are fuzzing through a squid proxy that requires ncsa user authentication as shown in the figure below. When producing similar results, its important that you use your own proxy and not the one shown in the figure. This proxy was setup for demonstration purposes, will not accept connections from your IP address, and the credentials will no longer be active.

[[Image:016-JBroFuzz-Tutorial.jpg|503x449px]]

=== Paros Proxy ===

In the second example, we are fuzzing through a local Paros proxy running on port 8080 that does not require user authentication. Notice the difference in the syntax of the URL field when user authentication is not required.

[[Image:017-JBroFuzz-Tutorial.jpg|503x449px]]

In the third example, we are still fuzzing through Paros, but notice the slight difference in the Request Field. Specifically, pay special attention to the GET line. We are no longer including the fully qualified path. Unlike Squid, Paros will accept both formats. Keep this in mind when you are performing initial testing with JBroFuzz and the proxy of your choice.

[[Image:018-JBroFuzz-Tutorial.jpg|503x449px]]

=== Burp Proxy ===
In the final example, we are fuzzing through Burp. Similar to Squid, Burp requires absolute URLs in the request. A successful Burp request is shown below.

[[Image:019-JBroFuzz-Tutorial.jpg|503x449px]]

== Using JBroFuzz with Paros Proxy ==

JBroFuzz is a standalone fuzzer; it can release and create sockets over HTTP and HTTPS, but in order to use JBroFuzz correctly you will have to know what it is that you are fuzzing.

In comes the need for a proxy tool; the opening versions of JBroFuzz actually had a proxy tab that you could use to intercept traffic generated by your web browser. That functionality got removed in an attempt to focus and deliver solely on the fuzzing capabilities of the tool.

This section details how to use JBroFuzz in combination with a client side proxy. The one selected is Paros Proxy, which, despite the fact that it hasn't been updated since 2006 is still a popular tool that you see in web security testing live CDs. You could use any of the other proxy tools available.

=== Winning on a Remix of the Year Award ===

At 17:53, on a frosty winter evening, a message window popped up:
<pre>17:53 http://www.localhost.com/remixcontest/club/annual2010.html
17:53 Hey bro, could you cast in a vote here for the Such & Such Remix?
17:53 Appreciated!
</pre>
A friend in need is a friend indeed, so here goes I thought. Opening up a web browser configured to work with Paros as an intermediate proxy, allowed for the casting of my vote. while keeping a record of each request and reply.

No registration, or any other form of submitting an identifier was needed. The request that Paros stored for the casting of the actual vote was:
<pre>GET http://www.localhost.com/remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.1
Host: www.localhost.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
Paros Proxy actually places the domain (in this case www.localhost.com) with the protocol (i.e. http) in front of the GET request. As a result, you can't open a telnet/netcat session and just copy-paste the above. Similarly when we bring the request into JBroFuzz, a bit of tweaking is required.

*In the URL field, type:
<pre>http://www.localhost.com
</pre>
In the Request field, let's keep what is of interest:
<pre>GET /remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
No needs for Keep-Alive and Proxy-Connection. Let's simplify the HTTP request by making it a version 1.0 request and getting rid of the Host header as well. Also on the user agent, let us keep that mainstream vanilla: Firefox on Windows (popular browser combination), getting rid of the .NET and Paros additives.

Checking on the website, our Such & Such remix already has about 100 votes or so and the top remix has approximately 310 votes. Let's fuzz this:

*Select 2 of the digits of the cookie value:
<pre>PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
*Select: Panel -> Add

*In the "Add a Fuzzer" panel, select:
<pre>Base -> Base16 (HEX)
</pre>
and select "Add Fuzzer".

This will add a line within the Payloads tab on the right hand side.

Our cookie value above (PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e) is in lowercase, hexadecimal format. Let's make sure the encoding we select is also that.

Within the Payloads tab, click on the encoding drop down menu and select lowercase. Just before clicking "Start", JBroFuzz should look something like the screenshot below.

[[Image:014-JBroFuzz-Tutorial.png|Adding Votes by iterating through PHPSESSID cookie values]]

== Performing User Enumeration with a Valid Set of Credentials ==

Often you encounter an application that allows for the enumeration of one or more pages after a user has been successfully granted a set of session credentials. One of the key areas to test from an application specific perspective, relates to the page(s) that provide user account information.

In the following example, we investigate an ASP.NET 2.0 application with a C# back-end. In this, an authenticated user has the option to select to "View My Profile". This page provides them with account information (including the typical username, email address, further notes) that they can proceed to update and save to the back-end system.

After a user has authenticated, the following URL, gives them access to their profile information stored on the database:
<pre>http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23
</pre>
Simple investigation confirms that the digits allowed as part of the UserID value are decimal numbers only. Lets feed that information into JBroFuzz.

=== Fuzzing a User ID ===

• Within JBroFuzz, select:

<code>File -> Open Location [Ctrl+L] </code>

Type: http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23 and hit enter. This is depicted in the following screenshot:

[[Image:009-JBroFuzz-Tutorial.png|300px|JBroFuzz 'GET' Request with a 'UserID' parameter]]

From the URL the important parameter is the value of the UserID query string (the value 23, above). We want to fuzz that.

• Within the Fuzzing Tab, in the "Request" text area, highlight the above number 23 • Right-click and select "Add"

In the "Add a Fuzzer" window that appears, select:

• Category Name: <code>Base</code> • Fuzzer Name: <code>Base10 (DEC)</code> • Select "Add Fuzzer" in the bottom right

This would have added a decimal (base 10 fuzzer) of length 2 onto the location.

• You will see a row added within the "Added Fuzzers Table" of the Fuzzing panel. • Click "Start" <code>Ctrl+Enter</code>

This will transmit 100 requests to the domain in question, which in this case is assumed: www.myattackingdomain.com. The value being changed within each request will be:
<pre>• GET /portal-location/UserInfo.aspx?UserID=00 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=01 HTTP/1.0
...
• GET /portal-location/UserInfo.aspx?UserID=98 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=99 HTTP/1.0
</pre>
Done. Let's proceed to graph the responses that we have obtained. Our objective is to understand which two-digit numbers from 00 to 99 correspond to valid user accounts.

=== Graphing Results ===

• Within the "Graphing" tab, click "Start" <code>Ctrl+Enter</code>

A list of directories will appear on the left-hand side. If you scroll to the bottom of the list you should see the directory corresponding to your fuzzing session, in our case it was (175 2009-06-24 16-18-24)
<pre>• Right-click on (175 2009-06-24 16-18-24)
• Click "Graph"
</pre>
This will generate the graphs in their respective tabs. The question now becomes which graph is of interest for our user enumeration exercise.

By definition enumerating users against an ID value, or any other identifier involves being able to obtain a different response for an existing user to that of a user that is not have a corresponding ID value.

Thus, from the metrics available, the one useful for enumerating users will be that of measuring the "Hamming Distance" between responses received. Based on the JBroFuzz documentation:

'''Fuzzing Hamming Distance '''
<pre>A bar chart with the hamming distance of the characters in the response,
relative to the first response received. Check each character of the first
response received, against the character at the same position of the
current response received. If they are not identical, increment the
hamming distance.
</pre>
As we can see the Fuzzing Hamming Distance (FHD) varies quite a bit from the definition of the normal hamming distance term, used in telecommunications. Still, they share a lot of similarities.

As we can from the above, the first request is critical to calibrating our user enumeration exercise. It represents the value that all other Fuzzing Hamming Distances (FHD) will be measured and normalised towards. For the java-skilled audience, the algorithm is quite trivial, but offers spectacular results in distinguishing responses:
<pre>in = new BufferedReader(new FileReader(f));
58
59 int counter = 0;
60 int check = 0;
61 int c;
62 while (((c = in.read()) > 0) && (counter < MAX_CHARS)) {
63
64 // If we are passed "--jbrofuzz-->\n" in the file
65 if (check == END_SIGNATURE.length()) {
66
67 firstSet.append((char) c);
68
69 }
70 // Else find "--jbrofuzz-->\n" using a counter
71 else {
72 // Increment the counter for each success
73 if (c == END_SIGNATURE.charAt(check)) {
74 check++;
75 } else {
76 check = 0;
77 }
78 }
79
80 counter++;
81
82 }
83 in.close();
</pre>
Ergo, the corresponding graph is depicted in the screenshot below. The peak graphs correspond to number that if you hover the mouse over will give you the enumeration ID of a valid user.

[[Image:015-JBroFuzz-Tutorial.png|500px|Measuring Hamming Distance for User Enumeration]]

== Eliminating False Positives: LDAP Injection ==

Every now and then a tool (that does not produce false positives) will hit an application reporting back a huge variety of (hopefully not confirmed, but pending further investigation) injection findings.

Due to the limited number of characters required in performing LDAP Injection, such issues will be high on that list. But let's refresh our memory a bit of how LDAP injection works:

http://www.owasp.org/index.php/LDAP_injection

So typically, during an automated scan, negating LDAP cn-type queries would be submitted and their responses noted. Example:

<pre>
GET /myfilelocation.jsp?lang=en&city=user)(sn=*&rid=97 HTTP/1.1
...
</pre>

vs.

<pre>
GET /myfilelocation.jsp?lang=en&city=user)!(sn=*&rid=97 HTTP/1.1
...
</pre>

or

<pre>
GET /myfilelocation.jsp?lang=en&city=admin*)((|userpassword=*)&rid=97 HTTP/1.1
...
</pre>

As great as this check might be from an LDAP perspective, it has a high likelihood of generating false positives, due to the character sets being used. Ergo, a protection mechanism (silly worst-case blacklist present for example) would typically hunt down cross-site scripting and sql injection type of characters:

<pre>
< > ' etc.
</pre>

Not considering =, *, or brackets as completely bad (he says).

=== What characters are allowed through? ===

Enough of all that; we want to know what responses are allowed back and what's different about them for all characters being filtered through a black-list.

Let's transform the above GET into the following and proceed to add a single fuzzer that tells us that:

<pre>
GET /myfilelocation.jsp?lang=en&city=X&rid=97 HTTP/1.1
</pre>

Now in the position of the X character, proceed to add an ASCII 94 Alphabet Fuzzer (available in version 2.1 and above). This will check the responses for all characters which are printable ASCII, with the exception of space.

In total there are 95 printable ASCII characters; minus the one present for space (yes, the one you hit all the time, every day) leaves 94. This fuzzer produces each of those values, in incrementing ASCII order.

== JBroFuzz Development Corner ==

This section presents how to setup and use JBroFuzz as a fuzzing library. Also, it offers an insight in how to setup and compile your own version of JBroFuzz. As different people have different levels of expertise of the java programming language, eclipse, ant and subversion, some of the steps presented herein might be considered basic by advanced developers.

=== Setting up a JBroFuzz Development Environment ===

This section guides you towards setting up a development environment for JBroFuzz. Despite the Operating System (O/S) being windows XP, a similar process can be followed in a number of other O/S.

You will need to have installed:

*Tortoise SVN (using TortoiseSVN-1.6.6.17493-win32-svn-1.6.6.msi)
*Eclipse Java (using eclipse-java-galileo-SR1-win32.zip)

Optionally, if you don't like building your application through eclipse you could also require to install Apache Ant.

==== Step 1: Obtain the source code ====

JBroFuzz uses SubVersion with the repository being publicly available for download through anonymous access on sourceforge. There is a plan to move it the source to the OWASP Git repository, but until then, use the guidelines below.

[[Image:010-JBroFuzz-Tutorial.png|Tortoise SVN Check out JBroFuzz Source Code]]

Right click on the folder location where you want to download the source code and select:

*SVN Checkout

In the "URL of repository", enter:
<pre>https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
</pre>
In the "Checkout directory", enter the folder location of your choice, in this case:
<pre>C:\root\code\jbrofuzz
</pre>
In the "Checkout Depth" select:

*Fully recursive

Untick "Omit Externals" (should be unticked by default)

In the "Revision" select:

*"Head revision"

Select OK.

This process, once complete will checkout the entirety of the JBroFuzz source code from the SVN repository on sourceforge.

==== Step 2: Configuring a JBroFuzz Project within Eclipse ====

Having obtained the latest copy of the source code, the next step entails importing that source code within the Eclipse IDE.

Within Eclipse, select:
<pre>File -> New -> Other
</pre>
From the "New" panel that appears, select:
<pre>Java -> Java Project from Existig Ant Buildfile
</pre>
[[Image:011-JBroFuzz-Tutorial.png|Import JBroFuzz Code into Eclipse from Ant File]]

Select "Next".

In the next menu, under "Ant buildfile", select "Browse".

Browse to the location where you have just (step 1) downloaded the source code and select the following file:

*build.xml

The build.xml file is an Ant build file that JBroFuzz uses.

[[Image:012-JBroFuzz-Tutorial.png|Select the Ant File]]

Selecting that file should have populated the "Project name" as jbrofuzz and also given you:

 
<pre>"javac" task found in target "compile"
</pre>
MAKE SURE TO TICK:

*"Link to the buildfile in the filesystem"

Otherwise eclipse will try to replicate the source code within your workspace and that makes the process a tiny bit more complicated when it comes to actually building JBroFuzz.

Click "Finish"

You will see the item "Building workspace (76%) on the bottom right hand side of Eclipse. Once that is complete, you should see the jbrofuzz project on the top left corner of the Package Explorer within Eclipse.

==== Step 3: Building JBroFuzz ====

Within the Package Explorer, expand the jbrofuzz project and double-click on the build.xml file.

Right click on the "build [default]" task within the "Outline" window (typically seen on the right hand side) and select:
<pre>Run As -> 1. Ant Build [Alt+Shift+X, Q]
</pre>
If the build has been successful, a JBroFuzz.jar file within the the /jar folder would have been created. Following the path conventions above that should be in:
<pre>C:\root\code\jbrofuzz\jar\JBroFuzz.jar
</pre>
[[Image:013-JBroFuzz-Tutorial.png|Building JBroFuzz within Eclipse]]

=== How to Use JBroFuzz as a Fuzzing Library ===

Quite often what you need to do in terms of fuzzing, far exceeds the User Interface (UI) of JBroFuzz. For this reason, a set of core fuzzing APIs have been made available that can be used for more advanced fuzzing scenarios.

The JBroFuzz.jar standalone archive (made available with every release) carries a core fuzzing library that holds a number of key classes. These are located under:
<pre>org.owasp.jbrofuzz.core.*;
-Database.java
-Fuzzer.java
-FuzzerBigInteger.java
-NoSuchFuzzerException.java
-Prototype.java
</pre>
The class of importance is Fuzzer.java. If you are going to use recursive iterators of great length, there is also FuzzerBigInteger.java. The difference between the two is that Fuzzer.java uses the primitive java data type long (up to 16^16 values) while FuzzerBigInteger.java uses java BigInteger to perform the counting. Naturally, the class FuzzerBigInteger is slower and takes more memory than the Fuzzer class.

Within JBroFuzz a Fuzzer is an instance of a java Iterator. This implies that values can be accessed by simply calling the <code>next()</code> method once an object has been made available. Typically, a call to <code>hasNext()</code> should also be performed prior to avoid an exception being thrown.

A Fuzzer can be obtained from the factory method <code>createFuzzer(String, int);</code> available for every instance of the fuzzing Database. Ergo:

==== A HelloFuzzer Example ====
<pre>Database myDatabase = new Database();

Fuzzer myFuzzer = myDatabase.createFuzzer("031-B16-HEX", 5);
</pre>
So how do I use the API? Here is a simple HelloFuzzer (file called HelloFuzzer.java) example:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
To compile the above use:
<pre>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>
This assumes that you are currently inside the directory where HelloFuzzer.java resides and that the JBroFuzz.jar is located two directories within your current location i.e. in jbrofuzz/jar. In order to run the above compiled HelloFuzzer class issue:
<pre>java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>
Note: The above 2 commands have been crafted in a win32 environment. The process for compiling and running HelloFuzzer.java above is the same in *nix machines. Simply replace the backslash "\" with "/".

==== Fuzzing Payload Definitions ====

Within the JBroFuzz.jar file, there is a file called fuzzers.jbrf that carries all the fuzzer definitions that you see in the UI payloads tab of JBroFuzz. To view a latest copy of this file you can browse the SVN repository of JBroFuzz:
<pre>http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/tar/fuzzers.jbrf?view=log
</pre>
A note here worth mentioning: Files ending in .jbrofuzz are session files saved by users while performing fuzzing operations. Files ending in .jbrf are JBroFuzz system files. Typical examples of .jbrf files are headers.jbrf, as well as fuzzers.jbrf. Both these use an internal proprietary format not to be confused with the .jbrofuzz file format.

Fuzzers belong in categories (1 to many) and each fuzzer carries a set of payloads that define the alphabet of the fuzzer.

Also, you have replacive and recursive fuzzers, zero fuzzers, etc. There are a number of different fuzzer categories. As an example of a fuzzer within the fuzzers.jbrf file, consider the hexadecimal fuzzer:
<pre>Fuzzer Name: Base16 (HEX)
Fuzzer Type: Recursive
Fuzzer Id: 031-B16-HEX

Total Number of Payloads: 16
</pre>
Within the fuzzers.jbrf file this fuzzer is defined in plain-text format as follows:
<pre>R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
</pre>
 There is very little preventing you from defining your own fuzzers within this file, by following the file format specified above. You can use the UI to see if they have been loaded successfully.

Further to recursive and replacive fuzzers you also have zero fuzzers (i.e. a zero fuzzer of 1000 will just transmit 1000 requests as they are, without adding any payloads) double fuzzers, cross product fuzzers, etc.

Notice the factory method Database.createFuzzer("031-B16-HEX", 4) yielding: "I want a 4 digit recursive fuzzer (why because NUM-HEX is recursive in its definition, starts with R: instead of P:) of HEX digits."

Thus the above scenario would iterate through all the digits from 0000 to ffff. I wouldn't recommend using the above scenario for such trivial fuzzing capabilities; simply presented as an example of the inner workings of JBroFuzz.jar

==== HelloFuzzer Refined ====

A more detailed code breakdown of the above HelloFuzzer example can be found below:
<pre>/**
* JBroFuzz API Examples 01
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz a Fuzzer is a java Iterator.
*
* In order to create a Fuzzer, use the factory method
* Database.createFuzzer(String, int), passing as arguments
* the Fuzzer ID and the specified length as a positive int.
*
* Be careful to check that the fuzzer ID (labelled as f_ID)
* is actually an existing ID from the Database of Fuzzers.
*
* Expected Output:
* <code>
* The fuzzer payload is: 00000 
* The fuzzer payload is: 00001 
* ... 
* (a total of 16^5 = 1048576 lines) 
* ... 
* The fuzzer payload is: ffffd 
* The fuzzer payload is: ffffe 
* The fuzzer payload is: fffff 
* </code>
*
* For more information on the Database of Fuzzers, see the
* HelloDatabase Class.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloFuzzer {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "031-B16-HEX";
// You have to supply a (+)tive int
int f_len = 5;

try {

for(Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len); f.hasNext();) {

// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>
==== Hello Database of Fuzzers ====

Having seen how to access a single Fuzzer through the createFuzzer() method available in the Database object. The next question that comes naturally is what are the Fuzzers that are available by default in JBroFuzz?

To answer that, this example focuses more on the database component that we previously initialised, investigating the list of available methods that it offers.

In JBroFuzz, all Fuzzers are stored in a Database object that you will be required to construct in order to access them.
<pre>/**
* JBroFuzz API Examples 02
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz all Fuzzers are stored in a Database
* object that you will be required to construct in order
* to access them.
*
* Within the Database, each Fuzzer is a collection of
* payloads, which carries a unique ID string value.
*
* Example ID values are the output of this program:
* <code>
* The fuzzer ID is: 013-LDP-INJ 
* The name of the fuzzer is: LDAP Injection 
* The id of the fuzzer is: 013-LDP-INJ 
* The of payloads it carries (it's alphabet) is: 20 
* It has as 1st payload: 
* | 
* The fuzzer ID is: 018-XSS-4IE 
* The name of the fuzzer is: XSS IE 
* The id of the fuzzer is: 018-XSS-4IE 
* The of payloads it carries (it's alphabet) is: 38 
* It has as 1st payload: 
* < img src=`x` onrerror= ` ;; alert(1) ` /> 
*
* </code>
*
* Do not be confused between Prototypes and Fuzzers;
* JBroFuzz uses Prototype objects to construct the Fuzzers
* that get added into the Database upon initialisation.
*
* As a result, the getter methods available within a Database
* object can carry the name of getAllPrototypeIDs and
* getAllFuzzerIDs interchangebly.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloDatabase {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();

// Get a list of all the fuzzer IDs from the database
String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();

System.out.println("The fuzzer IDs found are:");

for(String fuzzerID : fuzzer_IDs) {

System.out.println("The fuzzer ID is: " + fuzzerID);

// We pass of length of 1, irrelevant if we are
// just going to access the first payload
// of the fuzzer
Fuzzer fuzzer;
try {

fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
// Normally you should check for fuzzer.hasNext()
String payload = fuzzer.next();

System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName() );
System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId() );
System.out.println("\tThe of payloads it carries (it's alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
System.out.println("\tIt has as 1st payload:\n\t\t" + payload );

} catch (NoSuchFuzzerException e) {
System.out.println("Could not find the specified fuzzer!");
System.out.println("Going to print all the fuzzer IDs I know:");
// old vs new for loop :)
// in case of an error, print just the
// fuzzer IDs, accessed from the DB
for(int j = 0; j < fuzzer_IDs.length; j++) {
System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
}

}

}

}

}
</pre>
==== Methods available within the Fuzzer Class ====

A final example of this section, involves seeing the usage of all the method calls available in the Fuzzer.java class
<pre>/**
* JBroFuzz API Examples 03
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* Example iterating through all the methods available
* in the Fuzzer Object and their respective outputs.
*
* @author subere@uncon.org
* @version n/a
*/
public class IndigoFuzzerTests {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "033-B08-OCT";
// You have to supply a (+)tive int
int f_len = 5;

try {

Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);

while(f.hasNext()) {

// Could do this via reflection, but..
f.next();
// System.out.println(" The fuzzer payload is: " + f.next());
System.out.println(" The maximum value is: " + f.getMaximumValue());

System.out.println(" The current value is: " + f.getCurrectValue());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>
=== Advanced Fuzzing with the JBroFuzz Library ===

This section covers more advanced APIs that are available under the '''org.owasp.jbrofuzz.core package'''. It should be noted that some of these classes and their corresponding functionality are not used by the JBroFuzz program application. Instead, they are made available for incorporation into other java code that you have perhaps written that requires more specialized type of fuzzing.

==== Fuzzing Really Long Values with Big Integer ====

As stated previously, within JBroFuzz a Fuzzer is a java Iterator. This implies that while fuzzing, we typically keep track of a counter representing the value that we are currently on. Consider the example of HelloFuzzer.java, above:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
If we compile this program:
<pre>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>
and run it:
<pre>java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>
We are going to see output similar to:
<pre> The fuzzer payload is: 0000
... (output omitted)
The fuzzer payload is: fffd
The fuzzer payload is: fffe
The fuzzer payload is: ffff
</pre>
Now what if we want a hexadecimal fuzzer of length not 4, but, say, 24. Let's try compile and run the above program with a length of 24. Changing the line to:
<pre> for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 24); f.hasNext();) {
</pre>
Running this modified version of HelloFuzzer.java, yields:
<pre>>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer.java

>java -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer

>
</pre>
Nothing! What is actually happening is JBroFuzz is figuring out that the specified length of the Fuzzer we are about to create is far greater than that of the long java data type. As a result, the Fuzzer is not even entering the iteration mode that is typically expected with methods next() and hasNext().

That's all great, but we still want a hexadecimal fuzzer, 24 digits long going from:
<pre>000000000000000000000000
...to...
ffffffffffffffffffffffff
</pre>
For this JBroFuzz offers another type of Fuzzer class, that of FuzzerBigInteger. Let's modify the critical line within the original HelloFuzzer.java program that we had:
<pre> for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
</pre>
With the entire program becoming:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
Compiling and running this program yields:
<pre> The fuzzer payload is: 000000000000000000000000
The fuzzer payload is: 000000000000000000000001
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
The fuzzer payload is: ffffffffffffffffffffffff
</pre>
There are limitations to this class, as governed by the BigInteger class itself. Further information can be found at:
<pre>http://java.sun.com/j2se/1.5.0/docs/api/java/math/BigInteger.html
</pre>
Still, on a virtual windows xp machine with 256Mb of RAM the above code had no problem running to completion. It took some time though.. Characteristics of the windows machine while this iteration was ongoing: The CPU was being utilised at 100% and memory usage was constant at 212 Mb. Overall, a clean sheet for FuzzerBigInteger.java.

==== Using the Power Fuzzer API ====

With web applications, it is often that you find yourself re-using part of, or the entirety of a fuzzing payload in more than one location, as part of the GET, POST, or any other type of request you submit.

For this reason, JBroFuzz offers the PowerFuzzer class: A type of iterator for which you can specify how many copies of the payload you require in each request.

Let's consider the following trivial scenario. You are in need of all hexadecimal values, which are 4-digits long (i.e. 0000 to FFFF) and you are in need of these 5 times for each request.

This scenario is trivial, because typically you can assign the fuzzing payload (i.e. the value you get back from Fuzzer.next() ) to a String variable and re-use it as many times as you see fit.
<pre> Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
....
for(Fuzzer f = fuzzDB.createFuzzer(fuzzerID, length); f.hasNext();) {
String payload = f.next();
....
}
</pre>
Using the PowerFuzzer.class, the following HelloPowerFuzzer.java program can be created:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {
// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java OWASP JBroFuzz Power Fuzzer Example

</pre>
This program would output the following; no rocket science here:
<pre>....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
</pre>
Now imagine you need to change the number of elements you obtain back every time. For every second request, you need to obtain back two identical payloads, for every third request, you need to obtain back three payloads and for every fourth request, you need to obtain back four payloads.

The PowerFuzzer class, with the corresponding method '''setPower(int)''' allows you to set how many identical elements you obtain back, without having to worry about the length argument. Below is a class that solves the above scenario:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {

int currentValue = (int) f.getCurrentValue();
currentValue %= 4;
switch (currentValue) {
case 0: f.setPower(1); break;
case 1: f.setPower(2); break;
case 2: f.setPower(3); break;
default: f.setPower(4); break;
}

// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java

</pre>
This class has as output:
<pre> ....
I have 1 elements: 22a8
I have 2 elements: 22a9 22a9
I have 3 elements: 22aa 22aa 22aa
I have 4 elements: 22ab 22ab 22ab 22ab
I have 1 elements: 22ac
I have 2 elements: 22ad 22ad
I have 3 elements: 22ae 22ae 22ae
I have 4 elements: 22af 22af 22af 22af
I have 1 elements: 22b0
I have 2 elements: 22b1 22b1
I have 3 elements: 22b2 22b2 22b2
I have 4 elements: 22b3 22b3 22b3 22b3
I have 1 elements: 22b4
I have 2 elements: 22b5 22b5
I have 3 elements: 22b6 22b6 22b6
I have 4 elements: 22b7 22b7 22b7 22b7
I have 1 elements: 22b8
I have 2 elements: 22b9 22b9
....
</pre>
Naturally, the algorithm of the number of elements required can vary based on any number of parameters. The PowerFuzzer class gives you a quick way to control the number of identical payloads you obtain back, without having to worry about creating a data type to store them in.

==== Using the Double Fuzzer API ====

In some cases of fuzzing web applications, a requirement to fuzz two (or more) locations part of the request being submitted to the web server becomes apparent.

The DoubleFuzzer class allows you to create a fuzzer based on two prototype definitions. Similarly to instantiating a Fuzzer through a prototype and a given length, with a DoubleFuzzer, we pass two prototype definitions and two lengths. The corresponding method call available within the '''Database''' class of org.owasp.jbrofuzz.core is:
<pre>public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
String id2, int length2) throws NoSuchFuzzerException {
</pre>
Let's cross-breed some fuzzers, see what results we get back during an iteration.

The first example below, uses two hexadecimal fuzzers of different lengths, as specified by the variables:
<pre>String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;
</pre>
As the double fuzzer iteration is taking place, the second fuzzer, defined by the fuzzID2 & length2 loops, starting from 00 and going all the way up to FF. An example output is:
<pre> I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
</pre>
The complete code listing of HelloDoubleFuzzer.java is:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>
That's simple enough; now let's cross-breed something a bit more exotic: Imagine a 3-digit octal ID value [000 - 777] being submitted inline with, say, a parameter that we want to test for Cross-Site Scripting (XSS). Let's adjust the program above with the corresponding fuzzer IDs of these fuzzers. Remember all the IDs of all the fuzzers can be found in the fuzzers.jbrf file within JBroFuzz.jar:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "019-XSS-GEK";

int length1 = 3;
int length2 = 1;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>
The output from this program is:
<pre> I have 2 elements: 000 (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I have 2 elements: 001 <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
I have 2 elements: 002 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 003 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 004 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 005 <A HREF="//google">XSS</A>
....
...
..
.
..
...
....
I have 2 elements: 774 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 775 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 776 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 777 <A HREF="//google">XSS</A>
</pre>
With the list stopping iterating at the last element of the greatest of the two fuzzers.

==== Using the Cross Product Fuzzer API ====

A final case of a special Double Fuzzer is the the Cross Product Fuzzer of the payloads of two fuzzers. This type of fuzzing is virtually encountered in username/password login form on the Internet. Let's work on this by example.

Consider your home network router. You recall changing the default password to one of the typical password values that you use. Also, you are not 100% certain about the username for the router either, it is one of the typical admin, user, administrator, root, yoda type values, but you cannot recall which one. Needless to say, you don't know what the username, or password actually is.

So in a mini brute-forcing attack scenario, you have the following list of usernames, out of which one is valid:
<pre>admin
administrator
Administrator
root
adminUser
</pre>
Also you know that the password is one of the following (Top 10 Threadwatch 2007 passwords):
<pre>password
123456
qwerty
abc123
letmein
monkey
myspace1
password1
blink182
</pre>
The set that contains every possible combination of the two sets is the Cross Product of the list of usernames, times the list of passwords. So manually, (as most people do while locking themselves out) you would try, popular combinations of the above, starting with:
<pre>admin password
admin 123456
admin qwerty
....
admin blink182
administrator password
administrator 123456
administrator qwerty
....
adminUser password1
adminUser blink182
</pre>
Thus the total number of attempts would be (number of usernames) x (number of passwords). No rocket science here.

JBroFuzz introduces the CrossProductFuzzer class capable of iterating through the cross product of two fuzzers. Let's put it into code; the following program provides a list of all 2-digit octal numbers with every 2-digit binary number. A total of (8 x 8) x (2 x 2) = 256 values.
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloCrossFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "034-B02-BIN";

int length1 = 2;
int length2 = 2;

try {
CrossProductFuzzer f = fuzzDB.createCrossFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloCrossFuzzer.java
</pre>
This program has as output:
<pre> I have 2 elements: 00 00
...
..
.
..
...
I have 2 elements: 74 00
I have 2 elements: 74 01
I have 2 elements: 74 10
I have 2 elements: 74 11
I have 2 elements: 75 00
I have 2 elements: 75 01
I have 2 elements: 75 10
I have 2 elements: 75 11
I have 2 elements: 76 00
I have 2 elements: 76 01
I have 2 elements: 76 10
I have 2 elements: 76 11
I have 2 elements: 77 00
I have 2 elements: 77 01
I have 2 elements: 77 10
I have 2 elements: 77 11
</pre>
You can substitute any list of fuzzer ID to the IDs you use in this program.

'''Remember!''' The total number of payloads must not exceed that of the the maximum value of the long primitive java data type ''Long.MAX_VALUE'' which is 2^63 - 1. If you are in need of more than that payloads, you would have to use the big integer implementation of the Fuzzer class, namely: FuzzerBigInteger.java.

== Graphing with JBroFuzz ==

Once a fuzzing session has completed, JBroFuzz offers the ability to generate a number of graphs, using various metrics. This section investigates how to further the graphing functionality available with the application.

=== Customizing the logo on each Graph ===

As of version 2.0, all image icons within JBroFuzz are located within the /icons directory of the application. The particular transparent image file displayed on top right part of the graphs is named:
<pre>/icons/owasp-med.png
</pre>
This file is a 64 x 64 PNG image file. You can replace it with your own file, as follows:
<pre>>ls -l JBroFuzz.jar
-rw-rw-rw- 1 user group 4033612 Feb 15 12:33 JBroFuzz.jar

>unzip -oq JBroFuzz.jar
>cd icons
>mv owasp-med.png file64x64-file.png
>cd ..
>zip -r JBroFuzz.zip *
>mv JBroFuzz.zip JBroFuzz.jar
</pre>
This enables you to have your own (company logo) on JBroFuzz graphs. Further to this, a number of other customization options are available, by right clicking on each of the graph generated.

[[Category:OWASP_JBroFuzz]]

OWASP JBroFuzz Tutorial

2010-03-30T15:47:35Z

Yiannis:

== Introduction ==

''“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”''
<div align="right">Old JBroFuzz Motto </div>
 The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured • Vocabulary: How to name fuzzing concepts you want to use • Usage: Ways of achieving everyday effective results with fuzzing 

[[Image:001-JBroFuzz-Tutorial.jpg|right|300px|JBroFuzz Splash Screen]]From the pre-existing information available for JBroFuzz, this tutorial focuses on usage: How to best put a fuzzing tool to good use, either via the UI, or using APIs that ''JBroFuzz.jar'' is constituted of. As a result, this document has a small requirement as a caveat; you need to have a beginner level understanding of the Java programming language in order to understand some sections.

There are a number of working examples described here within, which '''grep''' for statements such as “''<nowiki>public static void main(String[] args)</nowiki>''”. The majority of the content relates to reviewing these examples and putting the Java syntax into a fuzzing perspective.

To summarise, this tutorial focuses on customary and effective usage of fuzzing through the JBroFuzz Java APIs and the respective UI. It is targeting (without attacking them) web applications. Without further redo, let’s get fuzzing!

== JBroFuzz Basic Functionality ==

This section carries a number of basic fuzzing examples to get you started with JBroFuzz. Overall, even though the actions performed to not produce any amazing fuzzing results, it serves as a starting point in understanding how to perform particular fuzzing operations on web applications.

=== 'Hello Google!' (forget 'Hello World') ===

As the traditional first program that you learn when indulging in a new programming language, 'Hello World!' represents the norm for understanding the basic output operations and syntax (let alone compiler and execution behaviour) of the language in question.

As with most web application security related tools, when I am given the responsibility to run them, often in order to understand how they work, I would first craft a legitimate, single request to a trusted (to be up and behaving) popular Internet location. Needless, to say this request more than on occasion finds itself on Google servers.

So 'Hello World!' for programming languages seems to transform to 'Hello Google!' for understanding how web application security related tools work. Let us see, how JBroFuzz does it.

• Double-click on JBroFuzz and browse to the 'Fuzzing' tab

JBroFuzz is constituted of tabs, typically located in the bottom or top (if you bother to change the settings) of the main window.

The 'Fuzzing' tab is where you craft your request message to a particular host. Once that is in place, you can select any part of the request and proceed into adding any number of payloads. We shall see how in later sections.

• In the 'URL' field type: http://www.google.com/ http://www.google.com

Unlike conventional URLs, the URL field in JBroFuzz is only used for the underlying protocol (HTTP or HTTPS), host name (e.g. www.yahoo.com) and (optionally) port number.

All remaining information pasted or typed into the 'URL' field will be ignored; you are expected to enter it in the 'Request' field below.

<nowiki>Still, if you want to just copy-paste a URL from a browser, hit [Ctrl+L] while you are not fuzzing, paste the URL value that you have copied from a browser and JBroFuzz will automatically do the work for you. </nowiki>

Examples of valid URL values to be put in the

Treat the 'URL' and 'Request' fields as the two stages of a 'telnet' session on port 80; you are effectively using the 'URL' field to specify the equivalent of:

<tt>>telnet www.google.com 8088</tt>

As equivalent to:

<code>http://www.google.com:8088 </code>

or in the case of HTTPS:

<code>https://www.google.com:8088 </code>

Naturally, default ports for HTTP is 80 and HTTPS is 443.

• In the 'Request' field type:

<code>GET / HTTP/1.0 </code>

And press 'Enter' twice

This is where the body of the message you are sending is to be placed. So anything obeying HTTP/S protocol, such as GET and POST requests, header fields and/or HTML content should be included here.

As part of the process of fuzzing web applications with JBroFuzz you need to have done your homework, in terms of providing a base request message. This message is what will be used later on to add payloads to particular sections of the request.

<nowiki>• Hit 'Start' [Ctrl+Enter]</nowiki>

This will instigate the process of sending a single request to the specified host on a given (or default) port, over HTTP or HTTPS.

Once a connection has been established JBroFuzz will proceed to submit the message you have typed into the 'Request' field.

Finally, JBroFuzz will log all data sent and received into a file; accessing this file is typically a process of double clicking on the output line on the table at the bottom section of the 'Fuzzing' tab.

You should see a response received in the bottom part of the 'Fuzzing' panel. Double click (or right click for more options) to see the information exchanged; typically this would be a 302 redirect pointing you to another location. Congratulations, you have just said "Hello" to Google!

[[Image:002-JBroFuzz-Tutorial.png|500px|JBroFuzz Hello Google!]]

Now this would typically be enough under RFC rules, to get a response back; but damn all the bots out here, most websites require further information to respond back. So, in the 'Request' field let's pretend to be a (kind of) legitimate browser by typing:

<code>GET / HTTP/1.0 Host: www.google.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 </code>

Not forgetting to end the request typed with two returns: Press 'Enter' twice. Again, you should be able to see a line added with the response received back.

Practice sending single requests to a website of your choice by changing the URL and also the 'Host:' field from the 'Request' above. Also try accessing an HTTPS website.

<nowiki>Alternatively, you can use the shortcut [Ctrl+L] to type in your URL, with the 'Request' field filled automatically, based on the URL you have typed. </nowiki> 

=== HTTP Version Numbers & www.cia.gov Headerless Responses ===

For web applications, very often ill-defined requests submitted over the Internet, will trigger semi-legitimate responses that actually do not obey HTTP RFC protocol specification. Often, even though this is not the case in this example, these responses can lead to the identification of one or more security vulnerabilities.

In this example we test for the responses received for invalid HTTP version numbers on a particular website, namely www.cia.gov, over https. Now a word of caution here; please do not attempt to fuzz web applications that you do not have the authority to do so, especially over the Internet.

Still, for the purposes of this tutorial exercise, we will subject a web server to no more than a dozen or so requests. These requests would be otherwise identical, if it was not for the HTTP version number incrementing by a value of 1 on each request.

In terms of having the authority to do so, well this is identical to hitting 'Refresh' in your web browser a dozen or so times, while you are browsing to www.cia.gov. I do not consider this remotely close to any form of hacking, cracking, or proper fuzzing; web servers across the globe receive a lot more abuse than this on a daily basis.

Finally, by the time you are reading this, the particular issue described might have been fixed. So here goes:

• Within JBroFuzz, select:

<code>File -> Open Location [Ctrl+L] </code>

Type: https://www.cia.gov and hit enter. This is depicted in the following screenshot:

[[Image:003-JBroFuzz-Tutorial.png|JBroFuzz Open Location]]

Hitting 'Enter' should automatically populate the 'URL' field and the 'Request' field within the 'Fuzzing' tab. What you see is the base request that we intend to add fuzzing payloads to. Before we do so, let us make one small alteration first:

• Modify the first line of the 'Request' field to:

<code>GET / HTTP/0.0 </code>

Our objective is to enumerate the supported by the web server (in this case www.cia.gov) HTTP version numbers, following the two digit format that it has. We could be a lot more agressive here and test for buffer overflows and all types of injection; that would be out of line without the authority to do so. Instead we are going to see how JBroFuzz will iterate through the values of 0.0 to 1.4 by means of adding a Fuzzer to our base request.

• Highlight the second zero from the line 'GET / HTTP/0.0' and right-click, selecting 'Add'. This is depicted in the screeshot below:

[[Image:004-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer to the HTTP version number]]

• From the appearing 'Add a Fuzzer' window, select as 'Category Name', in the most left column 'Base' and as 'Fuzzer Name' in the middle column 'Base 10 (Decimal) Alphabet.

• Click on 'Add Fuzzer' on the bottom right of the window

[[Image:005-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer]]

This should add a Fuzzer of length 1 that iterates over the decimal (i.e. base 10) numbers 0 to 9. If we have added a hexadecimal Fuzzer instead of a decimal one (i.e. base 16) the iteration would from 0 to F. If we had selected two digits instead of one and proceeded to add a decimal Fuzzer, the iteration would be from:

<code>00 01 .. 98 99 </code>

From a User Interface (UI) perspective you should see a line added to the 'Added Payloads Table'.

• Click 'Start' [Ctrl+Enter]

This process will send 10 requests to the specified web server changing only first line of the request to:

<code>GET / HTTP/0.0... GET / HTTP/0.1... ... GET / HTTP/0.8... GET / HTTP/0.9... </code>

While this is ongoing, you can sort the results by 'No' in the 'Output' table in the bottom of the 'Fuzzing' tab. This should enable you to see what request is currently being transmitted and received in real time.

Once complete, change the first line of the 'Request' field to read:

<code>GET / HTTP/1.0 </code>

• Click 'Start' [Ctrl+Enter]

The resulting output should resemble the following screenshot:

[[Image:006-JBroFuzz-Tutorial.png|500px|JBroFuzz Output from a Fuzzing Session]]

Straight away we can notice a difference in the response size: For HTTP version numbers 0.0 to 0.9 we are getting back what seems fairly big in size responses; 32222 bytes in size worth of responses, given that HTTP protocol version 0.0 to 0.8 do not officially exist!

By double-clicking on one of these requests, we can see that the web server in question is responding back with no headers, yet returning a full HTML body; this represents the 32222 bytes of response of data we are receiving back. The following screenshot illustrates this:

[[Image:007-JBroFuzz-Tutorial.png|300px|JBroFuzz Output for a Single Request/Response]]

Using the 'Graphing' tab we can proceed to graph the particular requests and responses for this given session.

• Within the 'Graphing' tab, click 'Start' [Ctrl+Enter].

• Select the directory corresponding to the Output folder we have used for this fuzzing session. This will typically be the last one.

• Right-click and select 'Graph'

Once complete, browse to the 'Response Size' tab within the 'Graphing' tab, as illustrated in the screenshot below:

[[Image:008-JBroFuzz-Tutorial.png|300px|JBroFuzz Graphing different 'Response Sizes']]

To re-iterate this does not present a security vulnerability in any shape or form; merely the fact that by manipulating HTTP version numbers as part of the request we transmit, we can impact the response that we get back. In this case, what changes is the non-existent header fields, with some HTML content being received back.

If I was to guess what is causing this, I would say that some sort of load balancing or content delivery is not happening as it should when non-existent version numbers are being transmitted.

== Using JBroFuzz with a Generic Proxy ==

JBrofuzz 2.0 and subsequent releases include generic proxy support. As of this writing, basic authentication is supported with plans to eventually support NTLM and Kerberos authentication as well. We've tried to make the use of a proxy as straight forward as possible. All arguments for the proxy can be passed in the URL field and will take one of the following forms.
<pre>Without Authentication: <proxy server>:<proxy port>
With Authentication: <proxy username>:<proxy password>@<proxy server>:<proxy port>
</pre>
The structure of the request field and whether the GET parameter contains an absolute URL depends on the proxy you are using. For this reason, you may have to do a bit of trial and error to determine what format(s) your proxy accepts. To make all of this a bit clearer lets look at a couple of examples.

=== Squid Proxy ===

In the first example, we are fuzzing through a squid proxy that requires ncsa user authentication as shown in the figure below. When producing similar results, its important that you use your own proxy and not the one shown in the figure. This proxy was setup for demonstration purposes, will not accept connections from your IP address, and the credentials will no longer be active.

[[Image:016-JBroFuzz-Tutorial.jpg|503x449px]]

=== Paros Proxy ===

In the second example, we are fuzzing through a local Paros proxy running on port 8080 that does not require user authentication. Notice the difference in the syntax of the URL field when user authentication is not required.

[[Image:017-JBroFuzz-Tutorial.jpg|503x449px]]

In the third example, we are still fuzzing through Paros, but notice the slight difference in the Request Field. Specifically, pay special attention to the GET line. We are no longer including the fully qualified path. Unlike Squid, Paros will accept both formats. Keep this in mind when you are performing initial testing with JBroFuzz and the proxy of your choice.

[[Image:018-JBroFuzz-Tutorial.jpg|503x449px]]

=== Burp Proxy ===
In the final example, we are fuzzing through Burp. Similar to Squid, Burp requires absolute URLs in the request. A successful Burp request is shown below.

[[Image:019-JBroFuzz-Tutorial.jpg|503x449px]]

== Using JBroFuzz with Paros Proxy ==

JBroFuzz is a standalone fuzzer; it can release and create sockets over HTTP and HTTPS, but in order to use JBroFuzz correctly you will have to know what it is that you are fuzzing.

In comes the need for a proxy tool; the opening versions of JBroFuzz actually had a proxy tab that you could use to intercept traffic generated by your web browser. That functionality got removed in an attempt to focus and deliver solely on the fuzzing capabilities of the tool.

This section details how to use JBroFuzz in combination with a client side proxy. The one selected is Paros Proxy, which, despite the fact that it hasn't been updated since 2006 is still a popular tool that you see in web security testing live CDs. You could use any of the other proxy tools available.

=== Winning on a Remix of the Year Award ===

At 17:53, on a frosty winter evening, a message window popped up:
<pre>17:53 http://www.localhost.com/remixcontest/club/annual2010.html
17:53 Hey bro, could you cast in a vote here for the Such & Such Remix?
17:53 Appreciated!
</pre>
A friend in need is a friend indeed, so here goes I thought. Opening up a web browser configured to work with Paros as an intermediate proxy, allowed for the casting of my vote. while keeping a record of each request and reply.

No registration, or any other form of submitting an identifier was needed. The request that Paros stored for the casting of the actual vote was:
<pre>GET http://www.localhost.com/remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.1
Host: www.localhost.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
Paros Proxy actually places the domain (in this case www.localhost.com) with the protocol (i.e. http) in front of the GET request. As a result, you can't open a telnet/netcat session and just copy-paste the above. Similarly when we bring the request into JBroFuzz, a bit of tweaking is required.

*In the URL field, type:
<pre>http://www.localhost.com
</pre>
In the Request field, let's keep what is of interest:
<pre>GET /remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
No needs for Keep-Alive and Proxy-Connection. Let's simplify the HTTP request by making it a version 1.0 request and getting rid of the Host header as well. Also on the user agent, let us keep that mainstream vanilla: Firefox on Windows (popular browser combination), getting rid of the .NET and Paros additives.

Checking on the website, our Such & Such remix already has about 100 votes or so and the top remix has approximately 310 votes. Let's fuzz this:

*Select 2 of the digits of the cookie value:
<pre>PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>
*Select: Panel -> Add

*In the "Add a Fuzzer" panel, select:
<pre>Base -> Base16 (HEX)
</pre>
and select "Add Fuzzer".

This will add a line within the Payloads tab on the right hand side.

Our cookie value above (PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e) is in lowercase, hexadecimal format. Let's make sure the encoding we select is also that.

Within the Payloads tab, click on the encoding drop down menu and select lowercase. Just before clicking "Start", JBroFuzz should look something like the screenshot below.

[[Image:014-JBroFuzz-Tutorial.png|Adding Votes by iterating through PHPSESSID cookie values]]

== Performing User Enumeration with a Valid Set of Credentials ==

Often you encounter an application that allows for the enumeration of one or more pages after a user has been successfully granted a set of session credentials. One of the key areas to test from an application specific perspective, relates to the page(s) that provide user account information.

In the following example, we investigate an ASP.NET 2.0 application with a C# back-end. In this, an authenticated user has the option to select to "View My Profile". This page provides them with account information (including the typical username, email address, further notes) that they can proceed to update and save to the back-end system.

After a user has authenticated, the following URL, gives them access to their profile information stored on the database:
<pre>http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23
</pre>
Simple investigation confirms that the digits allowed as part of the UserID value are decimal numbers only. Lets feed that information into JBroFuzz.

=== Fuzzing a User ID ===

• Within JBroFuzz, select:

<code>File -> Open Location [Ctrl+L] </code>

Type: http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23 and hit enter. This is depicted in the following screenshot:

[[Image:009-JBroFuzz-Tutorial.png|300px|JBroFuzz 'GET' Request with a 'UserID' parameter]]

From the URL the important parameter is the value of the UserID query string (the value 23, above). We want to fuzz that.

• Within the Fuzzing Tab, in the "Request" text area, highlight the above number 23 • Right-click and select "Add"

In the "Add a Fuzzer" window that appears, select:

• Category Name: <code>Base</code> • Fuzzer Name: <code>Base10 (DEC)</code> • Select "Add Fuzzer" in the bottom right

This would have added a decimal (base 10 fuzzer) of length 2 onto the location.

• You will see a row added within the "Added Fuzzers Table" of the Fuzzing panel. • Click "Start" <code>Ctrl+Enter</code>

This will transmit 100 requests to the domain in question, which in this case is assumed: www.myattackingdomain.com. The value being changed within each request will be:
<pre>• GET /portal-location/UserInfo.aspx?UserID=00 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=01 HTTP/1.0
...
• GET /portal-location/UserInfo.aspx?UserID=98 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=99 HTTP/1.0
</pre>
Done. Let's proceed to graph the responses that we have obtained. Our objective is to understand which two-digit numbers from 00 to 99 correspond to valid user accounts.

=== Graphing Results ===

• Within the "Graphing" tab, click "Start" <code>Ctrl+Enter</code>

A list of directories will appear on the left-hand side. If you scroll to the bottom of the list you should see the directory corresponding to your fuzzing session, in our case it was (175 2009-06-24 16-18-24)
<pre>• Right-click on (175 2009-06-24 16-18-24)
• Click "Graph"
</pre>
This will generate the graphs in their respective tabs. The question now becomes which graph is of interest for our user enumeration exercise.

By definition enumerating users against an ID value, or any other identifier involves being able to obtain a different response for an existing user to that of a user that is not have a corresponding ID value.

Thus, from the metrics available, the one useful for enumerating users will be that of measuring the "Hamming Distance" between responses received. Based on the JBroFuzz documentation:

'''Fuzzing Hamming Distance '''
<pre>A bar chart with the hamming distance of the characters in the response,
relative to the first response received. Check each character of the first
response received, against the character at the same position of the
current response received. If they are not identical, increment the
hamming distance.
</pre>
As we can see the Fuzzing Hamming Distance (FHD) varies quite a bit from the definition of the normal hamming distance term, used in telecommunications. Still, they share a lot of similarities.

As we can from the above, the first request is critical to calibrating our user enumeration exercise. It represents the value that all other Fuzzing Hamming Distances (FHD) will be measured and normalised towards. For the java-skilled audience, the algorithm is quite trivial, but offers spectacular results in distinguishing responses:
<pre>in = new BufferedReader(new FileReader(f));
58
59 int counter = 0;
60 int check = 0;
61 int c;
62 while (((c = in.read()) > 0) && (counter < MAX_CHARS)) {
63
64 // If we are passed "--jbrofuzz-->\n" in the file
65 if (check == END_SIGNATURE.length()) {
66
67 firstSet.append((char) c);
68
69 }
70 // Else find "--jbrofuzz-->\n" using a counter
71 else {
72 // Increment the counter for each success
73 if (c == END_SIGNATURE.charAt(check)) {
74 check++;
75 } else {
76 check = 0;
77 }
78 }
79
80 counter++;
81
82 }
83 in.close();
</pre>
Ergo, the corresponding graph is depicted in the screenshot below. The peak graphs correspond to number that if you hover the mouse over will give you the enumeration ID of a valid user.

[[Image:015-JBroFuzz-Tutorial.png|500px|Measuring Hamming Distance for User Enumeration]]

== Eliminating False Positives: LDAP Injection ==

Every now and then a tool (that does not produce false positives) will hit an application reporting back a huge variety of (hopefully not confirmed, but pending further investigation) injection findings.

Due to the limited number of characters required in performing LDAP Injection, such issues will be high on that list. But let's refresh our memory a bit of how LDAP injection works:

http://www.owasp.org/index.php/LDAP_injection

So typically, during an automated scan, negating LDAP cn-type queries would be submitted and their responses noted. Example:

<pre>
GET /myfilelocation.jsp?lang=en&city=user)(sn=*&rid=97 HTTP/1.1
...
</pre>

vs.

<pre>
GET /myfilelocation.jsp?lang=en&city=user)!(sn=*&rid=97 HTTP/1.1
...
</pre>

or

<pre>
GET /myfilelocation.jsp?lang=en&city=admin*)((|userpassword=*)&rid=97 HTTP/1.1
...
</pre>

As great as this check might be from an LDAP perspective, it has a high likelihood of generating false positives, due to the character sets being used. Ergo, a protection mechanism (silly worst-case blacklist present for example) would typically hunt down cross-site scripting and sql injection type of characters:

<pre>
< > ' etc.
</pre>

Not considering =, *, or brackets as completely bad (he says).

=== What characters are allowed through? ===

Enough of all that; we want to know what responses are allowed back and what's different about them for all characters being filtered through a black-list.

Let's transform the above GET into the following and proceed to add a single fuzzer that tells us that:

<pre>
GET /myfilelocation.jsp?lang=en&city=X&rid=97 HTTP/1.1
</pre>
== JBroFuzz Development Corner ==

This section presents how to setup and use JBroFuzz as a fuzzing library. Also, it offers an insight in how to setup and compile your own version of JBroFuzz. As different people have different levels of expertise of the java programming language, eclipse, ant and subversion, some of the steps presented herein might be considered basic by advanced developers.

=== Setting up a JBroFuzz Development Environment ===

This section guides you towards setting up a development environment for JBroFuzz. Despite the Operating System (O/S) being windows XP, a similar process can be followed in a number of other O/S.

You will need to have installed:

*Tortoise SVN (using TortoiseSVN-1.6.6.17493-win32-svn-1.6.6.msi)
*Eclipse Java (using eclipse-java-galileo-SR1-win32.zip)

Optionally, if you don't like building your application through eclipse you could also require to install Apache Ant.

==== Step 1: Obtain the source code ====

JBroFuzz uses SubVersion with the repository being publicly available for download through anonymous access on sourceforge. There is a plan to move it the source to the OWASP Git repository, but until then, use the guidelines below.

[[Image:010-JBroFuzz-Tutorial.png|Tortoise SVN Check out JBroFuzz Source Code]]

Right click on the folder location where you want to download the source code and select:

*SVN Checkout

In the "URL of repository", enter:
<pre>https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
</pre>
In the "Checkout directory", enter the folder location of your choice, in this case:
<pre>C:\root\code\jbrofuzz
</pre>
In the "Checkout Depth" select:

*Fully recursive

Untick "Omit Externals" (should be unticked by default)

In the "Revision" select:

*"Head revision"

Select OK.

This process, once complete will checkout the entirety of the JBroFuzz source code from the SVN repository on sourceforge.

==== Step 2: Configuring a JBroFuzz Project within Eclipse ====

Having obtained the latest copy of the source code, the next step entails importing that source code within the Eclipse IDE.

Within Eclipse, select:
<pre>File -> New -> Other
</pre>
From the "New" panel that appears, select:
<pre>Java -> Java Project from Existig Ant Buildfile
</pre>
[[Image:011-JBroFuzz-Tutorial.png|Import JBroFuzz Code into Eclipse from Ant File]]

Select "Next".

In the next menu, under "Ant buildfile", select "Browse".

Browse to the location where you have just (step 1) downloaded the source code and select the following file:

*build.xml

The build.xml file is an Ant build file that JBroFuzz uses.

[[Image:012-JBroFuzz-Tutorial.png|Select the Ant File]]

Selecting that file should have populated the "Project name" as jbrofuzz and also given you:

 
<pre>"javac" task found in target "compile"
</pre>
MAKE SURE TO TICK:

*"Link to the buildfile in the filesystem"

Otherwise eclipse will try to replicate the source code within your workspace and that makes the process a tiny bit more complicated when it comes to actually building JBroFuzz.

Click "Finish"

You will see the item "Building workspace (76%) on the bottom right hand side of Eclipse. Once that is complete, you should see the jbrofuzz project on the top left corner of the Package Explorer within Eclipse.

==== Step 3: Building JBroFuzz ====

Within the Package Explorer, expand the jbrofuzz project and double-click on the build.xml file.

Right click on the "build [default]" task within the "Outline" window (typically seen on the right hand side) and select:
<pre>Run As -> 1. Ant Build [Alt+Shift+X, Q]
</pre>
If the build has been successful, a JBroFuzz.jar file within the the /jar folder would have been created. Following the path conventions above that should be in:
<pre>C:\root\code\jbrofuzz\jar\JBroFuzz.jar
</pre>
[[Image:013-JBroFuzz-Tutorial.png|Building JBroFuzz within Eclipse]]

=== How to Use JBroFuzz as a Fuzzing Library ===

Quite often what you need to do in terms of fuzzing, far exceeds the User Interface (UI) of JBroFuzz. For this reason, a set of core fuzzing APIs have been made available that can be used for more advanced fuzzing scenarios.

The JBroFuzz.jar standalone archive (made available with every release) carries a core fuzzing library that holds a number of key classes. These are located under:
<pre>org.owasp.jbrofuzz.core.*;
-Database.java
-Fuzzer.java
-FuzzerBigInteger.java
-NoSuchFuzzerException.java
-Prototype.java
</pre>
The class of importance is Fuzzer.java. If you are going to use recursive iterators of great length, there is also FuzzerBigInteger.java. The difference between the two is that Fuzzer.java uses the primitive java data type long (up to 16^16 values) while FuzzerBigInteger.java uses java BigInteger to perform the counting. Naturally, the class FuzzerBigInteger is slower and takes more memory than the Fuzzer class.

Within JBroFuzz a Fuzzer is an instance of a java Iterator. This implies that values can be accessed by simply calling the <code>next()</code> method once an object has been made available. Typically, a call to <code>hasNext()</code> should also be performed prior to avoid an exception being thrown.

A Fuzzer can be obtained from the factory method <code>createFuzzer(String, int);</code> available for every instance of the fuzzing Database. Ergo:

==== A HelloFuzzer Example ====
<pre>Database myDatabase = new Database();

Fuzzer myFuzzer = myDatabase.createFuzzer("031-B16-HEX", 5);
</pre>
So how do I use the API? Here is a simple HelloFuzzer (file called HelloFuzzer.java) example:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
To compile the above use:
<pre>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>
This assumes that you are currently inside the directory where HelloFuzzer.java resides and that the JBroFuzz.jar is located two directories within your current location i.e. in jbrofuzz/jar. In order to run the above compiled HelloFuzzer class issue:
<pre>java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>
Note: The above 2 commands have been crafted in a win32 environment. The process for compiling and running HelloFuzzer.java above is the same in *nix machines. Simply replace the backslash "\" with "/".

==== Fuzzing Payload Definitions ====

Within the JBroFuzz.jar file, there is a file called fuzzers.jbrf that carries all the fuzzer definitions that you see in the UI payloads tab of JBroFuzz. To view a latest copy of this file you can browse the SVN repository of JBroFuzz:
<pre>http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/tar/fuzzers.jbrf?view=log
</pre>
A note here worth mentioning: Files ending in .jbrofuzz are session files saved by users while performing fuzzing operations. Files ending in .jbrf are JBroFuzz system files. Typical examples of .jbrf files are headers.jbrf, as well as fuzzers.jbrf. Both these use an internal proprietary format not to be confused with the .jbrofuzz file format.

Fuzzers belong in categories (1 to many) and each fuzzer carries a set of payloads that define the alphabet of the fuzzer.

Also, you have replacive and recursive fuzzers, zero fuzzers, etc. There are a number of different fuzzer categories. As an example of a fuzzer within the fuzzers.jbrf file, consider the hexadecimal fuzzer:
<pre>Fuzzer Name: Base16 (HEX)
Fuzzer Type: Recursive
Fuzzer Id: 031-B16-HEX

Total Number of Payloads: 16
</pre>
Within the fuzzers.jbrf file this fuzzer is defined in plain-text format as follows:
<pre>R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
</pre>
 There is very little preventing you from defining your own fuzzers within this file, by following the file format specified above. You can use the UI to see if they have been loaded successfully.

Further to recursive and replacive fuzzers you also have zero fuzzers (i.e. a zero fuzzer of 1000 will just transmit 1000 requests as they are, without adding any payloads) double fuzzers, cross product fuzzers, etc.

Notice the factory method Database.createFuzzer("031-B16-HEX", 4) yielding: "I want a 4 digit recursive fuzzer (why because NUM-HEX is recursive in its definition, starts with R: instead of P:) of HEX digits."

Thus the above scenario would iterate through all the digits from 0000 to ffff. I wouldn't recommend using the above scenario for such trivial fuzzing capabilities; simply presented as an example of the inner workings of JBroFuzz.jar

==== HelloFuzzer Refined ====

A more detailed code breakdown of the above HelloFuzzer example can be found below:
<pre>/**
* JBroFuzz API Examples 01
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz a Fuzzer is a java Iterator.
*
* In order to create a Fuzzer, use the factory method
* Database.createFuzzer(String, int), passing as arguments
* the Fuzzer ID and the specified length as a positive int.
*
* Be careful to check that the fuzzer ID (labelled as f_ID)
* is actually an existing ID from the Database of Fuzzers.
*
* Expected Output:
* <code>
* The fuzzer payload is: 00000 
* The fuzzer payload is: 00001 
* ... 
* (a total of 16^5 = 1048576 lines) 
* ... 
* The fuzzer payload is: ffffd 
* The fuzzer payload is: ffffe 
* The fuzzer payload is: fffff 
* </code>
*
* For more information on the Database of Fuzzers, see the
* HelloDatabase Class.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloFuzzer {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "031-B16-HEX";
// You have to supply a (+)tive int
int f_len = 5;

try {

for(Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len); f.hasNext();) {

// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>
==== Hello Database of Fuzzers ====

Having seen how to access a single Fuzzer through the createFuzzer() method available in the Database object. The next question that comes naturally is what are the Fuzzers that are available by default in JBroFuzz?

To answer that, this example focuses more on the database component that we previously initialised, investigating the list of available methods that it offers.

In JBroFuzz, all Fuzzers are stored in a Database object that you will be required to construct in order to access them.
<pre>/**
* JBroFuzz API Examples 02
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz all Fuzzers are stored in a Database
* object that you will be required to construct in order
* to access them.
*
* Within the Database, each Fuzzer is a collection of
* payloads, which carries a unique ID string value.
*
* Example ID values are the output of this program:
* <code>
* The fuzzer ID is: 013-LDP-INJ 
* The name of the fuzzer is: LDAP Injection 
* The id of the fuzzer is: 013-LDP-INJ 
* The of payloads it carries (it's alphabet) is: 20 
* It has as 1st payload: 
* | 
* The fuzzer ID is: 018-XSS-4IE 
* The name of the fuzzer is: XSS IE 
* The id of the fuzzer is: 018-XSS-4IE 
* The of payloads it carries (it's alphabet) is: 38 
* It has as 1st payload: 
* < img src=`x` onrerror= ` ;; alert(1) ` /> 
*
* </code>
*
* Do not be confused between Prototypes and Fuzzers;
* JBroFuzz uses Prototype objects to construct the Fuzzers
* that get added into the Database upon initialisation.
*
* As a result, the getter methods available within a Database
* object can carry the name of getAllPrototypeIDs and
* getAllFuzzerIDs interchangebly.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloDatabase {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();

// Get a list of all the fuzzer IDs from the database
String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();

System.out.println("The fuzzer IDs found are:");

for(String fuzzerID : fuzzer_IDs) {

System.out.println("The fuzzer ID is: " + fuzzerID);

// We pass of length of 1, irrelevant if we are
// just going to access the first payload
// of the fuzzer
Fuzzer fuzzer;
try {

fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
// Normally you should check for fuzzer.hasNext()
String payload = fuzzer.next();

System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName() );
System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId() );
System.out.println("\tThe of payloads it carries (it's alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
System.out.println("\tIt has as 1st payload:\n\t\t" + payload );

} catch (NoSuchFuzzerException e) {
System.out.println("Could not find the specified fuzzer!");
System.out.println("Going to print all the fuzzer IDs I know:");
// old vs new for loop :)
// in case of an error, print just the
// fuzzer IDs, accessed from the DB
for(int j = 0; j < fuzzer_IDs.length; j++) {
System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
}

}

}

}

}
</pre>
==== Methods available within the Fuzzer Class ====

A final example of this section, involves seeing the usage of all the method calls available in the Fuzzer.java class
<pre>/**
* JBroFuzz API Examples 03
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* Example iterating through all the methods available
* in the Fuzzer Object and their respective outputs.
*
* @author subere@uncon.org
* @version n/a
*/
public class IndigoFuzzerTests {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "033-B08-OCT";
// You have to supply a (+)tive int
int f_len = 5;

try {

Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);

while(f.hasNext()) {

// Could do this via reflection, but..
f.next();
// System.out.println(" The fuzzer payload is: " + f.next());
System.out.println(" The maximum value is: " + f.getMaximumValue());

System.out.println(" The current value is: " + f.getCurrectValue());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>
=== Advanced Fuzzing with the JBroFuzz Library ===

This section covers more advanced APIs that are available under the '''org.owasp.jbrofuzz.core package'''. It should be noted that some of these classes and their corresponding functionality are not used by the JBroFuzz program application. Instead, they are made available for incorporation into other java code that you have perhaps written that requires more specialized type of fuzzing.

==== Fuzzing Really Long Values with Big Integer ====

As stated previously, within JBroFuzz a Fuzzer is a java Iterator. This implies that while fuzzing, we typically keep track of a counter representing the value that we are currently on. Consider the example of HelloFuzzer.java, above:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
If we compile this program:
<pre>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>
and run it:
<pre>java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>
We are going to see output similar to:
<pre> The fuzzer payload is: 0000
... (output omitted)
The fuzzer payload is: fffd
The fuzzer payload is: fffe
The fuzzer payload is: ffff
</pre>
Now what if we want a hexadecimal fuzzer of length not 4, but, say, 24. Let's try compile and run the above program with a length of 24. Changing the line to:
<pre> for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 24); f.hasNext();) {
</pre>
Running this modified version of HelloFuzzer.java, yields:
<pre>>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer.java

>java -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer

>
</pre>
Nothing! What is actually happening is JBroFuzz is figuring out that the specified length of the Fuzzer we are about to create is far greater than that of the long java data type. As a result, the Fuzzer is not even entering the iteration mode that is typically expected with methods next() and hasNext().

That's all great, but we still want a hexadecimal fuzzer, 24 digits long going from:
<pre>000000000000000000000000
...to...
ffffffffffffffffffffffff
</pre>
For this JBroFuzz offers another type of Fuzzer class, that of FuzzerBigInteger. Let's modify the critical line within the original HelloFuzzer.java program that we had:
<pre> for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
</pre>
With the entire program becoming:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>
Compiling and running this program yields:
<pre> The fuzzer payload is: 000000000000000000000000
The fuzzer payload is: 000000000000000000000001
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
The fuzzer payload is: ffffffffffffffffffffffff
</pre>
There are limitations to this class, as governed by the BigInteger class itself. Further information can be found at:
<pre>http://java.sun.com/j2se/1.5.0/docs/api/java/math/BigInteger.html
</pre>
Still, on a virtual windows xp machine with 256Mb of RAM the above code had no problem running to completion. It took some time though.. Characteristics of the windows machine while this iteration was ongoing: The CPU was being utilised at 100% and memory usage was constant at 212 Mb. Overall, a clean sheet for FuzzerBigInteger.java.

==== Using the Power Fuzzer API ====

With web applications, it is often that you find yourself re-using part of, or the entirety of a fuzzing payload in more than one location, as part of the GET, POST, or any other type of request you submit.

For this reason, JBroFuzz offers the PowerFuzzer class: A type of iterator for which you can specify how many copies of the payload you require in each request.

Let's consider the following trivial scenario. You are in need of all hexadecimal values, which are 4-digits long (i.e. 0000 to FFFF) and you are in need of these 5 times for each request.

This scenario is trivial, because typically you can assign the fuzzing payload (i.e. the value you get back from Fuzzer.next() ) to a String variable and re-use it as many times as you see fit.
<pre> Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
....
for(Fuzzer f = fuzzDB.createFuzzer(fuzzerID, length); f.hasNext();) {
String payload = f.next();
....
}
</pre>
Using the PowerFuzzer.class, the following HelloPowerFuzzer.java program can be created:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {
// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java OWASP JBroFuzz Power Fuzzer Example

</pre>
This program would output the following; no rocket science here:
<pre>....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
</pre>
Now imagine you need to change the number of elements you obtain back every time. For every second request, you need to obtain back two identical payloads, for every third request, you need to obtain back three payloads and for every fourth request, you need to obtain back four payloads.

The PowerFuzzer class, with the corresponding method '''setPower(int)''' allows you to set how many identical elements you obtain back, without having to worry about the length argument. Below is a class that solves the above scenario:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {

int currentValue = (int) f.getCurrentValue();
currentValue %= 4;
switch (currentValue) {
case 0: f.setPower(1); break;
case 1: f.setPower(2); break;
case 2: f.setPower(3); break;
default: f.setPower(4); break;
}

// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java

</pre>
This class has as output:
<pre> ....
I have 1 elements: 22a8
I have 2 elements: 22a9 22a9
I have 3 elements: 22aa 22aa 22aa
I have 4 elements: 22ab 22ab 22ab 22ab
I have 1 elements: 22ac
I have 2 elements: 22ad 22ad
I have 3 elements: 22ae 22ae 22ae
I have 4 elements: 22af 22af 22af 22af
I have 1 elements: 22b0
I have 2 elements: 22b1 22b1
I have 3 elements: 22b2 22b2 22b2
I have 4 elements: 22b3 22b3 22b3 22b3
I have 1 elements: 22b4
I have 2 elements: 22b5 22b5
I have 3 elements: 22b6 22b6 22b6
I have 4 elements: 22b7 22b7 22b7 22b7
I have 1 elements: 22b8
I have 2 elements: 22b9 22b9
....
</pre>
Naturally, the algorithm of the number of elements required can vary based on any number of parameters. The PowerFuzzer class gives you a quick way to control the number of identical payloads you obtain back, without having to worry about creating a data type to store them in.

==== Using the Double Fuzzer API ====

In some cases of fuzzing web applications, a requirement to fuzz two (or more) locations part of the request being submitted to the web server becomes apparent.

The DoubleFuzzer class allows you to create a fuzzer based on two prototype definitions. Similarly to instantiating a Fuzzer through a prototype and a given length, with a DoubleFuzzer, we pass two prototype definitions and two lengths. The corresponding method call available within the '''Database''' class of org.owasp.jbrofuzz.core is:
<pre>public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
String id2, int length2) throws NoSuchFuzzerException {
</pre>
Let's cross-breed some fuzzers, see what results we get back during an iteration.

The first example below, uses two hexadecimal fuzzers of different lengths, as specified by the variables:
<pre>String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;
</pre>
As the double fuzzer iteration is taking place, the second fuzzer, defined by the fuzzID2 & length2 loops, starting from 00 and going all the way up to FF. An example output is:
<pre> I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
</pre>
The complete code listing of HelloDoubleFuzzer.java is:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>
That's simple enough; now let's cross-breed something a bit more exotic: Imagine a 3-digit octal ID value [000 - 777] being submitted inline with, say, a parameter that we want to test for Cross-Site Scripting (XSS). Let's adjust the program above with the corresponding fuzzer IDs of these fuzzers. Remember all the IDs of all the fuzzers can be found in the fuzzers.jbrf file within JBroFuzz.jar:
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "019-XSS-GEK";

int length1 = 3;
int length2 = 1;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>
The output from this program is:
<pre> I have 2 elements: 000 (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I have 2 elements: 001 <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
I have 2 elements: 002 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 003 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 004 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 005 <A HREF="//google">XSS</A>
....
...
..
.
..
...
....
I have 2 elements: 774 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 775 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 776 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 777 <A HREF="//google">XSS</A>
</pre>
With the list stopping iterating at the last element of the greatest of the two fuzzers.

==== Using the Cross Product Fuzzer API ====

A final case of a special Double Fuzzer is the the Cross Product Fuzzer of the payloads of two fuzzers. This type of fuzzing is virtually encountered in username/password login form on the Internet. Let's work on this by example.

Consider your home network router. You recall changing the default password to one of the typical password values that you use. Also, you are not 100% certain about the username for the router either, it is one of the typical admin, user, administrator, root, yoda type values, but you cannot recall which one. Needless to say, you don't know what the username, or password actually is.

So in a mini brute-forcing attack scenario, you have the following list of usernames, out of which one is valid:
<pre>admin
administrator
Administrator
root
adminUser
</pre>
Also you know that the password is one of the following (Top 10 Threadwatch 2007 passwords):
<pre>password
123456
qwerty
abc123
letmein
monkey
myspace1
password1
blink182
</pre>
The set that contains every possible combination of the two sets is the Cross Product of the list of usernames, times the list of passwords. So manually, (as most people do while locking themselves out) you would try, popular combinations of the above, starting with:
<pre>admin password
admin 123456
admin qwerty
....
admin blink182
administrator password
administrator 123456
administrator qwerty
....
adminUser password1
adminUser blink182
</pre>
Thus the total number of attempts would be (number of usernames) x (number of passwords). No rocket science here.

JBroFuzz introduces the CrossProductFuzzer class capable of iterating through the cross product of two fuzzers. Let's put it into code; the following program provides a list of all 2-digit octal numbers with every 2-digit binary number. A total of (8 x 8) x (2 x 2) = 256 values.
<pre>import org.owasp.jbrofuzz.core.*;

public class HelloCrossFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "034-B02-BIN";

int length1 = 2;
int length2 = 2;

try {
CrossProductFuzzer f = fuzzDB.createCrossFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloCrossFuzzer.java
</pre>
This program has as output:
<pre> I have 2 elements: 00 00
...
..
.
..
...
I have 2 elements: 74 00
I have 2 elements: 74 01
I have 2 elements: 74 10
I have 2 elements: 74 11
I have 2 elements: 75 00
I have 2 elements: 75 01
I have 2 elements: 75 10
I have 2 elements: 75 11
I have 2 elements: 76 00
I have 2 elements: 76 01
I have 2 elements: 76 10
I have 2 elements: 76 11
I have 2 elements: 77 00
I have 2 elements: 77 01
I have 2 elements: 77 10
I have 2 elements: 77 11
</pre>
You can substitute any list of fuzzer ID to the IDs you use in this program.

'''Remember!''' The total number of payloads must not exceed that of the the maximum value of the long primitive java data type ''Long.MAX_VALUE'' which is 2^63 - 1. If you are in need of more than that payloads, you would have to use the big integer implementation of the Fuzzer class, namely: FuzzerBigInteger.java.

== Graphing with JBroFuzz ==

Once a fuzzing session has completed, JBroFuzz offers the ability to generate a number of graphs, using various metrics. This section investigates how to further the graphing functionality available with the application.

=== Customizing the logo on each Graph ===

As of version 2.0, all image icons within JBroFuzz are located within the /icons directory of the application. The particular transparent image file displayed on top right part of the graphs is named:
<pre>/icons/owasp-med.png
</pre>
This file is a 64 x 64 PNG image file. You can replace it with your own file, as follows:
<pre>>ls -l JBroFuzz.jar
-rw-rw-rw- 1 user group 4033612 Feb 15 12:33 JBroFuzz.jar

>unzip -oq JBroFuzz.jar
>cd icons
>mv owasp-med.png file64x64-file.png
>cd ..
>zip -r JBroFuzz.zip *
>mv JBroFuzz.zip JBroFuzz.jar
</pre>
This enables you to have your own (company logo) on JBroFuzz graphs. Further to this, a number of other customization options are available, by right clicking on each of the graph generated.

[[Category:OWASP_JBroFuzz]]

OWASP JBroFuzz Tutorial

2010-02-18T15:50:55Z

Yiannis: /* Using the Cross Product Fuzzer API */

[[Category:OWASP JBroFuzz]]

== Introduction ==
''“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”''

<div align="right">Old JBroFuzz Motto </div>

The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured 
• Vocabulary: How to name fuzzing concepts you want to use 
• Usage: Ways of achieving everyday effective results with fuzzing 

[[Image:001-JBroFuzz-Tutorial.jpg|300px|right|JBroFuzz Splash Screen]]From the pre-existing information available for JBroFuzz, this tutorial focuses on usage: How to best put a fuzzing tool to good use, either via the UI, or using APIs that ''JBroFuzz.jar'' is constituted of. As a result, this document has a small requirement as a caveat; you need to have a beginner level understanding of the Java programming language in order to understand some sections.

There are a number of working examples described here within, which '''grep''' for statements such as “''<nowiki>public static void main(String[] args)</nowiki>''”. The majority of the content relates to reviewing these examples and putting the Java syntax into a fuzzing perspective.

To summarise, this tutorial focuses on customary and effective usage of fuzzing through the JBroFuzz Java APIs and the respective UI. It is targeting (without attacking them) web applications. Without further redo, let’s get fuzzing!

== JBroFuzz Basic Functionality ==
This section carries a number of basic fuzzing examples to get you started with JBroFuzz. Overall, even though the actions performed to not produce any amazing fuzzing results, it serves as a starting point in understanding how to perform particular fuzzing operations on web applications.

=== 'Hello Google!' (forget 'Hello World') ===
As the traditional first program that you learn when indulging in a new programming language, 'Hello World!' represents the norm for understanding the basic output operations and syntax (let alone compiler and execution behaviour) of the language in question.

As with most web application security related tools, when I am given the responsibility to run them, often in order to understand how they work, I would first craft a legitimate, single request to a trusted (to be up and behaving) popular Internet location. Needless, to say this request more than on occasion finds itself on Google servers.

So 'Hello World!' for programming languages seems to transform to 'Hello Google!' for understanding how web application security related tools work. Let us see, how JBroFuzz does it.

• Double-click on JBroFuzz and browse to the 'Fuzzing' tab

JBroFuzz is constituted of tabs, typically located in the bottom or top (if you bother to change the settings) of the main window.

The 'Fuzzing' tab is where you craft your request message to a particular host. Once that is in place, you can select any part of the request and proceed into adding any number of payloads. We shall see how in later sections.

• In the 'URL' field type: http://www.google.com/ http://www.google.com

Unlike conventional URLs, the URL field in JBroFuzz is only used for the underlying protocol (HTTP or HTTPS), host name (e.g. www.yahoo.com) and (optionally) port number.

All remaining information pasted or typed into the 'URL' field will be ignored; you are expected to enter it in the 'Request' field below.

<nowiki>Still, if you want to just copy-paste a URL from a browser, hit [Ctrl+L] while you are not fuzzing, paste the URL value that you have copied from a browser and JBroFuzz will automatically do the work for you. </nowiki>

Examples of valid URL values to be put in the

Treat the 'URL' and 'Request' fields as the two stages of a 'telnet' session on port 80; you are effectively using the 'URL' field to specify the equivalent of:

<tt>>telnet www.google.com 8088</tt>

As equivalent to:

<code>
http://www.google.com:8088 
</code>

or in the case of HTTPS:

<code>
https://www.google.com:8088 
</code>

Naturally, default ports for HTTP is 80 and HTTPS is 443.

• In the 'Request' field type:

<code>
GET / HTTP/1.0 
 
</code>

And press 'Enter' twice

This is where the body of the message you are sending is to be placed. So anything obeying HTTP/S protocol, such as GET and POST requests, header fields and/or HTML content should be included here.

As part of the process of fuzzing web applications with JBroFuzz you need to have done your homework, in terms of providing a base request message. This message is what will be used later on to add payloads to particular sections of the request.

<nowiki>• Hit 'Start' [Ctrl+Enter]</nowiki>

This will instigate the process of sending a single request to the specified host on a given (or default) port, over HTTP or HTTPS.

Once a connection has been established JBroFuzz will proceed to submit the message you have typed into the 'Request' field.

Finally, JBroFuzz will log all data sent and received into a file; accessing this file is typically a process of double clicking on the output line on the table at the bottom section of the 'Fuzzing' tab.

You should see a response received in the bottom part of the 'Fuzzing' panel. Double click (or right click for more options) to see the information exchanged; typically this would be a 302 redirect pointing you to another location. Congratulations, you have just said "Hello" to Google!

[[Image:002-JBroFuzz-Tutorial.png|500px|JBroFuzz Hello Google!]]

Now this would typically be enough under RFC rules, to get a response back; but damn all the bots out here, most websites require further information to respond back. So, in the 'Request' field let's pretend to be a (kind of) legitimate browser by typing:

<code>
GET / HTTP/1.0 
Host: www.google.com 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.5 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
 
</code>

Not forgetting to end the request typed with two returns: Press 'Enter' twice. Again, you should be able to see a line added with the response received back.

Practice sending single requests to a website of your choice by changing the URL and also the 'Host:' field from the 'Request' above. Also try accessing an HTTPS website.

<nowiki>Alternatively, you can use the shortcut [Ctrl+L] to type in your URL, with the 'Request' field filled automatically, based on the URL you have typed. </nowiki>
 
=== HTTP Version Numbers & www.cia.gov Headerless Responses ===
For web applications, very often ill-defined requests submitted over the Internet, will trigger semi-legitimate responses that actually do not obey HTTP RFC protocol specification. Often, even though this is not the case in this example, these responses can lead to the identification of one or more security vulnerabilities.

In this example we test for the responses received for invalid HTTP version numbers on a particular website, namely www.cia.gov, over https. Now a word of caution here; please do not attempt to fuzz web applications that you do not have the authority to do so, especially over the Internet.

Still, for the purposes of this tutorial exercise, we will subject a web server to no more than a dozen or so requests. These requests would be otherwise identical, if it was not for the HTTP version number incrementing by a value of 1 on each request.

In terms of having the authority to do so, well this is identical to hitting 'Refresh' in your web browser a dozen or so times, while you are browsing to www.cia.gov. I do not consider this remotely close to any form of hacking, cracking, or proper fuzzing; web servers across the globe receive a lot more abuse than this on a daily basis.

Finally, by the time you are reading this, the particular issue described might have been fixed. So here goes:

• Within JBroFuzz, select:

<code>
File -> Open Location [Ctrl+L] 
</code>

Type: https://www.cia.gov and hit enter. This is depicted in the following screenshot:

[[Image:003-JBroFuzz-Tutorial.png|JBroFuzz Open Location]]

Hitting 'Enter' should automatically populate the 'URL' field and the 'Request' field within the 'Fuzzing' tab. What you see is the base request that we intend to add fuzzing payloads to. Before we do so, let us make one small alteration first:

• Modify the first line of the 'Request' field to:

<code>
GET / HTTP/0.0 
</code>

Our objective is to enumerate the supported by the web server (in this case www.cia.gov) HTTP version numbers, following the two digit format that it has. We could be a lot more agressive here and test for buffer overflows and all types of injection; that would be out of line without the authority to do so. Instead we are going to see how JBroFuzz will iterate through the values of 0.0 to 1.4 by means of adding a Fuzzer to our base request.

• Highlight the second zero from the line 'GET / HTTP/0.0' and right-click, selecting 'Add'. This is depicted in the screeshot below:

[[Image:004-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer to the HTTP version number]]

• From the appearing 'Add a Fuzzer' window, select as 'Category Name', in the most left column 'Base' and as 'Fuzzer Name' in the middle column 'Base 10 (Decimal) Alphabet.

• Click on 'Add Fuzzer' on the bottom right of the window

[[Image:005-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer]]

This should add a Fuzzer of length 1 that iterates over the decimal (i.e. base 10) numbers 0 to 9. If we have added a hexadecimal Fuzzer instead of a decimal one (i.e. base 16) the iteration would from 0 to F. If we had selected two digits instead of one and proceeded to add a decimal Fuzzer, the iteration would be from:

<code>
00 
01 
.. 
98 
99 
</code>

From a User Interface (UI) perspective you should see a line added to the 'Added Payloads Table'.

• Click 'Start' [Ctrl+Enter]

This process will send 10 requests to the specified web server changing only first line of the request to:

<code>
GET / HTTP/0.0... 
GET / HTTP/0.1... 
... 
GET / HTTP/0.8... 
GET / HTTP/0.9... 
</code>

While this is ongoing, you can sort the results by 'No' in the 'Output' table in the bottom of the 'Fuzzing' tab. This should enable you to see what request is currently being transmitted and received in real time.

Once complete, change the first line of the 'Request' field to read:

<code>
GET / HTTP/1.0 
</code>

• Click 'Start' [Ctrl+Enter]

The resulting output should resemble the following screenshot:

[[Image:006-JBroFuzz-Tutorial.png|500px|JBroFuzz Output from a Fuzzing Session]]

Straight away we can notice a difference in the response size: For HTTP version numbers 0.0 to 0.9 we are getting back what seems fairly big in size responses; 32222 bytes in size worth of responses, given that HTTP protocol version 0.0 to 0.8 do not officially exist!

By double-clicking on one of these requests, we can see that the web server in question is responding back with no headers, yet returning a full HTML body; this represents the 32222 bytes of response of data we are receiving back. The following screenshot illustrates this:

[[Image:007-JBroFuzz-Tutorial.png|300px|JBroFuzz Output for a Single Request/Response]]

Using the 'Graphing' tab we can proceed to graph the particular requests and responses for this given session.

• Within the 'Graphing' tab, click 'Start' [Ctrl+Enter].

• Select the directory corresponding to the Output folder we have used for this fuzzing session. This will typically be the last one.

• Right-click and select 'Graph'

Once complete, browse to the 'Response Size' tab within the 'Graphing' tab, as illustrated in the screenshot below:

[[Image:008-JBroFuzz-Tutorial.png|300px|JBroFuzz Graphing different 'Response Sizes']]

To re-iterate this does not present a security vulnerability in any shape or form; merely the fact that by manipulating HTTP version numbers as part of the request we transmit, we can impact the response that we get back. In this case, what changes is the non-existent header fields, with some HTML content being received back.

If I was to guess what is causing this, I would say that some sort of load balancing or content delivery is not happening as it should when non-existent version numbers are being transmitted.

==Using JBroFuzz with Paros Proxy==

JBroFuzz is a standalone fuzzer; it can release and create sockets over HTTP and HTTPS, but in order to use JBroFuzz correctly you will have to know what it is that you are fuzzing.

In comes the need for a proxy tool; the opening versions of JBroFuzz actually had a proxy tab that you could use to intercept traffic generated by your web browser. That functionality got removed in an attempt to focus and deliver solely on the fuzzing capabilities of the tool.

This section details how to use JBroFuzz in combination with a client side proxy. The one selected is Paros Proxy, which, despite the fact that it hasn't been updated since 2006 is still a popular tool that you see in web security testing live CDs. You could use any of the other proxy tools available.

===Winning on a Remix of the Year Award===

At 17:53, on a frosty winter evening, a message window popped up:
<pre>
17:53 http://www.localhost.com/remixcontest/club/annual2010.html
17:53 Hey bro, could you cast in a vote here for the Such & Such Remix?
17:53 Appreciated!
</pre>
A friend in need is a friend indeed, so here goes I thought. Opening up a web browser configured to work with Paros as an intermediate proxy, allowed for the casting of my vote. while keeping a record of each request and reply.

No registration, or any other form of submitting an identifier was needed. The request that Paros stored for the casting of the actual vote was:

<pre>
GET http://www.localhost.com/remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.1
Host: www.localhost.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

Paros Proxy actually places the domain (in this case www.localhost.com) with the protocol (i.e. http) in front of the GET request. As a result, you can't open a telnet/netcat session and just copy-paste the above. Similarly when we bring the request into JBroFuzz, a bit of tweaking is required.

* In the URL field, type:

<pre>
http://www.localhost.com
</pre>

In the Request field, let's keep what is of interest:

<pre>
GET /remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

No needs for Keep-Alive and Proxy-Connection. Let's simplify the HTTP request by making it a version 1.0 request and getting rid of the Host header as well. Also on the user agent, let us keep that mainstream vanilla: Firefox on Windows (popular browser combination), getting rid of the .NET and Paros additives.

Checking on the website, our Such & Such remix already has about 100 votes or so and the top remix has approximately 310 votes. Let's fuzz this:

* Select 2 of the digits of the cookie value:

<pre>
PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

* Select: Panel -> Add

* In the "Add a Fuzzer" panel, select:

<pre>
Base -> Base16 (HEX)
</pre>

and select "Add Fuzzer".

This will add a line within the Payloads tab on the right hand side.

Our cookie value above (PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e) is in lowercase, hexadecimal format. Let's make sure the encoding we select is also that.

Within the Payloads tab, click on the encoding drop down menu and select lowercase. Just before clicking "Start", JBroFuzz should look something like the screenshot below.

[[Image:014-JBroFuzz-Tutorial.png|Adding Votes by iterating through PHPSESSID cookie values]]

== Performing User Enumeration with a Valid Set of Credentials ==
Often you encounter an application that allows for the enumeration of one or more pages after a user has been successfully granted a set of session credentials. One of the key areas to test from an application specific perspective, relates to the page(s) that provide user account information.

In the following example, we investigate an ASP.NET 2.0 application with a C# back-end. In this, an authenticated user has the option to select to "View My Profile". This page provides them with account information (including the typical username, email address, further notes) that they can proceed to update and save to the back-end system.

After a user has authenticated, the following URL, gives them access to their profile information stored on the database:

<pre>
http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23
</pre>

Simple investigation confirms that the digits allowed as part of the UserID value are decimal numbers only. Lets feed that information into JBroFuzz.

===Fuzzing a User ID===

• Within JBroFuzz, select:

<code>
File -> Open Location [Ctrl+L] 
</code>

Type: http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23 and hit enter. This is depicted in the following screenshot:

[[Image:009-JBroFuzz-Tutorial.png|300px|JBroFuzz 'GET' Request with a 'UserID' parameter]]

From the URL the important parameter is the value of the UserID query string (the value 23, above). We want to fuzz that.

• Within the Fuzzing Tab, in the "Request" text area, highlight the above number 23
• Right-click and select "Add"

In the "Add a Fuzzer" window that appears, select:

• Category Name: <code>Base</code>
• Fuzzer Name: <code>Base10 (DEC)</code>
• Select "Add Fuzzer" in the bottom right

This would have added a decimal (base 10 fuzzer) of length 2 onto the location.

• You will see a row added within the "Added Fuzzers Table" of the Fuzzing panel.
• Click "Start" <code>Ctrl+Enter</code>

This will transmit 100 requests to the domain in question, which in this case is assumed: www.myattackingdomain.com. The value being changed within each request will be:

<pre>
• GET /portal-location/UserInfo.aspx?UserID=00 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=01 HTTP/1.0
...
• GET /portal-location/UserInfo.aspx?UserID=98 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=99 HTTP/1.0
</pre>

Done. Let's proceed to graph the responses that we have obtained. Our objective is to understand which two-digit numbers from 00 to 99 correspond to valid user accounts.

===Graphing Results===
• Within the "Graphing" tab, click "Start" <code>Ctrl+Enter</code>

A list of directories will appear on the left-hand side. If you scroll to the bottom of the list you should see the directory corresponding to your fuzzing session, in our case it was (175 2009-06-24 16-18-24)

<pre>
• Right-click on (175 2009-06-24 16-18-24)
• Click "Graph"
</pre>

This will generate the graphs in their respective tabs. The question now becomes which graph is of interest for our user enumeration exercise.

By definition enumerating users against an ID value, or any other identifier involves being able to obtain a different response for an existing user to that of a user that is not have a corresponding ID value.

Thus, from the metrics available, the one useful for enumerating users will be that of measuring the "Hamming Distance" between responses received. Based on the JBroFuzz documentation:

Fuzzing Hamming Distance 
<pre>
A bar chart with the hamming distance of the characters in the response,
relative to the first response received. Check each character of the first
response received, against the character at the same position of the
current response received. If they are not identical, increment the
hamming distance.
</pre>

As we can see the Fuzzing Hamming Distance (FHD) varies quite a bit from the definition of the normal hamming distance term, used in telecommunications. Still, they share a lot of similarities.

As we can from the above, the first request is critical to calibrating our user enumeration exercise. It represents the value that all other Fuzzing Hamming Distances (FHD) will be measured and normalised towards. For the java-skilled audience, the algorithm is quite trivial, but offers spectacular results in distinguishing responses:

<pre>
in = new BufferedReader(new FileReader(f));
58
59 int counter = 0;
60 int check = 0;
61 int c;
62 while (((c = in.read()) > 0) && (counter < MAX_CHARS)) {
63
64 // If we are passed "--jbrofuzz-->\n" in the file
65 if (check == END_SIGNATURE.length()) {
66
67 firstSet.append((char) c);
68
69 }
70 // Else find "--jbrofuzz-->\n" using a counter
71 else {
72 // Increment the counter for each success
73 if (c == END_SIGNATURE.charAt(check)) {
74 check++;
75 } else {
76 check = 0;
77 }
78 }
79
80 counter++;
81
82 }
83 in.close();
</pre>

Ergo, the corresponding graph is depicted in the screenshot below. The peak graphs correspond to number that if you hover the mouse over will give you the enumeration ID of a valid user.

[[Image:015-JBroFuzz-Tutorial.png|500px|Measuring Hamming Distance for User Enumeration]]

== JBroFuzz Development Corner ==
This section presents how to setup and use JBroFuzz as a fuzzing library. Also, it offers an insight in how to setup and compile your own version of JBroFuzz. As different people have different levels of expertise of the java programming language, eclipse, ant and subversion, some of the steps presented herein might be considered basic by advanced developers.

===Setting up a JBroFuzz Development Environment===

This section guides you towards setting up a development environment for JBroFuzz. Despite the Operating System (O/S) being windows XP, a similar process can be followed in a number of other O/S.

You will need to have installed:

* Tortoise SVN (using TortoiseSVN-1.6.6.17493-win32-svn-1.6.6.msi)
* Eclipse Java (using eclipse-java-galileo-SR1-win32.zip)

Optionally, if you don't like building your application through eclipse you could also require to install Apache Ant.

====Step 1: Obtain the source code====

JBroFuzz uses SubVersion with the repository being publicly available for download through anonymous access on sourceforge. There is a plan to move it the source to the OWASP Git repository, but until then, use the guidelines below.

[[Image:010-JBroFuzz-Tutorial.png|Tortoise SVN Check out JBroFuzz Source Code]]

Right click on the folder location where you want to download the source code and select:

* SVN Checkout

In the "URL of repository", enter:

<pre>
https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
</pre>

In the "Checkout directory", enter the folder location of your choice, in this case:

<pre>
C:\root\code\jbrofuzz
</pre>

In the "Checkout Depth" select:

* Fully recursive

Untick "Omit Externals" (should be unticked by default)

In the "Revision" select:

* "Head revision"

Select OK.

This process, once complete will checkout the entirety of the JBroFuzz source code from the SVN repository on sourceforge.

====Step 2: Configuring a JBroFuzz Project within Eclipse====

Having obtained the latest copy of the source code, the next step entails importing that source code within the Eclipse IDE.

Within Eclipse, select:

<pre>
File -> New -> Other
</pre>

From the "New" panel that appears, select:

<pre>
Java -> Java Project from Existig Ant Buildfile
</pre>

[[Image:011-JBroFuzz-Tutorial.png|Import JBroFuzz Code into Eclipse from Ant File]]

Select "Next".

In the next menu, under "Ant buildfile", select "Browse".

Browse to the location where you have just (step 1) downloaded the source code and select the following file:

* build.xml

The build.xml file is an Ant build file that JBroFuzz uses.

[[Image:012-JBroFuzz-Tutorial.png|Select the Ant File]]

Selecting that file should have populated the "Project name" as jbrofuzz and also given you:

<pre>
"javac" task found in target "compile"
</pre>

MAKE SURE TO TICK:

* "Link to the buildfile in the filesystem"

Otherwise eclipse will try to replicate the source code within your workspace and that makes the process a tiny bit more complicated when it comes to actually building JBroFuzz.

Click "Finish"

You will see the item "Building workspace (76%) on the bottom right hand side of Eclipse. Once that is complete, you should see the jbrofuzz project on the top left corner of the Package Explorer within Eclipse.

====Step 3: Building JBroFuzz====

Within the Package Explorer, expand the jbrofuzz project and double-click on the build.xml file.

Right click on the "build [default]" task within the "Outline" window (typically seen on the right hand side) and select:

<pre>
Run As -> 1. Ant Build [Alt+Shift+X, Q]
</pre>

If the build has been successful, a JBroFuzz.jar file within the the /jar folder would have been created. Following the path conventions above that should be in:

<pre>
C:\root\code\jbrofuzz\jar\JBroFuzz.jar
</pre>

[[Image:013-JBroFuzz-Tutorial.png|Building JBroFuzz within Eclipse]]

===How to Use JBroFuzz as a Fuzzing Library===

Quite often what you need to do in terms of fuzzing, far exceeds the User Interface (UI) of JBroFuzz. For this reason, a set of core fuzzing APIs have been made available that can be used for more advanced fuzzing scenarios.

The JBroFuzz.jar standalone archive (made available with every release) carries a core fuzzing library that holds a number of key classes. These are located under:

<pre>
org.owasp.jbrofuzz.core.*;
-Database.java
-Fuzzer.java
-FuzzerBigInteger.java
-NoSuchFuzzerException.java
-Prototype.java
</pre>

The class of importance is Fuzzer.java. If you are going to use recursive iterators of great length, there is also FuzzerBigInteger.java. The difference between the two is that Fuzzer.java uses the primitive java data type long (up to 16^16 values) while FuzzerBigInteger.java uses java BigInteger to perform the counting. Naturally, the class FuzzerBigInteger is slower and takes more memory than the Fuzzer class.

Within JBroFuzz a Fuzzer is an instance of a java Iterator. This implies that values can be accessed by simply calling the <code>next()</code> method once an object has been made available. Typically, a call to <code>hasNext()</code> should also be performed prior to avoid an exception being thrown.

A Fuzzer can be obtained from the factory method <code>createFuzzer(String, int);</code> available for every instance of the fuzzing Database. Ergo:

====A HelloFuzzer Example====

<pre>
Database myDatabase = new Database();

Fuzzer myFuzzer = myDatabase.createFuzzer("031-B16-HEX", 5);
</pre>

So how do I use the API? Here is a simple HelloFuzzer (file called HelloFuzzer.java) example:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

To compile the above use:

<pre>
javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>

This assumes that you are currently inside the directory where HelloFuzzer.java resides and that the JBroFuzz.jar is located two directories within your current location i.e. in jbrofuzz/jar. In order to run the above compiled HelloFuzzer class issue:

<pre>
java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>

Note: The above 2 commands have been crafted in a win32 environment. The process for compiling and running HelloFuzzer.java above is the same in *nix machines. Simply replace the backslash "\" with "/".

====Fuzzing Payload Definitions====
Within the JBroFuzz.jar file, there is a file called fuzzers.jbrf that carries all the fuzzer definitions that you see in the UI payloads tab of JBroFuzz. To view a latest copy of this file you can browse the SVN repository of JBroFuzz:

<pre>
http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/tar/fuzzers.jbrf?view=log
</pre>

A note here worth mentioning: Files ending in .jbrofuzz are session files saved by users while performing fuzzing operations. Files ending in .jbrf are JBroFuzz system files. Typical examples of .jbrf files are headers.jbrf, as well as fuzzers.jbrf. Both these use an internal proprietary format not to be confused with the .jbrofuzz file format.

Fuzzers belong in categories (1 to many) and each fuzzer carries a set of payloads that define the alphabet of the fuzzer.

Also, you have replacive and recursive fuzzers, zero fuzzers, etc. There are a number of different fuzzer categories. As an example of a fuzzer within the fuzzers.jbrf file, consider the hexadecimal fuzzer:

<pre>
Fuzzer Name: Base16 (HEX)
Fuzzer Type: Recursive
Fuzzer Id: 031-B16-HEX

Total Number of Payloads: 16
</pre>

Within the fuzzers.jbrf file this fuzzer is defined in plain-text format as follows:

<pre>
R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
</pre>

There is very little preventing you from defining your own fuzzers within this file, by following the file format specified above. You can use the UI to see if they have been loaded successfully.

Further to recursive and replacive fuzzers you also have zero fuzzers (i.e. a zero fuzzer of 1000 will just transmit 1000 requests as they are, without adding any payloads) double fuzzers, cross product fuzzers, etc.

Notice the factory method Database.createFuzzer("031-B16-HEX", 4) yielding: "I want a 4 digit recursive fuzzer (why because NUM-HEX is recursive in its definition, starts with R: instead of P:) of HEX digits."

Thus the above scenario would iterate through all the digits from 0000 to ffff. I wouldn't recommend using the above scenario for such trivial fuzzing capabilities; simply presented as an example of the inner workings of JBroFuzz.jar

====HelloFuzzer Refined====
A more detailed code breakdown of the above HelloFuzzer example can be found below:

<pre>
/**
* JBroFuzz API Examples 01
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz a Fuzzer is a java Iterator.
*
* In order to create a Fuzzer, use the factory method
* Database.createFuzzer(String, int), passing as arguments
* the Fuzzer ID and the specified length as a positive int.
*
* Be careful to check that the fuzzer ID (labelled as f_ID)
* is actually an existing ID from the Database of Fuzzers.
*
* Expected Output:
* <code>
* The fuzzer payload is: 00000 
* The fuzzer payload is: 00001 
* ... 
* (a total of 16^5 = 1048576 lines) 
* ... 
* The fuzzer payload is: ffffd 
* The fuzzer payload is: ffffe 
* The fuzzer payload is: fffff 
* </code>
*
* For more information on the Database of Fuzzers, see the
* HelloDatabase Class.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloFuzzer {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "031-B16-HEX";
// You have to supply a (+)tive int
int f_len = 5;

try {

for(Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len); f.hasNext();) {

// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>

====Hello Database of Fuzzers====
Having seen how to access a single Fuzzer through the createFuzzer() method available in the Database object. The next question that comes naturally is what are the Fuzzers that are available by default in JBroFuzz?

To answer that, this example focuses more on the database component that we previously initialised, investigating the list of available methods that it offers.

In JBroFuzz, all Fuzzers are stored in a Database object that you will be required to construct in order to access them.

<pre>
/**
* JBroFuzz API Examples 02
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz all Fuzzers are stored in a Database
* object that you will be required to construct in order
* to access them.
*
* Within the Database, each Fuzzer is a collection of
* payloads, which carries a unique ID string value.
*
* Example ID values are the output of this program:
* <code>
* The fuzzer ID is: 013-LDP-INJ 
* The name of the fuzzer is: LDAP Injection 
* The id of the fuzzer is: 013-LDP-INJ 
* The of payloads it carries (it's alphabet) is: 20 
* It has as 1st payload: 
* | 
* The fuzzer ID is: 018-XSS-4IE 
* The name of the fuzzer is: XSS IE 
* The id of the fuzzer is: 018-XSS-4IE 
* The of payloads it carries (it's alphabet) is: 38 
* It has as 1st payload: 
* < img src=`x` onrerror= ` ;; alert(1) ` /> 
*
* </code>
*
* Do not be confused between Prototypes and Fuzzers;
* JBroFuzz uses Prototype objects to construct the Fuzzers
* that get added into the Database upon initialisation.
*
* As a result, the getter methods available within a Database
* object can carry the name of getAllPrototypeIDs and
* getAllFuzzerIDs interchangebly.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloDatabase {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();

// Get a list of all the fuzzer IDs from the database
String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();

System.out.println("The fuzzer IDs found are:");

for(String fuzzerID : fuzzer_IDs) {

System.out.println("The fuzzer ID is: " + fuzzerID);

// We pass of length of 1, irrelevant if we are
// just going to access the first payload
// of the fuzzer
Fuzzer fuzzer;
try {

fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
// Normally you should check for fuzzer.hasNext()
String payload = fuzzer.next();

System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName() );
System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId() );
System.out.println("\tThe of payloads it carries (it's alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
System.out.println("\tIt has as 1st payload:\n\t\t" + payload );

} catch (NoSuchFuzzerException e) {
System.out.println("Could not find the specified fuzzer!");
System.out.println("Going to print all the fuzzer IDs I know:");
// old vs new for loop :)
// in case of an error, print just the
// fuzzer IDs, accessed from the DB
for(int j = 0; j < fuzzer_IDs.length; j++) {
System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
}

}

}

}

}
</pre>

====Methods available within the Fuzzer Class====
A final example of this section, involves seeing the usage of all the method calls available in the Fuzzer.java class

<pre>
/**
* JBroFuzz API Examples 03
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* Example iterating through all the methods available
* in the Fuzzer Object and their respective outputs.
*
* @author subere@uncon.org
* @version n/a
*/
public class IndigoFuzzerTests {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "033-B08-OCT";
// You have to supply a (+)tive int
int f_len = 5;

try {

Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);

while(f.hasNext()) {

// Could do this via reflection, but..
f.next();
// System.out.println(" The fuzzer payload is: " + f.next());
System.out.println(" The maximum value is: " + f.getMaximumValue());

System.out.println(" The current value is: " + f.getCurrectValue());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>

===Advanced Fuzzing with the JBroFuzz Library===

This section covers more advanced APIs that are available under the org.owasp.jbrofuzz.core package. It should be noted that some of these classes and their corresponding functionality are not used by the JBroFuzz program application. Instead, they are made available for incorporation into other java code that you have perhaps written that requires more specialized type of fuzzing.

====Fuzzing Really Long Values with Big Integer====

As stated previously, within JBroFuzz a Fuzzer is a java Iterator. This implies that while fuzzing, we typically keep track of a counter representing the value that we are currently on. Consider the example of HelloFuzzer.java, above:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

If we compile this program:

<pre>
javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>

and run it:

<pre>
java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>

We are going to see output similar to:

<pre>
The fuzzer payload is: 0000
... (output omitted)
The fuzzer payload is: fffd
The fuzzer payload is: fffe
The fuzzer payload is: ffff
</pre>

Now what if we want a hexadecimal fuzzer of length not 4, but, say, 24. Let's try compile and run the above program with a length of 24. Changing the line to:

<pre>
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 24); f.hasNext();) {
</pre>

Running this modified version of HelloFuzzer.java, yields:

<pre>
>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer.java

>java -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer

>
</pre>

Nothing! What is actually happening is JBroFuzz is figuring out that the specified length of the Fuzzer we are about to create is far greater than that of the long java data type. As a result, the Fuzzer is not even entering the iteration mode that is typically expected with methods next() and hasNext().

That's all great, but we still want a hexadecimal fuzzer, 24 digits long going from:

<pre>
000000000000000000000000
...to...
ffffffffffffffffffffffff
</pre>

For this JBroFuzz offers another type of Fuzzer class, that of FuzzerBigInteger. Let's modify the critical line within the original HelloFuzzer.java program that we had:

<pre>
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
</pre>

With the entire program becoming:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

Compiling and running this program yields:

<pre>
The fuzzer payload is: 000000000000000000000000
The fuzzer payload is: 000000000000000000000001
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
The fuzzer payload is: ffffffffffffffffffffffff
</pre>

There are limitations to this class, as governed by the BigInteger class itself. Further information can be found at:

<pre>
http://java.sun.com/j2se/1.5.0/docs/api/java/math/BigInteger.html
</pre>

Still, on a virtual windows xp machine with 256Mb of RAM the above code had no problem running to completion. It took some time though.. Characteristics of the windows machine while this iteration was ongoing: The CPU was being utilised at 100% and memory usage was constant at 212 Mb. Overall, a clean sheet for FuzzerBigInteger.java.

====Using the Power Fuzzer API====

With web applications, it is often that you find yourself re-using part of, or the entirety of a fuzzing payload in more than one location, as part of the GET, POST, or any other type of request you submit.

For this reason, JBroFuzz offers the PowerFuzzer class: A type of iterator for which you can specify how many copies of the payload you require in each request.

Let's consider the following trivial scenario. You are in need of all hexadecimal values, which are 4-digits long (i.e. 0000 to FFFF) and you are in need of these 5 times for each request.

This scenario is trivial, because typically you can assign the fuzzing payload (i.e. the value you get back from Fuzzer.next() ) to a String variable and re-use it as many times as you see fit.

<pre>
Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
....
for(Fuzzer f = fuzzDB.createFuzzer(fuzzerID, length); f.hasNext();) {
String payload = f.next();
....
}
</pre>

Using the PowerFuzzer.class, the following HelloPowerFuzzer.java program can be created:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {
// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java OWASP JBroFuzz Power Fuzzer Example

</pre>

This program would output the following; no rocket science here:

<pre>
....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
</pre>

Now imagine you need to change the number of elements you obtain back every time. For every second request, you need to obtain back two identical payloads, for every third request, you need to obtain back three payloads and for every fourth request, you need to obtain back four payloads.

The PowerFuzzer class, with the corresponding method setPower(int) allows you to set how many identical elements you obtain back, without having to worry about the length argument. Below is a class that solves the above scenario:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {

int currentValue = (int) f.getCurrentValue();
currentValue %= 4;
switch (currentValue) {
case 0: f.setPower(1); break;
case 1: f.setPower(2); break;
case 2: f.setPower(3); break;
default: f.setPower(4); break;
}

// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java

</pre>

This class has as output:

<pre>
....
I have 1 elements: 22a8
I have 2 elements: 22a9 22a9
I have 3 elements: 22aa 22aa 22aa
I have 4 elements: 22ab 22ab 22ab 22ab
I have 1 elements: 22ac
I have 2 elements: 22ad 22ad
I have 3 elements: 22ae 22ae 22ae
I have 4 elements: 22af 22af 22af 22af
I have 1 elements: 22b0
I have 2 elements: 22b1 22b1
I have 3 elements: 22b2 22b2 22b2
I have 4 elements: 22b3 22b3 22b3 22b3
I have 1 elements: 22b4
I have 2 elements: 22b5 22b5
I have 3 elements: 22b6 22b6 22b6
I have 4 elements: 22b7 22b7 22b7 22b7
I have 1 elements: 22b8
I have 2 elements: 22b9 22b9
....
</pre>

Naturally, the algorithm of the number of elements required can vary based on any number of parameters. The PowerFuzzer class gives you a quick way to control the number of identical payloads you obtain back, without having to worry about creating a data type to store them in.

====Using the Double Fuzzer API====

In some cases of fuzzing web applications, a requirement to fuzz two (or more) locations part of the request being submitted to the web server becomes apparent.

The DoubleFuzzer class allows you to create a fuzzer based on two prototype definitions. Similarly to instantiating a Fuzzer through a prototype and a given length, with a DoubleFuzzer, we pass two prototype definitions and two lengths. The corresponding method call available within the Database class of org.owasp.jbrofuzz.core is:

<pre>
public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
String id2, int length2) throws NoSuchFuzzerException {
</pre>

Let's cross-breed some fuzzers, see what results we get back during an iteration.

The first example below, uses two hexadecimal fuzzers of different lengths, as specified by the variables:

<pre>
String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;
</pre>

As the double fuzzer iteration is taking place, the second fuzzer, defined by the fuzzID2 & length2 loops, starting from 00 and going all the way up to FF. An example output is:

<pre>
I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
</pre>

The complete code listing of HelloDoubleFuzzer.java is:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>

That's simple enough; now let's cross-breed something a bit more exotic: Imagine a 3-digit octal ID value [000 - 777] being submitted inline with, say, a parameter that we want to test for Cross-Site Scripting (XSS). Let's adjust the program above with the corresponding fuzzer IDs of these fuzzers. Remember all the IDs of all the fuzzers can be found in the fuzzers.jbrf file within JBroFuzz.jar:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "019-XSS-GEK";

int length1 = 3;
int length2 = 1;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>

The output from this program is:

<pre>
I have 2 elements: 000 (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I have 2 elements: 001 <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
I have 2 elements: 002 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 003 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 004 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 005 <A HREF="//google">XSS</A>
....
...
..
.
..
...
....
I have 2 elements: 774 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 775 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 776 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 777 <A HREF="//google">XSS</A>
</pre>

With the list stopping iterating at the last element of the greatest of the two fuzzers.

====Using the Cross Product Fuzzer API====

A final case of a special Double Fuzzer is the the Cross Product Fuzzer of the payloads of two fuzzers. This type of fuzzing is virtually encountered in username/password login form on the Internet. Let's work on this by example.

Consider your home network router. You recall changing the default password to one of the typical password values that you use. Also, you are not 100% certain about the username for the router either, it is one of the typical admin, user, administrator, root, yoda type values, but you cannot recall which one. Needless to say, you don't know what the username, or password actually is.

So in a mini brute-forcing attack scenario, you have the following list of usernames, out of which one is valid:

<pre>
admin
administrator
Administrator
root
adminUser
</pre>

Also you know that the password is one of the following (Top 10 Threadwatch 2007 passwords):

<pre>
password
123456
qwerty
abc123
letmein
monkey
myspace1
password1
blink182
</pre>

The set that contains every possible combination of the two sets is the Cross Product of the list of usernames, times the list of passwords. So manually, (as most people do while locking themselves out) you would try, popular combinations of the above, starting with:

<pre>
admin password
admin 123456
admin qwerty
....
admin blink182
administrator password
administrator 123456
administrator qwerty
....
adminUser password1
adminUser blink182
</pre>

Thus the total number of attempts would be (number of usernames) x (number of passwords). No rocket science here.

JBroFuzz introduces the CrossProductFuzzer class capable of iterating through the cross product of two fuzzers. Let's put it into code; the following program provides a list of all 2-digit octal numbers with every 2-digit binary number. A total of (8 x 8) x (2 x 2) = 256 values.

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloCrossFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "034-B02-BIN";

int length1 = 2;
int length2 = 2;

try {
CrossProductFuzzer f = fuzzDB.createCrossFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloCrossFuzzer.java
</pre>

This program has as output:

<pre>
I have 2 elements: 00 00
...
..
.
..
...
I have 2 elements: 74 00
I have 2 elements: 74 01
I have 2 elements: 74 10
I have 2 elements: 74 11
I have 2 elements: 75 00
I have 2 elements: 75 01
I have 2 elements: 75 10
I have 2 elements: 75 11
I have 2 elements: 76 00
I have 2 elements: 76 01
I have 2 elements: 76 10
I have 2 elements: 76 11
I have 2 elements: 77 00
I have 2 elements: 77 01
I have 2 elements: 77 10
I have 2 elements: 77 11
</pre>

You can substitute any list of fuzzer ID to the IDs you use in this program.

Remember! The total number of payloads must not exceed that of the the maximum value of the long primitive java data type Long.MAX_VALUE which is 2^63 - 1. If you are in need of more than that payloads, you would have to use the big integer implementation of the Fuzzer class, namely: FuzzerBigInteger.java.

==Graphing with JBroFuzz==

Once a fuzzing session has completed, JBroFuzz offers the ability to generate a number of graphs, using various metrics. This section investigates how to further the graphing functionality available with the application.

===Customizing the logo on each Graph===

As of version 2.0, all image icons within JBroFuzz are located within the /icons directory of the application. The particular transparent image file displayed on top right part of the graphs is named:

<pre>
/icons/owasp-med.png
</pre>

This file is a 64 x 64 PNG image file. You can replace it with your own file, as follows:

<pre>
>ls -l JBroFuzz.jar
-rw-rw-rw- 1 user group 4033612 Feb 15 12:33 JBroFuzz.jar

>unzip -oq JBroFuzz.jar
>cd icons
>mv owasp-med.png file64x64-file.png
>cd ..
>zip -r JBroFuzz.zip *
>mv JBroFuzz.zip JBroFuzz.jar
</pre>

This enables you to have your own (company logo) on JBroFuzz graphs. Further to this, a number of other customization options are available, by right clicking on each of the graph generated.

OWASP JBroFuzz Tutorial

2010-02-18T15:46:06Z

Yiannis: /* Advanced Fuzzing with the JBroFuzz Library */

[[Category:OWASP JBroFuzz]]

== Introduction ==
''“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”''

<div align="right">Old JBroFuzz Motto </div>

The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured 
• Vocabulary: How to name fuzzing concepts you want to use 
• Usage: Ways of achieving everyday effective results with fuzzing 

[[Image:001-JBroFuzz-Tutorial.jpg|300px|right|JBroFuzz Splash Screen]]From the pre-existing information available for JBroFuzz, this tutorial focuses on usage: How to best put a fuzzing tool to good use, either via the UI, or using APIs that ''JBroFuzz.jar'' is constituted of. As a result, this document has a small requirement as a caveat; you need to have a beginner level understanding of the Java programming language in order to understand some sections.

There are a number of working examples described here within, which '''grep''' for statements such as “''<nowiki>public static void main(String[] args)</nowiki>''”. The majority of the content relates to reviewing these examples and putting the Java syntax into a fuzzing perspective.

To summarise, this tutorial focuses on customary and effective usage of fuzzing through the JBroFuzz Java APIs and the respective UI. It is targeting (without attacking them) web applications. Without further redo, let’s get fuzzing!

== JBroFuzz Basic Functionality ==
This section carries a number of basic fuzzing examples to get you started with JBroFuzz. Overall, even though the actions performed to not produce any amazing fuzzing results, it serves as a starting point in understanding how to perform particular fuzzing operations on web applications.

=== 'Hello Google!' (forget 'Hello World') ===
As the traditional first program that you learn when indulging in a new programming language, 'Hello World!' represents the norm for understanding the basic output operations and syntax (let alone compiler and execution behaviour) of the language in question.

As with most web application security related tools, when I am given the responsibility to run them, often in order to understand how they work, I would first craft a legitimate, single request to a trusted (to be up and behaving) popular Internet location. Needless, to say this request more than on occasion finds itself on Google servers.

So 'Hello World!' for programming languages seems to transform to 'Hello Google!' for understanding how web application security related tools work. Let us see, how JBroFuzz does it.

• Double-click on JBroFuzz and browse to the 'Fuzzing' tab

JBroFuzz is constituted of tabs, typically located in the bottom or top (if you bother to change the settings) of the main window.

The 'Fuzzing' tab is where you craft your request message to a particular host. Once that is in place, you can select any part of the request and proceed into adding any number of payloads. We shall see how in later sections.

• In the 'URL' field type: http://www.google.com/ http://www.google.com

Unlike conventional URLs, the URL field in JBroFuzz is only used for the underlying protocol (HTTP or HTTPS), host name (e.g. www.yahoo.com) and (optionally) port number.

All remaining information pasted or typed into the 'URL' field will be ignored; you are expected to enter it in the 'Request' field below.

<nowiki>Still, if you want to just copy-paste a URL from a browser, hit [Ctrl+L] while you are not fuzzing, paste the URL value that you have copied from a browser and JBroFuzz will automatically do the work for you. </nowiki>

Examples of valid URL values to be put in the

Treat the 'URL' and 'Request' fields as the two stages of a 'telnet' session on port 80; you are effectively using the 'URL' field to specify the equivalent of:

<tt>>telnet www.google.com 8088</tt>

As equivalent to:

<code>
http://www.google.com:8088 
</code>

or in the case of HTTPS:

<code>
https://www.google.com:8088 
</code>

Naturally, default ports for HTTP is 80 and HTTPS is 443.

• In the 'Request' field type:

<code>
GET / HTTP/1.0 
 
</code>

And press 'Enter' twice

This is where the body of the message you are sending is to be placed. So anything obeying HTTP/S protocol, such as GET and POST requests, header fields and/or HTML content should be included here.

As part of the process of fuzzing web applications with JBroFuzz you need to have done your homework, in terms of providing a base request message. This message is what will be used later on to add payloads to particular sections of the request.

<nowiki>• Hit 'Start' [Ctrl+Enter]</nowiki>

This will instigate the process of sending a single request to the specified host on a given (or default) port, over HTTP or HTTPS.

Once a connection has been established JBroFuzz will proceed to submit the message you have typed into the 'Request' field.

Finally, JBroFuzz will log all data sent and received into a file; accessing this file is typically a process of double clicking on the output line on the table at the bottom section of the 'Fuzzing' tab.

You should see a response received in the bottom part of the 'Fuzzing' panel. Double click (or right click for more options) to see the information exchanged; typically this would be a 302 redirect pointing you to another location. Congratulations, you have just said "Hello" to Google!

[[Image:002-JBroFuzz-Tutorial.png|500px|JBroFuzz Hello Google!]]

Now this would typically be enough under RFC rules, to get a response back; but damn all the bots out here, most websites require further information to respond back. So, in the 'Request' field let's pretend to be a (kind of) legitimate browser by typing:

<code>
GET / HTTP/1.0 
Host: www.google.com 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.5 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
 
</code>

Not forgetting to end the request typed with two returns: Press 'Enter' twice. Again, you should be able to see a line added with the response received back.

Practice sending single requests to a website of your choice by changing the URL and also the 'Host:' field from the 'Request' above. Also try accessing an HTTPS website.

<nowiki>Alternatively, you can use the shortcut [Ctrl+L] to type in your URL, with the 'Request' field filled automatically, based on the URL you have typed. </nowiki>
 
=== HTTP Version Numbers & www.cia.gov Headerless Responses ===
For web applications, very often ill-defined requests submitted over the Internet, will trigger semi-legitimate responses that actually do not obey HTTP RFC protocol specification. Often, even though this is not the case in this example, these responses can lead to the identification of one or more security vulnerabilities.

In this example we test for the responses received for invalid HTTP version numbers on a particular website, namely www.cia.gov, over https. Now a word of caution here; please do not attempt to fuzz web applications that you do not have the authority to do so, especially over the Internet.

Still, for the purposes of this tutorial exercise, we will subject a web server to no more than a dozen or so requests. These requests would be otherwise identical, if it was not for the HTTP version number incrementing by a value of 1 on each request.

In terms of having the authority to do so, well this is identical to hitting 'Refresh' in your web browser a dozen or so times, while you are browsing to www.cia.gov. I do not consider this remotely close to any form of hacking, cracking, or proper fuzzing; web servers across the globe receive a lot more abuse than this on a daily basis.

Finally, by the time you are reading this, the particular issue described might have been fixed. So here goes:

• Within JBroFuzz, select:

<code>
File -> Open Location [Ctrl+L] 
</code>

Type: https://www.cia.gov and hit enter. This is depicted in the following screenshot:

[[Image:003-JBroFuzz-Tutorial.png|JBroFuzz Open Location]]

Hitting 'Enter' should automatically populate the 'URL' field and the 'Request' field within the 'Fuzzing' tab. What you see is the base request that we intend to add fuzzing payloads to. Before we do so, let us make one small alteration first:

• Modify the first line of the 'Request' field to:

<code>
GET / HTTP/0.0 
</code>

Our objective is to enumerate the supported by the web server (in this case www.cia.gov) HTTP version numbers, following the two digit format that it has. We could be a lot more agressive here and test for buffer overflows and all types of injection; that would be out of line without the authority to do so. Instead we are going to see how JBroFuzz will iterate through the values of 0.0 to 1.4 by means of adding a Fuzzer to our base request.

• Highlight the second zero from the line 'GET / HTTP/0.0' and right-click, selecting 'Add'. This is depicted in the screeshot below:

[[Image:004-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer to the HTTP version number]]

• From the appearing 'Add a Fuzzer' window, select as 'Category Name', in the most left column 'Base' and as 'Fuzzer Name' in the middle column 'Base 10 (Decimal) Alphabet.

• Click on 'Add Fuzzer' on the bottom right of the window

[[Image:005-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer]]

This should add a Fuzzer of length 1 that iterates over the decimal (i.e. base 10) numbers 0 to 9. If we have added a hexadecimal Fuzzer instead of a decimal one (i.e. base 16) the iteration would from 0 to F. If we had selected two digits instead of one and proceeded to add a decimal Fuzzer, the iteration would be from:

<code>
00 
01 
.. 
98 
99 
</code>

From a User Interface (UI) perspective you should see a line added to the 'Added Payloads Table'.

• Click 'Start' [Ctrl+Enter]

This process will send 10 requests to the specified web server changing only first line of the request to:

<code>
GET / HTTP/0.0... 
GET / HTTP/0.1... 
... 
GET / HTTP/0.8... 
GET / HTTP/0.9... 
</code>

While this is ongoing, you can sort the results by 'No' in the 'Output' table in the bottom of the 'Fuzzing' tab. This should enable you to see what request is currently being transmitted and received in real time.

Once complete, change the first line of the 'Request' field to read:

<code>
GET / HTTP/1.0 
</code>

• Click 'Start' [Ctrl+Enter]

The resulting output should resemble the following screenshot:

[[Image:006-JBroFuzz-Tutorial.png|500px|JBroFuzz Output from a Fuzzing Session]]

Straight away we can notice a difference in the response size: For HTTP version numbers 0.0 to 0.9 we are getting back what seems fairly big in size responses; 32222 bytes in size worth of responses, given that HTTP protocol version 0.0 to 0.8 do not officially exist!

By double-clicking on one of these requests, we can see that the web server in question is responding back with no headers, yet returning a full HTML body; this represents the 32222 bytes of response of data we are receiving back. The following screenshot illustrates this:

[[Image:007-JBroFuzz-Tutorial.png|300px|JBroFuzz Output for a Single Request/Response]]

Using the 'Graphing' tab we can proceed to graph the particular requests and responses for this given session.

• Within the 'Graphing' tab, click 'Start' [Ctrl+Enter].

• Select the directory corresponding to the Output folder we have used for this fuzzing session. This will typically be the last one.

• Right-click and select 'Graph'

Once complete, browse to the 'Response Size' tab within the 'Graphing' tab, as illustrated in the screenshot below:

[[Image:008-JBroFuzz-Tutorial.png|300px|JBroFuzz Graphing different 'Response Sizes']]

To re-iterate this does not present a security vulnerability in any shape or form; merely the fact that by manipulating HTTP version numbers as part of the request we transmit, we can impact the response that we get back. In this case, what changes is the non-existent header fields, with some HTML content being received back.

If I was to guess what is causing this, I would say that some sort of load balancing or content delivery is not happening as it should when non-existent version numbers are being transmitted.

==Using JBroFuzz with Paros Proxy==

JBroFuzz is a standalone fuzzer; it can release and create sockets over HTTP and HTTPS, but in order to use JBroFuzz correctly you will have to know what it is that you are fuzzing.

In comes the need for a proxy tool; the opening versions of JBroFuzz actually had a proxy tab that you could use to intercept traffic generated by your web browser. That functionality got removed in an attempt to focus and deliver solely on the fuzzing capabilities of the tool.

This section details how to use JBroFuzz in combination with a client side proxy. The one selected is Paros Proxy, which, despite the fact that it hasn't been updated since 2006 is still a popular tool that you see in web security testing live CDs. You could use any of the other proxy tools available.

===Winning on a Remix of the Year Award===

At 17:53, on a frosty winter evening, a message window popped up:
<pre>
17:53 http://www.localhost.com/remixcontest/club/annual2010.html
17:53 Hey bro, could you cast in a vote here for the Such & Such Remix?
17:53 Appreciated!
</pre>
A friend in need is a friend indeed, so here goes I thought. Opening up a web browser configured to work with Paros as an intermediate proxy, allowed for the casting of my vote. while keeping a record of each request and reply.

No registration, or any other form of submitting an identifier was needed. The request that Paros stored for the casting of the actual vote was:

<pre>
GET http://www.localhost.com/remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.1
Host: www.localhost.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

Paros Proxy actually places the domain (in this case www.localhost.com) with the protocol (i.e. http) in front of the GET request. As a result, you can't open a telnet/netcat session and just copy-paste the above. Similarly when we bring the request into JBroFuzz, a bit of tweaking is required.

* In the URL field, type:

<pre>
http://www.localhost.com
</pre>

In the Request field, let's keep what is of interest:

<pre>
GET /remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

No needs for Keep-Alive and Proxy-Connection. Let's simplify the HTTP request by making it a version 1.0 request and getting rid of the Host header as well. Also on the user agent, let us keep that mainstream vanilla: Firefox on Windows (popular browser combination), getting rid of the .NET and Paros additives.

Checking on the website, our Such & Such remix already has about 100 votes or so and the top remix has approximately 310 votes. Let's fuzz this:

* Select 2 of the digits of the cookie value:

<pre>
PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

* Select: Panel -> Add

* In the "Add a Fuzzer" panel, select:

<pre>
Base -> Base16 (HEX)
</pre>

and select "Add Fuzzer".

This will add a line within the Payloads tab on the right hand side.

Our cookie value above (PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e) is in lowercase, hexadecimal format. Let's make sure the encoding we select is also that.

Within the Payloads tab, click on the encoding drop down menu and select lowercase. Just before clicking "Start", JBroFuzz should look something like the screenshot below.

[[Image:014-JBroFuzz-Tutorial.png|Adding Votes by iterating through PHPSESSID cookie values]]

== Performing User Enumeration with a Valid Set of Credentials ==
Often you encounter an application that allows for the enumeration of one or more pages after a user has been successfully granted a set of session credentials. One of the key areas to test from an application specific perspective, relates to the page(s) that provide user account information.

In the following example, we investigate an ASP.NET 2.0 application with a C# back-end. In this, an authenticated user has the option to select to "View My Profile". This page provides them with account information (including the typical username, email address, further notes) that they can proceed to update and save to the back-end system.

After a user has authenticated, the following URL, gives them access to their profile information stored on the database:

<pre>
http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23
</pre>

Simple investigation confirms that the digits allowed as part of the UserID value are decimal numbers only. Lets feed that information into JBroFuzz.

===Fuzzing a User ID===

• Within JBroFuzz, select:

<code>
File -> Open Location [Ctrl+L] 
</code>

Type: http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23 and hit enter. This is depicted in the following screenshot:

[[Image:009-JBroFuzz-Tutorial.png|300px|JBroFuzz 'GET' Request with a 'UserID' parameter]]

From the URL the important parameter is the value of the UserID query string (the value 23, above). We want to fuzz that.

• Within the Fuzzing Tab, in the "Request" text area, highlight the above number 23
• Right-click and select "Add"

In the "Add a Fuzzer" window that appears, select:

• Category Name: <code>Base</code>
• Fuzzer Name: <code>Base10 (DEC)</code>
• Select "Add Fuzzer" in the bottom right

This would have added a decimal (base 10 fuzzer) of length 2 onto the location.

• You will see a row added within the "Added Fuzzers Table" of the Fuzzing panel.
• Click "Start" <code>Ctrl+Enter</code>

This will transmit 100 requests to the domain in question, which in this case is assumed: www.myattackingdomain.com. The value being changed within each request will be:

<pre>
• GET /portal-location/UserInfo.aspx?UserID=00 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=01 HTTP/1.0
...
• GET /portal-location/UserInfo.aspx?UserID=98 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=99 HTTP/1.0
</pre>

Done. Let's proceed to graph the responses that we have obtained. Our objective is to understand which two-digit numbers from 00 to 99 correspond to valid user accounts.

===Graphing Results===
• Within the "Graphing" tab, click "Start" <code>Ctrl+Enter</code>

A list of directories will appear on the left-hand side. If you scroll to the bottom of the list you should see the directory corresponding to your fuzzing session, in our case it was (175 2009-06-24 16-18-24)

<pre>
• Right-click on (175 2009-06-24 16-18-24)
• Click "Graph"
</pre>

This will generate the graphs in their respective tabs. The question now becomes which graph is of interest for our user enumeration exercise.

By definition enumerating users against an ID value, or any other identifier involves being able to obtain a different response for an existing user to that of a user that is not have a corresponding ID value.

Thus, from the metrics available, the one useful for enumerating users will be that of measuring the "Hamming Distance" between responses received. Based on the JBroFuzz documentation:

Fuzzing Hamming Distance 
<pre>
A bar chart with the hamming distance of the characters in the response,
relative to the first response received. Check each character of the first
response received, against the character at the same position of the
current response received. If they are not identical, increment the
hamming distance.
</pre>

As we can see the Fuzzing Hamming Distance (FHD) varies quite a bit from the definition of the normal hamming distance term, used in telecommunications. Still, they share a lot of similarities.

As we can from the above, the first request is critical to calibrating our user enumeration exercise. It represents the value that all other Fuzzing Hamming Distances (FHD) will be measured and normalised towards. For the java-skilled audience, the algorithm is quite trivial, but offers spectacular results in distinguishing responses:

<pre>
in = new BufferedReader(new FileReader(f));
58
59 int counter = 0;
60 int check = 0;
61 int c;
62 while (((c = in.read()) > 0) && (counter < MAX_CHARS)) {
63
64 // If we are passed "--jbrofuzz-->\n" in the file
65 if (check == END_SIGNATURE.length()) {
66
67 firstSet.append((char) c);
68
69 }
70 // Else find "--jbrofuzz-->\n" using a counter
71 else {
72 // Increment the counter for each success
73 if (c == END_SIGNATURE.charAt(check)) {
74 check++;
75 } else {
76 check = 0;
77 }
78 }
79
80 counter++;
81
82 }
83 in.close();
</pre>

Ergo, the corresponding graph is depicted in the screenshot below. The peak graphs correspond to number that if you hover the mouse over will give you the enumeration ID of a valid user.

[[Image:015-JBroFuzz-Tutorial.png|500px|Measuring Hamming Distance for User Enumeration]]

== JBroFuzz Development Corner ==
This section presents how to setup and use JBroFuzz as a fuzzing library. Also, it offers an insight in how to setup and compile your own version of JBroFuzz. As different people have different levels of expertise of the java programming language, eclipse, ant and subversion, some of the steps presented herein might be considered basic by advanced developers.

===Setting up a JBroFuzz Development Environment===

This section guides you towards setting up a development environment for JBroFuzz. Despite the Operating System (O/S) being windows XP, a similar process can be followed in a number of other O/S.

You will need to have installed:

* Tortoise SVN (using TortoiseSVN-1.6.6.17493-win32-svn-1.6.6.msi)
* Eclipse Java (using eclipse-java-galileo-SR1-win32.zip)

Optionally, if you don't like building your application through eclipse you could also require to install Apache Ant.

====Step 1: Obtain the source code====

JBroFuzz uses SubVersion with the repository being publicly available for download through anonymous access on sourceforge. There is a plan to move it the source to the OWASP Git repository, but until then, use the guidelines below.

[[Image:010-JBroFuzz-Tutorial.png|Tortoise SVN Check out JBroFuzz Source Code]]

Right click on the folder location where you want to download the source code and select:

* SVN Checkout

In the "URL of repository", enter:

<pre>
https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
</pre>

In the "Checkout directory", enter the folder location of your choice, in this case:

<pre>
C:\root\code\jbrofuzz
</pre>

In the "Checkout Depth" select:

* Fully recursive

Untick "Omit Externals" (should be unticked by default)

In the "Revision" select:

* "Head revision"

Select OK.

This process, once complete will checkout the entirety of the JBroFuzz source code from the SVN repository on sourceforge.

====Step 2: Configuring a JBroFuzz Project within Eclipse====

Having obtained the latest copy of the source code, the next step entails importing that source code within the Eclipse IDE.

Within Eclipse, select:

<pre>
File -> New -> Other
</pre>

From the "New" panel that appears, select:

<pre>
Java -> Java Project from Existig Ant Buildfile
</pre>

[[Image:011-JBroFuzz-Tutorial.png|Import JBroFuzz Code into Eclipse from Ant File]]

Select "Next".

In the next menu, under "Ant buildfile", select "Browse".

Browse to the location where you have just (step 1) downloaded the source code and select the following file:

* build.xml

The build.xml file is an Ant build file that JBroFuzz uses.

[[Image:012-JBroFuzz-Tutorial.png|Select the Ant File]]

Selecting that file should have populated the "Project name" as jbrofuzz and also given you:

<pre>
"javac" task found in target "compile"
</pre>

MAKE SURE TO TICK:

* "Link to the buildfile in the filesystem"

Otherwise eclipse will try to replicate the source code within your workspace and that makes the process a tiny bit more complicated when it comes to actually building JBroFuzz.

Click "Finish"

You will see the item "Building workspace (76%) on the bottom right hand side of Eclipse. Once that is complete, you should see the jbrofuzz project on the top left corner of the Package Explorer within Eclipse.

====Step 3: Building JBroFuzz====

Within the Package Explorer, expand the jbrofuzz project and double-click on the build.xml file.

Right click on the "build [default]" task within the "Outline" window (typically seen on the right hand side) and select:

<pre>
Run As -> 1. Ant Build [Alt+Shift+X, Q]
</pre>

If the build has been successful, a JBroFuzz.jar file within the the /jar folder would have been created. Following the path conventions above that should be in:

<pre>
C:\root\code\jbrofuzz\jar\JBroFuzz.jar
</pre>

[[Image:013-JBroFuzz-Tutorial.png|Building JBroFuzz within Eclipse]]

===How to Use JBroFuzz as a Fuzzing Library===

Quite often what you need to do in terms of fuzzing, far exceeds the User Interface (UI) of JBroFuzz. For this reason, a set of core fuzzing APIs have been made available that can be used for more advanced fuzzing scenarios.

The JBroFuzz.jar standalone archive (made available with every release) carries a core fuzzing library that holds a number of key classes. These are located under:

<pre>
org.owasp.jbrofuzz.core.*;
-Database.java
-Fuzzer.java
-FuzzerBigInteger.java
-NoSuchFuzzerException.java
-Prototype.java
</pre>

The class of importance is Fuzzer.java. If you are going to use recursive iterators of great length, there is also FuzzerBigInteger.java. The difference between the two is that Fuzzer.java uses the primitive java data type long (up to 16^16 values) while FuzzerBigInteger.java uses java BigInteger to perform the counting. Naturally, the class FuzzerBigInteger is slower and takes more memory than the Fuzzer class.

Within JBroFuzz a Fuzzer is an instance of a java Iterator. This implies that values can be accessed by simply calling the <code>next()</code> method once an object has been made available. Typically, a call to <code>hasNext()</code> should also be performed prior to avoid an exception being thrown.

A Fuzzer can be obtained from the factory method <code>createFuzzer(String, int);</code> available for every instance of the fuzzing Database. Ergo:

====A HelloFuzzer Example====

<pre>
Database myDatabase = new Database();

Fuzzer myFuzzer = myDatabase.createFuzzer("031-B16-HEX", 5);
</pre>

So how do I use the API? Here is a simple HelloFuzzer (file called HelloFuzzer.java) example:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

To compile the above use:

<pre>
javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>

This assumes that you are currently inside the directory where HelloFuzzer.java resides and that the JBroFuzz.jar is located two directories within your current location i.e. in jbrofuzz/jar. In order to run the above compiled HelloFuzzer class issue:

<pre>
java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>

Note: The above 2 commands have been crafted in a win32 environment. The process for compiling and running HelloFuzzer.java above is the same in *nix machines. Simply replace the backslash "\" with "/".

====Fuzzing Payload Definitions====
Within the JBroFuzz.jar file, there is a file called fuzzers.jbrf that carries all the fuzzer definitions that you see in the UI payloads tab of JBroFuzz. To view a latest copy of this file you can browse the SVN repository of JBroFuzz:

<pre>
http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/tar/fuzzers.jbrf?view=log
</pre>

A note here worth mentioning: Files ending in .jbrofuzz are session files saved by users while performing fuzzing operations. Files ending in .jbrf are JBroFuzz system files. Typical examples of .jbrf files are headers.jbrf, as well as fuzzers.jbrf. Both these use an internal proprietary format not to be confused with the .jbrofuzz file format.

Fuzzers belong in categories (1 to many) and each fuzzer carries a set of payloads that define the alphabet of the fuzzer.

Also, you have replacive and recursive fuzzers, zero fuzzers, etc. There are a number of different fuzzer categories. As an example of a fuzzer within the fuzzers.jbrf file, consider the hexadecimal fuzzer:

<pre>
Fuzzer Name: Base16 (HEX)
Fuzzer Type: Recursive
Fuzzer Id: 031-B16-HEX

Total Number of Payloads: 16
</pre>

Within the fuzzers.jbrf file this fuzzer is defined in plain-text format as follows:

<pre>
R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
</pre>

There is very little preventing you from defining your own fuzzers within this file, by following the file format specified above. You can use the UI to see if they have been loaded successfully.

Further to recursive and replacive fuzzers you also have zero fuzzers (i.e. a zero fuzzer of 1000 will just transmit 1000 requests as they are, without adding any payloads) double fuzzers, cross product fuzzers, etc.

Notice the factory method Database.createFuzzer("031-B16-HEX", 4) yielding: "I want a 4 digit recursive fuzzer (why because NUM-HEX is recursive in its definition, starts with R: instead of P:) of HEX digits."

Thus the above scenario would iterate through all the digits from 0000 to ffff. I wouldn't recommend using the above scenario for such trivial fuzzing capabilities; simply presented as an example of the inner workings of JBroFuzz.jar

====HelloFuzzer Refined====
A more detailed code breakdown of the above HelloFuzzer example can be found below:

<pre>
/**
* JBroFuzz API Examples 01
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz a Fuzzer is a java Iterator.
*
* In order to create a Fuzzer, use the factory method
* Database.createFuzzer(String, int), passing as arguments
* the Fuzzer ID and the specified length as a positive int.
*
* Be careful to check that the fuzzer ID (labelled as f_ID)
* is actually an existing ID from the Database of Fuzzers.
*
* Expected Output:
* <code>
* The fuzzer payload is: 00000 
* The fuzzer payload is: 00001 
* ... 
* (a total of 16^5 = 1048576 lines) 
* ... 
* The fuzzer payload is: ffffd 
* The fuzzer payload is: ffffe 
* The fuzzer payload is: fffff 
* </code>
*
* For more information on the Database of Fuzzers, see the
* HelloDatabase Class.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloFuzzer {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "031-B16-HEX";
// You have to supply a (+)tive int
int f_len = 5;

try {

for(Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len); f.hasNext();) {

// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>

====Hello Database of Fuzzers====
Having seen how to access a single Fuzzer through the createFuzzer() method available in the Database object. The next question that comes naturally is what are the Fuzzers that are available by default in JBroFuzz?

To answer that, this example focuses more on the database component that we previously initialised, investigating the list of available methods that it offers.

In JBroFuzz, all Fuzzers are stored in a Database object that you will be required to construct in order to access them.

<pre>
/**
* JBroFuzz API Examples 02
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz all Fuzzers are stored in a Database
* object that you will be required to construct in order
* to access them.
*
* Within the Database, each Fuzzer is a collection of
* payloads, which carries a unique ID string value.
*
* Example ID values are the output of this program:
* <code>
* The fuzzer ID is: 013-LDP-INJ 
* The name of the fuzzer is: LDAP Injection 
* The id of the fuzzer is: 013-LDP-INJ 
* The of payloads it carries (it's alphabet) is: 20 
* It has as 1st payload: 
* | 
* The fuzzer ID is: 018-XSS-4IE 
* The name of the fuzzer is: XSS IE 
* The id of the fuzzer is: 018-XSS-4IE 
* The of payloads it carries (it's alphabet) is: 38 
* It has as 1st payload: 
* < img src=`x` onrerror= ` ;; alert(1) ` /> 
*
* </code>
*
* Do not be confused between Prototypes and Fuzzers;
* JBroFuzz uses Prototype objects to construct the Fuzzers
* that get added into the Database upon initialisation.
*
* As a result, the getter methods available within a Database
* object can carry the name of getAllPrototypeIDs and
* getAllFuzzerIDs interchangebly.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloDatabase {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();

// Get a list of all the fuzzer IDs from the database
String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();

System.out.println("The fuzzer IDs found are:");

for(String fuzzerID : fuzzer_IDs) {

System.out.println("The fuzzer ID is: " + fuzzerID);

// We pass of length of 1, irrelevant if we are
// just going to access the first payload
// of the fuzzer
Fuzzer fuzzer;
try {

fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
// Normally you should check for fuzzer.hasNext()
String payload = fuzzer.next();

System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName() );
System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId() );
System.out.println("\tThe of payloads it carries (it's alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
System.out.println("\tIt has as 1st payload:\n\t\t" + payload );

} catch (NoSuchFuzzerException e) {
System.out.println("Could not find the specified fuzzer!");
System.out.println("Going to print all the fuzzer IDs I know:");
// old vs new for loop :)
// in case of an error, print just the
// fuzzer IDs, accessed from the DB
for(int j = 0; j < fuzzer_IDs.length; j++) {
System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
}

}

}

}

}
</pre>

====Methods available within the Fuzzer Class====
A final example of this section, involves seeing the usage of all the method calls available in the Fuzzer.java class

<pre>
/**
* JBroFuzz API Examples 03
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* Example iterating through all the methods available
* in the Fuzzer Object and their respective outputs.
*
* @author subere@uncon.org
* @version n/a
*/
public class IndigoFuzzerTests {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "033-B08-OCT";
// You have to supply a (+)tive int
int f_len = 5;

try {

Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);

while(f.hasNext()) {

// Could do this via reflection, but..
f.next();
// System.out.println(" The fuzzer payload is: " + f.next());
System.out.println(" The maximum value is: " + f.getMaximumValue());

System.out.println(" The current value is: " + f.getCurrectValue());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>

===Advanced Fuzzing with the JBroFuzz Library===

This section covers more advanced APIs that are available under the org.owasp.jbrofuzz.core package. It should be noted that some of these classes and their corresponding functionality are not used by the JBroFuzz program application. Instead, they are made available for incorporation into other java code that you have perhaps written that requires more specialized type of fuzzing.

====Fuzzing Really Long Values with Big Integer====

As stated previously, within JBroFuzz a Fuzzer is a java Iterator. This implies that while fuzzing, we typically keep track of a counter representing the value that we are currently on. Consider the example of HelloFuzzer.java, above:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

If we compile this program:

<pre>
javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>

and run it:

<pre>
java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>

We are going to see output similar to:

<pre>
The fuzzer payload is: 0000
... (output omitted)
The fuzzer payload is: fffd
The fuzzer payload is: fffe
The fuzzer payload is: ffff
</pre>

Now what if we want a hexadecimal fuzzer of length not 4, but, say, 24. Let's try compile and run the above program with a length of 24. Changing the line to:

<pre>
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 24); f.hasNext();) {
</pre>

Running this modified version of HelloFuzzer.java, yields:

<pre>
>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer.java

>java -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer

>
</pre>

Nothing! What is actually happening is JBroFuzz is figuring out that the specified length of the Fuzzer we are about to create is far greater than that of the long java data type. As a result, the Fuzzer is not even entering the iteration mode that is typically expected with methods next() and hasNext().

That's all great, but we still want a hexadecimal fuzzer, 24 digits long going from:

<pre>
000000000000000000000000
...to...
ffffffffffffffffffffffff
</pre>

For this JBroFuzz offers another type of Fuzzer class, that of FuzzerBigInteger. Let's modify the critical line within the original HelloFuzzer.java program that we had:

<pre>
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
</pre>

With the entire program becoming:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

Compiling and running this program yields:

<pre>
The fuzzer payload is: 000000000000000000000000
The fuzzer payload is: 000000000000000000000001
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
The fuzzer payload is: ffffffffffffffffffffffff
</pre>

There are limitations to this class, as governed by the BigInteger class itself. Further information can be found at:

<pre>
http://java.sun.com/j2se/1.5.0/docs/api/java/math/BigInteger.html
</pre>

Still, on a virtual windows xp machine with 256Mb of RAM the above code had no problem running to completion. It took some time though.. Characteristics of the windows machine while this iteration was ongoing: The CPU was being utilised at 100% and memory usage was constant at 212 Mb. Overall, a clean sheet for FuzzerBigInteger.java.

====Using the Power Fuzzer API====

With web applications, it is often that you find yourself re-using part of, or the entirety of a fuzzing payload in more than one location, as part of the GET, POST, or any other type of request you submit.

For this reason, JBroFuzz offers the PowerFuzzer class: A type of iterator for which you can specify how many copies of the payload you require in each request.

Let's consider the following trivial scenario. You are in need of all hexadecimal values, which are 4-digits long (i.e. 0000 to FFFF) and you are in need of these 5 times for each request.

This scenario is trivial, because typically you can assign the fuzzing payload (i.e. the value you get back from Fuzzer.next() ) to a String variable and re-use it as many times as you see fit.

<pre>
Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
....
for(Fuzzer f = fuzzDB.createFuzzer(fuzzerID, length); f.hasNext();) {
String payload = f.next();
....
}
</pre>

Using the PowerFuzzer.class, the following HelloPowerFuzzer.java program can be created:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {
// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java OWASP JBroFuzz Power Fuzzer Example

</pre>

This program would output the following; no rocket science here:

<pre>
....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
</pre>

Now imagine you need to change the number of elements you obtain back every time. For every second request, you need to obtain back two identical payloads, for every third request, you need to obtain back three payloads and for every fourth request, you need to obtain back four payloads.

The PowerFuzzer class, with the corresponding method setPower(int) allows you to set how many identical elements you obtain back, without having to worry about the length argument. Below is a class that solves the above scenario:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {

int currentValue = (int) f.getCurrentValue();
currentValue %= 4;
switch (currentValue) {
case 0: f.setPower(1); break;
case 1: f.setPower(2); break;
case 2: f.setPower(3); break;
default: f.setPower(4); break;
}

// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java

</pre>

This class has as output:

<pre>
....
I have 1 elements: 22a8
I have 2 elements: 22a9 22a9
I have 3 elements: 22aa 22aa 22aa
I have 4 elements: 22ab 22ab 22ab 22ab
I have 1 elements: 22ac
I have 2 elements: 22ad 22ad
I have 3 elements: 22ae 22ae 22ae
I have 4 elements: 22af 22af 22af 22af
I have 1 elements: 22b0
I have 2 elements: 22b1 22b1
I have 3 elements: 22b2 22b2 22b2
I have 4 elements: 22b3 22b3 22b3 22b3
I have 1 elements: 22b4
I have 2 elements: 22b5 22b5
I have 3 elements: 22b6 22b6 22b6
I have 4 elements: 22b7 22b7 22b7 22b7
I have 1 elements: 22b8
I have 2 elements: 22b9 22b9
....
</pre>

Naturally, the algorithm of the number of elements required can vary based on any number of parameters. The PowerFuzzer class gives you a quick way to control the number of identical payloads you obtain back, without having to worry about creating a data type to store them in.

====Using the Double Fuzzer API====

In some cases of fuzzing web applications, a requirement to fuzz two (or more) locations part of the request being submitted to the web server becomes apparent.

The DoubleFuzzer class allows you to create a fuzzer based on two prototype definitions. Similarly to instantiating a Fuzzer through a prototype and a given length, with a DoubleFuzzer, we pass two prototype definitions and two lengths. The corresponding method call available within the Database class of org.owasp.jbrofuzz.core is:

<pre>
public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
String id2, int length2) throws NoSuchFuzzerException {
</pre>

Let's cross-breed some fuzzers, see what results we get back during an iteration.

The first example below, uses two hexadecimal fuzzers of different lengths, as specified by the variables:

<pre>
String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;
</pre>

As the double fuzzer iteration is taking place, the second fuzzer, defined by the fuzzID2 & length2 loops, starting from 00 and going all the way up to FF. An example output is:

<pre>
I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
</pre>

The complete code listing of HelloDoubleFuzzer.java is:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>

That's simple enough; now let's cross-breed something a bit more exotic: Imagine a 3-digit octal ID value [000 - 777] being submitted inline with, say, a parameter that we want to test for Cross-Site Scripting (XSS). Let's adjust the program above with the corresponding fuzzer IDs of these fuzzers. Remember all the IDs of all the fuzzers can be found in the fuzzers.jbrf file within JBroFuzz.jar:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "019-XSS-GEK";

int length1 = 3;
int length2 = 1;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>

The output from this program is:

<pre>
I have 2 elements: 000 (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I have 2 elements: 001 <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
I have 2 elements: 002 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 003 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 004 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 005 <A HREF="//google">XSS</A>
....
...
..
.
..
...
....
I have 2 elements: 774 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 775 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 776 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 777 <A HREF="//google">XSS</A>
</pre>

With the list stopping iterating at the last element of the greatest of the two fuzzers.

===Using the Cross Product Fuzzer API===

A final case of a special Double Fuzzer is the the Cross Product Fuzzer of the payloads of two fuzzers. This type of fuzzing is virtually encountered in username/password login form on the Internet. Let's work on this by example.

Consider your home network router. You recall changing the default password to one of the typical password values that you use. Also, you are not 100% certain about the username for the router either, it is one of the typical admin, user, administrator, root, yoda type values, but you cannot recall which one. Needless to say, you don't know what the username, or password actually is.

So in a mini brute-forcing attack scenario, you have the following list of usernames, out of which one is valid:

<pre>
admin
administrator
Administrator
root
adminUser
</pre>

Also you know that the password is one of the following (Top 10 Threadwatch 2007 passwords):

<pre>
password
123456
qwerty
abc123
letmein
monkey
myspace1
password1
blink182
</pre>

The set that contains every possible combination of the two sets is the Cross Product of the list of usernames, times the list of passwords. So manually, (as most people do while locking themselves out) you would try, popular combinations of the above, starting with:

<pre>
admin password
admin 123456
admin qwerty
....
admin blink182
administrator password
administrator 123456
administrator qwerty
....
adminUser password1
adminUser blink182
</pre>

Thus the total number of attempts would be (number of usernames) x (number of passwords). No rocket science here.

JBroFuzz introduces the CrossProductFuzzer class capable of iterating through the cross product of two fuzzers. Let's put it into code; the following program provides a list of all 2-digit octal numbers with every 2-digit binary number. A total of (8 x 8) x (2 x 2) = 256 values.

==Graphing with JBroFuzz==

Once a fuzzing session has completed, JBroFuzz offers the ability to generate a number of graphs, using various metrics. This section investigates how to further the graphing functionality available with the application.

===Customizing the logo on each Graph===

As of version 2.0, all image icons within JBroFuzz are located within the /icons directory of the application. The particular transparent image file displayed on top right part of the graphs is named:

<pre>
/icons/owasp-med.png
</pre>

This file is a 64 x 64 PNG image file. You can replace it with your own file, as follows:

<pre>
>ls -l JBroFuzz.jar
-rw-rw-rw- 1 user group 4033612 Feb 15 12:33 JBroFuzz.jar

>unzip -oq JBroFuzz.jar
>cd icons
>mv owasp-med.png file64x64-file.png
>cd ..
>zip -r JBroFuzz.zip *
>mv JBroFuzz.zip JBroFuzz.jar
</pre>

This enables you to have your own (company logo) on JBroFuzz graphs. Further to this, a number of other customization options are available, by right clicking on each of the graph generated.

OWASP JBroFuzz Tutorial

2010-02-18T14:28:11Z

Yiannis: /* Advanced Fuzzing with the JBroFuzz Library */

[[Category:OWASP JBroFuzz]]

== Introduction ==
''“If you can’t fuzz with JBroFuzz, you probably do not want to fuzz!”''

<div align="right">Old JBroFuzz Motto </div>

The art of teaching, Mark Van Doren said, is the art of assisting discovery. Fuzzing is a representative discipline towards assisting the discovery of security vulnerabilities, that is just beginning to come of age. Over the last two years, through continuous development, JBroFuzz has attempted to expose the intrinsic beauty of the subject: Constantly submit a vast amount of payloads to a service, device or prompt, waiting for the one response that makes all the difference. This is the mentality that JBroFuzz embraces and attempts to offer back to security professionals.

Fuzzing as a concept goes beyond a conventional work flow or a standard methodology. I would argue that to know how to fuzz well, is to master a new language. Thus, similar to the process of learning a programming (or foreign) language, there are three things you must master:

• Grammar: How fuzzing as a process is structured 
• Vocabulary: How to name fuzzing concepts you want to use 
• Usage: Ways of achieving everyday effective results with fuzzing 

[[Image:001-JBroFuzz-Tutorial.jpg|300px|right|JBroFuzz Splash Screen]]From the pre-existing information available for JBroFuzz, this tutorial focuses on usage: How to best put a fuzzing tool to good use, either via the UI, or using APIs that ''JBroFuzz.jar'' is constituted of. As a result, this document has a small requirement as a caveat; you need to have a beginner level understanding of the Java programming language in order to understand some sections.

There are a number of working examples described here within, which '''grep''' for statements such as “''<nowiki>public static void main(String[] args)</nowiki>''”. The majority of the content relates to reviewing these examples and putting the Java syntax into a fuzzing perspective.

To summarise, this tutorial focuses on customary and effective usage of fuzzing through the JBroFuzz Java APIs and the respective UI. It is targeting (without attacking them) web applications. Without further redo, let’s get fuzzing!

== JBroFuzz Basic Functionality ==
This section carries a number of basic fuzzing examples to get you started with JBroFuzz. Overall, even though the actions performed to not produce any amazing fuzzing results, it serves as a starting point in understanding how to perform particular fuzzing operations on web applications.

=== 'Hello Google!' (forget 'Hello World') ===
As the traditional first program that you learn when indulging in a new programming language, 'Hello World!' represents the norm for understanding the basic output operations and syntax (let alone compiler and execution behaviour) of the language in question.

As with most web application security related tools, when I am given the responsibility to run them, often in order to understand how they work, I would first craft a legitimate, single request to a trusted (to be up and behaving) popular Internet location. Needless, to say this request more than on occasion finds itself on Google servers.

So 'Hello World!' for programming languages seems to transform to 'Hello Google!' for understanding how web application security related tools work. Let us see, how JBroFuzz does it.

• Double-click on JBroFuzz and browse to the 'Fuzzing' tab

JBroFuzz is constituted of tabs, typically located in the bottom or top (if you bother to change the settings) of the main window.

The 'Fuzzing' tab is where you craft your request message to a particular host. Once that is in place, you can select any part of the request and proceed into adding any number of payloads. We shall see how in later sections.

• In the 'URL' field type: http://www.google.com/ http://www.google.com

Unlike conventional URLs, the URL field in JBroFuzz is only used for the underlying protocol (HTTP or HTTPS), host name (e.g. www.yahoo.com) and (optionally) port number.

All remaining information pasted or typed into the 'URL' field will be ignored; you are expected to enter it in the 'Request' field below.

<nowiki>Still, if you want to just copy-paste a URL from a browser, hit [Ctrl+L] while you are not fuzzing, paste the URL value that you have copied from a browser and JBroFuzz will automatically do the work for you. </nowiki>

Examples of valid URL values to be put in the

Treat the 'URL' and 'Request' fields as the two stages of a 'telnet' session on port 80; you are effectively using the 'URL' field to specify the equivalent of:

<tt>>telnet www.google.com 8088</tt>

As equivalent to:

<code>
http://www.google.com:8088 
</code>

or in the case of HTTPS:

<code>
https://www.google.com:8088 
</code>

Naturally, default ports for HTTP is 80 and HTTPS is 443.

• In the 'Request' field type:

<code>
GET / HTTP/1.0 
 
</code>

And press 'Enter' twice

This is where the body of the message you are sending is to be placed. So anything obeying HTTP/S protocol, such as GET and POST requests, header fields and/or HTML content should be included here.

As part of the process of fuzzing web applications with JBroFuzz you need to have done your homework, in terms of providing a base request message. This message is what will be used later on to add payloads to particular sections of the request.

<nowiki>• Hit 'Start' [Ctrl+Enter]</nowiki>

This will instigate the process of sending a single request to the specified host on a given (or default) port, over HTTP or HTTPS.

Once a connection has been established JBroFuzz will proceed to submit the message you have typed into the 'Request' field.

Finally, JBroFuzz will log all data sent and received into a file; accessing this file is typically a process of double clicking on the output line on the table at the bottom section of the 'Fuzzing' tab.

You should see a response received in the bottom part of the 'Fuzzing' panel. Double click (or right click for more options) to see the information exchanged; typically this would be a 302 redirect pointing you to another location. Congratulations, you have just said "Hello" to Google!

[[Image:002-JBroFuzz-Tutorial.png|500px|JBroFuzz Hello Google!]]

Now this would typically be enough under RFC rules, to get a response back; but damn all the bots out here, most websites require further information to respond back. So, in the 'Request' field let's pretend to be a (kind of) legitimate browser by typing:

<code>
GET / HTTP/1.0 
Host: www.google.com 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729) JBroFuzz/1.5 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-gb,en;q=0.5Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 
 
</code>

Not forgetting to end the request typed with two returns: Press 'Enter' twice. Again, you should be able to see a line added with the response received back.

Practice sending single requests to a website of your choice by changing the URL and also the 'Host:' field from the 'Request' above. Also try accessing an HTTPS website.

<nowiki>Alternatively, you can use the shortcut [Ctrl+L] to type in your URL, with the 'Request' field filled automatically, based on the URL you have typed. </nowiki>
 
=== HTTP Version Numbers & www.cia.gov Headerless Responses ===
For web applications, very often ill-defined requests submitted over the Internet, will trigger semi-legitimate responses that actually do not obey HTTP RFC protocol specification. Often, even though this is not the case in this example, these responses can lead to the identification of one or more security vulnerabilities.

In this example we test for the responses received for invalid HTTP version numbers on a particular website, namely www.cia.gov, over https. Now a word of caution here; please do not attempt to fuzz web applications that you do not have the authority to do so, especially over the Internet.

Still, for the purposes of this tutorial exercise, we will subject a web server to no more than a dozen or so requests. These requests would be otherwise identical, if it was not for the HTTP version number incrementing by a value of 1 on each request.

In terms of having the authority to do so, well this is identical to hitting 'Refresh' in your web browser a dozen or so times, while you are browsing to www.cia.gov. I do not consider this remotely close to any form of hacking, cracking, or proper fuzzing; web servers across the globe receive a lot more abuse than this on a daily basis.

Finally, by the time you are reading this, the particular issue described might have been fixed. So here goes:

• Within JBroFuzz, select:

<code>
File -> Open Location [Ctrl+L] 
</code>

Type: https://www.cia.gov and hit enter. This is depicted in the following screenshot:

[[Image:003-JBroFuzz-Tutorial.png|JBroFuzz Open Location]]

Hitting 'Enter' should automatically populate the 'URL' field and the 'Request' field within the 'Fuzzing' tab. What you see is the base request that we intend to add fuzzing payloads to. Before we do so, let us make one small alteration first:

• Modify the first line of the 'Request' field to:

<code>
GET / HTTP/0.0 
</code>

Our objective is to enumerate the supported by the web server (in this case www.cia.gov) HTTP version numbers, following the two digit format that it has. We could be a lot more agressive here and test for buffer overflows and all types of injection; that would be out of line without the authority to do so. Instead we are going to see how JBroFuzz will iterate through the values of 0.0 to 1.4 by means of adding a Fuzzer to our base request.

• Highlight the second zero from the line 'GET / HTTP/0.0' and right-click, selecting 'Add'. This is depicted in the screeshot below:

[[Image:004-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer to the HTTP version number]]

• From the appearing 'Add a Fuzzer' window, select as 'Category Name', in the most left column 'Base' and as 'Fuzzer Name' in the middle column 'Base 10 (Decimal) Alphabet.

• Click on 'Add Fuzzer' on the bottom right of the window

[[Image:005-JBroFuzz-Tutorial.png|400px|Adding a Fuzzer]]

This should add a Fuzzer of length 1 that iterates over the decimal (i.e. base 10) numbers 0 to 9. If we have added a hexadecimal Fuzzer instead of a decimal one (i.e. base 16) the iteration would from 0 to F. If we had selected two digits instead of one and proceeded to add a decimal Fuzzer, the iteration would be from:

<code>
00 
01 
.. 
98 
99 
</code>

From a User Interface (UI) perspective you should see a line added to the 'Added Payloads Table'.

• Click 'Start' [Ctrl+Enter]

This process will send 10 requests to the specified web server changing only first line of the request to:

<code>
GET / HTTP/0.0... 
GET / HTTP/0.1... 
... 
GET / HTTP/0.8... 
GET / HTTP/0.9... 
</code>

While this is ongoing, you can sort the results by 'No' in the 'Output' table in the bottom of the 'Fuzzing' tab. This should enable you to see what request is currently being transmitted and received in real time.

Once complete, change the first line of the 'Request' field to read:

<code>
GET / HTTP/1.0 
</code>

• Click 'Start' [Ctrl+Enter]

The resulting output should resemble the following screenshot:

[[Image:006-JBroFuzz-Tutorial.png|500px|JBroFuzz Output from a Fuzzing Session]]

Straight away we can notice a difference in the response size: For HTTP version numbers 0.0 to 0.9 we are getting back what seems fairly big in size responses; 32222 bytes in size worth of responses, given that HTTP protocol version 0.0 to 0.8 do not officially exist!

By double-clicking on one of these requests, we can see that the web server in question is responding back with no headers, yet returning a full HTML body; this represents the 32222 bytes of response of data we are receiving back. The following screenshot illustrates this:

[[Image:007-JBroFuzz-Tutorial.png|300px|JBroFuzz Output for a Single Request/Response]]

Using the 'Graphing' tab we can proceed to graph the particular requests and responses for this given session.

• Within the 'Graphing' tab, click 'Start' [Ctrl+Enter].

• Select the directory corresponding to the Output folder we have used for this fuzzing session. This will typically be the last one.

• Right-click and select 'Graph'

Once complete, browse to the 'Response Size' tab within the 'Graphing' tab, as illustrated in the screenshot below:

[[Image:008-JBroFuzz-Tutorial.png|300px|JBroFuzz Graphing different 'Response Sizes']]

To re-iterate this does not present a security vulnerability in any shape or form; merely the fact that by manipulating HTTP version numbers as part of the request we transmit, we can impact the response that we get back. In this case, what changes is the non-existent header fields, with some HTML content being received back.

If I was to guess what is causing this, I would say that some sort of load balancing or content delivery is not happening as it should when non-existent version numbers are being transmitted.

==Using JBroFuzz with Paros Proxy==

JBroFuzz is a standalone fuzzer; it can release and create sockets over HTTP and HTTPS, but in order to use JBroFuzz correctly you will have to know what it is that you are fuzzing.

In comes the need for a proxy tool; the opening versions of JBroFuzz actually had a proxy tab that you could use to intercept traffic generated by your web browser. That functionality got removed in an attempt to focus and deliver solely on the fuzzing capabilities of the tool.

This section details how to use JBroFuzz in combination with a client side proxy. The one selected is Paros Proxy, which, despite the fact that it hasn't been updated since 2006 is still a popular tool that you see in web security testing live CDs. You could use any of the other proxy tools available.

===Winning on a Remix of the Year Award===

At 17:53, on a frosty winter evening, a message window popped up:
<pre>
17:53 http://www.localhost.com/remixcontest/club/annual2010.html
17:53 Hey bro, could you cast in a vote here for the Such & Such Remix?
17:53 Appreciated!
</pre>
A friend in need is a friend indeed, so here goes I thought. Opening up a web browser configured to work with Paros as an intermediate proxy, allowed for the casting of my vote. while keeping a record of each request and reply.

No registration, or any other form of submitting an identifier was needed. The request that Paros stored for the casting of the actual vote was:

<pre>
GET http://www.localhost.com/remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.1
Host: www.localhost.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729) Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

Paros Proxy actually places the domain (in this case www.localhost.com) with the protocol (i.e. http) in front of the GET request. As a result, you can't open a telnet/netcat session and just copy-paste the above. Similarly when we bring the request into JBroFuzz, a bit of tweaking is required.

* In the URL field, type:

<pre>
http://www.localhost.com
</pre>

In the Request field, let's keep what is of interest:

<pre>
GET /remixcontest/club/vote.php?onLoad=%5Btype%20Method%5D&id=55 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

No needs for Keep-Alive and Proxy-Connection. Let's simplify the HTTP request by making it a version 1.0 request and getting rid of the Host header as well. Also on the user agent, let us keep that mainstream vanilla: Firefox on Windows (popular browser combination), getting rid of the .NET and Paros additives.

Checking on the website, our Such & Such remix already has about 100 votes or so and the top remix has approximately 310 votes. Let's fuzz this:

* Select 2 of the digits of the cookie value:

<pre>
PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e
</pre>

* Select: Panel -> Add

* In the "Add a Fuzzer" panel, select:

<pre>
Base -> Base16 (HEX)
</pre>

and select "Add Fuzzer".

This will add a line within the Payloads tab on the right hand side.

Our cookie value above (PHPSESSID=ab6afb883dbgf8084f6dcf1eafdb225e) is in lowercase, hexadecimal format. Let's make sure the encoding we select is also that.

Within the Payloads tab, click on the encoding drop down menu and select lowercase. Just before clicking "Start", JBroFuzz should look something like the screenshot below.

[[Image:014-JBroFuzz-Tutorial.png|Adding Votes by iterating through PHPSESSID cookie values]]

== Performing User Enumeration with a Valid Set of Credentials ==
Often you encounter an application that allows for the enumeration of one or more pages after a user has been successfully granted a set of session credentials. One of the key areas to test from an application specific perspective, relates to the page(s) that provide user account information.

In the following example, we investigate an ASP.NET 2.0 application with a C# back-end. In this, an authenticated user has the option to select to "View My Profile". This page provides them with account information (including the typical username, email address, further notes) that they can proceed to update and save to the back-end system.

After a user has authenticated, the following URL, gives them access to their profile information stored on the database:

<pre>
http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23
</pre>

Simple investigation confirms that the digits allowed as part of the UserID value are decimal numbers only. Lets feed that information into JBroFuzz.

===Fuzzing a User ID===

• Within JBroFuzz, select:

<code>
File -> Open Location [Ctrl+L] 
</code>

Type: http://www.myattackingdomain.com/portal-location/UserInfo.aspx?UserID=23 and hit enter. This is depicted in the following screenshot:

[[Image:009-JBroFuzz-Tutorial.png|300px|JBroFuzz 'GET' Request with a 'UserID' parameter]]

From the URL the important parameter is the value of the UserID query string (the value 23, above). We want to fuzz that.

• Within the Fuzzing Tab, in the "Request" text area, highlight the above number 23
• Right-click and select "Add"

In the "Add a Fuzzer" window that appears, select:

• Category Name: <code>Base</code>
• Fuzzer Name: <code>Base10 (DEC)</code>
• Select "Add Fuzzer" in the bottom right

This would have added a decimal (base 10 fuzzer) of length 2 onto the location.

• You will see a row added within the "Added Fuzzers Table" of the Fuzzing panel.
• Click "Start" <code>Ctrl+Enter</code>

This will transmit 100 requests to the domain in question, which in this case is assumed: www.myattackingdomain.com. The value being changed within each request will be:

<pre>
• GET /portal-location/UserInfo.aspx?UserID=00 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=01 HTTP/1.0
...
• GET /portal-location/UserInfo.aspx?UserID=98 HTTP/1.0
• GET /portal-location/UserInfo.aspx?UserID=99 HTTP/1.0
</pre>

Done. Let's proceed to graph the responses that we have obtained. Our objective is to understand which two-digit numbers from 00 to 99 correspond to valid user accounts.

===Graphing Results===
• Within the "Graphing" tab, click "Start" <code>Ctrl+Enter</code>

A list of directories will appear on the left-hand side. If you scroll to the bottom of the list you should see the directory corresponding to your fuzzing session, in our case it was (175 2009-06-24 16-18-24)

<pre>
• Right-click on (175 2009-06-24 16-18-24)
• Click "Graph"
</pre>

This will generate the graphs in their respective tabs. The question now becomes which graph is of interest for our user enumeration exercise.

By definition enumerating users against an ID value, or any other identifier involves being able to obtain a different response for an existing user to that of a user that is not have a corresponding ID value.

Thus, from the metrics available, the one useful for enumerating users will be that of measuring the "Hamming Distance" between responses received. Based on the JBroFuzz documentation:

Fuzzing Hamming Distance 
<pre>
A bar chart with the hamming distance of the characters in the response,
relative to the first response received. Check each character of the first
response received, against the character at the same position of the
current response received. If they are not identical, increment the
hamming distance.
</pre>

As we can see the Fuzzing Hamming Distance (FHD) varies quite a bit from the definition of the normal hamming distance term, used in telecommunications. Still, they share a lot of similarities.

As we can from the above, the first request is critical to calibrating our user enumeration exercise. It represents the value that all other Fuzzing Hamming Distances (FHD) will be measured and normalised towards. For the java-skilled audience, the algorithm is quite trivial, but offers spectacular results in distinguishing responses:

<pre>
in = new BufferedReader(new FileReader(f));
58
59 int counter = 0;
60 int check = 0;
61 int c;
62 while (((c = in.read()) > 0) && (counter < MAX_CHARS)) {
63
64 // If we are passed "--jbrofuzz-->\n" in the file
65 if (check == END_SIGNATURE.length()) {
66
67 firstSet.append((char) c);
68
69 }
70 // Else find "--jbrofuzz-->\n" using a counter
71 else {
72 // Increment the counter for each success
73 if (c == END_SIGNATURE.charAt(check)) {
74 check++;
75 } else {
76 check = 0;
77 }
78 }
79
80 counter++;
81
82 }
83 in.close();
</pre>

Ergo, the corresponding graph is depicted in the screenshot below. The peak graphs correspond to number that if you hover the mouse over will give you the enumeration ID of a valid user.

[[Image:015-JBroFuzz-Tutorial.png|500px|Measuring Hamming Distance for User Enumeration]]

== JBroFuzz Development Corner ==
This section presents how to setup and use JBroFuzz as a fuzzing library. Also, it offers an insight in how to setup and compile your own version of JBroFuzz. As different people have different levels of expertise of the java programming language, eclipse, ant and subversion, some of the steps presented herein might be considered basic by advanced developers.

===Setting up a JBroFuzz Development Environment===

This section guides you towards setting up a development environment for JBroFuzz. Despite the Operating System (O/S) being windows XP, a similar process can be followed in a number of other O/S.

You will need to have installed:

* Tortoise SVN (using TortoiseSVN-1.6.6.17493-win32-svn-1.6.6.msi)
* Eclipse Java (using eclipse-java-galileo-SR1-win32.zip)

Optionally, if you don't like building your application through eclipse you could also require to install Apache Ant.

====Step 1: Obtain the source code====

JBroFuzz uses SubVersion with the repository being publicly available for download through anonymous access on sourceforge. There is a plan to move it the source to the OWASP Git repository, but until then, use the guidelines below.

[[Image:010-JBroFuzz-Tutorial.png|Tortoise SVN Check out JBroFuzz Source Code]]

Right click on the folder location where you want to download the source code and select:

* SVN Checkout

In the "URL of repository", enter:

<pre>
https://jbrofuzz.svn.sourceforge.net/svnroot/jbrofuzz
</pre>

In the "Checkout directory", enter the folder location of your choice, in this case:

<pre>
C:\root\code\jbrofuzz
</pre>

In the "Checkout Depth" select:

* Fully recursive

Untick "Omit Externals" (should be unticked by default)

In the "Revision" select:

* "Head revision"

Select OK.

This process, once complete will checkout the entirety of the JBroFuzz source code from the SVN repository on sourceforge.

====Step 2: Configuring a JBroFuzz Project within Eclipse====

Having obtained the latest copy of the source code, the next step entails importing that source code within the Eclipse IDE.

Within Eclipse, select:

<pre>
File -> New -> Other
</pre>

From the "New" panel that appears, select:

<pre>
Java -> Java Project from Existig Ant Buildfile
</pre>

[[Image:011-JBroFuzz-Tutorial.png|Import JBroFuzz Code into Eclipse from Ant File]]

Select "Next".

In the next menu, under "Ant buildfile", select "Browse".

Browse to the location where you have just (step 1) downloaded the source code and select the following file:

* build.xml

The build.xml file is an Ant build file that JBroFuzz uses.

[[Image:012-JBroFuzz-Tutorial.png|Select the Ant File]]

Selecting that file should have populated the "Project name" as jbrofuzz and also given you:

<pre>
"javac" task found in target "compile"
</pre>

MAKE SURE TO TICK:

* "Link to the buildfile in the filesystem"

Otherwise eclipse will try to replicate the source code within your workspace and that makes the process a tiny bit more complicated when it comes to actually building JBroFuzz.

Click "Finish"

You will see the item "Building workspace (76%) on the bottom right hand side of Eclipse. Once that is complete, you should see the jbrofuzz project on the top left corner of the Package Explorer within Eclipse.

====Step 3: Building JBroFuzz====

Within the Package Explorer, expand the jbrofuzz project and double-click on the build.xml file.

Right click on the "build [default]" task within the "Outline" window (typically seen on the right hand side) and select:

<pre>
Run As -> 1. Ant Build [Alt+Shift+X, Q]
</pre>

If the build has been successful, a JBroFuzz.jar file within the the /jar folder would have been created. Following the path conventions above that should be in:

<pre>
C:\root\code\jbrofuzz\jar\JBroFuzz.jar
</pre>

[[Image:013-JBroFuzz-Tutorial.png|Building JBroFuzz within Eclipse]]

===How to Use JBroFuzz as a Fuzzing Library===

Quite often what you need to do in terms of fuzzing, far exceeds the User Interface (UI) of JBroFuzz. For this reason, a set of core fuzzing APIs have been made available that can be used for more advanced fuzzing scenarios.

The JBroFuzz.jar standalone archive (made available with every release) carries a core fuzzing library that holds a number of key classes. These are located under:

<pre>
org.owasp.jbrofuzz.core.*;
-Database.java
-Fuzzer.java
-FuzzerBigInteger.java
-NoSuchFuzzerException.java
-Prototype.java
</pre>

The class of importance is Fuzzer.java. If you are going to use recursive iterators of great length, there is also FuzzerBigInteger.java. The difference between the two is that Fuzzer.java uses the primitive java data type long (up to 16^16 values) while FuzzerBigInteger.java uses java BigInteger to perform the counting. Naturally, the class FuzzerBigInteger is slower and takes more memory than the Fuzzer class.

Within JBroFuzz a Fuzzer is an instance of a java Iterator. This implies that values can be accessed by simply calling the <code>next()</code> method once an object has been made available. Typically, a call to <code>hasNext()</code> should also be performed prior to avoid an exception being thrown.

A Fuzzer can be obtained from the factory method <code>createFuzzer(String, int);</code> available for every instance of the fuzzing Database. Ergo:

====A HelloFuzzer Example====

<pre>
Database myDatabase = new Database();

Fuzzer myFuzzer = myDatabase.createFuzzer("031-B16-HEX", 5);
</pre>

So how do I use the API? Here is a simple HelloFuzzer (file called HelloFuzzer.java) example:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

To compile the above use:

<pre>
javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>

This assumes that you are currently inside the directory where HelloFuzzer.java resides and that the JBroFuzz.jar is located two directories within your current location i.e. in jbrofuzz/jar. In order to run the above compiled HelloFuzzer class issue:

<pre>
java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>

Note: The above 2 commands have been crafted in a win32 environment. The process for compiling and running HelloFuzzer.java above is the same in *nix machines. Simply replace the backslash "\" with "/".

====Fuzzing Payload Definitions====
Within the JBroFuzz.jar file, there is a file called fuzzers.jbrf that carries all the fuzzer definitions that you see in the UI payloads tab of JBroFuzz. To view a latest copy of this file you can browse the SVN repository of JBroFuzz:

<pre>
http://jbrofuzz.svn.sourceforge.net/viewvc/jbrofuzz/tar/fuzzers.jbrf?view=log
</pre>

A note here worth mentioning: Files ending in .jbrofuzz are session files saved by users while performing fuzzing operations. Files ending in .jbrf are JBroFuzz system files. Typical examples of .jbrf files are headers.jbrf, as well as fuzzers.jbrf. Both these use an internal proprietary format not to be confused with the .jbrofuzz file format.

Fuzzers belong in categories (1 to many) and each fuzzer carries a set of payloads that define the alphabet of the fuzzer.

Also, you have replacive and recursive fuzzers, zero fuzzers, etc. There are a number of different fuzzer categories. As an example of a fuzzer within the fuzzers.jbrf file, consider the hexadecimal fuzzer:

<pre>
Fuzzer Name: Base16 (HEX)
Fuzzer Type: Recursive
Fuzzer Id: 031-B16-HEX

Total Number of Payloads: 16
</pre>

Within the fuzzers.jbrf file this fuzzer is defined in plain-text format as follows:

<pre>
R:031-B16-HEX:Base16 (HEX):16
> Number Systems | Base | Recursive Fuzzers
0
1
2
3
4
5
6
7
8
9
a
b
c
d
e
f
</pre>

There is very little preventing you from defining your own fuzzers within this file, by following the file format specified above. You can use the UI to see if they have been loaded successfully.

Further to recursive and replacive fuzzers you also have zero fuzzers (i.e. a zero fuzzer of 1000 will just transmit 1000 requests as they are, without adding any payloads) double fuzzers, cross product fuzzers, etc.

Notice the factory method Database.createFuzzer("031-B16-HEX", 4) yielding: "I want a 4 digit recursive fuzzer (why because NUM-HEX is recursive in its definition, starts with R: instead of P:) of HEX digits."

Thus the above scenario would iterate through all the digits from 0000 to ffff. I wouldn't recommend using the above scenario for such trivial fuzzing capabilities; simply presented as an example of the inner workings of JBroFuzz.jar

====HelloFuzzer Refined====
A more detailed code breakdown of the above HelloFuzzer example can be found below:

<pre>
/**
* JBroFuzz API Examples 01
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz a Fuzzer is a java Iterator.
*
* In order to create a Fuzzer, use the factory method
* Database.createFuzzer(String, int), passing as arguments
* the Fuzzer ID and the specified length as a positive int.
*
* Be careful to check that the fuzzer ID (labelled as f_ID)
* is actually an existing ID from the Database of Fuzzers.
*
* Expected Output:
* <code>
* The fuzzer payload is: 00000 
* The fuzzer payload is: 00001 
* ... 
* (a total of 16^5 = 1048576 lines) 
* ... 
* The fuzzer payload is: ffffd 
* The fuzzer payload is: ffffe 
* The fuzzer payload is: fffff 
* </code>
*
* For more information on the Database of Fuzzers, see the
* HelloDatabase Class.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloFuzzer {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "031-B16-HEX";
// You have to supply a (+)tive int
int f_len = 5;

try {

for(Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len); f.hasNext();) {

// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>

====Hello Database of Fuzzers====
Having seen how to access a single Fuzzer through the createFuzzer() method available in the Database object. The next question that comes naturally is what are the Fuzzers that are available by default in JBroFuzz?

To answer that, this example focuses more on the database component that we previously initialised, investigating the list of available methods that it offers.

In JBroFuzz, all Fuzzers are stored in a Database object that you will be required to construct in order to access them.

<pre>
/**
* JBroFuzz API Examples 02
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* In JBroFuzz all Fuzzers are stored in a Database
* object that you will be required to construct in order
* to access them.
*
* Within the Database, each Fuzzer is a collection of
* payloads, which carries a unique ID string value.
*
* Example ID values are the output of this program:
* <code>
* The fuzzer ID is: 013-LDP-INJ 
* The name of the fuzzer is: LDAP Injection 
* The id of the fuzzer is: 013-LDP-INJ 
* The of payloads it carries (it's alphabet) is: 20 
* It has as 1st payload: 
* | 
* The fuzzer ID is: 018-XSS-4IE 
* The name of the fuzzer is: XSS IE 
* The id of the fuzzer is: 018-XSS-4IE 
* The of payloads it carries (it's alphabet) is: 38 
* It has as 1st payload: 
* < img src=`x` onrerror= ` ;; alert(1) ` /> 
*
* </code>
*
* Do not be confused between Prototypes and Fuzzers;
* JBroFuzz uses Prototype objects to construct the Fuzzers
* that get added into the Database upon initialisation.
*
* As a result, the getter methods available within a Database
* object can carry the name of getAllPrototypeIDs and
* getAllFuzzerIDs interchangebly.
*
* @author subere@uncon.org
* @version n/a
*/
public class HelloDatabase {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();

// Get a list of all the fuzzer IDs from the database
String[] fuzzer_IDs = fuzzDB.getAllPrototypeIDs();

System.out.println("The fuzzer IDs found are:");

for(String fuzzerID : fuzzer_IDs) {

System.out.println("The fuzzer ID is: " + fuzzerID);

// We pass of length of 1, irrelevant if we are
// just going to access the first payload
// of the fuzzer
Fuzzer fuzzer;
try {

fuzzer = fuzzDB.createFuzzer(fuzzerID, 1);
// Normally you should check for fuzzer.hasNext()
String payload = fuzzer.next();

System.out.println("\tThe name of the fuzzer is:\t\t\t" + fuzzer.getName() );
System.out.println("\tThe id of the fuzzer is:\t\t\t" + fuzzer.getId() );
System.out.println("\tThe of payloads it carries (it's alphabet) is:\t" + fuzzDB.getSize(fuzzerID));
System.out.println("\tIt has as 1st payload:\n\t\t" + payload );

} catch (NoSuchFuzzerException e) {
System.out.println("Could not find the specified fuzzer!");
System.out.println("Going to print all the fuzzer IDs I know:");
// old vs new for loop :)
// in case of an error, print just the
// fuzzer IDs, accessed from the DB
for(int j = 0; j < fuzzer_IDs.length; j++) {
System.out.println("The fuzzer ID is: " + fuzzer_IDs[j]);
}

}

}

}

}
</pre>

====Methods available within the Fuzzer Class====
A final example of this section, involves seeing the usage of all the method calls available in the Fuzzer.java class

<pre>
/**
* JBroFuzz API Examples 03
*
* JBroFuzz - A stateless network protocol fuzzer for web applications.
*
* Copyright (C) 2007, 2008, 2009 subere@uncon.org
*
* This file is part of the JBroFuzz API examples on how to use the
* fuzzer libraries included in JBroFuzz.jar.
*
* JBroFuzz is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* JBroFuzz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with JBroFuzz. If not, see <http://www.gnu.org/licenses/>.
* Alternatively, write to the Free Software Foundation, Inc., 51
* Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Verbatim copying and distribution of this entire program file is
* permitted in any medium without royalty provided this notice
* is preserved.
*
*/

import org.owasp.jbrofuzz.core.NoSuchFuzzerException;
import org.owasp.jbrofuzz.core.Database;
import org.owasp.jbrofuzz.core.Fuzzer;

/**
* Example iterating through all the methods available
* in the Fuzzer Object and their respective outputs.
*
* @author subere@uncon.org
* @version n/a
*/
public class IndigoFuzzerTests {

/**
* @param args
*/
public static void main(String[] args) {

// You have to construct an instance of the fuzzers database
Database fuzzDB = new Database();
// You have to supply a valid fuzzer ID
String f_ID = "033-B08-OCT";
// You have to supply a (+)tive int
int f_len = 5;

try {

Fuzzer f = fuzzDB.createFuzzer(f_ID, f_len);

while(f.hasNext()) {

// Could do this via reflection, but..
f.next();
// System.out.println(" The fuzzer payload is: " + f.next());
System.out.println(" The maximum value is: " + f.getMaximumValue());

System.out.println(" The current value is: " + f.getCurrectValue());

}

} catch (NoSuchFuzzerException e) {

System.out.println("Could not find fuzzer " + e.getMessage());

}

}

}
</pre>

===Advanced Fuzzing with the JBroFuzz Library===

This section covers more advanced APIs that are available under the org.owasp.jbrofuzz.core package. It should be noted that some of these classes and their corresponding functionality are not used by the JBroFuzz program application. Instead, they are made available for incorporation into other java code that you have perhaps written that requires more specialized type of fuzzing.

====Fuzzing Really Long Values with Big Integer====

As stated previously, within JBroFuzz a Fuzzer is a java Iterator. This implies that while fuzzing, we typically keep track of a counter representing the value that we are currently on. Consider the example of HelloFuzzer.java, above:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 4); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

If we compile this program:

<pre>
javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar" HelloFuzzer.java
</pre>

and run it:

<pre>
java -cp ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer
</pre>

We are going to see output similar to:

<pre>
The fuzzer payload is: 0000
... (output omitted)
The fuzzer payload is: fffd
The fuzzer payload is: fffe
The fuzzer payload is: ffff
</pre>

Now what if we want a hexadecimal fuzzer of length not 4, but, say, 24. Let's try compile and run the above program with a length of 24. Changing the line to:

<pre>
for(Fuzzer f = fuzzDB.createFuzzer("031-B16-HEX", 24); f.hasNext();) {
</pre>

Running this modified version of HelloFuzzer.java, yields:

<pre>
>javac -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer.java

>java -classpath ".\jbrofuzz\jar\JBroFuzz.jar;." HelloFuzzer

>
</pre>

Nothing! What is actually happening is JBroFuzz is figuring out that the specified length of the Fuzzer we are about to create is far greater than that of the long java data type. As a result, the Fuzzer is not even entering the iteration mode that is typically expected with methods next() and hasNext().

That's all great, but we still want a hexadecimal fuzzer, 24 digits long going from:

<pre>
000000000000000000000000
...to...
ffffffffffffffffffffffff
</pre>

For this JBroFuzz offers another type of Fuzzer class, that of FuzzerBigInteger. Let's modify the critical line within the original HelloFuzzer.java program that we had:

<pre>
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
</pre>

With the entire program becoming:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

try {
for(FuzzerBigInteger f = fuzzDB.createFuzzerBigInteger("031-B16-HEX", 24); f.hasNext();) {
// Get the next payload value...
System.out.println(" The fuzzer payload is: " + f.next());
}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloFuzzer.java OWASP JBroFuzz Example 1
</pre>

Compiling and running this program yields:

<pre>
The fuzzer payload is: 000000000000000000000000
The fuzzer payload is: 000000000000000000000001
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
... (output omitted)
The fuzzer payload is: 00000000000000000001a982
The fuzzer payload is: ffffffffffffffffffffffff
</pre>

There are limitations to this class, as governed by the BigInteger class itself. Further information can be found at:

<pre>
http://java.sun.com/j2se/1.5.0/docs/api/java/math/BigInteger.html
</pre>

Still, on a virtual windows xp machine with 256Mb of RAM the above code had no problem running to completion. It took some time though.. Characteristics of the windows machine while this iteration was ongoing: The CPU was being utilised at 100% and memory usage was constant at 212 Mb. Overall, a clean sheet for FuzzerBigInteger.java.

====Using the Power Fuzzer API====

With web applications, it is often that you find yourself re-using part of, or the entirety of a fuzzing payload in more than one location, as part of the GET, POST, or any other type of request you submit.

For this reason, JBroFuzz offers the PowerFuzzer class: A type of iterator for which you can specify how many copies of the payload you require in each request.

Let's consider the following trivial scenario. You are in need of all hexadecimal values, which are 4-digits long (i.e. 0000 to FFFF) and you are in need of these 5 times for each request.

This scenario is trivial, because typically you can assign the fuzzing payload (i.e. the value you get back from Fuzzer.next() ) to a String variable and re-use it as many times as you see fit.

<pre>
Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
....
for(Fuzzer f = fuzzDB.createFuzzer(fuzzerID, length); f.hasNext();) {
String payload = f.next();
....
}
</pre>

Using the PowerFuzzer.class, the following HelloPowerFuzzer.java program can be created:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {
// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java OWASP JBroFuzz Power Fuzzer Example

</pre>

This program would output the following; no rocket science here:

<pre>
....
I have 5 elements: 4817 4817 4817 4817 4817
I have 5 elements: 4818 4818 4818 4818 4818
I have 5 elements: 4819 4819 4819 4819 4819
I have 5 elements: 481a 481a 481a 481a 481a
I have 5 elements: 481b 481b 481b 481b 481b
I have 5 elements: 481c 481c 481c 481c 481c
I have 5 elements: 481d 481d 481d 481d 481d
I have 5 elements: 481e 481e 481e 481e 481e
I have 5 elements: 481f 481f 481f 481f 481f
I have 5 elements: 4820 4820 4820 4820 4820
I have 5 elements: 4821 4821 4821 4821 4821
I have 5 elements: 4822 4822 4822 4822 4822
I have 5 elements: 4823 4823 4823 4823 4823
I have 5 elements: 4824 4824 4824 4824 4824
I have 5 elements: 4825 4825 4825 4825 4825
I have 5 elements: 4826 4826 4826 4826 4826
....
</pre>

Now imagine you need to change the number of elements you obtain back every time. For every second request, you need to obtain back two identical payloads, for every third request, you need to obtain back three payloads and for every fourth request, you need to obtain back four payloads.

The PowerFuzzer class, with the corresponding method setPower(int) allows you to set how many identical elements you obtain back, without having to worry about the length argument. Below is a class that solves the above scenario:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloPowerFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzerID = "031-B16-HEX";
int length = 4;
int power = 5;

try {
for(PowerFuzzer f = fuzzDB.createPowerFuzzer(fuzzerID, length, power); f.hasNext();) {

int currentValue = (int) f.getCurrentValue();
currentValue %= 4;
switch (currentValue) {
case 0: f.setPower(1); break;
case 1: f.setPower(2); break;
case 2: f.setPower(3); break;
default: f.setPower(4); break;
}

// Get the next payload in an array of length[power]
String [] identicalElements = f.nextPower();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : identicalElements) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloPowerFuzzer.java

</pre>

This class has as output:

<pre>
....
I have 1 elements: 22a8
I have 2 elements: 22a9 22a9
I have 3 elements: 22aa 22aa 22aa
I have 4 elements: 22ab 22ab 22ab 22ab
I have 1 elements: 22ac
I have 2 elements: 22ad 22ad
I have 3 elements: 22ae 22ae 22ae
I have 4 elements: 22af 22af 22af 22af
I have 1 elements: 22b0
I have 2 elements: 22b1 22b1
I have 3 elements: 22b2 22b2 22b2
I have 4 elements: 22b3 22b3 22b3 22b3
I have 1 elements: 22b4
I have 2 elements: 22b5 22b5
I have 3 elements: 22b6 22b6 22b6
I have 4 elements: 22b7 22b7 22b7 22b7
I have 1 elements: 22b8
I have 2 elements: 22b9 22b9
....
</pre>

Naturally, the algorithm of the number of elements required can vary based on any number of parameters. The PowerFuzzer class gives you a quick way to control the number of identical payloads you obtain back, without having to worry about creating a data type to store them in.

====Using the Double Fuzzer API====

In some cases of fuzzing web applications, a requirement to fuzz two (or more) locations part of the request being submitted to the web server becomes apparent.

The DoubleFuzzer class allows you to create a fuzzer based on two prototype definitions. Similarly to instantiating a Fuzzer through a prototype and a given length, with a DoubleFuzzer, we pass two prototype definitions and two lengths. The corresponding method call available within the Database class of org.owasp.jbrofuzz.core is:

<pre>
public DoubleFuzzer createDoubleFuzzer(String id1, int length1,
String id2, int length2) throws NoSuchFuzzerException {
</pre>

Let's cross-breed some fuzzers, see what results we get back during an iteration.

The first example below, uses two hexadecimal fuzzers of different lengths, as specified by the variables:

<pre>
String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;
</pre>

As the double fuzzer iteration is taking place, the second fuzzer, defined by the fuzzID2 & length2 loops, starting from 00 and going all the way up to FF. An example output is:

<pre>
I have 2 elements: fefb fb
I have 2 elements: fefc fc
I have 2 elements: fefd fd
I have 2 elements: fefe fe
I have 2 elements: feff ff
I have 2 elements: ff00 00
I have 2 elements: ff01 01
I have 2 elements: ff02 02
I have 2 elements: ff03 03
</pre>

The complete code listing of HelloDoubleFuzzer.java is:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "031-B16-HEX";
String fuzzID2 = "031-B16-HEX";

int length1 = 4;
int length2 = 2;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>

That's simple enough; now let's cross-breed something a bit more exotic: Imagine a 3-digit octal ID value [000 - 777] being submitted inline with, say, a parameter that we want to test for Cross-Site Scripting (XSS). Let's adjust the program above with the corresponding fuzzer IDs of these fuzzers. Remember all the IDs of all the fuzzers can be found in the fuzzers.jbrf file within JBroFuzz.jar:

<pre>
import org.owasp.jbrofuzz.core.*;

public class HelloDoubleFuzzer {

public static void main(String[] args) {

Database fuzzDB = new Database();

String fuzzID1 = "033-B08-OCT";
String fuzzID2 = "019-XSS-GEK";

int length1 = 3;
int length2 = 1;

try {
DoubleFuzzer f = fuzzDB.createDoubleFuzzer(fuzzID1, length1, fuzzID2, length2);

while( f.hasNext() ) {
// Get the next payload in an array of length[power]
String [] payloads = f.next();

// f.getPower() == identicalElements.length, always
System.out.print(" I have " + f.getPower() + " elements: ");
// System.out.println(currentValue);

for(String elem : payloads) {

System.out.print(elem + " ");
}
System.out.println("");

}
} catch (NoSuchFuzzerException e) {
System.out.println("Could not find fuzzer " + e.getMessage());
}

}

} // HelloDoubleFuzzer.java
</pre>

The output from this program is:

<pre>
I have 2 elements: 000 (1?(1?{a:1?""[1?"ev\a\l":0](1?"\a\lert":0):0}:0).a:0)[1?"\c\a\l\l":0](content,1?"x\s\s":0)
I have 2 elements: 001 <STYLE TYPE="text/javascript">alert('XSS');</STYLE>
I have 2 elements: 002 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 003 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 004 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 005 <A HREF="//google">XSS</A>
....
...
..
.
..
...
....
I have 2 elements: 774 <SCRIPT SRC=http://ha.ckers.org/xss.js
I have 2 elements: 775 <A HREF="http://google:ha.ckers.org">XSS</A>
I have 2 elements: 776 <A HREF="http://ha.ckers.org@google">XSS</A>
I have 2 elements: 777 <A HREF="//google">XSS</A>
</pre>

With the list stopping iterating at the last element of the greatest of the two fuzzers.

==Graphing with JBroFuzz==

Once a fuzzing session has completed, JBroFuzz offers the ability to generate a number of graphs, using various metrics. This section investigates how to further the graphing functionality available with the application.

===Customizing the logo on each Graph===

As of version 2.0, all image icons within JBroFuzz are located within the /icons directory of the application. The particular transparent image file displayed on top right part of the graphs is named:

<pre>
/icons/owasp-med.png
</pre>

This file is a 64 x 64 PNG image file. You can replace it with your own file, as follows:

<pre>
>ls -l JBroFuzz.jar
-rw-rw-rw- 1 user group 4033612 Feb 15 12:33 JBroFuzz.jar

>unzip -oq JBroFuzz.jar
>cd icons
>mv owasp-med.png file64x64-file.png
>cd ..
>zip -r JBroFuzz.zip *
>mv JBroFuzz.zip JBroFuzz.jar
</pre>

This enables you to have your own (company logo) on JBroFuzz graphs. Further to this, a number of other customization options are available, by right clicking on each of the graph generated.