OWASP Basic Expression & Lexicon Variation Algorithms (BELVA) Project

To participate, please contact Kenneth F. Belva (the Project Leader) for more information. More FAQs to come over time....

How can I participate in your project?

All you have to do is make the Project Leader's aware of your available time to contribute to the project. It is also important to let the Leader's know how you would like to contribute and pitch in to help the project meet it's goals and milestones. There are many different ways you can contribute to an OWASP Project, but communication with the leads is key.

If I am not a programmer can I participate in your project?

Yes, you can certainly participate in the project if you are not a programmer or technical. The project needs different skills and expertise and different times during its development. Currently, we are looking for researchers, writers, graphic designers, and a project administrator.

Why am I not getting any data when I run the application?

Be sure an option is always chosen for each of the substitution, mutation and selection policies. This includes selecting the "(0)" policy if no selection is to be made.

Where do I put my data files for import?

All files to import should be put in a single directory. The files may be in sub-directories under the main directory/folder.

Either select a user defined directory with the by clicking on the Directory button under the Import Sources Directory or put all files to be used in a specific run in the importExternalSources directory under the application root.

The application will import all words from each file. If you don't want a specific file imported for a particular run, remove it from the directory before hitting the Run button.

Do you have example input files?

Yes. They are distributed in folder importExternalSources but should be deleted before running.

The current distribution has sample burp xml, ZAP raw, text file wordlists and text file usernames.

I'm getting OWASP & test words in my output. What's wrong?

Be sure to delete the default files in the directory importExternalSources before putting your files in there.

You may also select a different directory.

Do I need to keep the default directories?

No. The default input directories and output file may be changed through the UI.

How can I make a unique set of words without applying any substitutions or policies?

Be sure to select "(0)" in each of the boxes with nothing else.

In what order are the selections applied?

Currently from top down: First, words are substituted. Second, they are mutated. Third, they are checked to see if these transformations match the selection policy.

Reordering the application of the transformations is not available.

Can I import words with special characters?

Yes. Words with special characters is supported.

Does the application do any transformation to the word before processing?

Yes. Words are cased to be all lowercase in order to make sure that they are unique.

Why does my output.txt file keep growing?

To create consolidated dictionaries from different runs the output.txt file is not cleaned or created before each run. See answer below to fix. Future version may provide a checkbox for the option of creating a new file.

The idea is that many instances of the application can point to the same output file so that each may use different criteria and inputs but all the output be sent to one file.

How do I "clean" the output.txt file from last use?

Either delete it or cd into the outputFile directory and type:

   echo "" > output.txt

Which file types are recognized

On importing data (importExternalSources):

   txt, xml and raw [ZAP default] 

On filtering out common words (filterDictionaries)

   txt only

How to Filter A Wordlist to Match Organizational Criteria

1. Make sure there is a Selection Plugin with proper criteria
2. If not, write one, put it in the plugin/policies/select directory and restart the app
3. Put the wordlist -- such as Rockyou -- in the folder importExternalSource directory
4. Select the two polices: "(0) No Substitution" & "(0) No Mutate Policies"
5. Select the Selection Policy with your criteria
6. Hit Run button
7. Grab a cup of coffee.....

Can I run more than one instance at a time?

Yes. Type:

   ./pyOwaspBELVA.py &

Be aware that without changing the output file per instance the resulting datasets are will be intermingled.

How to import burp xml files for organization specific content

To be written soon and/or video posted.

How to import ZAP raw files for organization specific content

To be written soon and/or video posted.

How to create user id combinations

To be written soon and/or video posted.

How to write a plugin

To be written soon and/or video posted.

To Do

1. Word selection / automated weighing of which words to use
2. Interface improvements: better responsiveness
3. Non-GUI version that directs output to stdout
4. Expand functionality and add more plug-ins
• Additional permutation dictionaries
• Additional applied and removal policies
• Additional username creation policies
5. Other types of permutations in addition to just usernames and passwords (i.e., email addresses, sub-domain names)

Getting Involved

Fork the code on git and contribute! :)