This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

One Click Ownage

Jump to: navigation, search

The presentation

Owasp logo normal.jpg
A simple plug-in based open source framework for Automation of detection and exploitation vulnerabilities such as SQL Injection, Arbitrary File Upload and Remote Code Execution. Talks demonstrates how to gain a remote shell in an SQL Injection just by one request. Also it shows that it's possible to get a reverse shell out of SQL Injection by mounting a CSRF attack which wasn't possible before this. WebRaider is written in .NET, open-source and allows users to write new attack plug-ins. It's a similar design to CORE Impact just for web applications and vulnerabilites which causes remote code execution. It's planned to be an OWASP Project, and will be publicly released in the conference among with "One Click Ownage" whitepaper which explains one request remote code execution in SQL Server. This will be an updated and more detailed version of the talk that I've presented in ITUnderground 2009. However the whitepaper, WebRaider tool and details of the talk hasn't been published yet.

The speaker

Ferruh Mavituna worked as Security Consultant for Turkish Army and Police Forces. Released several research papers such as "SQL Injection Wildcard Attacks" and "XSS Tunnelling" also contributed to OWASP Testing Guide v3. Released several open source projects in web applications area such as "BSQL Hacker" and "XSS Shell". Was OWASP Turkey Chapter Leader for 3 years. He's currently working as Project Leader of "Netsparker, Web Application Security Scanner" for Mavituna Security Ltd.