This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Category:OWASP CAL9000 Project"

From OWASP
(Downloads)
 
(24 intermediate revisions by 10 users not shown)
Line 1: Line 1:
 +
{|
 +
|-
 +
! width="700" align="center" | <br>
 +
! width="500" align="center" | <br>
 +
|-
 +
| align="right" | [[Image:OWASP Inactive Banner.jpg|800px| link=https://www.owasp.org/index.php/OWASP_Project_Stages#tab=Inactive_Projects]]
 +
| align="right" |
 +
 +
|}
 +
 +
<br>
 +
 
'''Welcome to the OWASP CAL9000 project...'''
 
'''Welcome to the OWASP CAL9000 project...'''
  
== Overview ==
+
== PREVIOUS NOTE  ==
 +
 
 +
This project, while still useful, is pretty much dormant and orphaned by the project lead.
 +
 
 +
[[Image:HttpRequests.jpg|thumb|right|300px]]
 +
 
 +
== Overview ==
 +
 
 +
CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.
 +
 
 +
CAL9000 is written in JavaScript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain xmlHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I would strongly encourage that you only run it locally and NOT off of a server.
 +
 
 +
Take a few moments to check out the CAL9000 built-in Help file for information about all of the new features and some potential gotchas (browser quirks, xmlHttpRequest limitations, etc.)
 +
 
 +
Please only use this tool for testing your own applications or those that you have been authorized to test.
 +
 
 +
== Features  ==
 +
 
 +
*XSS Attacks - This is a listing of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
 +
*Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
 +
*Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
 +
*Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
 +
*Scratchpad - A place to save code snippets, notes, results, etc.
 +
*Cheatsheets - Collection of references for various web-related platforms and languages.
 +
*IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
 +
*String Generator - Create character strings of almost any length.
 +
*Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
 +
*Testing Tips - Collection of testing ideas for assessments.
 +
*Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
 +
*AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
 +
*Store/Restore - Temporarily hold and retrieve textarea and text field contents.
 +
*Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
 +
*Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.
 +
 
 +
== Downloads  ==
 +
 
 +
LATEST RELEASE - Version 2.0 released November 16, 2006. See the [[OWASP CAL9000 Project Roadmap]] for release notes.
  
== Features ==
+
* The latest release has been incorporated into the [[:Category:OWASP_Live_CD_Project|OWASP LiveCD project]]
 +
*Click [http://owasp-code-central.googlecode.com/svn/trunk/labs/cal9000/ here] to view the CAL9000 source code.
  
* XSS Attacks - This is a library of the XSS Attack Info from [http://ha.ckers.org/xss.html RSnake]. You can also try executing the various attacks or using RegEx filters against them.
+
== Project Contributors  ==
* Character Encoder/Decoder - Encodes and decodes the following: URL, Hex, Unicode, Html(Decimal), Base64, MD5. Encode only for Sha1 and Sha256.
 
* Simple Http Requests - Send GET, POST, HEAD, TRACE, OPTIONS, PUT and DELETE requests and see the results.
 
* Scratchpad - A place to save code snippets, notes, results, etc.
 
* Cheatsheets - Collection of references for various web-related platforms and languages.
 
* Page Info - Splits out the Forms in a target page, as well as the source for internal and external Scripts.
 
* IP Encoder/Decoder - Go to/from IP, Dword, Hex and Octal addresses.
 
* String Generator - Create alpha(i), numeric(1) or special(!) strings of almost any length.
 
* Scroogle Search - A privacy-friendly scrape of Google results w/Advanced Operators.
 
* Testing Checklist - Collection of testing ideas for assessments.
 
* Save State/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
 
  
== Downloads ==
+
Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:[email protected] here] or submitted via the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 mailing list].
  
* RightClick [http://www.digilantesecurity.com/CAL9000/files/CAL9000.zip here] to download the CAL9000 tool.
+
Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.  
* RightClick [http://ha.ckers.org/xssAttacks.xml here] to download the latest XSS Attack List XML file from [http://ha.ckers.org/xss.html RSnake's site]. Replace the file of the same name in your &quot;CAL9000/files/xml/&quot; folder.
 
  
The online help for CAL9000 can be found [http://www.digilantesecurity.com/CAL9000/help.html here].
+
'''Geeze, Really helpful stuff.'''
  
== Project Contributors ==
+
== Feedback and Participation:  ==
  
Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed [mailto:cal9000tool@mac.com here].
+
We hope that you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks and/or sending your comments, questions and suggestions to [email protected]. To join the OWASP CAL9000 Project mailing list or to view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-cal9000 subscription page].  
  
== Roadmap ==
+
== Roadmap ==
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.
 
  
 +
Please refer to the [[OWASP CAL9000 Project Roadmap]] for current tasks.
  
[[Category:OWASP Project]]
+
[[Category:OWASP_Project|CAL9000 Project]] [[Category:OWASP_Download]] [[Category:OWASP_Tool]]
[[Category:OWASP Download]]
 
[[Category:OWASP Tool]]
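Review bot: the added line '''Geeze, Really helpful stuff.''' under "== Project Contributors ==" is a stray remark rather than project content, and it sits directly after the acknowledgement of Achim Hoffmann, where it reads as part of the credits. Suggest dropping it from the new revision. The added heading "== PREVIOUS NOTE ==" also says nothing about what follows; a title that names the status (the text under it says the project is dormant and orphaned) would serve readers better.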
 

Latest revision as of 18:42, 30 January 2014





Welcome to the OWASP CAL9000 project...

PREVIOUS NOTE

This project, while still useful, is pretty much dormant and orphaned by the project lead.


Overview

CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. It works best when used with Firefox or Internet Explorer.

CAL9000 is written in JavaScript, so you have full access to the source code. Feel free to modify it to best suit your particular needs. CAL9000 has some powerful features (like executing cross-domain XMLHttpRequests and writing to disk). It is purposefully designed to do some horribly insecure things. Therefore, I strongly encourage you to run it only locally and NOT from a server.

Take a few moments to check out the CAL9000 built-in Help file for information about all of the new features and some potential gotchas (browser quirks, XMLHttpRequest limitations, etc.).

Please only use this tool for testing your own applications or those that you have been authorized to test.

Features

  • XSS Attacks - This is a listing of the XSS Attack Info from RSnake. You can filter the listing based on which browsers the attacks work in, test them, apply RegEx filters and create/edit/save/delete your own attacks.
  • Character Encoder/Decoder - Encodes and decodes the following types: URL, Standard Hex, Unicode, Html(Named), Html(Decimal), Html(Hex), Html(Hex Long), Javascript Escaped, XML Escaped, Straight Decimal, Straight Hex, IE Hex, IE Unicode, Base64 and MD5. Encode only with MD4 and SHA1. Specify Upper/Lowercase, Delimiters and Trailing Characters. You can add/remove wrappers around your results and encode/decode selected text instead of the entire contents of the window.
  • Http Requests - Manually craft and send HTTP requests to servers. GET, POST, HEAD, TRACE, TRACK, OPTIONS, CONNECT, PUT, DELETE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, SEARCH and UNLOCK methods supported. Send single requests or launch automated attacks with more than one request at a time. All results are saved in a history file.
  • Http Responses - View the status codes, response headers and body. Isolate the script, form and cookie information in the response.
  • Scratchpad - A place to save code snippets, notes, results, etc.
  • Cheatsheets - Collection of references for various web-related platforms and languages.
  • IP Encode/Decode - Go to/from IP, Dword, Hex and Octal addresses.
  • String Generator - Create character strings of almost any length.
  • Scroogle Search - A privacy-friendly scrape of Google results with Advanced Operators.
  • Testing Tips - Collection of testing ideas for assessments.
  • Testing Checklist - Track the progress of your testing efforts and record your findings. The checklist categories roughly correlate with the Manual Testing Techniques from the OWASP Testing Guide. Create/edit/save/delete your own checklist items.
  • AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiple-request capabilities on the HTTP Requests page.
  • Store/Restore - Temporarily hold and retrieve textarea and text field contents.
  • Save/Load State - Allows you to save CAL9000 textarea and text field contents and reload them when you are ready to resume testing.
  • Selected Text Processing - Allows you to process selected text inside of a textarea instead of the entire contents.

Downloads

LATEST RELEASE - Version 2.0 released November 16, 2006. See the OWASP CAL9000 Project Roadmap for release notes.

Project Contributors

Chris Loomis wrote the CAL9000 tool and currently leads the project. Any and all questions, comments or suggestions are welcome and may be directed here or submitted via the mailing list.

Thanks to everyone who has emailed me their comments and great suggestions for enhancing CAL9000. Keep the ideas coming! Special thanks to Achim Hoffmann for his significant contributions of code and time to the project.

Geeze, Really helpful stuff.

Feedback and Participation:

We hope that you find the OWASP CAL9000 Project useful. Please contribute to the Project by volunteering for one of the Tasks and/or sending your comments, questions and suggestions to [email protected]. To join the OWASP CAL9000 Project mailing list or to view the archives, please visit the subscription page.

Roadmap

Please refer to the OWASP CAL9000 Project Roadmap for current tasks.
