This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP SiteGenerator"

From OWASP

Latest revision as of 18:50, 30 January 2014



[OWASP Inactive Project banner]


Main

Current Version: 0.80 (Public Beta)

Sponsor: Foundstone & SPI Dynamics & OWASP Spring of Code 2007

OWASP Site Generator's SpoC 007 Progress Page

Description

OWASP SiteGenerator allows the creation of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) covering .Net languages and web development architectures (for example, navigation: Html, Javascript, Flash, Java, etc...).


Uses

  • Evaluation of Web Application Security Scanners
  • Evaluation of Web Application Firewalls
  • Developer Training
  • Web Honeypots
  • Web Application hacking contests (or evaluations)
  • Whatever your mind can come up with!

Downloads

  • Installer: SiteGenerator Installer (Version 0.80) - Updated 03/05/2007 - http://downloads.sourceforge.net/owasp/OSG_v0.80.msi?use_mirror=easynews
  • Source Code: Current_SiteGenerator_Source.zip (Version 0.80) - http://owasp.cvs.sourceforge.net/*checkout*/owasp/dotnet/SiteGenerator/SiteGenerator.zip

Accessing SVN for SiteGenerator

  • One way is to browse the SVN online by going to the SiteGenerator Source Tree (http://owasp-code-central.googlecode.com/svn/trunk/labs/SiteGenerator/)
  • Another way is to configure your SVN client to download the source locally.

Installation and configuration notes

  • Before you install the website portion, confirm the following:
    • There is an application pool configured to run under the System account
    • There is a website pointed at the location where you want the SiteGenerator web portion to be installed
    • The website is configured to run Asp.Net 2.0
    • There is an application for that website, and it is set to the application pool created in the first step
    • Add an IIS wildcard Application Mapping (accessible via Home Directory -> Configuration) to C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll and untick 'Verify that file exists'
      • Note: On Windows XP the OK button might appear disabled. You will need to browse to the file, select the location, and put a dot in front of the asterisk (i.e. .*) for the OK button to be enabled
    • Make sure Default.htm is one of the files included in the default document list (in the 'Documents' tab)
    • Configure the website's IP address to be 127.0.0.1, and click on the Advanced button to add a new host header mapping
  • Run the installer
  • Point the website's document root to install dir\sitegenerator_contentpages and make sure the IIS user has the correct permissions
  • Click on the SiteGenerator link that was placed on your desktop


If all goes well you can now browse to your localhost and see the default SiteGenerator website. If you see a blank page, try http://<SITE NAME>/Default.htm (you might be getting a cached version of http://<SITE NAME>).

Note that the SQL Injection vulnerabilities expect that you have the latest version of HacmeBank (v2.0) installed in your box.

Introduction to SiteGenerator

  • This tool has been sponsored by Foundstone, BUT (and it is a big but) it is being released under the Owasp .Net Project and an Open Source Licence. So Kudos for Foundstone for doing this and I hope they get good exposure from it
  • The main objective of the tool is to create dynamic websites based on XML files which will 'map' to a database containing hundreds of different vulnerabilities (some simple to detect/exploit, some harder) covering multiple languages and web development architectures (for example navigation: Html, JavaScript, Flash, Java, etc...)

  • There are many ways this tool can be used, here are just a couple starting ideas:
    • As a training tool since it allows the creation of multiple websites with multiple variations of vulnerabilities
    • As a Web Application Honeypot (since we are able to create dynamic ( i.e. false) websites and track / monitor in real-time all requests made)
    • As a test ground for newly discovered vulnerability types and their exploit vectors
    • As a benchmark for Web Security Scanners
  • The Web Security Scanner benchmarking and testing is the most obvious short-term application for this tool, but I think that as it evolves the others will be proven to be as (if not more) valuable
  • On the Web Security Scanner issue:
    • My main hope is that the Web Security Scanner Companies will see this tool as an opportunity and work with the Owasp .Net project (and other groups that want to be involved) in a productive and constructive way
    • Although in the short term some Web Security Scanners might have some bad results (well, at least when compared with what their Marketing machine publishes :) in the medium term, as they adapt and improve their scanning techniques, everybody will benefit
    • One of the core objectives of the tool (when thinking about benchmarking Web Security Scanners) is to be able to create real and measurable metrics. For example:
      • Scanner X was able to detect 65% of the vulnerabilities where Scanner Y was able to detect 90%
      • Scanner X made 10000 requests to detect those 65% (over a period of 16h) where Scanner Y made 4000 requests (over a period of 10h)
        • 20% of Scanner X results were false positives, where Scanner Y had 50% false positives
        • Scanner X was able to deal with Html and JavaScript navigation, Scanner Y was able to deal with Html, JavaScript and Flash, and both were NOT able to deal with Java based navigation systems
        • Scanner X is not able to go more than 40 levels deep, Scanner Y is able to go up at least 100 levels deep (if not more)
        • etc, etc, etc
    • There will be two main types of tests that can be done in the short term:
      • Provide the links to all the different types of vulnerabilities existing in the database, and see how many the scanner can correctly identify; and
      • When multiple types of website architectures and navigation techniques are used, how many vulnerabilities is the scanner able to detect?
    • In order to test (and further improve the tool) I want to take this opportunity to ask the Web Application Security Scanners that subscribe to this list (which I believe all do) to give the Owasp .Net project a temporary licence to their product so that we can use it during development and during some basic benchmarking that we might do (and NO, I will not sign an NDA that doesn't allow me to publish the data collected, in fact I will not sign ANY NDA with ANY web application security scanner company)
    • Note that at the moment I (Dinis) have no plans to do a full benchmarking exercise since I don't have the time required, but I know of at least one group of experienced security consultants which is starting such a project (and I will be supporting them). If anybody else is interested in doing a similar benchmarking project please contact me directly
  • Regarding how the tool works, here is a brief technical description:

There are two main components: a webserver (which can be IIS or a custom webserver) and a GUI application (written in C# 2.0). The GUI application is responsible for handling all mappings (from the virtual requests to the actual pages on disk). The two main components talk over TCP on port 4000: the GUI application listens for requests from the webserver and then returns an answer to the webserver.

The current version is hardcoded to IIS, although in the code there is support for using a custom .Net webserver. This IIS version uses an HttpHandler to capture all requests and communicate with the GUI application (called SiteGeneratorGUI).

The dynamic websites are defined by XML files like this (which are edited on the GUI Application using the WYSIWYG Altova Authentic Browser Object (SPS files created via Altova's StyleVision application)):

    <?xml version="1.0" encoding="utf-8" ?>
    <SiteGenerator name="SiteGenerator Demo" xmlns:ipo="http://www.altova.com/IPO"
        xmlns="http://www.xmlspy.com/schemas/orgchart" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <site>
        <folder name="">
          <file mappedTo="aspx/Default.aspx" name="HelloWorld.aspx" />
          <folder name="htm" />
          <folder name="aspx">
            <file mappedTo="aspx/pages.htm" name="pages.htm" />
            <file mappedTo="aspx/xss.aspx" name="xss.aspx" />
            <file mappedTo="aspx/SqlInjection_Easy.aspx" name="SqlInjection.aspx" />
            <file mappedTo="aspx/SqlInjection_Hard.aspx" name="SqlInjection2.aspx" />
          </folder>
          <folder name="flash">
            <file mappedTo="flash/cromas_xml.swf" name="cromas_xml.swf" />
            <file mappedTo="flash/cromas_xml.htm" name="menu.htm" />
            <file mappedTo="/flash/cromas_menu.xml" name="cromas_menu.xml" />
          </folder>
        </folder>
      </site>
    </SiteGenerator>

SiteGeneratorGUI.exe and IIS will map the virtual name "HelloWorld.aspx" to the file on disk "aspx/Default.aspx". For example:

http://localhost/HelloWorld.aspx --> F:\Owasp SiteGenerator\SiteGenerator_ContentPages\aspx\Default.aspx
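The mapping just shown can be reproduced in a few lines. The following is an added example, not SiteGenerator's own code: it parses the <site>/<folder>/<file> tree of a trimmed copy of the XML above, builds the virtual-name-to-disk table that the GUI application hands back to the IIS handler, and resolves requests against it. Two details are assumptions of this example rather than documented tool behaviour: the content root is written as a POSIX path (the page's install uses a Windows path under SiteGenerator_ContentPages), and a mappedTo value that would climb out of the content root is refused instead of followed. A leading slash in mappedTo, as in the page's "/flash/cromas_menu.xml", is treated as relative to the content root.

```python
"""Virtual-path table for a SiteGenerator site definition (added example).

Parses the <site>/<folder>/<file> tree, resolves a request such as
/HelloWorld.aspx to aspx/Default.aspx under the content root, and refuses
mappedTo values that would leave the content root (that check is an
assumption of this example, not documented SiteGenerator behaviour).
"""
import posixpath
import xml.etree.ElementTree as ET

# Trimmed copy of the site definition shown on the page.
SITE_XML = """<SiteGenerator name="SiteGenerator Demo"
    xmlns="http://www.xmlspy.com/schemas/orgchart">
  <site>
    <folder name="">
      <file mappedTo="aspx/Default.aspx" name="HelloWorld.aspx" />
      <folder name="htm" />
      <folder name="aspx">
        <file mappedTo="aspx/xss.aspx" name="xss.aspx" />
        <file mappedTo="aspx/SqlInjection_Easy.aspx" name="SqlInjection.aspx" />
        <file mappedTo="aspx/SqlInjection_Hard.aspx" name="SqlInjection2.aspx" />
      </folder>
      <folder name="flash">
        <file mappedTo="/flash/cromas_menu.xml" name="cromas_menu.xml" />
      </folder>
    </folder>
  </site>
</SiteGenerator>"""

# Constructed content root (assumption; the page's install uses a Windows
# path such as F:\Owasp SiteGenerator\SiteGenerator_ContentPages).
CONTENT_ROOT = "/srv/SiteGenerator_ContentPages"


def _local(tag):
    """Strip the XML namespace from an element tag ('{ns}folder' -> 'folder')."""
    return tag.rsplit("}", 1)[-1]


def build_map(xml_text):
    """Return {virtual path: mappedTo} for every <file> in the definition."""
    table = {}

    def walk(folder, prefix):
        for child in folder:
            if _local(child.tag) == "folder":
                walk(child, posixpath.join(prefix, child.get("name", "")))
            elif _local(child.tag) == "file":
                table[posixpath.join(prefix, child.get("name"))] = child.get("mappedTo")

    root = ET.fromstring(xml_text)
    for site in root:
        if _local(site.tag) == "site":
            walk(site, "/")
    return table


def resolve(table, request_path, content_root=CONTENT_ROOT):
    """Map a requested virtual path to an on-disk file, or None.

    Names that are not mapped (including physical names such as
    /aspx/Default.aspx) are not served, and a mappedTo that would climb out
    of the content root is rejected rather than followed.
    """
    mapped = table.get(posixpath.normpath(request_path))
    if mapped is None:
        return None
    # A leading slash in mappedTo is treated as relative to the content root.
    rel = posixpath.normpath(mapped.lstrip("/"))
    if rel == ".." or rel.startswith("../") or posixpath.isabs(rel):
        return None
    target = posixpath.join(content_root, rel)
    root = content_root.rstrip("/") + "/"
    return target if target.startswith(root) else None


if __name__ == "__main__":
    table = build_map(SITE_XML)
    for virtual in ("/HelloWorld.aspx", "/aspx/SqlInjection.aspx", "/aspx/Default.aspx"):
        print(virtual, "->", resolve(table, virtual))
```

Only names listed in the XML are served, so the physical page names (SqlInjection_Easy.aspx, Default.aspx) stay hidden behind their virtual names, which is what lets one set of content pages back many differently-shaped sites.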

So to create new websites, all you need to do is create a new XML file.

Then to create a new vulnerability type, all you need to do is create an Aspx page and map it in the XML file.
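The "real and measurable metrics" listed under the Web Security Scanner discussion above (detection rate, request count over time, false-positive share, which navigation styles the scanner could follow) fall out directly once the site's XML doubles as the ground truth. The block below is an added example, not part of the tool: the ground truth, the two scanner runs and the list of URLs each scanner requested are constructed to mirror the Scanner X / Scanner Y figures on this page, and the "section not reached" metric (a Flash-navigated folder the scanner never requested) is this example's stand-in for the navigation-coverage comparison.

```python
"""Score a scanner run against the vulnerabilities planted in a SiteGenerator
site (added example, not part of the tool).  Ground truth, findings and the
visited-URL sets below are constructed, not real scanner output."""
from dataclasses import dataclass

# Constructed ground truth: virtual URL -> planted vulnerability class
# (None marks a clean page, so a finding on it counts as a false positive).
GROUND_TRUTH = {
    "/HelloWorld.aspx": None,
    "/aspx/pages.htm": None,
    "/aspx/xss.aspx": "xss",
    "/aspx/SqlInjection.aspx": "sqli",
    "/aspx/SqlInjection2.aspx": "sqli",
    "/flash/menu.htm": None,
    "/flash/cromas_menu.xml": None,
}


@dataclass
class ScanRun:
    name: str
    requests: int   # total HTTP requests the scanner issued
    hours: float    # wall-clock duration of the scan
    findings: set   # {(url, vuln_class)} reported by the scanner
    visited: set    # URLs seen in SiteGenerator's request log for this run


def section(url):
    """Top-level folder of a virtual URL ('/aspx/xss.aspx' -> 'aspx', '/x.aspx' -> '/')."""
    parts = url.strip("/").split("/")
    return parts[0] if len(parts) > 1 else "/"


def score(run, truth=GROUND_TRUTH):
    """Compare a run with the planted vulnerabilities and return the metrics."""
    planted = {(u, c) for u, c in truth.items() if c is not None}
    true_pos = run.findings & planted
    false_pos = run.findings - planted
    all_sections = {section(u) for u in truth}
    reached = {section(u) for u in run.visited if u in truth}
    return {
        "detection_pct": round(100 * len(true_pos) / len(planted)),
        "false_positive_pct": round(100 * len(false_pos) / len(run.findings)) if run.findings else 0,
        "requests_per_hour": round(run.requests / run.hours),
        "missed": sorted(planted - run.findings),
        "sections_not_reached": sorted(all_sections - reached),
    }


# Constructed runs: X follows Html/JavaScript navigation only and never
# requests the Flash-navigated folder; Y reaches everything but over-reports.
SCANNER_X = ScanRun(
    "Scanner X", requests=10000, hours=16,
    findings={("/aspx/xss.aspx", "xss"), ("/aspx/SqlInjection.aspx", "sqli"),
              ("/aspx/pages.htm", "sqli")},
    visited={"/HelloWorld.aspx", "/aspx/pages.htm", "/aspx/xss.aspx",
             "/aspx/SqlInjection.aspx", "/aspx/SqlInjection2.aspx"},
)
SCANNER_Y = ScanRun(
    "Scanner Y", requests=4000, hours=10,
    findings={("/aspx/xss.aspx", "xss"), ("/aspx/SqlInjection.aspx", "sqli"),
              ("/aspx/SqlInjection2.aspx", "sqli"), ("/flash/menu.htm", "xss"),
              ("/HelloWorld.aspx", "xss"), ("/aspx/pages.htm", "sqli")},
    visited=set(GROUND_TRUTH),
)

if __name__ == "__main__":
    for run in (SCANNER_X, SCANNER_Y):
        print(run.name, score(run))
```

Because the scanner's own report is compared against what the XML says was planted, the score is independent of the scanner's marketing: a finding is only a true positive if it names a planted page and the right vulnerability class, and every clean page is a chance to be wrong.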

How To Use SiteGenerator

SiteGenerator contains four different screens; they are further explained below. In all of the screenshots you will see a bottom pane; this contains all the information flowing from the website to the fat client. Clicking on "Clear Received Data" clears the bottom text area and the information shown on the File Transformations Log tab.

Edit / Create Dynamic Websites Tab

[Screenshot: Sg maintain websites ss.jpg]

This area allows users to create a basic website. You can also remove a website or modify it using the Word-like widget.

After selecting the root path for the site ("/") you can choose the default page; this can be another page that you have previously mapped or a specific path to a file.


File Transformations Log

[Screenshot: Sg file transformations tab.jpg]

This tab allows a user to see how the transformations are working. For example you could make sure that the new mapping for f00.aspx actually was converted to /test123/test.aspx.


Web Browser Tab

[Screenshot: Sg webrowser tab ss.jpg]

This tab allows a user to browse the generated website without using a normal browser.


Website Creator Tab

[Screenshot: Sg website creator tab ss.jpg]

This tab allows a user to initially create the files for a given website.

Development Notes

OSG_Dev_Notes

Project Identification

OWASP SiteGenerator

Project Health: Not Reviewed (Provisional); to be reviewed under Assessment Criteria v2.0

Current release: First Release - Unknown Date - (no download available); Rating: Not Reviewed